NTLM is a Microsoft authentication protocol used with the SMB protocol. It is the successor of LANMAN, an older Microsoft authentication protocol, and was designed to remain backwards compatible with it. The initials NTLM stand for NT LanMan (i.e. LanMan for Windows NT). NTLM was followed by version two, NTLMv2, at which point the original was renamed NTLMv1.
Before there was official documentation of the protocol, much of what was known about it was reverse-engineered by the Samba team through network analysis. The cryptographic calculations are identical to those of MS-CHAP and are documented in RFC 2433 for v1 and RFC 2759 for v2. Both MS-CHAP v1 and v2 have been analyzed; Bruce Schneier, Peiter Zatko and David Wagner, among other researchers, found weaknesses in both protocols. Both protocols remain in widespread use.
We will only discuss the latest NTLMv2 protocol here and use the term NTLM to refer to it.
NTLM is a challenge-response authentication protocol that is cryptographically stronger than NTLMv1. The challenge-response mechanism of the protocol involves the exchange of three messages between the client (wishing to authenticate) and the server (requesting authentication), as follows:
1. The client first sends a Type 1 message to the server containing a set of flags describing the features it supports or requests (such as encryption key sizes, a request for mutual authentication, etc.).
2. The server responds with a Type 2 message containing a similar set of flags supported or required by the server (thus allowing client and server to agree on the authentication parameters) and, more importantly, a random challenge (8 bytes long).
3. Finally, the client uses the challenge obtained from the Type 2 message together with the user's credentials to calculate the response. The calculation differs depending on the NTLM authentication parameters negotiated previously, but in general it applies the MD4/MD5 hashing algorithms and DES encryption to compute the response. The client then sends the response to the server in a Type 3 message.
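The three-message exchange above, as an added example that is not part of the original post: a simulated client and server in Python that walk through Type 1, Type 2 and Type 3 and the NTLMv2 response calculation (MD4 for the NT hash, HMAC-MD5 for the NTLMv2 key and the proof). The flag names, the `alice`/`CORP` account and the simplified client blob are constructed for illustration; MD4 is implemented inline because many OpenSSL builds ship without it. The server side works only from the stored NT hash, as a real domain controller would.

```python
"""Simulated NTLMv2 challenge-response exchange (added example, not the post's own code)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); inlined because hashlib's md4 is often disabled."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # 64-bit little-endian bit length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, message-word order, additive constant, shift table)
        (f, tuple(range(16)), 0, (3, 7, 11, 19)),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), 0x5A827999, (3, 5, 9, 13)),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), 0x6ED9EBA1, (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, order, const, shifts in rounds:
            for i, j in enumerate(order):
                k = -i % 4  # which of a,b,c,d is updated in this step
                v[k] = rotl((v[k] + func(v[(k + 1) % 4], v[(k + 2) % 4], v[(k + 3) % 4])
                             + x[j] + const) & _MASK, shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what the server stores."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain (UTF-16LE)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def type1_negotiate() -> dict:
    """Type 1: the client advertises requested features (flag names are illustrative)."""
    return {"type": 1, "flags": {"UNICODE", "NTLMv2", "TARGET_INFO"}}


def type2_challenge(type1: dict) -> dict:
    """Type 2: the server returns the agreed flags and a fresh 8-byte random challenge."""
    agreed = type1["flags"] & {"UNICODE", "NTLMv2", "TARGET_INFO"}
    return {"type": 2, "flags": agreed, "challenge": os.urandom(8)}


def _blob(client_nonce: bytes, timestamp: int) -> bytes:
    """Simplified NTLMv2 client blob: header, timestamp, client nonce, padding (target info omitted)."""
    return b"\x01\x01\x00\x00\x00\x00\x00\x00" + struct.pack("<Q", timestamp) + client_nonce + b"\x00" * 4


def type3_authenticate(type2: dict, user: str, domain: str, password: str,
                       client_nonce: Optional[bytes] = None, timestamp: Optional[int] = None) -> dict:
    """Type 3: the client proves knowledge of the password-derived key; the key itself never leaves."""
    blob = _blob(client_nonce or os.urandom(8), int(time.time()) if timestamp is None else timestamp)
    proof = hmac.new(ntlmv2_hash(password, user, domain), type2["challenge"] + blob, hashlib.md5).digest()
    return {"type": 3, "user": user, "domain": domain, "nt_proof": proof, "blob": blob}


def server_verify(type2: dict, type3: dict, stored_nt_hash: bytes) -> bool:
    """The server recomputes the proof from the stored NT hash and the challenge it issued."""
    key = hmac.new(stored_nt_hash, (type3["user"].upper() + type3["domain"]).encode("utf-16-le"),
                   hashlib.md5).digest()
    expected = hmac.new(key, type2["challenge"] + type3["blob"], hashlib.md5).digest()
    return hmac.compare_digest(expected, type3["nt_proof"])


def run_exchange(client_password: str, directory_password: str, user: str = "alice", domain: str = "CORP") -> bool:
    """Full Type 1 -> Type 2 -> Type 3 round trip; True when the server accepts the response."""
    t1 = type1_negotiate()
    t2 = type2_challenge(t1)
    t3 = type3_authenticate(t2, user, domain, client_password)
    return server_verify(t2, t3, nt_hash(directory_password))


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("correct password accepted:", run_exchange("Secret123", "Secret123"))
    print("wrong password accepted:", run_exchange("wrong", "Secret123"))
```

Two points the code makes visible: the server never needs the cleartext password, only the NT hash, which is why that hash must be protected as carefully as the password itself; and a Type 3 response is bound to the server's own random challenge, so a response captured from one exchange fails verification against a different challenge, which is the property the random nonce in the Type 2 message exists to provide.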