[jcifs] Passwords longer than 14 characters

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Wed Apr 10 09:38:15 EST 2002

> -----Original Message-----
> From:	Zalewski, Michael J (Michael)** CTR ** [SMTP:mjzalewski at lucent.com]
> Sent:	Tuesday, April 09, 2002 7:23 PM
> To:	jcifs at lists.samba.org
> Subject:	RE: [jcifs] Passwords longer than 14 characters
> > The first thing to do, I'm afraid, is to go with 0.6.2, which is the
> > current production bugfix release.  It should just drop in, I believe.
> I tried upgrading to 0.6.2. Almost identical problem
> java.lang.ArrayIndexOutOfBoundsException
> 	at java.lang.System.arraycopy(Native Method)
> 	at jcifs.smb.SmbSession.getPreNTLMResponse(SmbSession.java:52)
> 	at jcifs.smb.SmbComSessionSetupAndX.writeParameterWordsWireFormat(SmbComSessionSetupAndX.java:59)
> 	at jcifs.smb.AndXServerMessageBlock.writeAndXWireFormat(AndXServerMessageBlock.java:102)
> 	at jcifs.smb.AndXServerMessageBlock.writeWireFormat(AndXServerMessageBlock.java:72)
> 	at jcifs.smb.SmbTransport.send(SmbTransport.java, Compiled Code)
> 	at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:149)
> 	at jcifs.smb.SmbSession.send(SmbSession.java:124)
> 	at jcifs.smb.SmbTree.treeConnect(SmbTree.java:122)
> 	at jcifs.smb.SmbTree.sendTransaction(SmbTree.java:50)
> 	at jcifs.smb.SmbFile.sendTransaction(SmbFile.java, Compiled Code)
> 	at jcifs.smb.SmbFile.queryPath(SmbFile.java:764)
> 	at jcifs.smb.SmbFile.exists(SmbFile.java:819)
> This stack trace is nearly identical to the problem in 0.6b9, except for the
> line numbers.
	Yes. This has never changed since encrypted authentication was added.

> This problem occurs whenever you use a password that is longer than 14
> characters, when you do something like this:
> SmbFile testFile = new SmbFile(
> "smb://domain;user:a_very_long_password@machine/share/testfile");
> testFile.exists();
> You can look at the method getPreNTLMResponse in source SmbSession.java
>     static byte[] getPreNTLMResponse( String password, byte[] challenge ) {
>         byte[] p14 = new byte[14];
>         byte[] p21 = new byte[21];
>         byte[] p24 = new byte[24];
>         System.arraycopy( password.toUpperCase().getBytes(), 0, p14, 0,
> password.length() );
	This is exactly the problem. I have been digging around trying to find the limitations
	on passwords. The description in the spec is here:


	There may be a reasonable fix. I'm not sure yet.

>         E( p14, S8, p21);
>         E( p21, challenge, p24);
>         return p24;
>     }
> This method allocates a 14 byte array for the password, then copies the
> password into the 14 byte array (apparently without ever truncating the
> password).
> I also tried truncating the password to 14 characters. When I did that, the
> ArrayIndexOutOfBounds exception no longer appeared. But I got a
> SmbException.ERRnoAccess, which is what I would expect because I gave the
> wrong password. 
	Well, this rules out the possibility that Windows would just truncate the password
	to 14 characters.

> However, this being Microsoft, I remember reading somewhere that the NT LM
> Response may get sent to a server in two forms, encrypted once with the full
> password in mixed case, and once with the password converted to upper case
> and truncated to 14 characters. JCIFS apparently is doing the upper case
> part. But there might be some trick to truncating long passwords.
	There are the separate Pre NT LM 0.12 and NT LM 0.12 password hashing
	mechanisms being used for historical reasons. It is possible that jcifs need only
	adjust the latter mechanism and properly truncate the Pre NT LM 0.12 scheme in
	SmbSession.java. The relevant section of the Leach document is below. By all
	means if you happen to come up with a solution let me know. Otherwise I don't
	know when I'll get around to fixing such a thing.


	2.10.1  Pre NT LM 0.12

	o The client and server both compute

	    P16 = E(P14,S8)


	    P24 = E(P21,C8)


	Leach, Naik       expires September, 1997         [Page 20] 

	INTERNET-DRAFT            CIFS/1.0                  03/19/97

	  o P14 is a 14 byte string containing the user's password in clear
	     text, upper cased, padded with spaces

	  o S8 is an eight byte string whose value is available from Microsoft
	     upon request.

	  o P21 is a twenty one byte string obtained by appending five null
	     bytes to the string P16, just computed

	  o C8 is the value of the challenge sent in the EncryptionKey field in
	     the SMB_COM_NEGPROT response for this connection.

	2.10.2  NT LM 0.12

	The client and server both compute

	    P16 = MD4(U(PN))


	    P24 = E(P21, C8)


	  o PN is a string containing the user's password in clear text, case
	     sensitive, no maximum length

	  o U(x) of an ASCII string "x" is that string converted to Unicode

	  o MD4(x) of an octet string "x" is the 16 byte MD4 message digest [6]
	     of that string

	  o P21 and C8 are as above.
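
An added Java example, not jcifs code and not part of the original message: the Pre NT LM 0.12 computation from section 2.10.1 quoted above, with the copy into P14 bounded to 14 bytes so that a longer password no longer throws. The S8 value, the class and method names and the challenge bytes are assumptions not taken from the thread, and `javax.crypto` DES stands in for the `E` helper called in `SmbSession.java`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class PreNtlmResponseExample {
    // S8 is not given on the page; this is the widely published constant (assumption).
    static final byte[] S8 = "KGS!@#$%".getBytes(StandardCharsets.US_ASCII);

    // P14: upper-cased password, at most 14 bytes copied, rest left zero as in new byte[14].
    static byte[] p14(String password) {
        byte[] raw = password.toUpperCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        byte[] buf = new byte[14];
        System.arraycopy(raw, 0, buf, 0, Math.min(raw.length, buf.length));
        return buf;
    }

    // Spread 7 key bytes over 8 DES key bytes: 7 key bits each, parity bit left 0.
    static byte[] desKey(byte[] k, int off) {
        long v = 0;
        for (int i = 0; i < 7; i++) v = (v << 8) | (k[off + i] & 0xFF);
        byte[] key = new byte[8];
        for (int i = 0; i < 8; i++) key[i] = (byte) (((v >>> (49 - 7 * i)) & 0x7F) << 1);
        return key;
    }

    // E(K, D): each 7-byte block of K is a DES key that encrypts the 8-byte D.
    static byte[] e(byte[] k, byte[] d8) throws GeneralSecurityException {
        Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
        byte[] out = new byte[k.length / 7 * 8];
        for (int i = 0; i < k.length / 7; i++) {
            des.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(desKey(k, i * 7), "DES"));
            des.doFinal(d8, 0, 8, out, i * 8);
        }
        return out;
    }

    static byte[] preNtlmResponse(String password, byte[] c8) throws GeneralSecurityException {
        byte[] p21 = Arrays.copyOf(e(p14(password), S8), 21); // P16 plus five null bytes
        return e(p21, c8);                                     // P24
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] c8 = {1, 2, 3, 4, 5, 6, 7, 8};                       // constructed challenge
        byte[] full = preNtlmResponse("a_very_long_password", c8);  // 20 chars, no exception
        byte[] cut = preNtlmResponse("a_very_long_pa", c8);         // its first 14 chars
        System.out.println(full.length + " bytes, equal to truncated: " + Arrays.equals(full, cut));
    }
}
```

The bounded copy only removes the exception; as reported in the thread, a server still rejected a password truncated to 14 characters.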
