On Thu, 2010-07-01 at 12:22 -0500, Shirish Pargaonkar wrote:
> On Mon, Jun 28, 2010 at 6:25 PM, Andrew Bartlett <abartlet@xxxxxxxxx> wrote:
> > On Mon, 2010-06-28 at 17:47 -0500, Shirish Pargaonkar wrote:
> >
> >> When I look at Windows - Windows smb2 traces, the (16 bytes) signature
> >> looks nothing like
> >> version (which is 1), ciphertext of 8 bytes of hmac-md5, sequence number
> >
> > SMB2 SMB Signing does not use the NTLMSSP packet signing algorithm.
> > Instead, like SMB, it takes the session key already calculated and
> > applies a unique-to-SMB2 algorithm to it. This involves sha256 I
> > think.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                                http://samba.org/~abartlet/
> > Authentication Developer, Samba Team           http://samba.org
> > Samba Developer, Cisco Inc.
> >
>
> I have had luck with some kernel crypto apis while working on this code.
> I have been able to use arc4 and md5 hash apis successfully while
> not being able to figure out hmac-md5 apis and I had not even
> looked at sha, which I will.
>
> What is confusing to me is, current cifs code using ntlmv2 within
> ntlmssp authenticates and signs against Windows 2003 server
> successfully.
>
> But it does not against Windows 7 and Windows 2008 (I do not have
> a Windows Vista installation). I am currently changing the code and
> I am sure I would be able to authenticate using ntlmv2 within ntlmssp.
> Signing is what is confusing.
>
> With smb2 client also, I can authenticate against Windows 7 and
> Windows 2008 but signing fails.
>
> So I am confused about what algorithm to use for cifs to sign
> against Windows 7 and Windows 2008 server for ntlmv2 within ntlmssp
> and what algorithm to use for smb2 to sign against a Windows 7
> and Windows 2008 server for ntlmv2 within ntlmssp.
>
> I have been reading and following MS-NLMP and
> http://davenport.sourceforge.net/ntlm.html

The trick here is only to follow these up to the point at which the
master key is generated, not the signing or sealing keys.

The master key (16 bytes) is the input to the special SMB and SMB2 signing
algorithms.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
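Added example (not part of the original messages, and not Samba or cifs code): a userspace Python sketch of the two signing algorithms the reply refers to, both keyed with the 16-byte session key rather than the NTLMSSP signing or sealing keys. It covers the SMB 2.0.2/2.1 dialects (HMAC-SHA256, as published in MS-SMB2) and classic SMB (MD5, as published in MS-CIFS); the function names, the sample messages and the caller-supplied `response` argument are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Byte ranges of the signature fields inside the fixed-size headers.
SMB2_SIG = slice(48, 64)   # 16-byte Signature in the 64-byte SMB2 header
SMB1_SIG = slice(14, 22)   # 8-byte SecuritySignature in the 32-byte SMB header

# Constructed sample messages (header skeleton plus a dummy body), not captures.
SAMPLE_SMB2 = b"\xfeSMB" + struct.pack("<H", 64) + bytes(58) + b"constructed body"
SAMPLE_SMB1 = b"\xffSMB" + bytes(28) + b"constructed body"


def smb2_sign(session_key: bytes, message: bytes) -> bytes:
    """Sign an SMB 2.0.2/2.1 message: HMAC-SHA256 over the whole message
    with the Signature field zeroed, truncated to 16 bytes."""
    if len(session_key) != 16 or len(message) < 64 or message[:4] != b"\xfeSMB":
        raise ValueError("need a 16-byte session key and a complete SMB2 message")
    buf = bytearray(message)
    buf[SMB2_SIG] = bytes(16)
    buf[SMB2_SIG] = hmac.new(session_key, bytes(buf), hashlib.sha256).digest()[:16]
    return bytes(buf)


def smb2_verify(session_key: bytes, message: bytes) -> bool:
    """Recompute the signature and compare in constant time."""
    try:
        expected = smb2_sign(session_key, message)
    except ValueError:
        return False
    return hmac.compare_digest(expected[SMB2_SIG], message[SMB2_SIG])


def smb1_sign(session_key: bytes, response: bytes, message: bytes, seq: int) -> bytes:
    """Sign a classic SMB message: MD5(key || response || message), where the
    signature field temporarily holds the sequence number; keep 8 bytes.
    `response` is the challenge response MS-CIFS concatenates to the key;
    what it contains depends on the authentication mode (caller's choice here)."""
    if len(message) < 32 or message[:4] != b"\xffSMB":
        raise ValueError("need a complete SMB message")
    buf = bytearray(message)
    buf[SMB1_SIG] = struct.pack("<II", seq, 0)   # sequence number + 4 zero bytes
    buf[SMB1_SIG] = hashlib.md5(session_key + response + bytes(buf)).digest()[:8]
    return bytes(buf)
```

Neither function produces the NTLMSSP layout quoted earlier in the thread (version, 8 bytes of ciphertext, sequence number), which is why an SMB2 trace signature looks nothing like it.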