"Secure" channel demystifying?

Dimitry V. Ketov Dimitry.Ketov at avalon.ru
Mon Jul 12 17:58:55 GMT 2004


> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno at squid-cache.org]

> On Wed, 7 Jul 2004, Dimitry V. Ketov wrote:
> > As I can see, it's just normal LM/NTLM challenges and responses inside
> > NETLOGON "secure" channel
>
> Yes, the NTLM challenges/responses are the same as NTLM would
> not work otherwise. But the final response (not the NTLM
> response) carries additional information.
Do you mean that "user session key"
(http://www.samba.org/samba/devel/docs/html/Samba-Developers-Guide.html#id2869784)
--- quote ---
USER_INFO (user logon info)
Note: it would be nice to know what the 16 byte user session key is for.
-------------

> > copied from client/server LM/NTLM authentication.
>
> But not in the same order.. Look how the challenge is
> generated. This mode of the NTLM/LANMAN protocols is only
It's generated on the member server that is accessed.

> available from the domain controller because of the trust
> chain established by the domain computer account.
Can't figure that out. Why?

> > Where is that "protection" ? :(
>
> It is not the NTLM challenge/response which is protected,
> this is public information. What is protected is the user
> session key contained within the netlogin response. Not
> strongly protected, but protected. The user
> session key is not part of NTLM but is used in other aspects
> related to
> authentication.
What is it (the session key) used for?

> As discussed before real security is only provided if signing
> & sealing is enabled on the secure channel (which it is by
> default). The capability of signing & sealing is the
> difference between the original NT4 style domain logins and
> the secure channel used in NT4 SP4 and later..
Yes, I read that.

> > Furthermore, it seems it doesn't conform to NETLOGON authentication,
> > stated in
> > http://www.samba.org/samba/devel/docs/html/Samba-Developers-Guide.html#id2878012
>
> In what sense?
I meant that protocol describes only "interactive" NETLOGON, that uses
shared secret key (based on the machine account password) for LM/NTLM
responses computation, but my traces show "remote" NETLOGON, that uses
random challenge selected by member server for same purposes.

Dimitry.


More information about the samba-technical mailing list