Re: Security
From: Stevie O
Subject: Re: Security
Date: Mon, 17 Sep 2001 00:58:34 -0400

At 09:28 PM 9/16/2001 -0700, you wrote:
> On Sun, Sep 16, 2001 at 08:37:26PM -0400, Stevie O wrote:
> > The method I suggested is no stronger than pserver is; it simply makes it
> > harder for someone to sniff the password off the network (which is
>
> Harder how?
> I don't have to decrypt your DES encrypted password.

My password isn't DES encrypted. I think you need to re-read the post.

> I just have to use my hacked cvs client to take your DES encrypted password
> from the command line and use it directly.

No, you don't. You don't know my password.

> It gains nothing.
> This is what MS added to SMB. And it didn't gain them anything either.

I think you missed the point. You're thinking about something else (because
MS likes to fixate on one technology and apply it everywhere -- that's why
directories on your hard drive look like web pages).

Your LANMAN Password hash (which is created by DES encrypting a fixed
string, 'address@hidden' with your password) is not sent in the clear over the
network.

The server sends a challenge to the client. The client uses the LANMAN
password hash to encrypt the challenge string, then sends the result back
to the server as the response. No part of the password (or its hash) is
sent over the wire in the clear. Compare that with pserver, which simply
sends a reversibly encoded form of the password over.

--
Stevie-O
Real programmers use COPY CON PROGRAM.EXE
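
Added example (not part of the original message): a Python sketch of the comparison in the last paragraph, contrasting a reversibly encoded password with a challenge-response exchange as seen on the wire. The XOR encoding is a constructed stand-in for pserver's scrambling, SHA-256 and HMAC-SHA256 stand in for the DES-based LANMAN hash and response, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a fixed, keyless scrambling (NOT the real CVS table).
def encode_reversible(password: bytes) -> bytes:
    return bytes(b ^ 0x5A for b in password)

def decode_reversible(wire: bytes) -> bytes:
    # Anyone who sees the wire bytes can undo the encoding; no key is involved.
    return bytes(b ^ 0x5A for b in wire)

# Stand-in for the password hash held by both client and server.
def password_hash(password: bytes) -> bytes:
    return hashlib.sha256(password).digest()

def new_challenge() -> bytes:
    # The server picks a fresh random challenge for every login attempt.
    return os.urandom(16)

def respond(pw_hash: bytes, challenge: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces "encrypt the challenge with the hash".
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

def verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond(stored_hash, challenge), response)

def demo() -> dict:
    password = b"constructed-sample-pw"  # constructed sample value

    # Encoded-password login: the wire bytes decode straight to the password.
    wire = encode_reversible(password)
    recovered = decode_reversible(wire)

    # Challenge-response login: only the challenge and response cross the wire.
    stored = password_hash(password)
    c1 = new_challenge()
    r1 = respond(stored, c1)
    observed = c1 + r1
    c2 = new_challenge()  # the next login gets a different challenge

    return {
        "encoded_recovers_password": recovered == password,
        "response_accepted": verify(stored, c1, r1),
        "captured_response_reusable": verify(stored, c2, r1),
        "secret_on_wire": password in observed or stored in observed,
    }

if __name__ == "__main__":
    print(demo())
```

Because `respond` is keyed by the hash rather than the password, the stored hash in this sketch is the secret that both client and server must protect.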