NTLMSSP in SMB

Sarat G sarath.ginjupalli89 at gmail.com
Sun Jul 26 04:36:59 UTC 2015


Thank you Richard and Brad,
for providing the useful info to go with. My concern is not about what
Microsoft says about it. I found it very simple, and I thought why can't
someone make it effective rather than obsoleting it.
I have taken downgrade attacks (thanks to FREAK and Logjam for giving me
better knowledge of them) and MITM attacks into consideration in my
proposed approach.

I posted in the IETF community but haven't received any response from them.
I'll try posting to the mailing list that Richard mentioned.
Once again thanks for the info.


Regards,
Sarat G



On Sun, Jul 26, 2015 at 4:35 AM, Brad Hards <bradh at frogmouth.net> wrote:

> On Sat, 25 Jul 2015 12:25:29 PM Sarat G wrote:
> > Hi,
> > A few months back, as a part of my project, I have been into SMB and Samba
> > code. In my scenario I'm using NTLMv2 for authentication. I read in
> > Microsoft specs and everywhere that NTLM hashes are strong enough. Being a
> > post graduate in Information Security, it's easy for me to understand that.
> > So, here my question is: suppose I want to suggest some things for NTLM,
> > whom should I contact?
> I think the first question is "should you contact someone?" Does this make
> sense in a larger context?
>
> > Because I have few things in mind that, why can't they negotiate hash
> > algorithms also in NTLMSSP if they much about the use of weak MD4 in
> > NTLMSSP.
> As pointed out by Richard, NTLM is a legacy protocol, retained for
> interoperability. In general, there are older systems that aren't getting any
> updates (perhaps even end-of-life for support). If you make a change like
> negotiating algorithms, then every client and server would need to support
> it. That would be a breaking change, which is contrary to the point of legacy
> interoperability.
>
> For the specific case of negotiating hash algorithms, you'd also need to deal
> with the possibility of a downgrade attack, where a MITM negotiates back to
> something weak anyway.
>
> > I have been working on this for a month, and have come up with my
> > suggestions to make NTLM much more secure.
> It would depend on who you ask, but I guess the Microsoft suggestion would be
> "disable it and use Kerberos". See (for example)
> https://technet.microsoft.com/en-us/library/jj865680%28v=ws.10%29.aspx
>
> > Can someone let me know the point of contact for these kinds of things? If
> > the Samba team would like to hear more from me, I'm happy to share my thoughts.
> I'm not a member of the Samba team (or Microsoft), and don't speak for them.
>
> You could always publish a new NTLM-like protocol (e.g. IETF), and depending
> on what the changes were, people might pick up on it. It would probably need
> to be measurably better than what is already out there to be successful
> though.
>
> Sorry if this isn't what you hoped to hear, and remember it's just my opinion,
> not anything authoritative, so feel free to ignore it if you think I've got it
> wrong.
>
> Brad
>
>
>
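The downgrade concern raised in the quoted reply, as an added example that is not part of the thread and is not NTLMSSP or Samba code: both ends MAC the negotiation as they saw it, so a rewritten algorithm offer is detected. The algorithm names, the key, and the functions `choose`, `transcript_mac` and `negotiate` are constructed for illustration.

```python
import hashlib
import hmac

# Constructed algorithm names, strongest first (assumption, not NTLMSSP fields).
PREFERENCE = ["sha512", "sha256", "md4"]

def choose(offered, supported=PREFERENCE):
    """Server side: pick the strongest algorithm both ends support."""
    for alg in supported:
        if alg in offered:
            return alg
    raise ValueError("no common algorithm")

def transcript_mac(key, offer, choice):
    """MAC over the negotiation as this party saw it.
    The MAC hash is fixed (SHA-256), so it does not depend on the negotiated,
    possibly downgraded, algorithm."""
    transcript = ",".join(offer).encode() + b"|" + choice.encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()

def negotiate(key, client_offer, tamper=None):
    """Run one negotiation. `tamper` models a MITM rewriting the offer in
    transit. Returns (chosen_algorithm, transcripts_match)."""
    seen_by_server = tamper(client_offer) if tamper else list(client_offer)
    choice = choose(seen_by_server)
    client_mac = transcript_mac(key, client_offer, choice)    # what was sent
    server_mac = transcript_mac(key, seen_by_server, choice)  # what arrived
    return choice, hmac.compare_digest(client_mac, server_mac)

if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed sample key
    offer = ["sha512", "sha256", "md4"]
    print(negotiate(key, offer))
    print(negotiate(key, offer, tamper=lambda o: ["md4"]))
```

The check only holds while the MITM cannot recover the MAC key before the handshake completes, and it does nothing for legacy peers that do not implement it, which is the interoperability problem the reply describes.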


More information about the samba-technical mailing list