"Secure" channel demystifying?

Dimitry V. Ketov Dimitry.Ketov at avalon.ru
Mon Jul 12 17:58:55 GMT 2004

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno at squid-cache.org]

> On Wed, 7 Jul 2004, Dimitry V. Ketov wrote:
> > As I can see, it's just normal LM/NTLM challeges and
> respones inside
> > NETLOGON "secure" channel
> Yes, the NTLM challenges/responses is the same as NTLM would
> not work otherwise. But the final response (not the NTLM
> response) carrries
> additional information.
Do you mean that "user sesion key"
--- quote ---
USER_INFO (user logon info)
Note: it would be nice to know what the 16 byte user session key is for.

> > copied from client/server LM/NTLM authetication.
> But not in the same order.. Look how the challenge is
> generated. This mode of the NTLM/LANMAN protocols is only
It's generated on the member server that is accessed.

> available from the domain controller because of the trust
> chain established by the domain computer account.
Can't figure out that. Why?

> > Where is that "protection" ? :(
> It is not the NTLM challenge/response which is protected,
> this is public information. What is protected is the user
> session key contained within the netlogin response. Not
> strongly protected, but protected. The user
> session key is not part of NTLM but is used in other aspects
> related to
> authentication.
What it (session key) is used for?

> As discussed before real security is only provided if signing
> & sealing is enabled on the secure channel (which it is by
> default). The capability of signing & sealing is the
> difference between the original NT4 style domain logins and
> the secure channel used in NT4 SP4 and later..
Yes, I read that.

> > Furthermore, it seems doesn't conform to NETLOGON authentication,
> > stated in
> >
> In what sense?
I meant that protocol describes only "interactive" NETLOGON, that uses
shared secret key (based on the machine account password) for LM/NTLM
responses computation, but my traces shows "remote" NETLOGON, that uses
random challenge selected by member server for same purposes.


More information about the samba-technical mailing list