On the Security of Some Authentication Mechanisms from Windows

CONTI'2008 The 8th INTERNATIONAL CONFERENCE ON TECHNICAL INFORMATICS, 5-6 June 2008, TIMISOARA, ROMANIA

Bogdan Groza*, Andrei Alexandroni**, Ioan Silea***, Victor-Valeriu Patriciu****

*Politehnica University of Timisoara, Faculty of Automatics and Computers, Timisoara, Romania, E-Mail: [email protected], WWW: http://www.aut.upt.ro/~bgroza/
**Pensive S.A., Brussels, Belgium, E-Mail: [email protected]
***Politehnica University of Timisoara, Faculty of Automatics and Computers, Timisoara, Romania, E-Mail: [email protected], WWW: http://www.aut.upt.ro/~isilea/
****Military Technical Academy, Department of Computer Engineering, Bucharest, Romania, E-Mail: [email protected], WWW: http://www.mta.ro/conducere/victor_patriciu.php

Abstract – The paper investigates some authentication mechanisms used in Windows. In particular, the NTLM authentication protocol, which is commonly used in several solutions from Microsoft, is analyzed. The NTLM authentication is completely unsafe in several variants of use, and some of its weaknesses were previously known. A critical analysis is done, the weaknesses are explained and the safe solutions are underlined. As a practical example it is shown how the NTLM authentication from SharePoint based portals can be exploited to steal passwords and how to configure NTLM for safe use. This analysis is relevant as SharePoint becomes widely used and NTLM is still the default option and the only authentication mechanism available when there is no support for Kerberos. Also, a comparison between the password based authentication from UNIX based OS and Windows is done.

Keywords: authentication, cryptography, NTLM, protocol.

I. INTRODUCTION

Authentication, and in particular entity authentication or identification, is a major security objective nowadays as proving someone's identity is the most common action in all systems. Also there is a large variety of authentication protocols based on cryptographic techniques, which have been studied for a long time by the security community; some of them are known to be secure, others are known for their weaknesses. A basic textbook [3], [12] or a survey [5] can be consulted for more on authentication protocols.

It may be relevant to note that there are three types of entity authentication mechanisms: password based, challenge-response and zero-knowledge. Password based authentication is the most commonly used mechanism and it is based on the use of a secret known as password. Because passwords can be stolen, one-time passwords are an improved mechanism which makes passwords valid only once; however, their use in practice is limited. Challenge-response mechanisms are also frequent in practice and offer a stronger security level. The main idea is that the identity of a user is verified based on a response to a particular challenge that is usually a random value; therefore, even if an attacker captures a response for some challenge, it can not be used for subsequent impersonation of the user, because future challenges will be different. Challenge-response protocols can be built on both symmetric or asymmetric cryptographic primitives. Zero-knowledge protocols are the most advanced authentication protocols; however, they are more computationally intensive and more difficult to implement, and because of this are not frequent in practice. As will be discussed in what follows, both password based authentication and challenge-response authentication are present in Windows.

Although there are numerous solutions with a strong foundation and provable security, protocols that are known to be insecure still continue to be used in practice. One example of such a protocol is the NTLM (NT LAN Manager) protocol used by some Microsoft products with the SMB protocol. NTLM is a challenge-response protocol consisting of three phases between the client and the server: the negotiation phase, when the client sends a message to the server; the challenge phase, when the server responds to the client message with a challenge; and the authentication phase, which is the most important part when it comes to cryptography. In the authentication phase the client replies to the server challenge and the access to the requested resource is granted or denied. More details on the protocol will be given in the forthcoming section. Although some of its weaknesses are known [4], [10], [14], it continues to be used in several situations. One such example, which will be outlined in this paper, is the use in web portals developed through Microsoft SharePoint.

SharePoint (http://www.microsoft.com/sharepoint) is the document management and collaboration platform from Microsoft. It is a platform used by organizations to facilitate content management across the enterprise, to easily manage and track business processes and to provide collaborative spaces for different groups of users. SharePoint is becoming one of the preferred solutions for companies because of the ease of use and the large number of issues addressed by its features. The first versions of the product were released in 2001, advancing over time to the current versions which are Windows SharePoint Services 3.0 - a free product coming as an additional component of Windows Server 2003 and Windows Server 2008, and Microsoft Office SharePoint Server 2007 (MOSS 2007) - the full-featured product coming as an additional server. SharePoint solutions can be used in a large variety of environments, starting from collaborative spaces for universities to eGovernment resource sharing platforms.

Regarding authentication on the SharePoint web application, which is a practical example for this paper, there are two main possibilities of configuration: NTLM authentication (which is the default), and Kerberos authentication. A great number of real world implementations of SharePoint use NTLM authentication, although the ticket-based protocol Kerberos is known to be more secure. NTLM is the preferred choice for the authentication protocol mainly because it does not require any additional configuration. On the other side, Kerberos requires a trusted connection to the Active Directory domain Key Distribution Center for both the client and the server. The client, willing to authenticate by using Kerberos in order to get access to a protected resource, must construct a service principal name, which should be previously configured (by using the Setspn.exe tool included in the Windows Support Tools, for example). NTLM is still used in some situations: the client is authenticating to a server using an IP address; the client is authenticating to a server that belongs to a different Active Directory; no Active Directory domain exists; a firewall restricts the ports required by Kerberos. Consequently, in many cases, the default NTLM authentication is chosen for SharePoint implementations.

The paper is organized as follows. Section II holds an overview of the NTLM authentication protocol. In section III some design weaknesses of the used cryptographic primitives and of the protocol are presented, a comparison between the password based security from Windows and Unix is also done, and the insecurity of NTLM for use in SharePoint solutions is inspected. Section IV holds the conclusions of the paper.

II. AN OVERVIEW OF THE NTLM AUTHENTICATION

Besides the anonymous response variant in which no authentication takes place, five variants of authentication, based on the response for the given challenge, are available: LM Response, NTLM Response, NTLMv2 Response, LMv2 Response, NTLM2 Session Response. A complete description can be found in [9] and another good reference is [10]. All five variants are challenge-response mechanisms based on the following three round paradigm:

1. Client → Server : Type 1 Message
2. Server → Client : Type 2 Message (includes the 64 bit challenge from the server)
3. Client → Server : Type 3 Message (includes the response from the client)

The type 1 message is used only to negotiate the type of authentication and for this exposition its details are not useful. The type 2 message contains a challenge from the server which is an 8 byte Nonce. The type 3 message, which is the response to the challenge, is constructed differently for each of the five variants.

Three variants are based on the LM Response with DES [7] as the underlying cryptographic primitive. The response stage for LM Response and NTLM Response is the following:

Client → Server : DES_{K_1}(challenge) || DES_{K_2}(challenge) || DES_{K_3}(challenge)

In the case of NTLM2 Session Response the challenge is concatenated with a Nonce generated by the client in order to avoid dictionary attacks. This value is hashed using MD5 [13] and only the first 64 bits are preserved to obtain the session hash:

sessionHash = \lfloor MD5(challenge || Nonce) \rfloor_{64-bits}

Client → Server : DES_{K_1}(sessionHash) || DES_{K_2}(sessionHash) || DES_{K_3}(sessionHash)

The keys for the DES encryption in step 3 are based on a 16 byte KeyMaterial generated from the user password. For the LM Response the first 14 bytes of the password are used to create two DES keys (if the password is shorter than 14 bytes it is null padded). Then these two values are used as keys to encrypt the constant "KGS!@#$%", also called the "magic constant". This encrypted value is also known as the LMHash:

KeyMaterial = DES_{KE1(password)}("KGS!@#$%") || DES_{KE2(password)}("KGS!@#$%")

Here, by KE1 and KE2 we denote two key extraction functions which are used to extract the DES keys from the password. These functions perform some non-cryptographic operations on the password which are not relevant, except for the fact that all letters are turned to upper-case (for details see [9]). For the NTLM Response and NTLM2 Session Response the password bytes are simply passed through the MD4 hash function to obtain:

KeyMaterial = MD4(password)

Now these 128 bits are null-padded with 40 bits and used to create the 3 DES keys, i.e. K1, K2, K3, as follows:

K_1 = Transform(KeyMaterial_{1,7})

However the problem is even bigger at the generation of the DES keys since the third key, i.e. K_3 = Transform(KeyMaterial_{15,16} || 0_{17,22}), has only 16 bits of random information while the last 40 bits are all set to 0.
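The key derivation described above, as an added worked example written for this page (it is not code from the paper or from Microsoft): the KeyMaterial is computed as MD4 of the UTF-16LE password, null-padded from 16 to 21 bytes and split into three 7-byte chunks, and each chunk is expanded into an 8-byte DES key. The paper's Transform is assumed here to be the standard DES key construction (seven data bits per byte plus a parity bit); MD4 is implemented in pure Python because hashlib does not always expose it. The DES encryption of the challenge itself is omitted, since the standard library has no DES, and the password and challenge values are constructed samples. The last function counts the distinct keys K3 can take, which shows the 16-bit weakness of the third key directly.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled on modern OpenSSL."""
    bit_len = len(data) * 8
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], [3, 7, 11, 19]),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + X[order[i]] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers as in the RFC step order
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """KeyMaterial = MD4(password) over the UTF-16LE password bytes (the NT hash)."""
    return md4(password.encode("utf-16-le"))


def des_key_from_7_bytes(chunk: bytes) -> bytes:
    """Assumed form of the paper's Transform: 56 bits -> 8 DES key bytes, 7 data bits
    each, low bit set for odd parity."""
    assert len(chunk) == 7
    bits = int.from_bytes(chunk, "big")
    key = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1
        key.append(b)
    return bytes(key)


def ntlm_des_keys(key_material: bytes):
    """Null-pad the 16-byte KeyMaterial to 21 bytes and derive K1, K2, K3."""
    assert len(key_material) == 16
    padded = key_material + b"\x00" * 5
    return [des_key_from_7_bytes(padded[i:i + 7]) for i in (0, 7, 14)]


def ntlm2_session_hash(server_challenge: bytes, client_nonce: bytes) -> bytes:
    """sessionHash = first 64 bits of MD5(challenge || Nonce)."""
    return hashlib.md5(server_challenge + client_nonce).digest()[:8]


def k3_keyspace_size() -> int:
    """How many distinct K3 keys exist: only KeyMaterial bytes 15-16 vary, the
    remaining 40 key bits are always zero."""
    keys = set()
    for v in range(1 << 16):
        keys.add(des_key_from_7_bytes(v.to_bytes(2, "big") + b"\x00" * 5))
    return len(keys)


if __name__ == "__main__":
    km = nt_hash("password")                      # constructed sample password
    k1, k2, k3 = ntlm_des_keys(km)
    print("KeyMaterial:", km.hex())
    print("K1, K2, K3 :", k1.hex(), k2.hex(), k3.hex())
    print("session hash:", ntlm2_session_hash(b"\x01" * 8, b"\x02" * 8).hex())  # constructed
    print("distinct K3 keys:", k3_keyspace_size())
```

Running it shows that the expanded K3 ends in five 0x01 bytes (zero data bits plus parity), so a verifier that accepts LM or NTLM responses is relying on a third DES key drawn from only 65536 possibilities, which is why the paper treats these variants as unsafe and recommends the configuration changes discussed later.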
