List:       cifs-protocol
Subject:    Re: [cifs-protocol] Confirm kerberos key selection rules for PAC KDC signature
From:       Andrew Bartlett <abartlet () samba ! org>
Date:       2012-02-02 9:39:57
Message-ID: 1328175598.23516.201.camel () obed

On Mon, 2012-01-30 at 20:26 +0000, Edgar Olougouna wrote:
> Andrew,
> 
> This happens in a typical scenario similar to the following. 
> 
> The DC is running Windows Server 2008 at domain functional level Windows Server
> 2003. The Kerberos client and server present the following etypes to the DC:
> EType: aes256-cts-hmac-sha1-96 (18)
> EType: aes128-cts-hmac-sha1-96 (17)
> EType: rc4-hmac (23)
> 
> The client is issued a ticket with an encryption type aes256-cts-hmac-sha1-96 (18).
> The PAC in the service ticket has a SignatureType of KERB_CHECKSUM_HMAC_MD5
> (based on the logic described in my previous email, condition 1) is met but
> condition 2) is not met).

I'm clearly missing something here:  

How does the KDC issue a service ticket with type AES and not meet the
requirements for an AES checksum on the PAC?  Also, which key is the
signature calculated with in this case?

Also, can you explain how this describes the behaviour when the server
only supports DES?

We find that the SignatureType is of type KERB_CHECKSUM_HMAC_MD5 but
the DES key (with which the ticket was encrypted) is in fact used for
the HMAC calculation.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

