
Implement samba.crypto.arcfour_crypt_blob for Python access


Alexander Bokovoy
Hi,

the attached patch improves availability of Samba AD in a FIPS 140-2 environment.

To establish a trust relationship, we make the CreateTrustedDomainEx2 LSA
call. This call requires encrypting the AuthenticationInformation blob with
the RC4 cipher. While the Samba C code does use lib/crypto/arcfour.c to have
an independent RC4 implementation, the Python code relies on system Python
libraries to get access to the RC4 cipher.

In a FIPS 140-2 compliant environment all non-compliant ciphers are
disabled and calling them causes an error. Thus, encrypting the
AuthenticationInformation blob with RC4 is not possible in this
environment.

Use of RC4 is specified in MS-LSAD 5.1.1:
----------
Implementations of this protocol protect the LSAPR_TRUSTED_DOMAIN_AUTH_BLOB
structure by encrypting the data referenced by that structure's AuthBlob field.
The RC4 algorithm is used to encrypt the data on request (and reply) and
decrypt the data on receipt. The key, required during runtime by the RC4
algorithm, is the 16-byte key specified by the method that uses this
structure (for example, see section 3.1.4.7.10). The size of data (the
AuthSize field of LSAPR_TRUSTED_DOMAIN_AUTH_BLOB) must remain unencrypted.
----------

I asked the Microsoft dochelp team about the matter and got an answer:

----------
FIPS mode does not change Windows Server product behavior with regards
to MS-LSAD 5.1.1.

LSAD goes over RPCE, which in turn goes over SMB/SMB2 transport. The
protocol requires packet integrity or encryption at the RPCE level.
MS-SMB/CIFS and MS-SMB2 (and its related authentication protocols)
define what cryptographic algorithms are used respectively by each
dialect of the protocol. As specified in the specs, each negotiated
protocol's parameters indicate what crypto is used. This does not depend
on any FIPS mode configuration.

On Windows, SMB1 can be disabled by configuration if desired, but this
is purely driven by known security limitations with SMB1 protocol,
rather than FIPS enforcing any policy.

The encrypted blob (LSAPR_TRUSTED_DOMAIN_AUTH_BLOB structure you are
referring to) is RC4-encrypted at the application level using the key
from that RPC binding session.

The encryption key is the session key from the RPC binding policy
handle.
-----------

As we already have an RC4 implementation at the application level, exposing it
to Python code allows us to solve the availability problem.

--
/ Alexander Bokovoy

Attachment: samba-python-samba.crypto.patch (5K)
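The mechanism the message describes, as an added example that is not part of the original post or of the Samba patch: a pure-Python RC4 (arcfour) routine, named `rc4_crypt` here as a hypothetical stand-in for the `samba.crypto.arcfour_crypt_blob` the patch exposes, used to protect an LSAPR_TRUSTED_DOMAIN_AUTH_BLOB the way MS-LSAD 5.1.1 says: the AuthBlob bytes are RC4-encrypted with the 16-byte RPC session key and the AuthSize field stays in the clear. Because the cipher is implemented in the application itself rather than obtained from the system crypto library, it keeps working when that library refuses RC4 in FIPS mode. The `AuthSize || AuthBlob` byte layout, the 16-byte sample session key and the sample blob are constructed for illustration and are a simplification of the real NDR marshalling; the RC4 test vectors in the helper's docstring are the well-known public ones.

```python
import struct

SESSION_KEY_LEN = 16  # MS-LSAD 5.1.1: the RC4 key is the 16-byte session key


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 (arcfour) in pure Python: key scheduling, then XOR with the keystream.

    Hypothetical stand-in for samba.crypto.arcfour_crypt_blob. RC4 is
    symmetric, so the same call both encrypts and decrypts.
    Public test vector: rc4_crypt(b"Key", b"Plaintext") == bytes.fromhex("bbf316e8d940af0ad3")
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S under the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per data byte.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def protect_auth_blob(session_key: bytes, auth_blob: bytes) -> bytes:
    """Encode AuthSize (uint32 LE, unencrypted) || RC4(session_key, AuthBlob).

    Constructed layout for this example; the real NDR encoding of
    LSAPR_TRUSTED_DOMAIN_AUTH_BLOB differs in detail, but the rule from
    MS-LSAD 5.1.1 is the same: only AuthBlob is encrypted, AuthSize is not.
    """
    if len(session_key) != SESSION_KEY_LEN:
        raise ValueError("session key must be %d bytes" % SESSION_KEY_LEN)
    return struct.pack("<I", len(auth_blob)) + rc4_crypt(session_key, auth_blob)


def unprotect_auth_blob(session_key: bytes, wire: bytes) -> bytes:
    """Inverse of protect_auth_blob: check AuthSize against the payload, then decrypt."""
    if len(session_key) != SESSION_KEY_LEN:
        raise ValueError("session key must be %d bytes" % SESSION_KEY_LEN)
    if len(wire) < 4:
        raise ValueError("blob too short for AuthSize")
    (auth_size,) = struct.unpack("<I", wire[:4])
    encrypted = wire[4:]
    if auth_size != len(encrypted):
        raise ValueError("AuthSize %d does not match %d payload bytes" % (auth_size, len(encrypted)))
    return rc4_crypt(session_key, encrypted)


if __name__ == "__main__":
    # Constructed sample values: a 16-byte session key and a short trust secret.
    session_key = bytes(range(SESSION_KEY_LEN))
    auth_blob = b"trust-secret"
    wire = protect_auth_blob(session_key, auth_blob)
    print("wire:", wire.hex())
    print("AuthSize in clear:", struct.unpack("<I", wire[:4])[0])
    print("round trip ok:", unprotect_auth_blob(session_key, wire) == auth_blob)
```

The round trip works without any call into OpenSSL or the `ssl`/`hashlib` modules, which is exactly the property the patch needs in a FIPS-locked environment; the AuthSize check on the receiving side is the minimal sanity check a decoder should do before trusting the length.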
Re: Implement samba.crypto.arcfour_crypt_blob for Python access

Samba - samba-technical mailing list
Hi Alexander,

RB+, looks fine and pushed to autobuild.

Thanks,
Guenther

On 10/03/17 15:43, Alexander Bokovoy wrote:

--
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         [hidden email]
Samba Team                              [hidden email]

