ad-assurance - RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC
- Date: Mon, 20 May 2013 16:25:44 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport02.merit.edu; dkim=neutral (message not signed) header.i=none
We should probably consider some of the assumptions in NIST SP 800-63 and apply those assumptions to Bronze and Silver. For example, authentications over the
internal network for AD-DS probably use the internal (controlled) network, whereas Federated Shibboleth and SAML 2.0 authentications and assertions would be more likely to use the external network.
“The guidelines in this document assume the authentication and transaction take place across an open network such as the Internet.
In cases where the authentication and transaction take place over a controlled network, agencies may take these security controls into account as part of their risk assessment.” How to take those security controls into account is a question we should probably consider. More assumptions from SP800-63:
•
A trusted entity is considered to be implemented appropriately if it complies with the recommendations in this document and does not behave maliciously.
•
While it is generally assumed that trusted entities will not behave maliciously, this document does contain some recommendations to reduce and isolate any damage done by a malicious or negligent
trusted entity. Assumptions about the NETWORK: An open communications medium, typically the Internet, that is used to transport messages between the Claimant and other parties. Unless otherwise stated, no assumptions are made about the security of the network;
it is assumed to be open and subject to active (i.e., impersonation, man-in-the-middle, session hijacking) and passive (i.e., eavesdropping) attack at any point between the parties (e.g., Claimant, Verifier, CSP or RP).
See also SP800-63 section 8.2.2. Threat Mitigation Strategies
•
Eavesdropping resistance
•
Replay resistance
•
Hijacking resistance
•
Man-in-the-middle resistance Jeff From: [mailto:]
On Behalf Of Brian Arkills I think this is pretty accurate. There are eavesdropper & replay attacks for both NTLMv2 & Kerberos, but they aren't isolated to attacks solely of those natures. Instead they are combination
attacks which include eavesdropping, replay, and man-in-the-middle to achieve a session to the destination host whose pre-authentication exchange was previously eavesdropped. I might wordsmith this sentence: "There are currently no known off-the-shelf methods for
breaking these protocols resistance to eavesdropper attacks in real-world environments." to something slightly different, like: "The only known method of breaking these protocols resistance to X attacks involves a combination of multiple attacks and styles of attack. For the purposes
of the IAP, that method can be mitigated by employing reasonable security practices to domain controllers." or perhaps it'd be cleaner to just drop that sentence. From:
[]
On Behalf Of David Walker I went through the relevant IAP sections to determine which need an Alternative means statement for NTLMv2 and Kerberos with RC4-HMAC. What I came up with is that none do. See: https://spaces.internet2.edu/x/hAlOAg
|
- [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/17/2013
- RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, Brian Arkills, 05/20/2013
- Re: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/20/2013
- Re: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/20/2013
- RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, Eric Goodman, 05/20/2013
- Re: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/20/2013
- RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, Michael W. Brogan, 05/20/2013
- RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, Eric Goodman, 05/20/2013
- Re: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/20/2013
- RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, Capehart,Jeffrey D, 05/20/2013
- Re: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/20/2013
- RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, Capehart,Jeffrey D, 05/20/2013
- Re: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/20/2013
- Re: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, David Walker, 05/20/2013
- RE: [AD-Assurance] NTLMv2 and Kerberos with RC4-HMAC, Brian Arkills, 05/20/2013
Archive powered by MHonArc 2.6.16.