I am trying to connect to MS-SQL-Analysis-Services via TCP, and I am looking for information on how encryption is actually done.

I've found https://web.archive.org/web/20080905014603/http:/sqlblog.com/blogs/mosha/archive/2005/12/02/analysis-services-2005-protocol-xmla-over-tcp-ip.aspx, which says that the messages are encrypted, but not how. And from https://learn.microsoft.com/en-us/openspecs/sql_server_protocols/ms-ssas/be97878a-81ba-46cc-bde1-0d2548cd7e05 I know that there is a header with length information of data and token, but not how encryption is done.

The reference to RFC2743 or GSS-API is not very useful, because GSS_wrap uses some other format.

Where can I find some reference implementation of the encryption done in XMLA?

Daniel
  • [This](https://learn.microsoft.com/openspecs/sql_server_protocols/ms-ssas/be84959b-ec40-4f5a-b18b-b271b0901668) has a little more and refers to RFC 4178 (GSS negotiation). A little more digging leads us [here](https://learn.microsoft.com/openspecs/sql_server_protocols/ms-ssas/427a9bf1-c3fc-4bb5-a10b-ddde06f22024) -- basically it uses SPNEGO through SSPI, probably much as TDS does (though I haven't checked that). A full, detailed description of what happens probably still needs a packet trace and some trial and error. – Jeroen Mostert Jul 25 '22 at 13:15
  • Note that MS provides ready-to-go .NET libraries for XMLA for both .NET Framework and Core (in the `Microsoft.AnalysisServices.AdomdClient` packages), though this wraps some managed code and the whole thing is not open source. I suggest using those unless you have a very specific need for reimplementing or reversing things. – Jeroen Mostert Jul 25 '22 at 13:21
  • Should be "wraps some *unmanaged* code" in the above, obviously. – Jeroen Mostert Jul 25 '22 at 13:32

1 Answer

AnalysisServices expects encrypted data in the form length of data : length of signature : data : signature. The term token for the signature is misleading.

The GSS-API function GSS_wrap, on the other hand, produces output of the form signature : data, where the signature has a fixed length of 16 bytes.

Daniel
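
The reordering described in the answer above, as an added example that is not part of the original post or of any Microsoft code. The function names are hypothetical, and the width and byte order of the two length fields (4-byte little-endian here) are an assumption the page does not state; confirm them against MS-SSAS or a packet trace.

```python
import struct

GSS_SIG_LEN = 16  # fixed signature length of GSS_wrap output, per the answer above
# Assumption (not stated on the page): each length field is a 4-byte
# little-endian unsigned integer.
HDR = struct.Struct("<II")


def gss_wrap_to_ssas(wrapped: bytes) -> bytes:
    """Reorder GSS_wrap output (signature : data) into
    length of data : length of signature : data : signature."""
    if len(wrapped) < GSS_SIG_LEN:
        raise ValueError("GSS_wrap output shorter than its signature")
    sig, data = wrapped[:GSS_SIG_LEN], wrapped[GSS_SIG_LEN:]
    return HDR.pack(len(data), len(sig)) + data + sig


def ssas_to_gss_wrap(buf: bytes) -> tuple[bytes, bytes]:
    """Parse one frame from buf; return (signature : data, remaining bytes).

    Both lengths come from the peer, so they are validated before slicing.
    """
    if len(buf) < HDR.size:
        raise ValueError("truncated header")
    data_len, sig_len = HDR.unpack_from(buf)
    if sig_len != GSS_SIG_LEN:
        raise ValueError(f"unexpected signature length {sig_len}")
    end = HDR.size + data_len + sig_len
    if end > len(buf):
        raise ValueError("frame longer than received bytes")
    data = buf[HDR.size:HDR.size + data_len]
    sig = buf[HDR.size + data_len:end]
    return sig + data, buf[end:]


if __name__ == "__main__":
    # Constructed sample: 16 placeholder signature bytes and a dummy ciphertext.
    sample = bytes(range(16)) + b"<ciphertext>"
    frame = gss_wrap_to_ssas(sample)
    print(frame.hex())
    print(ssas_to_gss_wrap(frame + b"next")[0] == sample)
```

The second function returns data in the signature : data order, ready to hand to the unwrap call of whatever GSS-API or SSPI binding is in use.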