RE: focus-ms@securityfocus.com

From: Fred Langston (Fred.Langston_at_guardent.com)
Date: 09/05/03

  • Next message: Jake Frost: "MS03-008 and SP4"
    To: 'Zachary Mutrux' <zmutrux@compumentor.org>, focus-ms@securityfocus.com
    Date: Fri, 5 Sep 2003 16:11:27 -0400 
    
    

    These are encrypted using a one-way hash; hence, the encryption is
    irreversible by definition.

    Fred Langston, CISSP
      Senior Principal Consultant
      W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
      Seattle, WA www.Guardent.com
    ________________________________________
    G U A R D E N T
      Enterprise Security and Privacy Programs

    -----Original Message-----
    From: Zachary Mutrux [mailto:zmutrux@compumentor.org]
    Sent: Friday, September 05, 2003 10:31 AM
    To: focus-ms@securityfocus.com
    Subject: RE: focus-ms@securityfocus.com

    Thank you, Brian.

    > "irreversibly"?

    So the credentials are encrypted and stored in the registry after you
    successfully authenticate to a domain controller. Then when a domain
    controller is not available, you submit your credentials again, they are
    encrypted again, and they are compared with the encrypted copy that is
    cached. If they match, you get in.

    It does seem to me that anything that can be encrypted can be decrypted.
    Especially if the same method results in two encrypted copies that can be
    compared. Does anyone disagree?

    Zac

    > -----Original Message-----
    > From: Perry, Brian [mailto:Brian.Perry@phns.com]
    > Sent: Thursday, September 04, 2003 7:32 AM
    > To: Paulo Wilbert; Kim Oppalfens; simonis@myself.com; fala83@libero.it
    > Cc: focus-ms@securityfocus.com; todd@toddschubert.com
    > Subject: RE: focus-ms@securityfocus.com
    >
    >
    > If I may....Quoting MS Security Resource Kit... pg.79
    >
    > Cached Credentials
    > "By default, Windows NT, Windows 2000, and Windows XP cache the
    > credentials of domain accounts used to log on to the network at the
    > local computer. The credentials include the users name, password, and
    > domain. Rather than storing the actual credential information, the
    > information is stored in an irreversibly encrypted form and on the
    > local computer."
    >
    > "irreversibly"?
    >
    > bp

    ---------------------------------------------------------------------------
    KaVaDo provides the first and only integrated Web application scanner and
    firewall security suite that prevent Web applications attacks, the most
    common form of online exploitation. Download a FREE whitepaper on Security
    Policy Automation for Web Applications.
    http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    KaVaDo provides the first and only integrated Web application scanner and
    firewall security suite that prevent Web applications attacks, the most
    common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
    http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
    ---------------------------------------------------------------------------


  • Next message: Jake Frost: "MS03-008 and SP4"

    Relevant Pages

    • Re: Where to store private key
      ... Storing your secrets directly in code is a very bad ... You need to protect the access credentials ... Windows login password to protect your login user environment). ... You generate a good random encryption credential using PasswordDeriveBYtes ...
      (microsoft.public.dotnet.security)
    • Re: Accessing documents from a corrupted harddrive
      ... The other reason is not so simple, applies only to XP Pro, and involves encryption and account credentials. ... When you tell XP Pro that you want to use encryption, you need to - *but you don't have to*, and this is where the danger lies - export the account credentials or specify a recovery agent. ... There is no way to decrypt the encrypted data without the importing the exported credentials, and if that wasn't done the data is effectively gone. ...
      (microsoft.public.windowsxp.general)
    • Re: Accessing documents from a corrupted harddrive
      ... encryption and account credentials. ... credentials or specify a recovery agent. ... There is no way to decrypt the encrypted data without the importing the ...
      (microsoft.public.windowsxp.general)
    • Re: How is this done?
      ... >And what security protects the transmission of the login ... could be passing the credentials to any auth mechanism) ... That's quite a lot of encryption. ... Regards, ...
      (microsoft.public.inetserver.iis.security)
    • Re: username and Password sent as clear text strings
      ... encryption of the traffic. ... SSL is used. ... client, it would seem like too much hassle for a low possibility hack. ... This is how all web applications on the planet work today by design. ...
      (Pen-Test)