svn commit: samba r21903 - in branches/SAMBA_3_0/source/libsmb: .

Jeremy Allison jra at samba.org
Wed Mar 21 05:28:05 GMT 2007


On Wed, Mar 21, 2007 at 03:48:26PM +1100, Luke Howard wrote:
> 
> For NTLM, it sounds like you're doing effectively
> what is done for DCE RPC in NTLMv2 (AEAD).

Yep. I modelled the code on our RPC code.

> Yes, this is why years ago I proposed gss_wrap variants
> for AEAD:
> 
> http://www1.ietf.org/mail-archive/web/kitten/current/msg00024.html
> 
> But we'll probably never see this in standard Kerberos
> distributions, and rolling your own encryption routines
> is generally asking for trouble so, yes, I think you
> don't have a choice here.

I agree, it's the best I can do.

> An attacker could tamper with the header (a classic
> example in the DCE RPC case is changing the opcode;
> I don't know enough about the SMB PDU layout to know
> what attacks are possible, but you may be providing
> the user with a false sense of security if you only
> integrity protect the payload).

No, it's ok. The SMB packets look like this:

[1 byte type]
[3 byte length]
Characters 0xFF 'S' 'M' 'B'
<rest of header + data>

I'm encrypting and protecting <rest of data+header>
in both the gss and NTLM cases, and also protecting
the entire packet (start to end) in the NTLM case.

The only thing anyone could do is change the
type, or length or corrupt the 'S' 'M' 'B'
letters. In any of these cases we just drop
the packet and terminate the connection, but
we do that in the non-encrypted case as well
so there's no additional harm.

> Anyway, your hands are pretty much tied if you want to
> use the deployed GSS-API. FWIW I haven't seen any
> evidence that MS use AEAD in DCE RPC for Kerberos,
> even though they do for NTLMv2.

Interesting...

> BTW, I heard some murmurings about Vista just tunnelling
> SMB in TLS but haven't confirmed it myself...

Any idea how to trigger that? We used to do
that in older versions of Samba but we discontinued
when no one used it. I don't think anyone wants
to put TLS inside the Linux or Mac kernel :-).

Jeremy.
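
The framing argument in the message above, as an added example that is not part of the original message and is not Samba's code: a receiver that drops any frame whose unprotected type, length or 0xFF 'S' 'M' 'B' bytes are altered, and whose remaining bytes fail an integrity check. Assumptions: HMAC-SHA256 stands in for the gss/NTLM protection (integrity only, no encryption), the type value 0x00 and all function names are hypothetical, and the sample payload is constructed.

```python
import hashlib
import hmac

MAGIC = b"\xffSMB"       # the four marker bytes from the layout in the message
FRAME_TYPE = 0x00        # assumed type value for an ordinary message
TAG_LEN = 32             # HMAC-SHA256 tag, a stand-in for the real gss/NTLM seal


def build_frame(key: bytes, rest: bytes) -> bytes:
    """[1 byte type][3 byte length] 0xFF 'S' 'M' 'B' <rest of header + data> <tag>."""
    tag = hmac.new(key, rest, hashlib.sha256).digest()
    body = MAGIC + rest + tag
    return bytes([FRAME_TYPE]) + len(body).to_bytes(3, "big") + body


def receive_frame(key: bytes, frame: bytes):
    """Return the protected bytes, or None meaning drop packet and terminate."""
    if len(frame) < 8 + TAG_LEN:
        return None
    # The first 8 bytes are not covered by the tag in this model. They are
    # validated structurally, exactly as an unencrypted connection would do.
    if frame[0] != FRAME_TYPE:
        return None
    if int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        return None
    if frame[4:8] != MAGIC:
        return None
    rest, tag = frame[8:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, rest, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return rest


def tamper_results(key: bytes, rest: bytes) -> dict:
    """Flip one bit at every offset of a valid frame; map offset -> receiver result."""
    frame = build_frame(key, rest)
    results = {}
    for offset in range(len(frame)):
        mutated = bytearray(frame)
        mutated[offset] ^= 0x01
        results[offset] = receive_frame(key, bytes(mutated))
    return results


if __name__ == "__main__":
    key = b"k" * 32                            # constructed key
    payload = b"constructed header and data"   # constructed sample input
    dropped = [o for o, r in tamper_results(key, payload).items() if r is None]
    print(f"{len(dropped)} of {len(build_frame(key, payload))} single-bit edits dropped")
```

Offsets 0 to 7 are rejected by the structural checks alone; every later offset is rejected by the tag comparison.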

