[7943] in cryptography@c2.net mail archive
Windows "secure channels"
daemon@ATHENA.MIT.EDU (Rick Smith at Secure Computing)
Tue Oct 10 17:42:50 2000
Message-Id: <4.3.2.7.0.20001010131811.00bcfe40@mailhost.sctc.com>
Date: Tue, 10 Oct 2000 13:40:29 -0500
To: cryptography@c2.net
From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
I've been trying to track down some information for my authentication book,
and I'm currently wrestling with the lack of easy to find Microsoft
internal specs. So I thought I'd ask the community.
I've been writing about what I call "indirect authentication" which refers
to the use of an authentication server like RADIUS, or when a server defers
to a domain controller on a Windows LAN. I'm trying to nail down the
details of what Microsoft is really up to.
According to one of their docs, a workstation can access a server and the
server can authenticate the workstation's user by passing the logon API
call across a "secure channel" to the domain controller. This "secure
channel" is very poorly described. According to Stephen Sutton's "NT
Security Guide" the secure channel sounds like it uses our old friend,
Microsoft Point to Point Encryption (MPPE). At least, he describes a
similar key exchange algorithm (the old, weak one) and notes that it uses
RC4. Now, for my questions:
1) Are appearances true? Is it reasonable to say that the secure channel
uses MPPE?
2) Does anyone have copies of the old Internet-Drafts that published the
MPPE v1 and v2 protocols? They've all expired and my searches failed to
find any online.
3) There is a bug fix in Service Pack 4 that adds "integrity protection" to
the secure channel (still not referring to it as MPPE). Does anyone know
what this integrity protection consists of?
4) PPTP uses MPPE, and several PPTP weaknesses described by Schneier and
Mudge back in '97-99 probably apply to this "secure channel." I searched
the NT service pack descriptions and didn't find any bug fixes for the
secure channel protocol, except the one that added "integrity protection."
Does anyone know if Microsoft has indeed tried to fix the secure channel
protocol with an NT service pack?
5) Does anyone know if the secure channel protocol got fixed in Windows 2K?
Or are they expecting the whole thing to die, and be replaced by
Microsoft's version of Kerberos?
Inquiring minds, etc.
Rick.
smith@securecomputing.com
