CIFS Security Specs Update

(Pick up NEW VERSION of "CIFS Authentication Protocol" -- see below)

There are three new documents available describing proposed fixes to the CIFS/SMB authentication protocols. We are making these available in order to facilitate widespread public review. The fixes, if they pass review, will be available in Service Pack 3.

The original protocol from which the new version descends was designed more than a decade ago, and quite a few weaknesses have recently been found in those earlier versions. This latest revision is an attempt to repair some of those weaknesses with as small a change to the protocol as possible, so that it can be deployed incrementally and rapidly.

The updated protocol has two main improvements -- it supports mutual authentication, so the client verifies the server as well as the server verifying the client, which closes a "man-in-the-middle" attack; and it supports message authentication, so messages that an active attacker modifies, forges or replays after authentication are rejected rather than acted on.
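The two properties above, as an added example that is not from this page or from the CIFS specification documents: a generic three-message challenge/response in which each side proves knowledge of a shared secret before any data flows, followed by per-message authentication with a sequence number (sequence number handling is one of the items in the change list below). The HMAC-SHA256 construction, the message layout, the `SHARED_SECRET` value and all function names are assumptions for illustration only; they are not the CIFS/SMB wire format or algorithms.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical shared secret standing in for whatever the peers already share
# (constructed for this example; not a value from the specification).
SHARED_SECRET = b"example-shared-secret"


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function used for proofs and key derivation (assumed)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def mutual_authenticate(client_secret: bytes, server_secret: bytes) -> bytes:
    """
    Three-message challenge/response in which each side proves knowledge of
    the shared secret before any data is exchanged. Returns the derived
    session key; raises ValueError if either side fails to authenticate.
    """
    client_nonce = os.urandom(16)                     # message 1: client -> server
    server_nonce = os.urandom(16)
    # message 2: server -> client. The proof is bound to the fresh client nonce,
    # so a man-in-the-middle who lacks the secret cannot forge it or replay it.
    server_proof = _prf(server_secret, b"server", client_nonce, server_nonce)
    if not hmac.compare_digest(server_proof, _prf(client_secret, b"server", client_nonce, server_nonce)):
        raise ValueError("server failed to authenticate")
    # message 3: client -> server, bound to the server's nonce.
    client_proof = _prf(client_secret, b"client", server_nonce, client_nonce)
    if not hmac.compare_digest(client_proof, _prf(server_secret, b"client", server_nonce, client_nonce)):
        raise ValueError("client failed to authenticate")
    # Both sides now derive the same per-session signing key.
    return _prf(client_secret, b"session", client_nonce, server_nonce)


def sign_message(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticator over the sequence number and payload (truncated MAC)."""
    return _prf(session_key, b"msg", struct.pack(">Q", seq), payload)[:16]


class SignedChannel:
    """One direction of a signed session: the sender numbers and signs each
    message; the receiver accepts a message only if it carries the next
    expected sequence number and a valid authenticator."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0
        self.recv_seq = 0

    def send(self, payload: bytes):
        msg = (self.send_seq, payload, sign_message(self.key, self.send_seq, payload))
        self.send_seq += 1
        return msg

    def receive(self, msg) -> bool:
        seq, payload, tag = msg
        if seq != self.recv_seq:                      # replayed or reordered
            return False
        if not hmac.compare_digest(tag, sign_message(self.key, seq, payload)):
            return False                              # modified or forged
        self.recv_seq += 1                            # advance only on success
        return True


def demo() -> dict:
    """Run the active attacks that message authentication is meant to stop."""
    key = mutual_authenticate(SHARED_SECRET, SHARED_SECRET)
    client, server = SignedChannel(key), SignedChannel(key)
    m1 = client.send(b"open share/a.txt")             # constructed sample requests
    m2 = client.send(b"read 0..4096")
    seq2, _, tag2 = m2
    return {
        "genuine":  server.receive(m1),                                               # True
        "tampered": server.receive((seq2, b"write 0..4096", tag2)),                    # False
        "forged":   server.receive((seq2, b"delete", sign_message(b"guess", seq2, b"delete"))),  # False
        "replay":   server.receive(m1),                                               # False
        "in_order": server.receive(m2),                                               # True
    }


if __name__ == "__main__":
    print(demo())
```

The receiver checks the sequence number before the authenticator and advances it only on success, so a rejected message (tampered, forged or replayed) does not desynchronise the genuine stream; `hmac.compare_digest` is used for every comparison to avoid timing side channels.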

All three documents are available in .doc, .txt and postscript.

Distribution of these documents is unlimited. Please send comments to the authors at CIFS@MICROSOFT.COM. Discussion of CIFS is on the mailing list CIFS@LISTSERV.MSN.COM; subscribe by sending a message to LISTSERV@LISTSERV.MSN.COM with a body of "subscribe CIFS you@your.domain". There is a CIFS home page at http://www.microsoft.com/intdev/cifs.

CIFS Authentication Protocol

This document describes the authentication protocol abstracted from the implementation details, in order to make scrutiny of its security properties easier. It describes only the strongest of several variants of the authentication protocol; a brief summary of the other variants is at the end of the document, together with a description of how the real protocols vary from this abstraction.

CIFS Authentication Protocol Specification

The full details of the authentication protocols are in this document.

CIFS Security Considerations

This document contains a discussion of the security properties of the authentication protocols.

Changes:

3/28/97 -- new version (draft 4) of CIFS Authentication Protocol.
The old version is saved as "cifs-auth-3.*". Summary of changes:
- Incorporate all reported errata
- Fix sequence number handling
- Add description of key server protocol