52 questions
GSSAPI FIPS compliant AES encryption
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 49%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGJ%3C/text%3E%3C/svg%3E)
Griff James
1
Reputation point
Are there any plans in the pipeline to update MSFT's GSSAPI implementation to add support for AES-256 encryption?
I know that no RFC currently exists for this, the strongest session key supported by the RFCs is 3DES which is deprecated.
On a related note the NTLMv2, SMB and NETLOGON protocols are also lagging behind with only AES-128 being supported. Any plans to update these as well?
thx
Windows development Windows Open Specifications
Windows for business Windows Server Devices and deployment Configure application groups
{count} votes
-
Jeff McCashland 481 Reputation points Microsoft Employee Moderator2022-12-15T17:41:01.393+00:00 Hello @Griff James ,
Encryption in GSSAPI is done by implementation libraries used by GSS wrappers. The implementation libraries may be updated without changing the wrappers. For example, Kerberos initially didn’t support AES encryption types, however support was added later while the wrapper essentially stayed the same.
Your comment about NETLOGON supporting only AES-128 at this time is correct. However, SMB currently has support for AES-256. As we add features and tighten security, you’ll see support for stronger encryption types in the products, but not all products will adopt them at the same time. Beyond that, we cannot comment on specific future plans.
If you have a specific question or problem around the lack of AES-256 encryption, please provide more details about your issue so that we can investigate further.
Thank you,
Jeff McCashland
Microsoft Open Specifications
Sign in to comment
Sign in to answer