Re: Logon protocols

From: Invisible (orphi69_at_hotmail.com)
Date: 06/18/03 

Date: Wed, 18 Jun 2003 02:21:28 -0700

>> So when a user tries to log in, the client sends their
>> username and a hash of their password to the DC?
>Not actually. It's a challenge/response protocol. So you
prove that you know
>the secret (password) by computing a result from a value
sent to you by the
>server (using the hash of the pwd). It's the result that
goes encrypted on
>the wire.

Right... so the server sends the client some random data,
and the client sends back a hash of the data AND the
password? (And since the random data is different every
time, the computed hash will be different, but easily
checkable by any system that knows what the password
SHOULD be.) Is that how it works approximately?

>> Is this suseptable to a replay attack?
>No. The challenge changes for every connection attempt.

Good to hear...

>> >By default, two hashes are created : LMHash and NTHash.
>>
>> So Win9x uses LMHash and WinNT uses NTHash?
>Yes. Moreover there are 2 versions of NTLM : 1 and 2. The
second is the more
>robust.

Mmm, who'd have thought? ;-) Who uses what? (We only have
NT 4.0 workstations, if that makes any difference.)

>> (But I can make Win9x use the stronger NTHash by
>> installing the DS client. Does it require any other
>> configuration, or does it automatically stop using LM?)
>I do think so but should check. If I remember correctly,
there is a
>limitation. You can logon using NTLM with AD client on
Win9x but you can't
>change your password. You then have to go on a NT,W2K,
WXP,W2K3 machine to
>do that.

Sounds likely... we're trying to get rid of the Win9x
computers anyway. ;-)

Thankyou!

Relevant Pages

  • Re: Socket Server with Encryption help
    ... After reading your post I got a very strong suspicion that regardless of your saying that you read "a lot of papers about Symmetric, Asymmetric, Hash, Envelope and Signature" you didn't read even distantly enough to be able to implement something even distantly secure. ... The classical paper on three party authenticated protocols design was written by Needham and Schroeder "Using encryption for authentication in large networks of computers" in 1978, where they described several protocols, one of witch was modified, strengthened and extended a bit later to become what is now known as Kerberos. ... I've started to develop a server and client socket classes with encryption. ...
    (microsoft.public.dotnet.security)
  • Re: Custom Authentication with WSE 2.0
    ... Get the Client to hash the password before sending the password over. ... Based on the custom handler in web.config Wse instantiates the custom ... to encrypt the passwords (the username for example), so that way I can come ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Webservice or not Advice
    ... Http is not a guarantted protocol though. ... longas the client does the same) as a aecondary argument. ... also calculate a hash value once the dataset is received. ... I'm wondering since im calling up a webservice to pass a ...
    (microsoft.public.dotnet.distributed_apps)
  • Re: public key vs passwd authentication?
    ... > original salt and the sequence number. ... the client might possibly want to keep a log of all server "salts" ... if any client hash value leaks that is for an iteration less than ... currently be used by a server. ...
    (comp.security.ssh)
  • Re: kerberos!
    ... the client can specify the level- it is not always the "strongest ... And it is NTLMv2, NTLM, and LM. ... > in NTLMv3 the Password hash is still consistent. ...
    (NT-Bugtraq)
Quantcast