[jcifs] jCifs' NTLMSSP: is it secure and sound?

Michael B Allen miallen at ioplex.com
Wed Apr 9 15:29:47 GMT 2008

On Wed, 9 Apr 2008 11:00:24 +0200
"Giampaolo Tomassoni" <Giampaolo at Tomassoni.biz> wrote:

> > -----Original Message-----
> > From: Michael B Allen [mailto:miallen at ioplex.com]
> > Sent: Wednesday, April 09, 2008 2:24 AM
> > To: Giampaolo Tomassoni
> > Cc: jcifs at lists.samba.org
> > Subject: Re: [jcifs] jCifs' NTLMSSP: is it secure and sound?
> > 
> > On Wed, 9 Apr 2008 01:30:07 +0200
> > "Giampaolo Tomassoni" <Giampaolo at Tomassoni.biz> wrote:
> > 
> > > What are your thoughts about this?
> > 
> > If NTLM does not provide the level of security you require then I
> > recommend that you use Kerberos instead.
> > 
> > Mike
> Well, I probably wasn't clean enough. It is not that I don't like NTLMSSP.
> It is that the jCifs' implementation of NTLMSSP (NtlmHttpFilter  and
> relatives) is not correct and thereby is more easily spoofed.

First, this has nothing to do with NTLMSSP or how it's
implemented. NTLMSSP is just a messaging protocol. The problem of spoofing
by session id is common to any application that bypasses subsequent
authentications by caching the authentication in the session.

The solution to the session id spoofing issue is to simply not cache
the authentication in the session. You could probably comment out one
line somewhere in the filter to stop it from putting anything in the
session. Technically I believe that is how things are supposed to work
(I would have to get a capture of IIS to confirm that). We chose to
cache the authentication at the expense of speed.

But still, if you really care that much about security then you should
be using Kerberos. Kerberos does not require communication with a central
authority so authenticating each request can more efficient.


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the jcifs mailing list