RE: Basic/NT: Case sensitivity of the passwords.

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 9 May 2001 16:39:14 +1000

> -----Original Message-----
> From: Chemolli Francesco (USI) [mailto:ChemolliF@GruppoCredit.it]
> Sent: Wednesday, May 09, 2001 4:49 PM
> To: 'Eric Dumas'; squid-dev@squid-cache.org
> Subject: RE: Basic/NT: Case sensitivity of the passwords.
>
>
> > Hello.
> >
> > I am currently looking at the Basic/NT authentication
> > system of Squid,
> > and I found out that whatever password entered, it will be
> > considered
> > as case-insensitive by the PDC when sent in clear.
> >
> > Does anybody know how to change this behavior as it could be a
> > potential issue? According to the last samba code I looked at, the
> > behavior should be exactly the same (so, passwords are
> > case-insensitive), even if the password is crypted (using
> > SMBEncrypt).
>
> This is a "feature" of the authentication scheme.
> NT authentication can use two different hashes for auth
> purposes. One is the (more recent) "NT hash", which is case-sensitive.
> The other is the (older) "LM hash" (as in Lan Manager hash) which is
> case-insensitive, and is the one used by the auth code.
> The problem is, I'm not really sure on HOW (if it's possible at all)
> to use the stronger NT hash scheme.

I believe Eric is referring to a particular basic auth helper, not
the NTLM version of squid...

Rob
 
> This case-insensitivity is one of the most dangerous aspects
> of the NT authentication schemes. Since it reduces the key space
> enormously, brute-forcing an LM password is not hard at all.
>
> --
> /kinkie
>
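An added illustration (not from this thread or from Squid's code) of why the LM hash cannot distinguish case: the key-derivation step uppercases the password, truncates or pads it to 14 bytes, and splits it into two independent 7-byte DES keys. It assumes an ASCII OEM code page and leaves out the final DES encryption of the fixed constant, since the key material alone shows which passwords collide.

```python
# Added example, not part of the original thread: the LM-hash key derivation
# that makes Lan Manager authentication case-insensitive. Assumes the OEM
# code page is plain ASCII. The final step (DES-encrypting a fixed constant
# with each 8-byte key) is omitted; identical key material means identical
# LM hashes.

LM_MAX_LEN = 14


def lm_prepare(password: str) -> bytes:
    """Canonicalise a password as the LM hash does: OEM/ASCII bytes,
    uppercased, then truncated or NUL-padded to exactly 14 bytes."""
    data = password.upper().encode("ascii", errors="replace")[:LM_MAX_LEN]
    return data.ljust(LM_MAX_LEN, b"\x00")


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Split the canonical 14 bytes into two independent 7-byte DES keys."""
    data = lm_prepare(password)
    return data[:7], data[7:]


def des_key_from_7(seven: bytes) -> bytes:
    """Expand 7 key bytes (56 bits) into the 8-byte DES key form: each
    7-bit group is shifted left one bit and the low bit is set so the
    byte has odd parity, as DES expects."""
    bits = int.from_bytes(seven, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F  # next 7 key bits
        byte = chunk << 1
        if bin(chunk).count("1") % 2 == 0:
            byte |= 1  # parity bit makes the byte's popcount odd
        out.append(byte)
    return bytes(out)


def lm_key_material(password: str) -> tuple[bytes, bytes]:
    """The two DES keys LM would use for this password."""
    first, second = lm_halves(password)
    return des_key_from_7(first), des_key_from_7(second)


def same_lm_hash(p1: str, p2: str) -> bool:
    """True when LM authentication cannot tell the two passwords apart."""
    return lm_key_material(p1) == lm_key_material(p2)


def second_half_is_empty(password: str) -> bool:
    """True for passwords of 7 or fewer characters: the second DES key is
    then the constant derived from seven NUL bytes, so only one 7-byte
    half actually has to be guessed."""
    return lm_halves(password)[1] == b"\x00" * 7
```

Because the two halves are hashed independently and only uppercase characters survive, each half is a search over at most 7 characters from a reduced alphabet, which is the key-space reduction the thread refers to.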
Received on Wed May 09 2001 - 00:47:52 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:00 MST