Server requests session key of the client

  • Question

  • Hi

    I apologise if this is the wrong place to ask as this is more an implementation than a protocol question but the page MS-SMB2 3.3.4.5 Server Application Requests Session Key of the Client seems to indicate that it is possible to get the derived application key for a session on the SMB Server. I've been looking into documentation in Windows to see how this may be possible but the closest thing I could find is ImpersonateNamedPipeClient to impersonate the user but even then I'm unsure how to bridge the gap and get the session/application key from there.

    As a bit of background I'm hoping to use this key to encrypt the bytes being sent in a named pipe over SMB so that any secrets going across the wire can't be sniffed out. I'm aware that SMB 3 has encryption on the protocol level but for older dialects this isn't possible which is why I'm hoping there was a mechanism to retrieve the key for a client connection.

    Thanks

    Jordan


    Friday, January 17, 2020 2:29 AM

Answers

  • Hi Jordan:

    While SMB 2 and earlier versions do not provide encryption, named pipe over SMB is generally used by RPC, which provides its own encryption (sealing) which is independent of the SMB version.

    In case of Windows, the "application" in the section you mentioned is the server side of RPC API. An application programmer doesn't have to deal with implementing encryption and decryption.

    If you are writing an application that is using named pipe for RPC, you need to use the API for encryption and decryption. Windows RPC API is described here https://docs.microsoft.com/en-us/windows/win32/rpc/rpc-start-page



    Regards, Obaid Farooqi


    Friday, January 17, 2020 5:42 AM

All replies

  • Thanks, I prefer not to use RPC as that just adds more complication to the task but I appreciate the clarification.
    Thursday, January 23, 2020 12:30 AM
  • Hi Jordan:

    In that case, you may want to utilize the SSPI to do authentication and sealing by yourself. The SSPI API is documented at https://docs.microsoft.com/en-us/windows/win32/rpc/security-support-provider-interface-sspi-


    Regards, Obaid Farooqi

    Thursday, January 23, 2020 10:23 PM
  • Obaid, that's my problem, I have to reauthenticate once the SMB session has been set up which adds more round trips to the process. I haven't found a way to reutilise the SSPI context set up in the SMB session (if that is even possible).
    Wednesday, January 29, 2020 7:35 PM
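
The SSPI approach suggested in the thread, as an added example that is not code from any participant or from Microsoft: .NET's `NegotiateStream` runs the SSPI Negotiate handshake over the pipe itself and then signs and encrypts every write, independent of the SMB dialect. The pipe name, the empty target name and the message are assumptions; the handshake shown is the second authentication, with its extra round trips, that the last reply refers to.

```csharp
using System;
using System.IO;
using System.IO.Pipes;
using System.Net;
using System.Net.Security;
using System.Security.Principal;
using System.Threading.Tasks;

class SealedPipeDemo
{
    const string PipeName = "sealed-demo"; // hypothetical pipe name

    static void Main()
    {
        Task server = Task.Run(RunServer);
        RunClient("."); // "." is the local machine; a remote host name carries the pipe over SMB
        server.Wait();
    }

    static void RunServer()
    {
        using var pipe = new NamedPipeServerStream(PipeName, PipeDirection.InOut);
        pipe.WaitForConnection();
        using var sspi = new NegotiateStream(pipe, leaveInnerStreamOpen: false);
        // SSPI handshake inside the pipe, separate from the SMB session setup.
        sspi.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
            ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
        // Refuse to read anything unless the negotiated context seals and signs.
        if (!sspi.IsEncrypted || !sspi.IsSigned)
            throw new InvalidOperationException("channel is not sealed");
        using var reader = new StreamReader(sspi);
        Console.WriteLine($"{sspi.RemoteIdentity.Name}: {reader.ReadLine()}");
    }

    static void RunClient(string host)
    {
        using var pipe = new NamedPipeClientStream(host, PipeName, PipeDirection.InOut);
        pipe.Connect(5000); // wait up to 5 s for the server end to exist
        using var sspi = new NegotiateStream(pipe, leaveInnerStreamOpen: false);
        // Assumption: empty target name, which suits NTLM; Kerberos needs the server's SPN.
        sspi.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, "",
            ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
        using var writer = new StreamWriter(sspi) { AutoFlush = true };
        writer.WriteLine("constructed secret"); // encrypted before it reaches the pipe
    }
}
```

The server can also check `sspi.IsMutuallyAuthenticated` when Kerberos is expected, since NTLM does not authenticate the server to the client.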