[4112] in WWW Security List Archive
Re: IIS Authentication Protocol
daemon@ATHENA.MIT.EDU (Frank Willoughby)
Mon Jan 27 01:33:12 1997
Date: Sun, 26 Jan 97 23:13:52 -0500
To: Lance Travis (CPLabs Boston) <cmt@dascom.com>
From: Frank Willoughby <frankw@in.net>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 12:09 PM 1/17/97 -0800, Lance Travis (CPLabs Boston) <cmt@dascom.com>
allegedly wrote:
>Hi,
>
>The Microsoft IIS documentation refers to Windows NT
>Challenge/Response authentication as one of 2 authentication methods
>supported (basic is the other).  Does anyone know where I can find
>more information about the actual authentication protocol that they
>are using and what encryption algorithm it uses for password
>encryption?
>
>Thanks.
>
>Lance Travis
>Director, Internet Business Unit
>Dascom, Inc.
>+1-408-457-4510
>+1-408-457-0710 (fax)
>cmt@dascom.com

Lance,

FWIW, I would NOT recommend using any method of authentication which
does not encrypt the network traffic from end-to-end.  Failure to do
so could result in an intruder implementing a "session hijacking"
attack to take over an existing connection (after the c/r has been
completed).

Best Regards,
Frank

=======================================================================
| Fortified Networks, Inc.  -  Expert Information Security Consulting |
| Web:  http://www.fortified.com                                      |
| Phone: (317) 573-0800                                               |
| Fax:   (317) 573-0817                                               |
=======================================================================