RE: Basic/NT: Case sensitivity of the passwords.

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Wed, 9 May 2001 08:48:53 +0200

> Hello.
>
> I am currently looking at the Basic/NT authentication system of Squid,
> and I found out that whatever password entered, it will be considered
> as case-insensitive by the PDC when sent in clear.
>
> Does any body knows how to change this behavior as it could be a
> potential issue? According to the last samba code I looked at, the
> behavior should be exactly the same (so, passwords are
> case-insensitives), even if the password is crypted (using
> SMBEncrypt).

This is a "feature" of the authentication scheme.
NT authentication can use two different hashes for auth
purposes. One is the (more recent) "NT hash", which is case-sensitive.
The other is the (older) "LM hash" (as in Lan Manager hash) which is
case-insensitive, and is the one used by the auth code.
The problem is, I'm not really sure on HOW (if it's possible at all)
to use the stronger NT hash scheme.

This case-insensitivity is one of the most dangerous aspects
of the NT authentication schemes. Since it reduces the key space
enormously, brute-forcing an LM password is not hard at all.

-- 
	/kinkie
Received on Wed May 09 2001 - 00:43:51 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:00 MST