[PATCH 0/2] crypto: remove MD4 generic shash

Andrew Bartlett abartlet at samba.org
Thu Aug 19 03:49:14 UTC 2021

On Wed, 2021-08-18 at 15:08 -0700, Jeremy Allison via samba-technical
> My 2 cents. Preventing NTLM authentication/signing from working would
> be a negative for the Linux kernel client. I don't mind if that code
> has to be isolated inside cifs.ko, but it really needs to keep working,
> at least until we have a pluggable client auth in cifs.ko and Samba
> that allows the single-server (non AD-Domain) case to keep working
> easily.

I would echo that, and also just remind folks that MD4 in NTLMSSP is
used as compression only; it has no security value.  The security
would be the same if the password was compressed with MD4, SHA1 or
SHA256 - the security comes from the complexity of the password and the
HMAC-MD5 rounds inside NTLMv2.

I'll also mention the use of MD4, which is used to re-encrypt a
short-term key with the long-term key out of the NTLMv2 scheme.  This
thankfully is an unchecksummed simple RC4 round of one random value with
another, so not subject to known-plaintext attacks here.

I know neither MD4 nor HMAC-MD5 is flavour of the month any more,
with good reason, but we would not want to go the way of NFSv4 which
is, as I understand it, full Kerberos or bust (so folks choose no

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
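The point made above, that MD4 enters NTLMv2 only as the one-way function producing the NT hash and that everything after it is HMAC-MD5 keyed by that hash, is easiest to see by writing the key chain out. The following is an added illustration, not code from this thread, from Samba or from cifs.ko; it follows the NTOWFv1, NTOWFv2 and NTLMv2 response definitions in MS-NLMP. MD4 is implemented inline because OpenSSL 3 only exposes it through the legacy provider, so `hashlib.new("md4")` is not reliably available. The `temp` blob built in the demonstration block is a constructed, simplified client blob (it is not the MS-NLMP test vector), while the user, domain, password and server challenge are the public example values from MS-NLMP section 4.2.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because OpenSSL 3 hides it behind the legacy provider."""
    msg = bytearray(data)
    msg.append(0x80)                       # mandatory 1-bit then zero padding ...
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # ... up to the 64-bit length

    # (round function, additive constant, shift schedule, message-word order) for rounds 1..3
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, shifts, order in rounds:
            for i in range(16):
                t = (4 - i % 4) % 4        # register updated this step: a, d, c, b, a, ...
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(p, q, r) + x[order[i]] + const) & MASK32,
                             shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): MD4 of the UTF-16LE password.

    This is the only place MD4 appears in the NTLMv2 chain: it turns a
    variable-length password into a fixed 16-byte key. Any other
    one-way function would serve the same role.
    """
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed by the NT hash over UPPER(user) || domain."""
    salt = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), salt, hashlib.md5).digest()


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, temp: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    key = ntowf_v2(password, user, domain)
    nt_proof_str = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof_str + temp


if __name__ == "__main__":
    # Public example values from MS-NLMP section 4.2; the temp blob is constructed here.
    server_challenge = bytes.fromhex("0123456789abcdef")
    temp = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xaa" * 8 + b"\x00" * 4 + b"\x00" * 4
    print("NT hash   :", nt_hash("Password").hex())
    print("NTOWFv2   :", ntowf_v2("Password", "User", "Domain").hex())
    print("NTProofStr:", ntlmv2_response("Password", "User", "Domain", server_challenge, temp)[:16].hex())
```

Reading the chain top to bottom makes the argument concrete: the 16 bytes out of `nt_hash` are a key, not something verified on the wire, and each subsequent step is an HMAC-MD5 that a verifier can only recompute if it also holds that key. Collision weaknesses in MD4 do not help a third party here; what an attacker would need is the password itself, which is why the strength of the response tracks password complexity as the message above says.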
