Authentication ....

Peter Samuelson peter at
Wed Jan 24 16:15:14 GMT 2001

  [Peter Samuelson]
> >   Use all 8 bits of each character to derive two 56-bit keys.
> >   DES-encrypt two known strings with the two keys.

> take first 7 upper-case ascii chars, use as key to DES-encrypt the
> string "!"£$%KGS".  take 2nd 7 upper-case, do same.  concatenate
> results to produce 128-bit result.

OK, s/two known strings/one string used twice/ .  I was close. (:

> significant diff. between nt-auth and unix auth is that the nt-auth
> uses the hashes as cleartext-equivalent.

Yes, that is true.  That's the problem with challenge-response, it's
trivial to implement if you have a plaintext-equivalent stored, and
much more complex if you don't.  Then again, it's not like this is a
new problem -- algorithms *do* exist in the literature (Diffie-Hellman,
etc) and Microsoft could have used them.  Maybe it had something to do
with US export licensing.  Or was it just the old security-by-obscurity
("nobody will ever reverse-engineer this stuff") sloppiness?


More information about the samba-ntdom mailing list