Re: Windows .PWL cracker implemented as a Word Basic virus

On Fri, 8 Dec 1995 19:51:55 -0800 you wrote:
> Also, does NT use the same algorithm for saving network passwords?

No, but they're doing something that makes me very uncomfortable: As I read this, they're hashing the password and some other user information using MD4 then doing some proprietary permutations on that. Given their record with security, I'd rather they used straight MD4, rather than throwing in something that we can't analyze.

Dan Bailey

From the Microsoft Knowledge Base article Q102716

Storage of the Passwords in the SAM Database
--------------------------------------------
User records are stored in the security accounts manager (SAM) database. Each user has two passwords with which it is associated: the LAN Manager compatible password and the Windows NT password. Each password is stored doubly encrypted in the SAM database. The first encryption is a one-way function (OWF) version of the clear text generally considered to be non-decryptable. The second encryption is an encryption of the user's relative ID (RID). The second encryption is decryptable by anyone who has access to the double-encrypted password, the user's RID, and the algorithm. The second encryption is used for obfuscation purposes.

[snip]

The Windows NT password is based on the Unicode character set, is case sensitive, and can be up to 128 characters long. The OWF version (called the Windows NT OWF password) is computed using the RSA MD-4 encryption algorithm, which computes a 16-byte "digest" of a variable length string of clear text password bytes.

***************************************************************
#define private public dan@milliways.org
Worcester Polytechnic Institute and The Restaurant at the End of the Universe
***************************************************************

On Sat, 9 Dec 1995, Dan Bailey wrote:
> On Fri, 8 Dec 1995 19:51:55 -0800 you wrote:
>> Also, does NT use the same algorithm for saving network passwords?
> No, but they're doing something that makes me very uncomfortable: As I read this, they're hashing the password and some other user information using MD4 then doing some proprietary permutations on that. Given their record with security, I'd rather they used straight MD4, rather than throwing in something that we can't analyze. Dan Bailey
> From the Microsoft Knowledge Base article Q102716

That would be http://www.microsoft.com/kb/bussys/winnt/q102716.htm. Seems reasonable to me. It's good enough for NT to get the guvment's imprimatur for the guvment's own use.

Does anyone have any technical information on the problem referred to in http://www.microsoft.com/KB/PEROPSYS/windows/Q131675.htm (below)? It says "The password encryption method used by Windows NT is different from the method used by Windows 95," and offers some curious workarounds. Microsoft has not been very cooperative.

In other news (just to combine four subjects in one message), in our meeting with Microsoft today on DHCP issues (that's in the gopher archive; finger me), a Highly Placed Source said that Microsoft would release the details on the new Win95 .PWL encryption Soon, and that a release candidate is in internal beta testing now, but that there would be no outside testing prior to the public release.

Q131675

SYMPTOMS
You may not be able to connect to a shared folder on a Windows 95 computer from a Microsoft Windows NT workstation.

CAUSE
The password encryption method used by Windows NT is different from the method used by Windows 95.

RESOLUTION
You may be able to work around this problem by using one of the following methods:
- Use all uppercase or all lowercase characters in the Windows 95 shared folder password.
- Remove password protection from the shared folder.
- Use user-level access control instead of share-level access control.

STATUS
Microsoft is researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

Dan Bailey writes:
# No, but they're doing something that makes me very uncomfortable: As
# I read this, they're hashing the password and some other user
# information using MD4 then doing some proprietary permutations on
# that. Given their record with security, I'd rather they used straight
# MD4, rather than throwing in something that we can't analyze.

I don't quite agree with the last part. It might be educational to do a spot of cryptanalysis in an attempt to determine the nature of the proprietary algorithm used. It wouldn't be "cracking" the password protection, but I think the general effort to "out" proprietary crypto algorithms is productive, particularly in the case of major software packages.

Microsoft Knowledge Base article Q102716 says:
> Storage of the Passwords in the SAM Database [...] The second encryption is decryptable by anyone who has access to the double-encrypted password, the user's RID, and the algorithm. The second encryption is used for obfuscation purposes.

Anyone feel like putting together some sample plaintext/ciphertext pairs?

-Futplex <futplex@pseudonym.com>

Futplex wrote:
> someone quoted: Microsoft Knowledge Base article Q102716 says:
>> Storage of the Passwords in the SAM Database [...] The second encryption is decryptable by anyone who has access to the double-encrypted password, the user's RID, and the algorithm. The second encryption is used for obfuscation purposes.
> Anyone feel like putting together some sample plaintext/ciphertext pairs?

This will be really difficult, and in practice rather pointless. NT does not allow any user, privileged or not, to gain access to any form (encrypted or not) of the passwords. They are stored in a protected area of the system registry that only the OS itself can access. The best that you can do is to ask the OS whether a given username/password pair is valid or not, and it took until version 3.51 before MS let you do even that!

Of course, rebooting the PC and inspecting the disk with another OS is not an answer since in any decent environment you will not be able to march up to the server with a floppy and hit the reset button!

- Andy

Dan Bailey writes:
> No, but they're doing something that makes me very uncomfortable: As I read this, they're hashing the password and some other user information using MD4 then doing some proprietary permutations on that. Given their record with security, I'd rather they used straight MD4, rather than throwing in something that we can't analyze.

MD4 has been broken. I thought that was common knowledge. MD5 is still safe, of course.

Perry

> MD4 has been broken. I thought that was common knowledge. MD5 is still safe, of course.
> Perry

My understanding was that MD4 had been broken once, at the cost of much computer time. Is it not still considered strong enough for casual use, much as a 512-bit RSA key is?

SINCLAIR DOUGLAS N writes:
> My understanding was that MD4 had been broken once, at the cost of much computer time. Is it not still considered strong enough for casual use, much as a 512-bit RSA key is?

You can get export licenses for systems using 512 bit RSA. I'll leave the rest to your imagination.

I generally don't believe in using stupid algorithms if good ones are around and cost no more. MD5 isn't more expensive than MD4 except if you are in some very borderline sort of case.

Perry

participants (6)
- Andy Brown
- dan@milliways.org
- futplex@pseudonym.com
- Perry E. Metzger
- Rich Graves
- SINCLAIR DOUGLAS N