Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] Sorry for the NTLMv1/v2 confusion

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] Sorry for the NTLMv1/v2 confusion


Chronological Thread 
  • From: Ron Thielen <>
  • To: "" <>
  • Subject: [AD-Assurance] Sorry for the NTLMv1/v2 confusion
  • Date: Fri, 21 Jun 2013 17:13:48 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

I apologize for nearly derailing the conversation.  While I still maintain that hash stealing attacks against NTLMv2 are irrelevant to Silver assertion if you can't use the hash to authenticate to a service that compromises the actual password (e.g. as long as Shib isn't using Windows authentication), the piece I confused was that NTLMv1 does actually pass the password.  So, a brute force attack on v1 does get you the actual password, not just a hash collision.

 

This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CPM instead of MS-DOS back in the day.  :-)

 

Ron




Archive powered by MHonArc 2.6.16.

Top of Page