PPTP vs L2TP


Darwood

Does anybody have a definitive description of the advantages / disadvantages
of PPTP vs L2TP/IPSEC?
The only difference I know of is that PPTP supports NAT. I am sure L2TP must
have advantages that outweigh the difficulties with NAT.
 
PPTP works with older non-IPsec-aware clients and is easier to
configure. However L2TP uses much more robust encryption such as 3DES
instead of MPPE. L2TP uses both user and machine authentication [usually
certificate] vs just the user authentication of PPTP. I also believe that
for PPTP, the user password hash is transmitted before tunnel encryption is
established, but that is not the case for L2TP. --- Steve
 
We have a new version of IPSec which allows it to pass
through NAT. But the server and client must be NAT-
Transparency aware. Win2003 is NAT-T aware. For XP and
Win2k there's an update (check Microsoft KB).
So:

                                L2TP (NAT-T)    PPTP
Can go through Windows NAT?     YES             NO

So now the best choice is IPSec with NAT-T extension.
CHEERS :)
 
Thank you for your help. I am currently studying for my Network
Infrastructure 2000 exam and have read about the various encryption and
authentication algorithms. One of the things I know little about is the
password 'hash'. I presume it is the encoded version of the password. Some
methods are cited as non-reversible. I am intrigued to know how that is
possible? If it can't be reversed, how can the receiving computer validate
it? If you could shed a little more light on this I would be very grateful.
Cheers

--
Darwood - MCP, MCSE


 
Darwood,

if I remember correctly - non-reversible is exactly that however it works by
the client hashing a value and sending it to the server - server hashes same
value and compares both hash values - if they are the same - all is well -
if they are different then authentication fails. Server does not need
to reverse the hash as it generates its own copy (poorly explained but do you
get the picture ?)

Regards


 
Yes. Many thanks.

--
Darwood - MCP, MCSE


 
Thank you for your very detailed helpful explanation.

--
Darwood - MCP, MCSE


Steven L Umbach said:
Hi Darwood. A hash is not an encoded version of the password per se, but the
password is used to encrypt the challenge. A hash function [such as MD4, MD5, and
SHA1] takes a variable length binary input and produces a fixed length binary output
that is irreversible. When a Windows computer tries to authenticate with another
Windows computer a challenge/response takes place. The client sends its username to
the server. The server sends a variable length number [the challenge] back to the
client. The client uses its password hash to encrypt the challenge and sends the
response to the server. The server decrypts the challenge with the client's password
hash stored in its local SAM or from a domain controller. If the challenge matches,
then the client is given access. At no time during this process does the actual
password go over the network. Irreversible means that you supposedly can not
"reverse engineer" the hash function. The server could decrypt the challenge because
it had a key or copy of the hash function. There are a few versions used for LAN
authentication. The older LM used in Windows 9X can be easily cracked these days.
Then there is NTLM [originally in NT] which is better, but again crackable. Then they
came out with NTLMv2 which is much harder to crack and now Kerberos which today is
very secure. If you are still studying for your MCSE, I highly recommend you read the
new Windows Security Resource Kit. I wish it was around when I did mine. Practically
all of the MCSE books are very weak on security. The book by Microsoft Press for
designing network security is an excellent book also with some good info on setting
up firewalls, DMZ, certificate authority, etc. But I consider the Windows Security
Resource Kit an absolute must for anyone interested in managing a Windows
network. --- Steve

http://www.bookpool.com/.x/q94qtzjjw0/sm/0735618682

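An added example, not posted by anyone in this thread, of the challenge/response pattern NTL Guy and Steve describe: the server keeps only a one-way hash of the password, hands out a random challenge, and checks the reply by recomputing it rather than by reversing anything. It uses SHA-256 and HMAC as a stand-in for the DES-based MS-CHAP computation (an assumption made so it runs on the standard library), and also shows why a captured reply cannot be replayed and why the stored hash itself must be guarded as carefully as the password.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # One-way hash stored by the server instead of the password.
    # Windows stores MD4 of the UTF-16LE password (the NT hash); SHA-256 is
    # used here only because MD4 is not available in every Python build.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def make_challenge() -> bytes:
    # Fresh random nonce per logon attempt; never reused.
    return os.urandom(16)


def response_from_hash(pw_hash: bytes, challenge: bytes) -> bytes:
    # Both sides run this: the client from the hash of the typed password,
    # the server from the hash in its database. Nobody reverses the hash.
    # Because the hash alone suffices here, it is password-equivalent and
    # must be protected (on disk and on the wire) like the password itself.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    # Server recomputes the expected reply and compares in constant time.
    expected = response_from_hash(stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(password_in_db: str, password_typed: str) -> bool:
    # Full logon: enrol -> challenge -> client reply -> server check.
    stored = password_hash(password_in_db)
    challenge = make_challenge()
    reply = response_from_hash(password_hash(password_typed), challenge)
    return server_verify(stored, challenge, reply)


def replay_is_rejected(password: str) -> bool:
    # A reply captured for one challenge is useless against the next one.
    stored = password_hash(password)
    captured = response_from_hash(stored, make_challenge())
    return not server_verify(stored, make_challenge(), captured)


if __name__ == "__main__":
    print("correct password accepted:", run_exchange("Secret1!", "Secret1!"))
    print("wrong password rejected:  ", not run_exchange("Secret1!", "secret1!"))
    print("replay rejected:          ", replay_is_rejected("Secret1!"))
```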
 