[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: using active directory keys

On Wed, 2005-01-19 at 23:24 +0000, Dave Love wrote:
> Andrew Bartlett <abartlet@samba.org> writes:
> > Firstly, I think that the type 23 keys (arcfour-hmac-md5, aka the NT
> > hash) are now in the default key types, and while it is a limited type,
> > with less than broad support on older kerberos libs.  It's not my
> > understanding that the type 23 keys are particularly weak in any way.
> Sorry for the misinformation, then.  I've certainly seen them
> described as weak in places like bugtraq, though.  I was expecting
> Love or someone to check it anyhow.

I'm assuming (but would enjoy to hear from folks who know the kerberos
side better than aI) that this is related to it's use in NTLM challenge-
response authentication, where the use of the hash (rather than the hash
itself) is rather weak.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

This is a digitally signed message part