Authentication

• Challenge/response authentication protocol (CHAP)

• LAN Manager: saves passwords as hashes:

  • as a 128-bit number, with passwords up to14 digits, but with two 7 digits parts, not case sensitive, easier to break
  • change possible combinations from 284 to 2 37
  • uses old, easy to break DES encryption
  • saved on SAM (Windows Security Accounts Manager) at %systemroot%\system32\config\SAM

• NTLM and NTLM2: improved LAN Manager

  • NTLM -- MD4 encryption, case sensitive, password up to 127 characters, supports up 56 bit encryption.
  • NTLM2 -- improves NTLM to authenticate by session, and supports up to 128-bit encryption

• Kerberos: uses AES encryption and very secure.

Previous slide

Next slide

Back to first slide

View graphic version