ad-assurance list archive: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Eric Goodman
- Subject: [AD-Assurance] More responses to Joe S's comments
- Date: Fri, 4 Oct 2013 22:49:35 +0000
Responding to a different point in his comments:
>-- 7.4
>
> Practical attacks against NTLMv2 exist. Example:
>
>
>http://www.irongeek.com/i.php?page=videos/derbycon2/1-2-4-zack-fasel-pwned-in-60-seconds-from-network-guest-to-windows-domain-admin
>
> Repeats the unacceptable "temporarily compromised" language.
>
> (yes, Zack is in the running for one of the top 10 most annoying
> presenters of all time, but still)
After watching the presentation, I think this is another "scoping" issue. Joe
is assuming we're making global statements about NTLMv2 and security, not
ones that are scoped to "for purposes of compliance".
There's nothing in the irongeek presentation that contradicts what we've
said. Our assertions are basically:
1) NTLMv2 can't be used to authenticate to the IdP
and
2) it is impractical to deduce a user's password by intercepting NTLMv2
packets
Therefore, NTLMv2 use is not in violation of the Silver IAP (assuming NTLM
cannot be used to authenticate to the IdP).
The presentation above is about performing MITM attacks to gain access to AD
DS resources (NOT the IdP and NOT the user's password). Quoting ourselves:
"Even though such intercepted credentials may be used to gain access to,
e.g., file shares in the AD Domain, this does not allow the IdP
authentication process to be compromised."
I'll note that the presentation did have an offhand comment that Windows LDAP
allows for NTLM authentication; I wasn't able to infer the "how" from
watching, but it did cause an eyebrow raise on my part.
--- Eric
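An added example (not from Eric's message, the cookbook draft, or the talk) that walks through what an NTLMv2 challenge/response actually puts on the wire, to make assertions 1 and 2 above concrete. The user name, domain, password, server challenge, client nonce, timestamp and target-info bytes are constructed values, not a real capture. The MD4 routine is included only because many OpenSSL 3 builds of Python no longer expose md4 through hashlib, and it is needed to turn a password into an NT hash.

```python
import hmac
import struct
from hashlib import md5

# ---- MD4 (RFC 1320) ---------------------------------------------------------
# Pure-Python MD4: hashlib.new("md4") is unavailable on many OpenSSL 3 builds.
# Only needed here to derive the NT hash from a password.
_MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)

def md4(data: bytes) -> bytes:
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in _ROUNDS:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

# ---- NTLMv2 (MS-NLMP 3.3.2) -------------------------------------------------
def nt_hash(password: str) -> bytes:
    """NTOWFv1 = MD4(UTF-16LE(password)). Stored by the DC; never sent."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), md5).digest()

def client_blob(timestamp: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure the client attaches to its response."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(password, user, domain, server_challenge, blob) -> bytes:
    """NtProofStr || temp: the only password-derived bytes that cross the wire."""
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, md5).digest()
    return proof + blob

def check_capture(candidate, user, domain, server_challenge, response) -> bool:
    """Recompute NtProofStr for a candidate password and compare it with the
    captured one. This is what the DC does to authenticate the user, and it is
    also everything an eavesdropper can do with a capture: test one guess at a time."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(candidate, user, domain), server_challenge + blob, md5).digest()
    return hmac.compare_digest(proof, expected)

# ---- A constructed exchange (hypothetical values, not a real capture) --------
USER, DOMAIN, PASSWORD = "jdoe", "CAMPUS", "Autumn-Leaves-2013"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")          # 8 bytes chosen by the DC
CLIENT_NONCE = bytes.fromhex("fedcba9876543210")              # 8 bytes chosen by the client
TARGET_INFO = b"\x02\x00\x0c\x00" + "CAMPUS".encode("utf-16-le") + b"\x00\x00\x00\x00"
BLOB = client_blob(0x01CEC12345678000, CLIENT_NONCE, TARGET_INFO)
RESPONSE = ntlmv2_response(PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, BLOB)

def password_material_on_wire() -> bool:
    """True if the password or the NT hash appears anywhere in the exchange."""
    wire = SERVER_CHALLENGE + RESPONSE
    return (PASSWORD.encode("utf-16-le") in wire) or (nt_hash(PASSWORD) in wire)

if __name__ == "__main__":
    print("NT hash (never sent):     ", nt_hash(PASSWORD).hex())
    print("Server challenge:         ", SERVER_CHALLENGE.hex())
    print("NtProofStr on the wire:   ", RESPONSE[:16].hex())
    print("Correct password verifies:", check_capture(PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, RESPONSE))
    print("Wrong guess verifies:     ", check_capture("Winter2013", USER, DOMAIN, SERVER_CHALLENGE, RESPONSE))
    print("Replay to a new challenge:", check_capture(PASSWORD, USER, DOMAIN, bytes(8), RESPONSE))
```

Two things the run makes visible. First, neither the password nor the NT hash is in the exchange; what crosses the wire is an HMAC-MD5 output keyed from the NT hash, so the only route from a capture back to the password is to run check_capture against candidate passwords, and the cost of that is the cost of guessing the password. Second, NtProofStr is bound to the server's challenge, so the captured response fails against a fresh challenge; turning intercepted NTLMv2 traffic into access to AD resources, as in the talk above, means relaying the live exchange to another service, not replaying a recorded one.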