path: root/lib/crypto/REQUIREMENTS

A list of the crypto operations that we require, and what uses them.

This list is to allow research into using external crypto libraries.
Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'
Those possibly supported in the git version of nettle are indicated as '# NETTLE'

ARCFOUR (RC4)
 - the old SamOEMHash
 - Password encryption on SAMR for password set/get
 - NETLOGON SamLogon session keys
 - Schannel
 - genrate_random_data()

 # GNUTLS
 # NETTLE

DES
 - NTLM challenge-response
 - LSA QuerySecret et al
 - NETLOGON SamLogon session keys
 - ServerGetTrustInfo returned passwords
 - RID encryption of passwords

 # NETTLE

3DES
 - NETLOGON Credentials

 # NETTLE

CRC32
 - DRSUAPI replication replicated secrets

AES CFB8
 - SCHANNEL
 - NETLOGON SamLogon session keys

AES 128
 - SMB VFS traffic analyzer

 # NETTLE (AES-NI available)

AES128 CCM
 - SMB2 2.24 SMB encryption

 # GNUTLS
 # NETTLE (AES-NI available)

AES128 GCM
 - SMB2 3.10 SMB encryption

 # GNUTLS
 # NETTLE (AES-NI available)

AES128 CMAC
 - SMB2 0x224 SMB Signing

MD4
 - NTLM password hash
 - genrate_random_number()

 # NETTLE

MD5
 - NTLM2
 - SCHANNEL
 - NTLMSSP
 - NETLOGON computer credentials
 - DRSUAPI blob encryption
 - SAMR/wkssvc password change/set encryption
 - vfs_fruit
 - vfs_streams_xattr
 - passdb old password history format
 - dsdb password_hash module
 - SMB1 SMB signing
 - NTP ntp_signd

 # GNUTLS
 # NETTLE

HMAC-MD5
 - NTLMv2

 # GNUTLS
 # NETTLE

HMACSHA256
 - SMB2 < 2.24 SMB signing
 - SMB2 Key derivation

 # GNUTLS
 # NETTLE

HMACSHA1
 - BackupKey ServerWrap

 # GNUTLS
 # NETTLE

SHA256
 - Security Descriptor hash for vfs_acl_xattr
 - oLschema2ldif

 # GNUTLS
 # NETTLE

SHA512
 - SMB2 Pre-auth integrity verification
 - BackupKey ClientWrap

 # GNUTLS
 # NETTLE

RSA
 - BackupKey ClientWrap

 # GNUTLS
 # NETTLE