On Tue, 6 Nov 2001 patrik.karlsson@ixsecurity.com wrote: > Windows NT/2000 login: > 1. A=>B: Requests a logon to the server. > 2. B=>A: N > 3. A=>B: E(N,H(P)) > The server can check S=D(N,E(N,H(P))) or E(N,S)=E(N,H(P)). > > If Eve eavesdrops the login she can get S by D(N,E(N,H(P))). If this was true, it would be very bad news (or very good news for certain people). Fortunately (unfortunately), according to my understanding of the protocol, A's response in step 3 is N encrypted by DES using H(P) as a *key*, and S = H(P) cannot be computed given the result of encryption (E(N,H(P))...or E(H(P),N) using a more common order of arguments) and the nonce (N) easily. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
