
ad-assurance - Re: [AD-Assurance] Notes from last Friday's (6/21/2013) AD Assurance call

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] Notes from last Friday's (6/21/2013) AD Assurance call
  • Date: Mon, 24 Jun 2013 14:41:27 -0700
  • Authentication-results: sfpop-ironport07.merit.edu; dkim=pass (signature verified)

Thanks, Jeff.  Regarding...

Other places where RC4 is used would be for syskey (protecting the password store) and in some cases HTTPS where the protocol is using the RC4 cipher.

I think we've decided that RC4 is not strong enough for encryption of the password store (hence the BitLocker recommendation), but its use in NTLMv2, Kerberos (and HTTPS?) is still in question.

David

On Mon, 2013-06-24 at 21:30 +0000, Capehart,Jeffrey D wrote:
Regarding:

There was continued discussion of the "practicality" of cracks against RC4. We will need to resolve those issues after a discussion with Microsoft to explore the likely effectiveness of their response to a "practical" attack.

I did not think the eavesdropping/hash capture/offline cracking attacks were limited to RC4, but if we are strictly speaking of NTLMv2 and RC4-HMAC (used in Kerberos) then I can see those as concerns.

Here’s what Microsoft says on the MSDN regarding NTLM:

5.1 Security Considerations for Implementers

http://msdn.microsoft.com/en-us/library/cc236715.aspx

Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) or message digest algorithms ([RFC1321]) for integrity, and it uses RC4 for encryption. Deriving a key from a password is as specified in [RFC1320] and [FIPS46-2]. Therefore, applications are generally advised not to use NTLM.

Other places where RC4 is used would be for syskey (protecting the password store) and in some cases HTTPS where the protocol is using the RC4 cipher.

Jeff C.

From: [mailto:] On Behalf Of David Walker
Sent: Monday, June 24, 2013 3:58 PM
To: InCommon AD Assurance Group
Cc: DHW
Subject: [AD-Assurance] Notes from last Friday's (6/21/2013) AD Assurance call


Everyone,

I've posted quick notes from last Friday's call on the wiki:  https://spaces.internet2.edu/x/DBFOAg .

When I sat down to do this today, I found that my notes from Friday were pretty sketchy, so please enhance the notes as you see fit.

David





