Meeting the InCommon Assurance profile criteria using Active Directory

[Eric Goodman <>]

I was going to make the same apology for unnecessarily describing what Pass-the-Hash attacks are in detail, which was of course totally unnecessary.

 

--- Eric

 

From: [mailto:] On Behalf Of Ron Thielen
Sent: Friday, June 21, 2013 10:14 AM
To:
Subject: [AD-Assurance] Sorry for the NTLMv1/v2 confusion

 

I apologize for nearly derailing the conversation.  While I still maintain that hash stealing attacks against NTLMv2 are irrelevant to Silver assertion if you can't use the hash to authenticate to a service that compromises the actual password (e.g. as long as Shib isn't using Windows authentication), the piece I confused was that NTLMv1 does actually pass the password.  So, a brute force attack on v1 does get you the actual password, not just a hash collision.

 

This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CPM instead of MS-DOS back in the day.  :-)

 

Ron