Comment Re:Article one giant spew of hyperbole (Score 1) 171
The article states "the encryption method used was devised in 1998 and is weak by todayâ(TM)s standards
When faced with claims of security it is necessary to fully understand the underlying basis of trust without which security is a mirage.
What is the mechanism by which one system or user authenticates the identity of another system or user and why is this process trustworthy?
Without secure authentication and proper binding encryption by itself is useless.
You are going need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.
How are the key parameters to AES and HMACs derived? If an attacker can figure that out then a whopping $0 worth of GPUs will suffice.
So how about it... where does this magical session key for admittedly very substantial and well engineered SMB3 encryption come from?
The answer is NTLMv2 or Kerberos. This is a "bad deal". NTLMv2 credentials can be stolen and replayed with impunity by launching offline brute force attacks against captured challenge response. Ditto for Kerberos. Game over.