Encrypted CIFS

Stefan (metze) Metzmacher metze at samba.org
Tue Sep 19 16:14:46 GMT 2006


Hi Andrew, Jeremy and Steve,

I haven't followed your discussion in detail yesterday, but this morning
I thought a bit about the problem while I couldn't sleep anymore:-)

First I think we should learn from what we have learned about SMB2:

1.) TreeConnects are only valid on the UserSessions that create them.
2.) SMB2 signing depends on the UserSession.

Then I'm with Andrew that we should use a standard framing for the
encryption, but I think the comparison with LDAP seems wrong to me
as LDAP can only have one UserSession at a time!

So I think DCERPC would much better match what we need, as it also
allows multiple contexts and the DCERPC header is always transmitted
unencrypted and only the payload is encrypted, but the signature also
takes the header into account.

I think we should implement something like this:

1.) create a new SMB dialect "Samba 3.0.24" and let the client send that
    by default. When the server also supports it, it can tell the client
    the connection will be used with this dialect.

2.) because client and server know that they're not talking to Windows
    the session setup could contain some flags to say if the client
    wants plain, sign or sign/seal for the new UserSession.

3.) on further packets we would do the following depending whether
    plain, sign or sign/seal was selected on the UserSession:

    - then we would call gensec_seal() on the SMB payload data
      (maybe multiple times depending on the gensec_max_input_data()
      and gensec_max_wrapped_data()) and append the resulting signatures
      behind the buffer. We could maybe use the SMB signature field 2 * uint32
      for storing the offset to the first GSSAPI signature and the count
      of chunks

4.) The new dialect would also force that only the NT session setups are
    supported, using raw NTLMSSP or GSSAPI/SPNEGO. Also the server could
    force that the usage of a TreeConnect is only allowed on the correct
    UserSession and as the client proposed the new dialect it knows
    about this.

Comments are welcome:-)

metze
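The framing proposed in point 3 of the message above, sketched as an added example that is not part of the original mail and is not Samba code: the header stays in clear, the payload is sealed in chunks, one signature per chunk is appended, and the 8-byte SMB signature field carries the offset of the first signature and the chunk count. Assumptions: HMAC-SHA256 and a hash-based keystream stand in for whatever gensec mechanism is negotiated, and the names `seal_packet`, `unseal_packet` and `MAX_INPUT` are hypothetical.

```python
import hashlib, hmac, struct

HDR_LEN, SIG_FIELD = 32, 14   # SMB1 header size; offset of its 8-byte signature field
MAX_INPUT, TAG_LEN = 16, 32   # assumed chunk limit (tiny, to force chunking); HMAC size

def _keystream(key, seq, idx, n):
    # Stand-in cipher only (SHA-256 in counter mode), not what a gensec mechanism uses.
    return b"".join(hashlib.sha256(key + struct.pack("<QII", seq, idx, c)).digest()
                    for c in range((n + 31) // 32))[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(mac_key, seq, idx, hdr, sealed):
    # Each chunk signature also covers the cleartext header, as in DCERPC.
    msg = struct.pack("<QI", seq, idx) + hdr + sealed
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal_packet(enc_key, mac_key, seq, header, payload):
    # An empty payload still yields one chunk, so the header is always signed.
    chunks = [payload[i:i + MAX_INPUT] for i in range(0, len(payload), MAX_INPUT)] or [b""]
    sealed = [_xor(c, _keystream(enc_key, seq, i, len(c))) for i, c in enumerate(chunks)]
    body = b"".join(sealed)
    # Signature field = (offset of first signature, count of chunks), 2 * uint32.
    sig = struct.pack("<II", HDR_LEN + len(body), len(chunks))
    hdr = header[:SIG_FIELD] + sig + header[SIG_FIELD + 8:]
    return hdr + body + b"".join(_tag(mac_key, seq, i, hdr, s) for i, s in enumerate(sealed))

def unseal_packet(enc_key, mac_key, seq, packet):
    if len(packet) < HDR_LEN:
        raise ValueError("short packet")
    hdr = packet[:HDR_LEN]
    sig_off, count = struct.unpack_from("<II", hdr, SIG_FIELD)
    if not HDR_LEN <= sig_off <= len(packet):
        raise ValueError("signature offset out of range")
    body, tags = packet[HDR_LEN:sig_off], packet[sig_off:]
    if count != max(1, -(-len(body) // MAX_INPUT)) or len(tags) != count * TAG_LEN:
        raise ValueError("chunk count does not match framing")
    out = b""
    for i in range(count):
        s = body[i * MAX_INPUT:(i + 1) * MAX_INPUT]
        want = _tag(mac_key, seq, i, hdr, s)
        if not hmac.compare_digest(want, tags[i * TAG_LEN:(i + 1) * TAG_LEN]):
            raise ValueError("signature mismatch")
        out += _xor(s, _keystream(enc_key, seq, i, len(s)))
    return out

# Constructed sample input: a 32-byte SMB1-style header and a 41-byte payload.
SAMPLE_HDR = b"\xffSMB" + b"\x25" + bytes(27)
SAMPLE_PAYLOAD = b"constructed payload spanning three chunks"
```

Because the chunk index, the sequence number and the header (including the offset and count) are inside every signature, reordered or dropped chunks and edited cleartext header fields all fail verification.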

