"Secure" channel demystifying?

Peter Waechtler peter at helios.de
Thu Jul 1 07:36:43 GMT 2004


On Wednesday, 30 June 2004 20:35, Dimitry V. Ketov wrote:
> Hi, samba hackers!
>
> Sorry if my post is off-topic here, but there is no better place
> to ask :)
>
> As I know, domain controllers and domain members use a so-called "secure"
> (but actually just machine-to-machine authenticated) channel in the netlogon
> protocol for communications. At (my) first sight it's rather
> strange, in comparison with the "usual" method to authenticate the
> _entity_ which accesses information (e.g. the user that logs on).
>
> All I can guess for this is authentication and authorization for DCs
> replications, inter-domain requests and so on, that is possible without
> any user intervention (and therefore without any user's account, just by
> using machine's accounts). But what reasons to use that "secure" channel
> for the real user logon purposes?
>
> Having spent some time looking for an answer (why that additional "security" is
> needed) in web sources (including Microsoft's) and found nothing
> illustrative to prove my guesses, I've decided to ask this list for an
> explanation. :)
>
> - Are my guesses right or wrong?
> - In which cases is that "secure" (just authenticated) channel used?
> - Give me some good points to information/documentation...
>

The global problem is mutual authentication. You gain 2 profits with that:

1) the server can authenticate the machine, since it was entered into the
 domain by an admin. A malicious cracker can't plug his laptop into
 a port and try to impersonate. This alone does not prevent the use
 of keyboard sniffers (local security of client machine) etc.

2) the client can be "more" sure about passing the challenge/response
 token to the "right" server. Without that a cracker could spoof his
 laptop as a DC. If the passwords were passed with a reversible algorithm
 he would get them. With NTLM he can build a dictionary of challenge->hash.
 It's not only theoretical: the server possibly downgrades the client to send
 the password in clear...
 The client machine wouldn't do that if SChannel is mandatory and the server
 can't prove its identity. It's like SSL certificates and fingerprints. If the
 certificate is invalid the user ignores that and sends the PIN ;)

> PS. Yes, I'm aware of today's secure channel signing and ciphering ;)

Then, why do you ask? ;)
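A toy model of the two benefits described in the reply above, added here as an illustration; it is not Samba code and not the real netlogon credential computation. It assumes a machine-account secret shared at domain join and uses HMAC-SHA256 over both nonces in place of the real algorithm; the `Workstation`, `DomainController` and `RogueServer` classes are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the netlogon credential: a keyed MAC over both
# nonces, keyed with the machine-account secret an admin set at domain join.
def credential(secret, client_chal, server_chal, party):
    return hmac.new(secret, party + client_chal + server_chal, hashlib.sha256).digest()

class DomainController:
    def __init__(self, machine_secret):
        self.secret = machine_secret

    def handshake(self, client_chal):
        # Benefit 2: the DC proves it knows the secret, bound to the client's nonce.
        self.client_chal, self.server_chal = client_chal, os.urandom(8)
        return self.server_chal, credential(self.secret, client_chal, self.server_chal, b"server")

    def forward_logon(self, client_cred, user_response):
        # Benefit 1: only a machine joined to the domain can produce this credential.
        expected = credential(self.secret, self.client_chal, self.server_chal, b"client")
        if not hmac.compare_digest(expected, client_cred):
            return "rejected: unknown machine"
        return "accepted"

class RogueServer:
    """A laptop on a spare port posing as a DC; it does not know the secret."""
    def __init__(self):
        self.captured = []

    def handshake(self, client_chal):
        return os.urandom(8), os.urandom(32)  # random bytes, not a valid credential

    def forward_logon(self, client_cred, user_response):
        self.captured.append(user_response)  # this is the challenge->hash harvest
        return "accepted"                    # and it lies about the outcome

class Workstation:
    def __init__(self, machine_secret, require_schannel=True):
        self.secret, self.require_schannel = machine_secret, require_schannel

    def logon_via(self, server, user_response):
        """Hand the user's challenge/response over only after the server proves itself."""
        client_chal = os.urandom(8)
        server_chal, server_cred = server.handshake(client_chal)
        expected = credential(self.secret, client_chal, server_chal, b"server")
        if not hmac.compare_digest(expected, server_cred):
            if self.require_schannel:
                return None  # refuse: this server cannot prove it is a real DC
            # legacy/downgrade behaviour: proceed with an unverified server anyway
        client_cred = credential(self.secret, client_chal, server_chal, b"client")
        return server.forward_logon(client_cred, user_response)
```

With `require_schannel=False` the workstation still sends the user's response to the rogue server, which is exactly the exposure the mandatory secure channel removes.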



More information about the samba-technical mailing list