Msg
Msg: the user name
the challenge
the response
DC: domain controller
SAM (Security Account Manager Database)
Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 0: A user accesses a client machine and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password. (Interactive authentication only)
Step 1: The client sends the user name to the server (in plaintext).
Step 2: The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 3: The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
Step 4: The server sends the following three items to the domain controller: the user name, the challenge sent to the client, and the response received from the client.
Microsoft NTLM (Cont.)
NTLM non-interactive authentication:
Step 5: The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
Step 6: The domain controller compares the encrypted challenge it computed (in step 5) to the response computed by the client (in step 3). If they are identical, authentication is successful.
Microsoft NTLM (Cont.)
No mutual authentication: server authenticates the client, but not vice versa. (没有相互验证:server 验证 client, client 无法验证 server.)
Microsoft Kerberos
Mutual authentication: server authenticates client, and client authenticates server. (相互验证:server 验证 client, client 验证 server.)
Microsoft Kerberos (Cont.)
Authenticator Message
Session Key
Session Key
Client
Server
Microsoft Kerberos (Cont.)
Kerberos (or Cerberus) was a figure in classical Greek mythology—a fierce, three-headed dog who kept living intruders from entering the Underworld. (Kerberos: 希腊神话中的三头怪物)

上一页下一页