Chapter 15. Authentication

Car locks are there to keep the honest people honest.

Something my brother Robert once told me. (He sells cars.)

Now for the big one...

If you are familiar with authentication schemes, then this section should be comfortable for you. If not, then perhaps it's time for a fresh pot of tea. Some people find their first experience with the innards of password security to be a bit intimidating, possibly because the encryption formulae are sometimes made to look a lot like mathematics. Authentication itself isn't really that complex, though. The basic idea is that the would-be users need to prove that they are who they say they are in order to get what they want. The proof is usually in the form of something private or secret: something that only the user has or knows.

Consider, for example, the key to an automobile (something you have). With the key in hand, you are able to unlock the door, turn the ignition switch, and start the engine. As far as the car is concerned, you have proven that you have the right to drive. Likewise with the password you use to access your computer (something you know). If you enter a valid username/password pair at the login prompt, then you can access the system. Unfortunately passwords, like keys, can be stolen or forged or copied. Just as locks can be picked, so passwords can be cracked. [1]

[1] In addition to "something you have" and "something you know" there is another class of access tokens sometimes described as "something you are." This latter class, also known as "biometrics," includes such things as your fingerprints, your DNA pattern, your brainwaves, and your karmic aura. Some folks have argued that these features are simply "something you have" that is a little harder (or more painful) to steal. There was great hope that biometrics would offer improvements over the other authentication tokens, but it seems that they may be just as easy to crack. For example, a group of researchers in Japan was able to fool fingerprint scanners using fake fingertips created from gelatin and other common ingredients.

In the early days of SMB, when the LANs were small and sheltered, there was very little concern for the safety of the password itself. It was sent in plaintext (unencrypted) over the wire from the client to the server. Eventually, though, corporate networks got bigger, modems were installed to provide access from home and on the road, the "disgruntled employee" boogeyman learned how to use a keyboard, and everything got connected to the Internet. These were hard times for plaintext passwords, so a series of schemes was developed to keep the passwords safe, each more complex than its predecessor.

For SMB, the initial attempt was called LAN Manager Challenge/Response authentication, often simply abbreviated "LM." The LM scheme turned out to be too simple and too easy to crack, and was replaced with something stronger called Windows NT Challenge/Response (known as "NTLM"). NTLM was superseded by NTLMv2 which has, in turn, been replaced with a modified version of MIT's Kerberos system.

Got that?

We'll go through them all in various degrees of detail. The LM algorithm is fairly simple, so we can provide a thorough description. At the other extreme, Kerberos is an entire system unto itself and anything more than an overview would be overkill.



Implementing CIFS: The Common Internet File System
ISBN: 013047116X
EAN: 2147483647
Year: 2002
Pages: 210
