[Re: Implement samba.crypto.arcfour_crypt_blob for Python access]
Simo did review the patch but sent his response only to me. Forwarding
it back to the list.
/ Alexander Bokovoy
On Fri, Mar 10, 2017 at 04:43:34PM +0200, Alexander Bokovoy wrote:
> attached patch improves availability of Samba AD in FIPS 140-2 environment.
> To establish trust relationship, we call CreateTrustedDomainEx2 LSA
> call. This call requires to encrypt AuthenticationInformation blob with
> RC4 cipher. While Samba C code does use lib/crypto/arcfour.c to have
> independent RC4 implementation, Python code relies on system Python
> libraries to get access to RC4 cipher.
> In FIPS 140-2 compliant environment all non-compliant ciphers are
> disabled and calling them causes an error. Thus, encrypting
> AuthenticationInformation blob with RC4 is not possible in this
> Use of RC4 is part of the MS-LSAD 5.1.1:
> Implementations of this protocol protect the LSAPR_TRUSTED_DOMAIN_AUTH_BLOB
> structure by encrypting the data referenced by that structure's AuthBlob field.
> The RC4 algorithm is used to encrypt the data on request (and reply) and
> decrypt the data on receipt. The key, required during runtime by the RC4
> algorithm, is the 16-byte key specified by the method that uses this
> structure (for example, see section 188.8.131.52.10). The size of data (the
> AuthSize field of LSAPR_TRUSTED_DOMAIN_AUTH_BLOB) must remain unencrypted.
> I asked Microsoft dochelp team on the matter and got an answer:
> FIPS mode does not change Windows Server product behavior with regards
> to MS-LSAD 5.1.1.
> LSAD goes over RPCE, which in turn goes over SMB/SMB2 transport. The
> protocol requires packet integrity or encryption at the RPCE level.
> MS-SMB/CIFS and MS-SMB2 (and its related authentication protocols)
> define what cryptographic algorithms are used respectively by each
> dialect of the protocol. As specified in the specs, each negotiated
> protocol parameters indicates what crypto is used. This does not depend
> on any FIPS mode configuration.
> On Windows, SMB1 can be disabled by configuration if desired, but this
> is purely driven by known security limitations with SMB1 protocol,
> rather than FIPS enforcing any policy.
> The encrypted blob (LSAPR_TRUSTED_DOMAIN_AUTH_BLOB structure you are
> referring to) is RC4-encrypted at the application level using the key
> from that RPC binding session.
> The encryption key is the session key from the RPC binding policy
> As we have RC4 implementation on application level already, exposing it
> to Python code allows us to solve the availability problem.
It's not the greatest option to expose crypto, but it seem simple enough and
the amount of code is not a lot.