[4909] in WWW Security List Archive


RE: CIFS Authentication Protocol Spec Errata

daemon@ATHENA.MIT.EDU (Paul Leach)
Thu Mar 27 04:38:20 1997

From: Paul Leach <paulle@microsoft.com>
To: "'cifs@listserv.msn.com'" <cifs@listserv.msn.com>,
        "'WWW-SECURITY@ns2.rutgers.edu'" <WWW-SECURITY@ns2.rutgers.edu>,
        "'NTBUGTRAQ@RC.ON.CA'" <NTBUGTRAQ@RC.ON.CA>,
        "'ntsecurity@iss.net'" <ntsecurity@iss.net>
Date: Wed, 26 Mar 1997 23:46:45 -0800
Errors-To: owner-www-security@ns2.rutgers.edu

Sharp eyed reviewers have caught the following errors in CIFS-Auth-Spec
(CIFS Authentication Protocol Specification), draft 4.

In paragraph one of section 1.1:
Was:
To gain authenticated access to server resources, the server sends a
"challenge" to the client, which the client responds to in a way that
proves it knows the client's password: a "response" is created from the
challenge by encrypting it (and possibly a nonce of the client's
choice) with a 168 bit "session key" computed from the user's password.
The response, or a subset of it, and client nonce are then returned to
the server, which can validate the response by performing the same
computation.

Should be:
To gain authenticated access to server resources, the server sends a
"challenge" to the client, which the client responds to in a way that
proves it knows the client's password: a "response" is created from the
challenge by encrypting it with a 168 bit "session key" computed from
the user's password. The response is then returned to the server, which
can validate the response by performing the same computation.

In section 1.7:
Was:
Where S16 and RN are as above. K is either 40 or 44 bytes long,
depending on the length of RN.
Should be:
Where S16 and RN are as above; K is 40 bytes long.
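The corrected section 1.1 text describes the exchange at the level of "encrypt the challenge with a 168 bit session key computed from the password". The following Go program is an added example, not part of the errata or the specification, that carries that sentence through as code: the 16-byte password hash is zero-padded to 21 bytes (168 bits), split into three 56-bit DES keys with odd-parity bits, each key DES-encrypts the server's 8-byte challenge, and the three blocks form the 24-byte response, which the server checks by repeating the computation. The 16-byte hash is taken as an input (the spec's own one-way function of the password is not implemented here), the hash value is constructed for the example, and the function names are the example's own.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// expandDESKey turns 7 key bytes (56 bits) into the 8-byte form DES takes:
// seven key bits per byte, shifted left one position, with the low bit set
// so that every byte has odd parity. Go's des package does not check parity,
// but this is the layout the protocol specifies for the key bits.
func expandDESKey(k7 []byte) []byte {
	if len(k7) != 7 {
		panic("expandDESKey: need exactly 7 bytes")
	}
	k8 := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i, b := range k8 {
		b <<= 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // parity bit brings the count of one bits to odd
		}
		k8[i] = b
	}
	return k8
}

// challengeResponse is the client side. hash16 is the 16-byte one-way
// function of the password (assumed to be computed elsewhere). It is
// zero-padded to the 168-bit (21-byte) session key, split into three
// 56-bit DES keys, and each key encrypts the 8-byte challenge; the three
// ciphertext blocks concatenated are the 24-byte response.
func challengeResponse(hash16, challenge []byte) ([]byte, error) {
	if len(hash16) != 16 {
		return nil, errors.New("password hash must be 16 bytes")
	}
	if len(challenge) != 8 {
		return nil, errors.New("challenge must be 8 bytes")
	}
	sessionKey := make([]byte, 21) // 168 bits; bytes 16..20 remain zero
	copy(sessionKey, hash16)

	response := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		block, err := des.NewCipher(expandDESKey(sessionKey[i : i+7]))
		if err != nil {
			return nil, err
		}
		out := make([]byte, 8)
		block.Encrypt(out, challenge)
		response = append(response, out...)
	}
	return response, nil
}

// serverVerify is the server side: it performs the same computation with
// the hash it has stored and compares the result in constant time.
func serverVerify(storedHash16, challenge, response []byte) bool {
	expected, err := challengeResponse(storedHash16, challenge)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	// Constructed 16-byte password hash standing in for the spec's one-way
	// function of the user's password.
	hash := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
		0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10}

	// Server: send a fresh random 8-byte challenge.
	challenge := make([]byte, 8)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	// Client: answer with the 24-byte response.
	response, err := challengeResponse(hash, challenge)
	if err != nil {
		panic(err)
	}
	// Server: recompute and compare.
	fmt.Printf("challenge %s\nresponse  %s\nverified  %v\n",
		hex.EncodeToString(challenge), hex.EncodeToString(response),
		serverVerify(hash, challenge, response))
}
```

One consequence of the padding is visible in the code: the third 7-byte key chunk holds only hash bytes 14 and 15 plus five zero bytes, so the last 8 bytes of the response depend on just 16 bits of the hash.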
