On 062, 03 02, 2008 at 06:55:09AM +0200, Timo Sirainen wrote:
> On Wed, 2008-02-27 at 12:46 +0300, Andrey Panin wrote:
> > Actually there are 4 authentication submethods inside the NTLM:
> >  * LM - server nonce only, highly vulnerable to MITM and rogue server attacks;
> >  * NTLM - different algorithm, almost equally vulnerable as LM today;
> >  * NTLM2 - server and client nonce, but MITM can force downgrade to NTLM/LM;
> >  * NTLMv2 - server and client nonce, MITM can't force downgrade.
> >
> > NTLM password hash is required for NTLM, NTLM2 and NTLMv2.
> >
> > NTLMv2 cannot be negotiated. It must be explicitly enabled on the client side by setting registry key below to at least 3.
>
> So this basically means that unless NTLMv2 is explicitly enabled on client side, NTLM auth is insecure because MITM can force a downgrade?

Yes. Without NTLMv2 MITM can force downgrade to plain NTLM and then try dictionary attack with predefined server nonce.

> Would there be a point in adding a setting to make Dovecot allow only NTLM2/NTLMv2, so a MITM-downgrade would only fail the authentication? For example mechanisms = NTLM enables NTLM2+v2 and mechanisms = NTLM NTLM1 enables both?

This will be good for security, but bad for backward compatibility. Separate parameter (something like Windows LMCompatibilityLevel) perhaps?

> BTW. I hope you don't mind I added your mail to wiki with small modifications: http://wiki.dovecot.org/Authentication/Mechanisms/NTLM

It's ok :)
-- 
Andrey Panin | Linux and UNIX system administrator
pazke@donpac.ru | PGP key: wwwkeys.pgp.net
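
The server-side restriction discussed in this thread, sketched as an added example (not part of either mail and not Dovecot code): it classifies a client's NTLM Type 3 message into the four submethods by the lengths of its LM and NT response fields, then refuses LM/NTLM unless a switch permits them. The `allow_ntlm1` switch, the function names and the sample messages are assumptions made for illustration; the field offsets follow the publicly documented NTLMSSP layout.

```python
import struct

SIG = b"NTLMSSP\x00"

def _secbuf(msg, pos):
    """Read a security buffer (len, maxlen, offset) and return the bytes it names."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def classify(msg):
    """Name the submethod a Type 3 message uses, with the thread's four names."""
    if len(msg) < 28 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    lm, nt = _secbuf(msg, 12), _secbuf(msg, 20)
    if len(nt) > 24:
        return "NTLMv2"   # 16-byte HMAC-MD5 followed by a blob with the client nonce
    if len(nt) == 24 and len(lm) == 24 and lm[8:] == bytes(16):
        # LM field holds an 8-byte client nonce padded with zeros. A full
        # implementation would also check the flags negotiated earlier.
        return "NTLM2"
    if len(nt) == 24:
        return "NTLM"
    if len(nt) == 0 and len(lm) == 24:
        return "LM"
    raise ValueError("unrecognised response lengths")

def accept(msg, allow_ntlm1=False):
    """Hypothetical policy: LM/NTLM responses are refused unless allow_ntlm1 is set."""
    try:
        kind = classify(msg)
    except ValueError:
        return False
    return kind in ("NTLM2", "NTLMv2") or allow_ntlm1

def build_type3(lm, nt):
    """Constructed sample: 64-byte header, then the LM and NT responses."""
    hdr = SIG + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), 64)
    hdr += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    hdr += struct.pack("<HHI", 0, 0, 64) * 4   # domain, user, host, session key: empty
    hdr += struct.pack("<I", 0)                # flags, not used by this sketch
    return hdr + lm + nt
```

With `allow_ntlm1` left off, a response that was downgraded to LM or NTLM is rejected before any hash comparison, so the downgrade only fails the authentication.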