Henrik Nordstrom wrote:
>
> Some terminology to ensure we all talk about the same things..
Some random jottings on the terms, just for interest:
> LANMAN password hash
> User password hashed using the LANMAN method (DES)
Its use of two 7 byte blocks, and uppercased ASCII makes it easy to
attack.
> NT password hash
> User password hashed using the NT method (MD5)
It is an MD4 hash. (Four)
(I'm sure that was just a typo on your part).
It is also based on the unicode, which allows for sane international
passwords.
> LANMAN challenge/response
> The LANMAN challenge/response mechanism, based on the LANMAN hash
>
> NTLM challenge/response
> The NT challenge/response mechanism. Designed to address some major
> security flaws of LANMAN challenge/response algorithm. Based on the
> NT hash.
While it uses the NT hash, it still uses DES to do the
challenge-response check.
> NTLMv2 challenge/response
> The improved NT challenge/response mechanism to address some major
> security flaws in NTLM challenge/response algorithm. Also based on
> the NT hash.
Implemented in Samba TNG for a couple of years, an implementation was
merged into HEAD last year, but does not function with NTLMSSP (yet).
As such not used or tested.
Uses MD5 for the challenge-response work.
> NTLMSSP
> The binary message format used by the Microsoft NTLM Security Support
> Provider. The Microsoft NTLM SSP supports LANMAN, NTLM and NTLMv2
> challenge/response algorithms for password verification, and a wide
> variety of protocol options for different identification purposes..
Known open source implementations (at least):
Samba (authenticated pipes)
Samba TNG (authenticated pipes)
Samba (Session Setup)
Squid
modntlm.sf.net
Fetchmail (?) libntlm(?) (just names I've heard, clients)
> NTLM over HTTP
> This is actually NTLMSSP over HTTP. The MS Proprietary authentication
> scheme allowing IE to log on automatically to web servers/proxies.
> Uses base64 encoded NTLMSSP messages.
Known implementations:
Squid
modntlm.sf.net
> MS CHAP
> Microsoft variant of CHAP, using NTLM challenge/response
Simple hack to backend CHAP into NT domains. Backend via winbind would
be trivial.
> MSCHAPv2
> Second version of Microsoft CHAP to address serious security flaw.
> Also uses NTLM challenge/response.
Of particular note because it uses a mutually agreed challenge (rather
than a server-specified/spoofable one).
Backends onto standard NTLM server-trust-account RPC connections, uses
session key.
I intend (and my current winbind changes work towards this) to allow
pppd on linux to backend via winbind to an NT domain for this.
Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Received on Wed May 15 2002 - 04:36:53 MDT