wireshark decryption
Aurélien Aptel
aaptel at suse.com
Mon May 29 12:35:31 UTC 2017
Stefan Metzmacher <metze at samba.org> writes:
> ntlmssph->session_key is not the 32bit "session key" (which seems to be
> a key into a session array instead of being a crypto key) used in
> SMB1,
Fair enough.
> it's the session key that resulted out of the ntlmssp exchange.
So, is this key really supposed to be used as-is to derive the crypto
keys?
The Microsoft Open Specifications Support Team says this about session
keys [1]:
> Note: These cryptographic keys are all derived from the SessionKey. As
> a result, SMB 3.0 signing and encryption is as secure as the session
> key. Not only must this key be unique and very random, but also it
> needs be kept secret.
If the ntlmssph->session_key is read on the wire it's not
secret. Something is not right.
1: https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
More information about the samba-technical
mailing list