svn commit: lorikeet r110 - in trunk/samba4-ad-thesis: .
abartlet at samba.org
Wed Oct 27 13:00:26 GMT 2004
Author: abartlet
Date: 2004-10-27 13:00:24 +0000 (Wed, 27 Oct 2004)
New Revision: 110
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/samba4-ad-thesis&rev=110&nolog=1
Log:
Thesis fixes again - from dad again.
Thanks!
Andrew Bartlett
Modified:
trunk/samba4-ad-thesis/chapters.lyx
Changeset:
Modified: trunk/samba4-ad-thesis/chapters.lyx
===================================================================
--- trunk/samba4-ad-thesis/chapters.lyx 2004-10-27 12:30:52 UTC (rev 109)
+++ trunk/samba4-ad-thesis/chapters.lyx 2004-10-27 13:00:24 UTC (rev 110)
@@ -910,7 +910,7 @@
Trusted Third Party Authentication
\layout Standard
-Many distributed authentication systems allow logins to occur on many hosts,
+Many distributed authentication systems allow logins to occur on numerous hosts,
but only a few hosts (possibly one) actually confirms or denies an authenticati
on request.
These are trusted third party systems; all hosts trust those with the passwords
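Review bot: the unchanged context line `but only a few hosts (possibly one) actually confirms or denies an authentication request` still has a number-agreement slip: the subject is `a few hosts`, so it should read `actually confirm or deny`. Worth folding in while this sentence is being touched.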
@@ -978,7 +978,7 @@
Often abbreviated as simply SSO, the concept of Single Sign On is quite
simply a matter of usability; users wish to establish their identity once,
and not have to think about it after that.
- This allows more complex authentication procedures, if the user only has
+ This allows for more complex authentication procedures as the user only has
to tolerate them once per session.
SSO has become the expectation in modern network environments.
\layout Chapter
@@ -997,8 +997,8 @@
NTLM Challenge Response
\layout Standard
-NTLM is a challenge-response authentication scheme, designed to prevent
- direct compromised of the user's password as it passes from client to server.
+NTLM is a challenge-response authentication scheme, designed to prevent a
+ direct compromise of the user's password as it passes from client to server.
In theory, the value that the client gives the server can only be generated
with knowledge of the password, but does not reveal the password itself.
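Review bot: `In theory` in the unchanged sentence `In theory, the value that the client gives the server can only be generated with knowledge of the password, but does not reveal the password itself` hedges without saying what the practice is. Either drop the hedge or add the clause it points at, so the reader knows whether the `does not reveal` claim is meant to hold in practice or only on paper.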
@@ -1067,7 +1067,7 @@
\end_inset
-, knowledge of this `plain-text', nor the encrypted output does not allow
+, neither knowledge of this `plaintext', nor the encrypted output allows
one to find the key.
Therefore this is a one-way hash function.
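Review bot: the `neither ... nor` rewrite is the right construction, but the comma in `neither knowledge of this `plaintext', nor the encrypted output allows` should go: the two alternatives form a single subject and should not be split by a comma before `nor`.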
@@ -1135,7 +1135,7 @@
\end_inset
-, but is summarised here:
+, but is summarised here.
\layout Standard
The server generates an 8 bytes cryptographic challenge, consisting of random
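Review bot: the context line `The server generates an 8 bytes cryptographic challenge` needs the adjectival form `an 8-byte cryptographic challenge`; since the hunk already edits this paragraph it is a cheap fix to include.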
@@ -1207,10 +1207,10 @@
\layout Standard
As part of the byproduct of NTLM authentication, a password-derived `session
- key' is produced, for use in verifying or encrypting data carried between
+ key' is produced for use in verifying or encrypting data carried between
the client and server.
- The algorithm used varies depending on the method of authentication, but
- can unfortunately be very weak - often a fixed derivative of the user's
+ The algorithm used varies depending on the method of authentication, but unfortunately
+ can be very weak - often a fixed derivative of the user's
password! This key is known as the `user session key', and is used in a
number of places within CIFS directly, as well as by the NTLMSSP suite.
\layout Subsubsection*
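Review bot: the re-ordered sentence reads well, but `often a fixed derivative of the user's password` still leaves the reader to infer why that is weak. Spelling it out (a fixed derivative means the same key is produced for every session, so it is not really a session key at all) would make the exclamation mark earn its place.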
@@ -1250,7 +1250,7 @@
\end_inset
-NTLMSSP is a collection of protocols, which together for-fill the Microsoft
+NTLMSSP is a collection of protocols, which together fulfil the Microsoft
Security Support Provider Interface (SSPI
\begin_inset LatexCommand \citep{sspi}
@@ -1346,7 +1346,7 @@
\layout Standard
This key is then 'weakened' to various strengths, to fix export requirements.
- The irony is that the 128 bit negotiated key is far from this real strength,
+ The irony is that the 128 bit negotiated key is far from this in real strength,
due to there being at most 56 bits of key input!
\layout Subsubsection*
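Review bot: `far from this in real strength` fixes the changed line, but the unchanged line above it, `to fix export requirements`, uses the wrong verb; `to meet export requirements` or `to satisfy export requirements` is what is meant. `128 bit negotiated key` should also be hyphenated as `128-bit` when used as an adjective.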
@@ -1456,7 +1456,7 @@
\layout Standard
The first, and easiest compromise the server can make is simply to defer
- to decision to another server.
+ the decision to another server.
In pass-though authentication, optimised by Samba's
\family typewriter
security=server
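Review bot: `the decision` fixes the typo on the changed line, but the very next context line still reads `In pass-though authentication`; that should be `pass-through`.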
@@ -1492,8 +1492,8 @@
\end_inset
-The NETLOGON authentication process is that introduced by Microsoft Windows
- NT, to handle this problem in a more secure manner.
+The NETLOGON authentication process was introduced by Microsoft Windows
+ NT to handle this problem in a more secure manner.
Fundamentally, the challenge-response step to the remote server (the DC)
is removed, and instead the DC is presented with both the challenge and
the response.
@@ -1602,7 +1602,7 @@
need for the server to contact the KDC in real time.
Kerberos also includes mutual authentication, signing and sealing of data,
and is extensible with new encryption types, something that Microsoft did
- allowing an upgrade from Windows NT:
+ allow in an upgrade from Windows NT:
\layout Section
An upgrade compatible encryption type
@@ -1634,7 +1634,7 @@
as the shared Kerberos key, and defined a set of cryptographic operations
around this base.
- Published as an Internet-Draft
+ Published as an Internet-Draft
\begin_inset LatexCommand \citet{brezac-krb5-draft}
\end_inset
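Review bot: the `-` and `+` lines of this hunk are identical as displayed, so the change is whitespace only. Other wrapped lines in this file carry their separating space at the start of the continuation line, so a space at the end of `Published as an Internet-Draft` is probably the separator before the `\begin_inset LatexCommand \citet{brezac-krb5-draft}` inset that follows; if the hunk removes it, check that `Internet-Draft` and the citation do not run together in the typeset output.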
@@ -1651,11 +1651,10 @@
This is very nice in theory, but presents some practical difficulties in
mapping a Kerberos identity to a user, and their access rights.
In particular, it is the problem of performing this mapping in a network-effici
-ent manner that caused the PAC and associated infrastructure to be devised.
+ent manner that caused the PAC (Privilege Attribute Certificate) and associated infrastructure to be devised.
\layout Standard
-The PAC (Privilege Attribute Certificate) is a cryptographically signed
- blob of data, including information on a user's groups, their home directory
+ The PAC is a cryptographically signed blob of data including information on a user's groups, their home directory
location, and similar details.
This is nothing particularly special, but Microsoft created a storm by
releasing the specification for this data format under a `click-though'
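Review bot: moving the expansion `(Privilege Attribute Certificate)` to the first mention is the right call, but the new line ` The PAC is a cryptographically signed blob of data including information on a user's groups, their home directory` is far longer than the wrapped lines around it and starts with a leading space directly after `\layout Standard`, unlike the other paragraph-initial lines in this diff (`Many distributed authentication systems ...`, `NTLMSSP is a collection ...`). Re-wrap to the file's width and drop the leading space so the paragraph is stored like its neighbours.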
@@ -1729,7 +1728,7 @@
\layout Standard
Away from protocol implementation details, the names of security mechanisms
- are associated with particular levels of security, and clients and servers
+ are associated with particular levels of security. Clients and servers
may place requirements on each other by which mechanisms they support,
but this does not have any wire artifacts.
\layout Section
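Review bot: splitting the sentence helps, but `may place requirements on each other by which mechanisms they support` is still awkward: `by` is the wrong preposition. Suggest `may place requirements on each other as to which mechanisms they support`. Separately, `wire artifacts` is an American spelling in a file that otherwise uses `summarised` and `optimised`; `artefacts` would be consistent.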
@@ -1743,7 +1742,7 @@
an Object IDentifier (OID) to prefix its network messages.
OIDs are globally unique streams of numbers, delegated out of a hierarchical
name-space, and formatted (as is the case for all of GSSAPI) in ASN.1.
- (SASL uses simple text strings for the same purpose, and much clearer effect).
+ (SASL uses simple text strings for the same purpose, with much clearer effect).
\layout Standard
GSSAPI, like SASL, exchanges datagrams until both sites are happy with the
@@ -1847,7 +1846,7 @@
\layout Standard
-Because the both the WinXP and Windows 2003 machines are running under VMware
+Because both the WinXP and Windows 2003 machines are running under VMware
(which itself is run on Linux), the whole process can be monitored by listening
on the virtual Ethernet hub that VMware provides.
@@ -2203,7 +2202,7 @@
\end_inset
- shows the initial SPNEGO
+ shows the initial SPNEGO
\begin_inset LatexCommand \citet{msspnego}
\end_inset
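Review bot: as with the `Internet-Draft` hunk, the `-` and `+` lines here are identical as displayed, so only whitespace changed. Check that the space separating ` shows the initial SPNEGO` from the `\begin_inset LatexCommand \citet{msspnego}` inset below survives, otherwise `SPNEGO` and the citation will be glued together in the output.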
@@ -2259,7 +2258,7 @@
shows the client requesting a Ticket Granting Ticket (TGT), allowing it
to request other tickets.
- It does so be sending the current time, encrypted with the user's password
+ It does so by sending the current time, encrypted with the user's password
(this is the pre-auth data).
Of interesting note in this TGT is the HostAddresss (network addresses
where this TGT may be validly used) is given as a NetBIOS Name, not the
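Review bot: `by sending` fixes the typo on the changed line, but the context lines just below still carry `HostAddresss` (three s's), and the sentence `Of interesting note in this TGT is the HostAddresss (...) is given as a NetBIOS Name` has two main verbs. Suggest `Of interest in this TGT is that the HostAddress (...) is given as a NetBIOS Name, not the ...`.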
@@ -2408,7 +2407,7 @@
SAMR
\family default
pipe, to create the new machine account.
- Shown in summery in Figure
+ Shown in summary in Figure
\begin_inset LatexCommand \ref{fig:SAMRAccount-creation}
\end_inset
@@ -2465,7 +2464,7 @@
\end_inset
-Up until this point, the join process is very much like that to a Samba
+Up until this point, the join process is very much like that of a Samba
or NT4 server, and could be implemented without many changes to an existing
code-base.
However, the client soon changes the problem drastically, by making a call
@@ -2505,7 +2504,7 @@
The LDAP protocol consists of a connect, and optionally a bind (authenticate
request) as a particular user.
- In the case of Active Directory, the client uses and authenticated bind,
+ In the case of Active Directory, the client uses an authenticated bind,
with the credentials of the user joining the domain.
In this case, shown in Figure
\begin_inset LatexCommand \ref{fig:The-SASL/SPENGO/Kerberos-LDAP}
@@ -2752,7 +2751,7 @@
\layout Standard
It is not worthwhile to analyse each call in detail at this point, as our
- existing knowledge provides far sufficient work for analysis and implementation
+ existing knowledge provides sufficient work for analysis and implementation
as it is.
That said, an examination of the packets shows new calls, but no new technologi
es.
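Review bot: dropping `far` helps, but `existing knowledge provides sufficient work for analysis and implementation` still reads oddly, since knowledge does not provide work. `provides sufficient material for analysis and implementation as it is` says what is meant.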