svn commit: lorikeet r110 - in trunk/samba4-ad-thesis: .

abartlet at samba.org abartlet at samba.org
Wed Oct 27 13:00:26 GMT 2004


Author: abartlet
Date: 2004-10-27 13:00:24 +0000 (Wed, 27 Oct 2004)
New Revision: 110

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/samba4-ad-thesis&rev=110&nolog=1

Log:
Thesis fixes again - from dad again.

Thanks!

Andrew Bartlett

Modified:
   trunk/samba4-ad-thesis/chapters.lyx


Changeset:
Modified: trunk/samba4-ad-thesis/chapters.lyx
===================================================================
--- trunk/samba4-ad-thesis/chapters.lyx	2004-10-27 12:30:52 UTC (rev 109)
+++ trunk/samba4-ad-thesis/chapters.lyx	2004-10-27 13:00:24 UTC (rev 110)
@@ -910,7 +910,7 @@
 Trusted Third Party Authentication
 \layout Standard
 
-Many distributed authentication systems allow logins to occur on many hosts,
+Many distributed authentication systems allow logins to occur on numerous hosts,
  but only a few hosts (possibly one) actually confirms or denies an authenticati
 on request.
  These are trusted third party systems; all hosts trust those with the passwords
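Review bot: subject-verb agreement on the second and third context lines: 'only a few hosts (possibly one) actually confirms or denies an authentication request' has the plural subject 'hosts', so it should read 'confirm or deny'. The 'many' to 'numerous' change in the + line is fine, but it is the agreement error that actually needs fixing in this paragraph.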
@@ -978,7 +978,7 @@
 Often abbreviated as simply SSO, the concept of Single Sign On is quite
  simply a matter of usability; users wish to establish their identity once,
  and not have to think about it after that.
- This allows more complex authentication procedures, if the user only has
+ This allows for more complex authentication procedures as the user only has
  to tolerate them once per session.
  SSO has become the expectation in modern network environments.
 \layout Chapter
@@ -997,8 +997,8 @@
 NTLM Challenge Response
 \layout Standard
 
-NTLM is a challenge-response authentication scheme, designed to prevent
- direct compromised of the user's password as it passes from client to server.
+NTLM is a challenge-response authentication scheme, designed to prevent a
+ direct compromise of the user's password as it passes from client to server.
  In theory, the value that the client gives the server can only be generated
  with knowledge of the password, but does not reveal the password itself.
  
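Review bot: the comma after 'scheme' in the + line sets off a restrictive clause; 'a challenge-response authentication scheme designed to prevent a direct compromise of the user's password' reads better without it. The 'In theory' on the following context line is worth keeping, since the sentence only claims that the response does not reveal the password, not that the scheme is otherwise strong.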
@@ -1067,7 +1067,7 @@
 
 \end_inset 
 
-, knowledge of this `plain-text', nor the encrypted output does not allow
+, neither knowledge of this `plaintext', nor the encrypted output allows
  one to find the key.
  Therefore this is a one-way hash function.
  
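Review bot: the 'neither ... nor' in the + line is not parallel and carries a stray comma; 'neither knowledge of this `plaintext' nor of the encrypted output allows one to find the key' keeps both alternatives governed by 'knowledge of'. With that fixed, the 'Therefore this is a one-way hash function' on the next context line follows cleanly.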
@@ -1135,7 +1135,7 @@
 
 \end_inset 
 
-, but is summarised here:
+, but is summarised here.
 \layout Standard
 
 The server generates an 8 bytes cryptographic challenge, consisting of random
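Review bot: 'an 8 bytes cryptographic challenge' on the last context line should be 'an 8-byte cryptographic challenge'. The colon-to-period change in the + line is correct, since what follows is a new \layout Standard paragraph rather than a continuation of the sentence.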
@@ -1207,10 +1207,10 @@
 \layout Standard
 
 As part of the byproduct of NTLM authentication, a password-derived `session
- key' is produced, for use in verifying or encrypting data carried between
+ key' is produced for use in verifying or encrypting data carried between
  the client and server.
- The algorithm used varies depending on the method of authentication, but
- can unfortunately be very weak - often a fixed derivative of the user's
+ The algorithm used varies depending on the method of authentication, but unfortunately 
+ can be very weak - often a fixed derivative of the user's
  password! This key is known as the `user session key', and is used in a
  number of places within CIFS directly, as well as by the NTLMSSP suite.
 \layout Subsubsection*
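Review bot: the first + line ends with a trailing space and the continuation line below it also begins with one, so the paragraph will carry a double space before 'can be very weak'; drop the trailing one, since LyX puts the wrap space at the start of the continuation line everywhere else in this file. While here, 'As part of the byproduct of NTLM authentication' on the first context line is redundant; 'As a byproduct of NTLM authentication' says the same thing.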
@@ -1250,7 +1250,7 @@
 
 \end_inset 
 
-NTLMSSP is a collection of protocols, which together for-fill the Microsoft
+NTLMSSP is a collection of protocols, which together fulfil the Microsoft
  Security Support Provider Interface (SSPI
 \begin_inset LatexCommand \citep{sspi}
 
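Review bot: 'fulfil the Microsoft Security Support Provider Interface' is an odd verb to apply to an interface; 'implement' (or 'provide an implementation of') is the usual term. The British spelling 'fulfil' is at least consistent with 'summarised' used earlier in the chapter.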
@@ -1346,7 +1346,7 @@
 \layout Standard
 
 This key is then 'weakened' to various strengths, to fix export requirements.
- The irony is that the 128 bit negotiated key is far from this real strength,
+ The irony is that the 128 bit negotiated key is far from this in real strength,
  due to there being at most 56 bits of key input!
 \layout Subsubsection*
 
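Review bot: 'to fix export requirements' on the first context line should be 'to satisfy export requirements'; 'fix' reads as though the requirements were broken. In the + line, '128 bit negotiated key' wants a hyphen ('128-bit'), and the straight single quotes around 'weakened' on the context line differ from the `plaintext' style quoting used elsewhere in the file.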
@@ -1456,7 +1456,7 @@
 \layout Standard
 
 The first, and easiest compromise the server can make is simply to defer
- to decision to another server.
+ the decision to another server.
  In pass-though authentication, optimised by Samba's 
 \family typewriter 
 security=server
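Review bot: 'pass-though authentication' on the context line is a typo for 'pass-through authentication'. Also, 'The first, and easiest compromise' needs either both commas ('The first, and easiest, compromise') or neither.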
@@ -1492,8 +1492,8 @@
 
 \end_inset 
 
-The NETLOGON authentication process is that introduced by Microsoft Windows
- NT, to handle this problem in a more secure manner.
+The NETLOGON authentication process was introduced by Microsoft Windows
+ NT to handle this problem in a more secure manner.
  Fundamentally, the challenge-response step to the remote server (the DC)
  is removed, and instead the DC is presented with both the challenge and
  the response.
@@ -1602,7 +1602,7 @@
  need for the server to contact the KDC in real time.
  Kerberos also includes mutual authentication, signing and sealing of data,
  and is extensible with new encryption types, something that Microsoft did
- allowing an upgrade from Windows NT:
+ allow in an upgrade from Windows NT:
 \layout Section
 
 An upgrade compatible encryption type
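Review bot: the + line changes the meaning. The original 'something that Microsoft did allowing an upgrade from Windows NT' meant that Microsoft added a new encryption type, which allowed the upgrade; 'something that Microsoft did allow in an upgrade' instead says Microsoft permitted extensibility during an upgrade. 'something that Microsoft did, allowing an upgrade from Windows NT:' keeps the intended sense and still leads into the section that follows. That section title, 'An upgrade compatible encryption type', should be hyphenated as 'upgrade-compatible'.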
@@ -1634,7 +1634,7 @@
 
  as the shared Kerberos key, and defined a set of cryptographic operations
  around this base.
- Published as an Internet-Draft
+ Published as an Internet-Draft 
 \begin_inset LatexCommand \citet{brezac-krb5-draft}
 
 \end_inset 
@@ -1651,11 +1651,10 @@
  This is very nice in theory, but presents some practical difficulties in
  mapping a Kerberos identity to a user, and their access rights.
  In particular, it is the problem of performing this mapping in a network-effici
-ent manner that caused the PAC and associated infrastructure to be devised.
+ent manner that caused the PAC (Privilege Attribute Certificate) and associated infrastructure to be devised.
 \layout Standard
 
-The PAC (Privilege Attribute Certificate) is a cryptographically signed
- blob of data, including information on a user's groups, their home directory
+ The PAC is a cryptographically signed blob of data including information on a user's groups, their home directory
  location, and similar details.
  This is nothing particularly special, but Microsoft created a storm by
  releasing the specification for this data format under a `click-though'
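Review bot: the second + line starts with a space, which makes the first line of the paragraph begin with a blank; the other paragraph openers in this file ('The NETLOGON authentication process', 'NTLMSSP is a collection') start flush after the blank line, so drop it. The line is also well past the wrap width LyX uses for the rest of the file; LyX will rewrap on save, but it makes the diff noisier than it needs to be. On the last context line, '`click-though'' is a typo for '`click-through''.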
@@ -1729,7 +1728,7 @@
 \layout Standard
 
 Away from protocol implementation details, the names of security mechanisms
- are associated with particular levels of security, and clients and servers
+ are associated with particular levels of security. Clients and servers
  may place requirements on each other by which mechanisms they support,
  but this does not have any wire artifacts.
 \layout Section
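Review bot: splitting the sentence in the + line is an improvement, but the clause that follows is still awkward: 'may place requirements on each other by which mechanisms they support' should be 'based on which mechanisms they support', and 'this does not have any wire artifacts' would be clearer as 'this leaves no trace on the wire'.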
@@ -1743,7 +1742,7 @@
  an Object IDentifier (OID) to prefix its network messages.
  OIDs are globally unique streams of numbers, delegated out of a hierarchical
  name-space, and formatted (as is the case for all of GSSAPI) in ASN.1.
- (SASL uses simple text strings for the same purpose, and much clearer effect).
+ (SASL uses simple text strings for the same purpose, with much clearer effect).
 \layout Standard
 
 GSSAPI, like SASL, exchanges datagrams until both sites are happy with the
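Review bot: 'until both sites are happy' on the last context line should be 'both sides'. In the + line the parenthetical is a complete sentence, so the full stop belongs inside the closing bracket. On the preceding context line, 'globally unique streams of numbers' would be more precise as 'globally unique sequences of integers', which is what an OID is.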
@@ -1847,7 +1846,7 @@
 
 \layout Standard
 
-Because the both the WinXP and Windows 2003 machines are running under VMware
+Because both the WinXP and Windows 2003 machines are running under VMware
  (which itself is run on Linux), the whole process can be monitored by listening
  on the virtual Ethernet hub that VMware provides.
  
@@ -2203,7 +2202,7 @@
 
 \end_inset 
 
- shows the initial SPNEGO
+ shows the initial SPNEGO 
 \begin_inset LatexCommand \citet{msspnego}
 
 \end_inset 
@@ -2259,7 +2258,7 @@
 
  shows the client requesting a Ticket Granting Ticket (TGT), allowing it
  to request other tickets.
- It does so be sending the current time, encrypted with the user's password
+ It does so by sending the current time, encrypted with the user's password
  (this is the pre-auth data).
  Of interesting note in this TGT is the HostAddresss (network addresses
  where this TGT may be validly used) is given as a NetBIOS Name, not the
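Review bot: 'HostAddresss' on the context line has one 's' too many, and the sentence it sits in has two main verbs: 'Of interesting note in this TGT is the HostAddress ... is given as a NetBIOS Name' should be 'Of note in this TGT is that the HostAddress (...) is given as a NetBIOS name'. In the + line, 'encrypted with the user's password' is loose; the timestamp is encrypted with a key derived from the password, which is worth stating given that the NTLM section already speaks of 'password-derived' keys.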
@@ -2408,7 +2407,7 @@
 SAMR
 \family default 
  pipe, to create the new machine account.
- Shown in summery in Figure 
+ Shown in summary in Figure 
 \begin_inset LatexCommand \ref{fig:SAMRAccount-creation}
 
 \end_inset 
@@ -2465,7 +2464,7 @@
 
 \end_inset 
 
-Up until this point, the join process is very much like that to a Samba
+Up until this point, the join process is very much like that of a Samba
  or NT4 server, and could be implemented without many changes to an existing
  code-base.
  However, the client soon changes the problem drastically, by making a call
@@ -2505,7 +2504,7 @@
 
 The LDAP protocol consists of a connect, and optionally a bind (authenticate
  request) as a particular user.
- In the case of Active Directory, the client uses and authenticated bind,
+ In the case of Active Directory, the client uses an authenticated bind,
  with the credentials of the user joining the domain.
  In this case, shown in Figure 
 \begin_inset LatexCommand \ref{fig:The-SASL/SPENGO/Kerberos-LDAP}
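Review bot: 'The LDAP protocol consists of a connect, and optionally a bind' on the first context line overstates it; the connect and optional bind are how a session starts, not the protocol itself, so 'An LDAP session begins with a connect, and optionally a bind (authenticate request) as a particular user' is more accurate. Separately, the label 'fig:The-SASL/SPENGO/Kerberos-LDAP' misspells SPNEGO; correcting it in this \ref alone would break the cross-reference, so either leave it or rename the matching \label on the figure in the same commit.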
@@ -2752,7 +2751,7 @@
 \layout Standard
 
 It is not worthwhile to analyse each call in detail at this point, as our
- existing knowledge provides far sufficient work for analysis and implementation
+ existing knowledge provides sufficient work for analysis and implementation
  as it is.
  That said, an examination of the packets shows new calls, but no new technologi
 es.
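Review bot: dropping 'far' in the + line helps, but 'our existing knowledge provides sufficient work for analysis and implementation as it is' still reads awkwardly; 'our existing knowledge already provides ample material for analysis and implementation' says what is meant.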



More information about the samba-cvs mailing list