Encrypted CIFS
Stefan (metze) Metzmacher
metze at samba.org
Tue Sep 19 16:14:46 GMT 2006
Hi Andrew, Jeremy and Steve,
I haven't followed your discussion in detail yesterday, but this morning
I thought a bit about the problem while I couldn't sleep anymore :-)
First I think we should learn from what we have learned about SMB2:
1.) TreeConnects are only valid on the UserSessions that created them.
2.) SMB2 signing depends on the UserSession.
Then I'm with Andrew that we should use a standard framing for the
encryption, but the comparison with LDAP seems wrong to me,
as LDAP can only have one UserSession at a time!
So I think DCERPC would much better match what we need, as it also
allows multiple contexts and the DCERPC header is always transmitted
unencrypted and only the payload is encrypted, but the signature also
takes the header into account.
I think we should implement something like this:
1.) create a new SMB dialect "Samba 3.0.24" and let the client send that
by default. When the server also supports it, it can tell the client
that the connection will be used with this dialect.
2.) because client and server know that they're not talking to Windows,
the session setup could contain some flags to say if the client
wants plain, sign or sign/seal for the new UserSession.
3.) on further packets we would do the following, depending on whether
plain, sign or sign/seal was selected on the UserSession:
- we would call gensec_seal() on the SMB payload data
(maybe multiple times, depending on gensec_max_input_data()
and gensec_max_wrapped_data()) and append the resulting signatures
behind the buffer. We could maybe use the SMB signature field (2 * uint32)
for storing the offset to the first GSSAPI signature and the count
of chunks.
4.) The new dialect would also force that only the NT session setups are
supported, using raw NTLMSSP or GSSAPI/SPNEGO. Also the server could
enforce that a TreeConnect is only allowed on the correct
UserSession, and as the client proposed the new dialect it knows
about this.
Comments are welcome :-)
metze
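As an added illustration (not from this mail and not Samba's code), here is a Python model of the framing proposed in steps 3 and 4: the SMB header stays in clear, the payload is sealed chunk by chunk, one signature per chunk is appended behind the buffer, and the 8-byte signature field carries the offset of the first signature and the chunk count. HMAC-SHA1 in counter mode stands in for the GSSAPI seal, and the session key, header and chunk size are constructed values.

```python
import hmac
import hashlib
import struct

HDR_LEN, SIG_OFF, TAG_LEN = 32, 14, 20   # SMB1 header, its 8-byte signature field, SHA1 tag


def _keystream(key, chunk_no, n):
    """Stand-in for the GSSAPI sealing cipher (constructed): HMAC-SHA1 counter mode."""
    out = b""
    for blk in range((n + 19) // 20):
        out += hmac.new(key, struct.pack(">II", chunk_no, blk), hashlib.sha1).digest()
    return out[:n]


def _tag(key, hdr, chunk_no, sealed):
    # The signature covers the cleartext header (offset/count already filled in),
    # the chunk index and the sealed chunk, so stripping or reordering chunks fails.
    return hmac.new(key, hdr + struct.pack(">I", chunk_no) + sealed, hashlib.sha1).digest()


def wrap(key, hdr, payload, max_input):
    """Seal the payload in chunks of max_input bytes and append one tag per chunk."""
    assert len(hdr) == HDR_LEN
    chunks = [payload[i:i + max_input] for i in range(0, len(payload), max_input)] or [b""]
    # Reuse the signature field as: uint32 offset of first tag, uint32 chunk count.
    sig_field = struct.pack("<II", HDR_LEN + len(payload), len(chunks))
    hdr = hdr[:SIG_OFF] + sig_field + hdr[SIG_OFF + 8:]
    sealed = [bytes(a ^ b for a, b in zip(c, _keystream(key, i, len(c))))
              for i, c in enumerate(chunks)]
    tags = [_tag(key, hdr, i, s) for i, s in enumerate(sealed)]
    return hdr + b"".join(sealed) + b"".join(tags)


def unwrap(key, packet, max_input):
    """Verify every chunk tag before unsealing; raise ValueError on any tampering."""
    hdr = packet[:HDR_LEN]
    tag_off, count = struct.unpack("<II", hdr[SIG_OFF:SIG_OFF + 8])
    body, tags = packet[HDR_LEN:tag_off], packet[tag_off:]
    if len(tags) != count * TAG_LEN or not (count - 1) * max_input <= len(body) <= count * max_input:
        raise ValueError("bad framing")
    out = b""
    for i in range(count):
        s = body[i * max_input:(i + 1) * max_input]
        if not hmac.compare_digest(tags[i * TAG_LEN:(i + 1) * TAG_LEN], _tag(key, hdr, i, s)):
            raise ValueError("signature mismatch on chunk %d" % i)
        out += bytes(a ^ b for a, b in zip(s, _keystream(key, i, len(s))))
    return hdr, out
```

Because the header bytes are signed but not sealed, a receiver can still route on TID/UID in the clear while any change to them, to a sealed chunk, or to the chunk count is rejected before unsealing.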