From: Brown, Keith (KBrown@DEVELOP.COM)
Date: Thu Mar 21 2002 - 12:51:21 CST


    NTLM does in fact offer integrity and confidentiality protection of
    messages after the initial handshake. The session key is a function of
    the OWF(password) and the challenge. In the case of pass-through
    authentication, the session key is passed from the authority to the
    server over a secure channel.

    For those interested, I provide an overview of how NTLM works in my
    book, Programming Windows Security (Addison Wesley, 2000).

    Keith
    http://www.develop.com/kbrown

    -----Original Message-----
    From: Dimitrios Petropoulos [mailto:d.petropoulos@ENCODE-SEC.COM]
    Sent: Thursday, March 21, 2002 12:21 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Re: Potential vulnerabilities of the Microsoft RVP-based
    Instant Messaging

    Russ/Greg,

    > Further to Greg's comments about this Encode Security Labs
    > analysis of MS Instant Messaging, a couple of things seem not
    > to be pointed out in the analysis.
    >
    > 1. Exchange Server 2000 Instant Messaging supports the use of
    > NTLM for authentication, as opposed to the Digest
    > Authentication described and used in the analysis. The use of
    > NTLM significantly alters the analysis, since it addresses
    > man-in-the-middle attacks, unilateral authentication, and
    > data origin authentication.

    I may be mistaken but I don't think that NTLM authentication alters the
    findings significantly. Here's why:

    NTLM is a unilateral authentication protocol where the server
    authenticates the client (the client receives the challenge from the
    server, calculates the hash of the user's password and uses this to
    encrypt the challenge). The fact therefore remains that a malicious user
    could masquerade as a server and convince the client to perform NTLM
    authentication with the malicious user.

    Furthermore, an initial NTLM authentication exchange does not offer any
    subsequent data origin authentication guarantees. Two parties
    communicating via IM -even if they have both successfully performed NTLM
    authentication- do not share any common secrets or any other mechanism
    in order to perform some data origin/integrity calculation (e.g. a
    message authentication code or a digital signature). The fact therefore
    remains that messages between two legitimate users could be altered in
    transit and the recipient will not know that they have been tampered
    with.

    Based on the two points above I think that man-in-the-middle attacks are
    still possible even after NTLM authentication.

    Regarding the comparison of IM and SMTP security, I strongly agree: SMTP
    does not offer any more security than IM. In the case of SMTP however,
    the confidentiality and data origin of a message can be adequately
    protected using S/MIME. This report is only pointing out that the IM
    implementation under examination is lacking similar mechanisms.

    As I said before, I may be mistaken so I'd be grateful if any flaws in
    the above reasoning could be pointed out to me.

    Regards,
    -----------------------
    Dimitrios Petropoulos
    MSc InfoSec, CISSP

    Director, Security Research & Development

    ENCODE S.A.
    3, R.Melodou Str
    151 25 Marousi
    Athens, Greece
    Tel: +3010-6178410
    Fax: +3010-6109579
    web: www.encode-sec.com
    ------------------------
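As an added illustration (not code from either message, and not NTLM itself), the following Python model shows the structure the two posts argue about: a challenge/response in which only the client proves knowledge of OWF(password), so the client learns nothing about who sent the challenge, and a session key derived from OWF(password) and the challenge that lets both ends detect a message altered in transit. The `owf`, `client_response`, `session_key`, `sign_message` and `check_message` functions are hypothetical stand-ins built on HMAC-SHA-256; they are not NTLM's real algorithms or wire format, and the challenge and password are constructed demo values.

```python
import hashlib
import hmac
TAG_LEN = 32  # SHA-256 MAC tag length in bytes

def owf(password: str) -> bytes:
    """One-way function of the password: the only long-term secret in this model."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client's proof: a keyed MAC of the server's challenge. Nothing here depends on
    a secret only the genuine server holds, so the handshake is one-directional."""
    return hmac.new(pw_hash, b"response" + challenge, hashlib.sha256).digest()

def verify_client(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from the stored OWF(password)."""
    return hmac.compare_digest(client_response(stored_hash, challenge), response)

def session_key(pw_hash: bytes, challenge: bytes) -> bytes:
    """Both ends derive the same per-session key from OWF(password) and the challenge."""
    return hmac.new(pw_hash, b"session" + challenge, hashlib.sha256).digest()

def sign_message(key: bytes, seq: int, msg: bytes) -> bytes:
    """Post-handshake integrity: seq || msg || MAC(seq || msg) under the session key."""
    body = seq.to_bytes(4, "big") + msg
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check_message(key: bytes, blob: bytes):
    """Returns the message if the MAC verifies, None if it was altered in transit."""
    if len(blob) < 4 + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body[4:] if hmac.compare_digest(expected, tag) else None

# Constructed demo values, not taken from any real capture.
CHALLENGE = bytes.fromhex("0123456789abcdef")
STORED_HASH = owf("correct horse")

def demo() -> dict:
    """One login followed by one signed message, plus an in-transit alteration."""
    client_key = session_key(owf("correct horse"), CHALLENGE)
    server_key = session_key(STORED_HASH, CHALLENGE)
    signed = sign_message(client_key, 1, b"meet at 10:00")
    altered = signed[:4] + b"meet at 22:00" + signed[-TAG_LEN:]  # same length, new text
    return {
        "client_ok": verify_client(STORED_HASH, CHALLENGE, client_response(owf("correct horse"), CHALLENGE)),
        "wrong_pw_ok": verify_client(STORED_HASH, CHALLENGE, client_response(owf("wrong"), CHALLENGE)),
        "keys_match": client_key == server_key,
        "genuine": check_message(server_key, signed),
        "altered": check_message(server_key, altered),
    }
```

Without the session-key step, the two ends would share no secret after the handshake and `check_message` would have nothing to verify, which is the gap the second post describes; with it, the altered message is rejected, which is the protection the first post refers to.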