Theory of Operation

Novell NetWare® uses an encryption algorithm to store user passwords. This algorithm is available from several sources, most notably several C and Pascal source files on the Internet. Novell also provides several functions in their ALOGIN.ZIP on CompuServe and Internet FTP sites.

The algorithm used for password encryption is a one-way process: an encrypted password cannot be processed backwards to obtain the original word used as the password. To accomplish this, the algorithm is "lossy", meaning it discards data in a hash table. The algorithm takes a character string and a 4-byte number as input (shown below in the diagram).
The string and the number are combined, and the resulting data is processed through a hash table. This table reduces values in the range 0 to 255 to values in the range 0 to 15, and this reduction is what makes the algorithm a one-way process. To see how this works, take a number between 0 and 255; for this example we will use 53. Divide the number by 16 and make note of the remainder. In our example, 53 / 16 leaves a remainder of 5. This can be worked backwards, but there are 16 possible answers: if X / 16 has a remainder of 5, X can be any of 5, 21, 37, 53, 69, 85, 101, 117, 133, 149, 165, 181, 197, 213, 229, 245. When this is done to each character of a password, the number of possible passwords that could produce a given encrypted password quickly becomes very large.

The NetWare server uses the user's "Bindery Object ID Number" as the 4-byte value for the algorithm, and the user-supplied password as the character string. The resulting encrypted password is stored in the server bindery and is not available for general users to view. When the user logs in, the password is encrypted at the workstation, the resulting value is sent over the network, and the server checks whether the encrypted values are the same.

Password Inspector challenges the encrypted password by taking each word in the password dictionary, encrypting it with the user's Object ID number, and comparing the result to the value stored in the bindery. If a match is found, the dictionary word used to generate the encrypted password must be the user's password. Password Inspector does not (and has no way of) working the encrypted data backwards through the encryption algorithm to obtain the original password.

Encrypted logins with NetWare 3.11 and later offer greater security. The user password is encrypted once with the user Object ID number, and a second time with a log key.
The login process for a NetWare server is shown in the picture below.
The log key changes each time a login request is made, so the encrypted data transmitted over the network changes each time the user makes a request to log in. This prevents a workstation from copying a login request packet and forging a login request with only the encrypted password.

As with any client-server login control mechanism for a LAN, the biggest weakness is that some data must be transmitted over the network, and others may have the ability to capture this data. In theory, a workstation could run a cracking program that watches all packets on the local Ethernet segment. When a log key request and reply are sent, the program could obtain the user name, Object ID, and log key. When the actual login happens a few seconds later, the program would be able to get the encrypted password. The program would then be able to test passwords from a dictionary by encrypting the dictionary word with the Object ID, then encrypting the result again with the log key. If the result matched the encrypted data obtained from the network, the program would have located the original password.

An insecure password is one that can be found in a list of common words or a dictionary. If a user's password is a simple word, or one commonly used in English (or any other language), it will probably be in a dictionary file, and the password would be susceptible to a cracking program as described above.

Benefits of Password Inspector

With Password Inspector, a system administrator has the opportunity to check user passwords to make sure they are not easily guessed. With the passwd.exe program, you can ensure your users will not use insecure passwords when they change their password. All of the following steps will make it much harder for anyone to guess a user password.

a) Make all users use passwords that are not common words. Passwords should be at least 5 to 6 characters long and should contain a number or punctuation mark.

b) Do not write your password down or share it with others. This sounds basic, but uninformed people will often write the PINs for their bank accounts on their bank cards. Remind people and explain why.

c) Use encrypted passwords as provided with NetWare 3.11 and 3.12. If you do not use encrypted passwords, some workstations may send a packet containing the raw password, which can be viewed by any packet monitor program.
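The two-stage login exchange described above (stored value = encrypt(password, Object ID); per-login response = encrypt(stored value, log key)), simulated with both the workstation and server sides as an added example that is not part of the original documentation or of Password Inspector. SHA-256 stands in for Novell's one-way algorithm, the 8-byte random log key and the Object ID 0x01234567 are constructed values, and the `Server` and `client_response` names are assumptions; what the example shows is why a recorded login response is useless against a fresh log key.

```python
import hashlib
import hmac
import os

def stage1(password: str, object_id: int) -> bytes:
    # One-way encryption of the password with the 4-byte Bindery Object ID.
    # SHA-256 is a stand-in, NOT Novell's algorithm; the property shown
    # (same password, different Object ID -> different stored value) holds
    # for any one-way function used here.
    return hashlib.sha256(object_id.to_bytes(4, "big") + password.encode()).digest()

def stage2(stored: bytes, log_key: bytes) -> bytes:
    # Second encryption with the log key issued for this login attempt (stand-in).
    return hashlib.sha256(log_key + stored).digest()

class Server:
    def __init__(self) -> None:
        self.bindery = {}   # object_id -> stage1 value, as the bindery stores it
        self.pending = {}   # object_id -> log key issued for the current attempt

    def set_password(self, object_id: int, password: str) -> None:
        self.bindery[object_id] = stage1(password, object_id)

    def issue_log_key(self, object_id: int) -> bytes:
        key = os.urandom(8)             # fresh key for every login request (constructed size)
        self.pending[object_id] = key
        return key

    def login(self, object_id: int, response: bytes) -> bool:
        key = self.pending.pop(object_id, None)   # each key is good for one attempt
        if key is None or object_id not in self.bindery:
            return False
        expected = stage2(self.bindery[object_id], key)
        return hmac.compare_digest(expected, response)

def client_response(server: Server, object_id: int, password: str) -> bytes:
    # Workstation side: request a log key, then send stage2(stage1(pw, id), key).
    key = server.issue_log_key(object_id)
    return stage2(stage1(password, object_id), key)

def attempt_login(server: Server, object_id: int, password: str) -> bool:
    return server.login(object_id, client_response(server, object_id, password))

def replay(server: Server, object_id: int, captured: bytes) -> bool:
    # A previously recorded response meets a newly issued log key and fails.
    server.issue_log_key(object_id)
    return server.login(object_id, captured)
```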