WPA2 bugz - One Man's Quick & Dirty Response
Benjamin Kaduk
kaduk at mit.edu
Fri Oct 20 02:14:44 UTC 2017
On Thu, Oct 19, 2017 at 03:07:57PM +0200, WhiteWinterWolf (Simon) wrote:
> Hi Benjamin,
>
> Le 19/10/2017 à 00:43, Benjamin Kaduk a écrit :
> >> NFS has no built-in encryption, it may be possible to tunnel it but this
> >> is out-of-scope here (using a VPN and tunnel everything would be easier
> >> than nitpicking and tunnel only the NFS data flow).
> >
> > This statement is either false or highly misleading. NFS (both v3 and v4)
> > is an RPC protocol, and RPCSEC_GSS exists and can provide per-message
> > confidentiality protection. It may be true that Kerberos is basically
> > the only GSS-API mechanism implemented for RPCSEC_GSS, and the necessary
> > Kerberos setup is far more painful to set up than it needs to be,
> > but all modern NFS implementations support it.
>
> The support RPCSEC_GSS has been added in NFSv4, it was not available in
> NFSv3.
>
> Try to find any mention of RPCSEC_GSS in NFSv3 RFC:
> https://tools.ietf.org/html/rfc1813
>
> NFSv4 RFC on the other side documents the addition of this feature in
> the protocol:
> https://tools.ietf.org/html/rfc3010
Right, NFSv4 built it in from the start whereas it had to be hacked onto
NFSv3
> Don't confuse RPCSEC_GSS with AUTH_KERBEROS and AUTH_DES, which weren't
> widely supported and protect only the authentication phase: in-transit
> data was still left unprotected (and this is what we are talking about
> with this KRACK issue).
It seems that RFC 2623 aims to clarify their differences.
(It only covers the single-DES kerberos enctypes, which are not particularly
secure anymore; see RFC 6649.)
> The NFSv3 protocol itself had no authentication whatsoever, full trust
> was given to the client system, making it a blatant security hole in
> most infrastructures. That's precisely one of the reasons why NFSv4 was
> needed.
Indeed, the design goals were from a different era (and before my time).
> I don't know if they managed to make it easy to use or if an external
> Kerberos server is required, but in the former case that would indeed be
> a great choice for end-users (but, given it is not the default and seems
> to be among the "advanced" options, I fear that setting-up Kerberos is
> left as an exercise for the user).
Alas, it is left that way all too often. Since we're on the topic, I'll link
http://web.mit.edu/kerberos/krb5-latest/doc/admin/install.html
and note that that is quite different from the Heimdal included in the
FreeBSD base system.
>
> >> SMB has no widely compatible encryption:
> >>
> >> - Microsoft has built its own, proprietary encryption available and
> >> compatible only with the latest Windows versions.
> >> - Open source implementations rely on TLS, natively supported by some
> >> client but requiring (AFAIK) `stunnel` server-side.
> >
> > I am not a SMB/CIFS expert, but (e.g.)
> > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1670508 seems to
> > indicate that "proprietary" is false, and does not give much support
> > to the claim that it requires TLS. (I believe in-kernel TLS support
> > had not landed by June, when Xenial was getting its fix.)
>
> Sorry, but Microsoft SMB extensions *are* proprietary extensions.
>
> I encourage your to read the following page which explains the
> impressive work made by Samba people:
>
> https://www.samba.org/samba/docs/myths_about_samba.html
>
> And in particular the description of their "French cafe" technique:
>
> http://samba.org/ftp/tridge/misc/french_cafe.txt
Fair enough, and thank you for the links. I don't do much with SMB, myself,
so had to try to search while writing my previous mail.
-Ben
More information about the freebsd-security
mailing list