On 062, 03 02, 2008 at 06:55:09AM +0200, Timo Sirainen wrote: > On Wed, 2008-02-27 at 12:46 +0300, Andrey Panin wrote: > > Actually there is 4 authentication submethods inside the NTLM: > > LM - server nonce only, highly vulnerable to MITM and rogue server attacks; > > NTLM - different algorithm, almost equally vulnerable as LM today; > > NTLM2 - server and client nonce, but MITM can force downgrade to > > NTLM/LM; > > NTLMv2 - server and client nonce, MITM can't force downgrade. > > > > NTLM password hash is required for NTLM, NTLM2 and NTLMv2. > > > > > > NTLMv2 can not be negotiated. It must be explicitly enabled on the client > > side > > by setting registry key below to at least 3. > > So this basically means that unless NTLMv2 is explicitly enabled on > client side, NTLM auth is insecure because MITM can force a downgrade?
Yes. Without NTLMv2 MITM can force downgrade to plain NTLM and then try dictionary attack with predefined server nonce. > Would there be a point in adding a setting to make Dovecot allow only > NTLM2/NTLMv2, so a MITM-downgrade would only fail the authentication? > For example mechanisms = NTLM enables NTLM2+v2 and mechanisms = NTLM > NTLM1 enables both? This will be good for security, but bad for backward compatibility. Separate parameter (something like Windows LMCompatibilityLevel) perhaps ? > BTW. I hope you don't mind I added your mail to wiki with small > modifications: http://wiki.dovecot.org/Authentication/Mechanisms/NTLM It's ok :) -- Andrey Panin | Linux and UNIX system administrator [EMAIL PROTECTED] | PGP key: wwwkeys.pgp.net
signature.asc
Description: Digital signature
