RE: [squid-users] Re: ntlm won't prompt

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 11 Jul 2003 16:51:40 +0200

Fri 2003-07-11 at 15:08, Robert Collins wrote:

> We support nonces, but not client nonces. md5-sess requires client nonce
> support.

Err.. Squid supports client nonces, it is just not capable of triggering md5-sess
HHA1 calculation, and lacks a helper interface for md5-sess HA1
exchanges.

> NT Provides Digest for IIS, but under some constraints:
> * You MUST have an AD Domain
> * You MUST turn on 'store passwords with reversible encryption' in the
> AD policies.

Rumor is that the IIS must also be a domain controller, but I have not
seen this verified.

> To enlarge on my other message, this is actually less secure in a funny
> way.
>
> let's compare a hypothetical digest SSO, and a hypothetical basic/ssl SSO

Sure, basic over ssl is less secure than Digest, but probably provides a
reasonable level for most uses and is a whole lot easier to integrate
with existing directory services.

> squid creates a nonce, challenges the client.
> the client gets the challenge, creates its own nonce, hands both to the
> directory service over its *already existing* secured link, and receives
> back a one-time HHA1 - specific to the two nonces. the client then sends
> the calculated digest response using the HHA1.
> squid receives the response, with the new client nonce. squid then
> requests a HHA1 to match (user, realm, squid-nonce, client-nonce) from
> its connection to the directory service. squid then is able to validate
> the response.

Correct, except that the nonce creation should be done by the
OS/Directory for secure MD5-sess exchanges as outlined in my previous
message. If not, the system is vulnerable to cryptographic attacks on the
MD5-sess exchange. If the OS/Directory can establish full trust in the
application/server then nonce creation may be left to the
application/server, but I see no valid reason why to do this.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions are only answered
for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
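The Digest md5-sess exchange the two messages describe, as an added example that is not code from the thread, from Squid, or from any directory product. It follows RFC 2617 (algorithm=MD5-sess, qop=auth): the constructed DirectoryService stores only H(A1) = MD5(user:realm:password), issues the server nonces itself (Henrik's point), and releases only the session value MD5(H(A1):nonce:cnonce) bound to both nonces, so the proxy validates a response without ever seeing the password or the static H(A1). The client side is modelled as computing the same session value from the credentials it already holds; all names, the realm and the sample user are assumptions.

```python
import hashlib
import hmac
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


class DirectoryService:
    """Constructed stand-in for the OS/directory side of the thread.

    Keeps H(A1) = MD5(user:realm:password) per user and never releases it;
    issues the server nonces; hands out only the md5-sess session value
    MD5(H(A1):nonce:cnonce), which is useless without both nonces.
    """

    def __init__(self, realm, users):
        self.realm = realm
        self._ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self._issued = set()

    def issue_nonce(self, nonce=None):
        # The explicit argument exists only to make examples deterministic;
        # in use, let the directory pick the random value itself.
        nonce = nonce or secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def session_ha1(self, user, nonce, cnonce):
        # RFC 2617 3.2.2.2, MD5-sess: A1 is bound to server nonce and cnonce.
        # A nonce the directory did not issue is refused outright.
        if nonce not in self._issued or user not in self._ha1:
            return None
        return md5hex(f"{self._ha1[user]}:{nonce}:{cnonce}")


def digest_response(session_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth (RFC 2617 3.2.2.1)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{session_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user, realm, password, method, uri, nonce, cnonce,
                    nc="00000001"):
    """Client side: derives the session value from the credentials it holds
    (the same value the directory returns over the client's trusted link in
    the thread's description) and answers the proxy's challenge."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    session = md5hex(f"{ha1}:{nonce}:{cnonce}")
    return digest_response(session, method, uri, nonce, nc, cnonce)


def proxy_validate(directory, user, method, uri, nonce, nc, cnonce, response):
    """Proxy (Squid) side: asks the directory for the session value matching
    (user, nonce, cnonce) and compares in constant time. The proxy never
    learns the password or the static H(A1)."""
    session = directory.session_ha1(user, nonce, cnonce)
    if session is None:
        return False
    expected = digest_response(session, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample user and realm.
    directory = DirectoryService("proxy.example", {"alice": "s3cret"})
    nonce = directory.issue_nonce()
    cnonce = secrets.token_hex(8)
    resp = client_response("alice", "proxy.example", "s3cret", "GET",
                           "http://www.example/", nonce, cnonce)
    print("accepted:", proxy_validate(directory, "alice", "GET",
                                      "http://www.example/", nonce,
                                      "00000001", cnonce, resp))
```

The last two checks in the test matter for Henrik's remark: because the session value is bound to both nonces and the directory only answers for nonces it issued, a captured response is worthless against a different client nonce, and a challenge minted by anything other than the directory is rejected before any hashing happens.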
Received on Fri Jul 11 2003 - 08:51:46 MDT
