Secure Password Authentication

Secure Password Authentication is a protocol used to authenticate with a Simple Mail Transfer Protocol (SMTP) server. The protocol is attributed to Microsoft, but it is not an original protocol; it is based on the NTLM authentication scheme.

NTLM Authentication Scheme for HTTP

Introduction

This is an attempt at documenting the undocumented NTLM authentication scheme used by Microsoft's browsers, proxies, and servers (Internet Explorer and IIS). This scheme is also sometimes referred to as the NT challenge/response (NTCR) scheme. Most of the info here is derived from three sources:
* Paul Ashton's work on the [http://www.argo.demon.co.uk/nt/ntie.html NTLM security holes]
* [http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.html Encryption documentation] from [http://samba.anu.edu.au/samba/ Samba]
* Network snooping

Since most of this info is reverse engineered it is bound to contain errors; however, at least one client and one server have been implemented according to this data and work successfully in conjunction with Microsoft's browsers, proxies and servers.

This scheme is not as secure as digest access authentication and some other schemes; however, it is slightly better than the basic authentication scheme. This scheme is not an HTTP authentication scheme; it is a connection authentication scheme that happens to (mis-)use HTTP status codes and headers (and even those incorrectly).

NTLM Handshake

When a client needs to authenticate itself to a proxy or server using the NTLM scheme, the following 4-way handshake takes place (only parts of the request and status line and the relevant headers are shown here; "C" is the client, "S" the server):

1: C --> S  GET ...
2: C <-- S  401 Unauthorized
            WWW-Authenticate: NTLM
3: C --> S  GET ...
            Authorization: NTLM <base64-encoded type-1-message>
4: C <-- S  401 Unauthorized
            WWW-Authenticate: NTLM <base64-encoded type-2-message>
5: C --> S  GET ...
            Authorization: NTLM <base64-encoded type-3-message>
6: C <-- S  200 Ok

Messages

The three messages sent in the handshake are binary structures. Each one is described below as a pseudo-C struct and in a memory layout diagram. byte is an 8-bit field; short is a 16-bit field. All fields are unsigned. Numbers are stored in little-endian order. Struct fields named zero contain all zeroes. An array length of "*" indicates a variable length field. Hexadecimal numbers and quoted characters in the comments of the struct indicate fixed values for the given field.

The field flags is presumed to contain flags, but their significance is unknown; the values given are just those found in the packet traces.

Type-1 Message

This message contains the host name and the NT domain name of the client.

struct { byte protocol [8] ; // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '
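As an added example (not from the article, and not Microsoft's or any browser's code), the following Python checker walks the six handshake steps above, decodes each NTLM header, reads the message type, and for the type-1 message extracts the client's host and domain names. Because the struct here is truncated, the type-1 field layout after the 8-byte signature is assumed from the public NTLMSSP description; build_type1 only constructs sample input in that layout (flag values are not on this page and are left zero).

```python
import base64
import struct
SIGNATURE = b"NTLMSSP\x00"   # the 8 protocol bytes that open every NTLM message

def ntlm_header(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")   # 'NTLM <base64-encoded message>'

def parse_ntlm_header(value):
    """Decode a 'WWW-Authenticate: NTLM ...' / 'Authorization: NTLM ...' value: bare 'NTLM'
    (step 2) gives type 0, else the message type; type-1 also yields domain and host name."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not b64:
        return {"type": 0}
    msg = base64.b64decode(b64)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    info = {"type": struct.unpack_from("<I", msg, 8)[0]}   # little-endian, as stated above
    if info["type"] == 1:
        # Assumed type-1 layout (public NTLMSSP description, not from this page): 32-bit flags
        # at offset 12, then (len, maxlen, offset) descriptors for domain (16) and host (24).
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
        for name, off in (("domain", 16), ("host", 24)):
            length, _, start = struct.unpack_from("<HHI", msg, off)
            info[name] = msg[start:start + length].decode("ascii", "replace")
    return info

def build_type1(domain, host, flags=0):
    """Constructed type-1 message in the layout parse_ntlm_header reads (example input only)."""
    dom, hst = domain.encode("ascii"), host.encode("ascii")
    hdr = SIGNATURE + struct.pack("<II", 1, flags)
    hdr += struct.pack("<HHI", len(dom), len(dom), 32 + len(hst))   # domain placed after host
    hdr += struct.pack("<HHI", len(hst), len(hst), 32)              # payload starts at byte 32
    return hdr + hst + dom

def check_handshake(exchange):
    """exchange: six (side, request-or-status line, NTLM header value or None) tuples, one per
    step above. Returns the message type seen at each step or raises on a broken sequence."""
    expected = [("C", "GET", None), ("S", "401", 0), ("C", "GET", 1),
                ("S", "401", 2), ("C", "GET", 3), ("S", "200", None)]
    if len(exchange) != len(expected):
        raise ValueError("a complete handshake has exactly six steps")
    seen = []
    for step, ((side, line, hdr), (exp_side, exp_line, exp_type)) in enumerate(zip(exchange, expected), 1):
        got = parse_ntlm_header(hdr)["type"] if hdr else None
        if side != exp_side or not line.startswith(exp_line) or got != exp_type:
            raise ValueError(f"step {step}: expected {exp_side} {exp_line} type {exp_type}, got {side} {line} type {got}")
        seen.append(got)
    return seen
```

A proxy or server log reviewer can feed real header values to parse_ntlm_header to inventory which clients still negotiate this scheme, which the text above rates only slightly better than basic authentication.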

Wikimedia Foundation. 2010.
