RE: NTLM

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Mon, 25 Feb 2002 10:43:31 +0100

> On Monday 25 February 2002 09:53, Chemolli Francesco (USI) wrote:
>
> > The negotiate packet _does_ say something, there's the "flags"
> > bitfield which defines several parameters to be used in the
> > following phases (i.e. "I understand Unicode")
>
> Exactly, and that is why not having it when generating the challenge packet
> is broken. The challenge generator and the browser need to agree on
> the flags.
>
> There are at minimum two flags that are important
> - NTLMSSP_NEGOTIATE_UNICODE (0x00000001)
> - NTLMSSP_NEGOTIATE_NTLM2 (0x00008000)

Easy: the NTLMSSP helper understands neither, so those are always reset :)
If you're talking about future protocol extensions where the helpers might
not see the whole picture, I agree that it wouldn't be wise.

> As the flags field is only exchanged during the negotiation, things
> break down in the current scheme.
>
> Even if you were to have Squid do the flags field negotiation
> correctly (which AFAICT it does not), the helper MUST know the
> negotiated flags when parsing the response.

Squid currently just asserts its own flags, it doesn't care about what
the other hand has to say.

> Should also note that there should be a slight difference in the
> challenge when NTLMv2 is used.

I'd need doco on this.

> Also, I fail to understand how you can reuse challenges in the
> current design. For this you really need to move the challenge
> generation into Squid and using that secure channel to verify the
> responses with the selected challenge.

There is a mapping between a client and the helper process which
generated the challenge. As long as the helper doesn't fail, that
challenge can be reused.

> Having challenge reuses per client IP could be made to work sort of..
> (95%). But will fail if there is a change in active user at the IP,
> either by another user logging on, or by multiuser stations such as
> TS.

For security reasons it would be better not to use the same challenge
on the same client, I think. It limits the possibility of replay attacks.
But since we can only have a limited number of in-use challenges
(one per helper process) it would be hard to do, and probably pointless.

-- 
	/kinkie 
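The flags disagreement discussed in this message, shown as an added example that is not code from the thread, from Squid or from its NTLM helpers. It builds a constructed Type 1 (negotiate) and Type 2 (challenge) message, reads the flags field out of each (offset 12 in Type 1, offset 20 in Type 2, after the TargetName security buffer), and lists the ways a challenge's flags disagree with what the client offered. The two flag values are the ones quoted above; the other bit values follow standard NTLMSSP assignments, and the note that the current MS-NLMP specification names 0x00008000 ALWAYS_SIGN and puts the NTLM2 session-security bit at 0x00080000 is my addition. The sample exchange, domain, workstation and challenge bytes are all constructed for the example.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1  # Type 1, client -> server
CHALLENGE_MESSAGE = 2  # Type 2, server -> client

# Flag bits. The two named in the thread carry the values quoted there;
# the rest are the standard NTLMSSP assignments.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_NTLM2 = 0x00008000  # name/value as quoted; MS-NLMP calls this bit ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # MS-NLMP's NTLM2 session-security bit

FLAG_NAMES = {
    NTLMSSP_NEGOTIATE_UNICODE: "NTLMSSP_NEGOTIATE_UNICODE",
    NTLMSSP_NEGOTIATE_OEM: "NTLMSSP_NEGOTIATE_OEM",
    NTLMSSP_REQUEST_TARGET: "NTLMSSP_REQUEST_TARGET",
    NTLMSSP_NEGOTIATE_NTLM: "NTLMSSP_NEGOTIATE_NTLM",
    NTLMSSP_NEGOTIATE_NTLM2: "NTLMSSP_NEGOTIATE_NTLM2",
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
}

# Capability bits the client advertises. A challenge that turns one of these
# on without the client having offered it leaves the two sides disagreeing
# on how the Type 3 response is encoded and computed.
CLIENT_OFFERED_BITS = (
    NTLMSSP_NEGOTIATE_UNICODE,
    NTLMSSP_NEGOTIATE_OEM,
    NTLMSSP_NEGOTIATE_NTLM,
    NTLMSSP_NEGOTIATE_NTLM2,
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY,
)


def _security_buffer(data, offset):
    """Pack an NTLMSSP security buffer (len, maxlen, offset) describing payload data."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_negotiate(flags, domain=b"", workstation=b""):
    """Construct a Type 1 message: signature, type, flags, domain and workstation buffers."""
    payload_offset = 32  # 8 signature + 4 type + 4 flags + 2 * 8-byte security buffers
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
    msg += _security_buffer(domain, payload_offset)
    msg += _security_buffer(workstation, payload_offset + len(domain))
    return msg + domain + workstation


def build_challenge(flags, server_challenge, target_name=b""):
    """Construct a Type 2 message carrying an 8-byte server challenge and no target info."""
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    payload_offset = 48  # header ends after the (empty) TargetInfo security buffer
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += _security_buffer(target_name, payload_offset)
    msg += struct.pack("<I", flags) + server_challenge + b"\x00" * 8  # flags, challenge, reserved
    msg += _security_buffer(b"", payload_offset + len(target_name))
    return msg + target_name


def parse_message(msg):
    """Return {'type', 'flags', 'challenge'} for a Type 1 or Type 2 message.

    Type 1 carries its flags directly after the message type (offset 12).
    Type 2 has the TargetName security buffer in between, so its flags are
    at offset 20 and the 8-byte server challenge at offset 24.
    """
    if len(msg) < 16 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == NEGOTIATE_MESSAGE:
        flags = struct.unpack_from("<I", msg, 12)[0]
        return {"type": msg_type, "flags": flags, "challenge": None}
    if msg_type == CHALLENGE_MESSAGE:
        if len(msg) < 32:
            raise ValueError("truncated challenge message")
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": msg_type, "flags": flags, "challenge": msg[24:32]}
    raise ValueError("unsupported NTLMSSP message type %d" % msg_type)


def flag_names(flags):
    """Names of the known bits set in flags, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def check_agreement(negotiate_flags, challenge_flags):
    """List the ways a challenge's flags disagree with what the client offered."""
    problems = []
    for bit in CLIENT_OFFERED_BITS:
        if challenge_flags & bit and not negotiate_flags & bit:
            problems.append("%s set in challenge but not offered in negotiate" % FLAG_NAMES[bit])
    encoding = challenge_flags & (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM)
    if encoding == 0:
        problems.append("challenge selects neither UNICODE nor OEM string encoding")
    elif encoding == (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM):
        problems.append("challenge selects both UNICODE and OEM; the server must pick one")
    return problems


if __name__ == "__main__":
    # Constructed sample exchange: the client offers UNICODE + NTLM, and a
    # challenge generator that ignores the client's flags asserts NTLM2 on top.
    client_flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    type1 = build_negotiate(client_flags, b"DOM", b"WS")
    type2 = build_challenge(client_flags | NTLMSSP_NEGOTIATE_NTLM2, bytes(range(8)))
    offered = parse_message(type1)["flags"]
    asserted = parse_message(type2)["flags"]
    print("client offered :", flag_names(offered))
    print("server asserted:", flag_names(asserted))
    for problem in check_agreement(offered, asserted):
        print("MISMATCH:", problem)
```

The check is deliberately limited to capability bits the client advertises; a server legitimately sets target-related bits the client never sends, so a blanket "challenge flags must be a subset of negotiate flags" test would produce false alarms.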
Received on Mon Feb 25 2002 - 07:47:05 MST
