Skip to Content.
Sympa Menu

ad-assurance - RE: [AD-Assurance] Notes from last Friday's (6/21/2013) AD Assurance call

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

RE: [AD-Assurance] Notes from last Friday's (6/21/2013) AD Assurance call

Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Notes from last Friday's (6/21/2013) AD Assurance call
  • Date: Mon, 24 Jun 2013 21:30:53 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none


There was continued discussion of the "practicality" of cracks against RC4. We will need to resolve those issues after a discussion with Microsoft to explore the likely effectiveness of their response to a "practical" attack.


I did not think the eavesdropping/hash capture/offline cracking attacks were limited to RC4, but if we are strictly speaking of NTLMv2 and RC4-HMAC (used in Kerberos) then I can see those as concerns.


Here’s what Microsoft says on the MSDN regarding NTLM:

5.1 Security Considerations for Implementers


Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) or message digest algorithms ([RFC1321]) for integrity, and it uses RC4 for encryption. Deriving a key from a password is as specified in [RFC1320] and [FIPS46-2]. Therefore, applications are generally advised not to use NTLM.


Other places where RC4 are used would be for syskey (protecting the password store) and in some cases HTTPS where the protocol is using the RC4 cipher.


Jeff C.

From: [mailto:] On Behalf Of David Walker
Sent: Monday, June 24, 2013 3:58 PM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Notes from last Friday's (6/21/2013) AD Assurance call



I've posted quick notes from last Friday's call on the wiki: .

When I sat down to do this today, I found that my notes from Friday were pretty sketchy, so please enhance the notes as you see fit.


Archive powered by MHonArc 2.6.16.

Top of Page