trying to correctly handle account passwords via ldap

Andrew Bartlett abartlet at
Tue Mar 28 02:53:05 GMT 2006

On Mon, 2006-03-27 at 18:45 -0800, Jeremy Allison wrote:
> On Tue, Mar 28, 2006 at 12:42:40PM +1000, Andrew Bartlett wrote:
> > On Tue, 2006-03-28 at 11:46 +1000, Luke Howard wrote:
> > > >You mean they are stored with the old format but wrapped into something
> > > >else when queried through DRS ?
> > > 
> > > DRS uses application-level encryption of secret attributes in addition to
> > > the session encryption provided by the GSS-API. Nonetheless this encryption
> > > is session-specific and is in addition to the OWF obfuscation.
> > 
> > And remains on my list of crypto challenges to tackle. :-)
> I think Luke was giving you a hint by the URL he posted :-).

Yes, it is much easier to handle the application-level encryption when
you know the exact form of the data below it.  Now that I can easily form a
password and compute what the RID-encrypted form will be, I will have
an easier job (and most importantly, a success condition).

I'll take all the hints I can get.  My current guess is that a/the
session key is mixed (MD5?) with a 16 byte nonce that appears to be
prefixed/suffixed to the value, and then used to RC4 encrypt the data
(it seems to be a stream cipher).  

Interestingly, the session key should be 'SystemLibraryDTC' if the
pattern on LSA and SAMR over TCP is followed.  But perhaps they get a
'real' key in there somewhere.  

(This is all below the GSSAPI layer, which bulk encrypts the whole

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
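To make the guessed construction above concrete, here is an added example (not Samba code, and not a confirmed description of the DRS format): it derives the RC4 key as MD5 over the session key and a 16-byte nonce, prefixes the nonce to the RC4 output, and lets you check that a fresh nonce per value is what keeps two secrets from sharing a keystream. The concatenation order, the nonce-as-prefix layout and the sample values are assumptions.

```python
import hashlib
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(session_key: bytes, nonce: bytes) -> bytes:
    """Guessed mixing step: MD5(session_key || nonce). Order is an assumption."""
    if len(nonce) != 16:
        raise ValueError("nonce must be exactly 16 bytes")
    return hashlib.md5(session_key + nonce).digest()


def wrap_secret(session_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt `plaintext`; output is nonce (prefix, assumed) followed by RC4 data."""
    nonce = os.urandom(16) if nonce is None else nonce
    ks = rc4_keystream(derive_rc4_key(session_key, nonce), len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unwrap_secret(session_key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap_secret: read the nonce prefix, rebuild the keystream, XOR."""
    nonce, body = blob[:16], blob[16:]
    ks = rc4_keystream(derive_rc4_key(session_key, nonce), len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def keystream_shared(blob_a: bytes, blob_b: bytes) -> bool:
    """True when two blobs reuse the same nonce, i.e. the same RC4 keystream."""
    return blob_a[:16] == blob_b[:16]


# Constructed sample: the fixed key named in the message, a made-up nonce and value.
SESSION_KEY = b"SystemLibraryDTC"
SAMPLE_NONCE = bytes(range(16))
SAMPLE_SECRET = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")  # constructed 16-byte value
```

With the same session key, two values wrapped under different nonces produce unrelated ciphertexts; with the same nonce their XOR equals the XOR of the plaintexts, which is why the per-value nonce matters.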
