wireshark decryption

Aurélien Aptel aaptel at suse.com
Mon May 29 12:35:31 UTC 2017

Stefan Metzmacher <metze at samba.org> writes:
> ntlmssph->session_key is not the 32bit "session key" (which seems to be
> a key into a session array instead of being a crypto key) used in
> SMB1,

Fair enough.

> it's the session key that resulted out of the ntlmssp exchange.

So, is this key really supposed to be used as-is to derive the crypto

The Microsoft Open Specifications Support Team says this about session
keys [1]:

> Note: These cryptographic keys are all derived from the SessionKey. As
> a result, SMB 3.0 signing and encryption is as secure as the session
> key. Not only must this key be unique and very random, but also it
> needs be kept secret.

If the ntlmssph->session_key is read on the wire it's not
secret. Something is not right.

1: https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/

Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

More information about the samba-technical mailing list