From: Andrew Bartlett <firstname.lastname@example.org> To: Jeremy Allison <email@example.com>, Steve French <firstname.lastname@example.org> Cc: linux-cifs <email@example.com>, Herbert Xu <firstname.lastname@example.org>, Eric Biggers <email@example.com>, samba-technical <firstname.lastname@example.org>, David Howells <email@example.com>, Steve French <firstname.lastname@example.org>, email@example.com, Linux Crypto Mailing List <firstname.lastname@example.org>, Ard Biesheuvel <email@example.com>, Denis Kenzior <firstname.lastname@example.org> Subject: Re: [PATCH 0/2] crypto: remove MD4 generic shash Date: Thu, 19 Aug 2021 15:49:14 +1200 [thread overview] Message-ID: <email@example.com> (raw) In-Reply-To: <YR2E2FZNdMj2xl+0@jeremy-acer> On Wed, 2021-08-18 at 15:08 -0700, Jeremy Allison via samba-technical wrote: > > My 2 cents. Preventing NTLM authentication/signing from working would > be > a negative for the Linux kernel client. I don't mind if that code has > to be isolated inside cifs.ko, but it really needs to keep working, > at least until we have a pluggable client auth in cifs.ko and Samba > that allows the single-server (non AD-Domain) case to keep working > easily. I would echo that, and also just remind folks that MD4 in NTLMSSP is used as a compression only, it has no security value. The security would be the same if the password was compressed with MD4, SHA1 or SHA256 - the security comes from the complexity of the password and the HMAC-MD5 rounds inside NTLMv2. I'll also mention the use of MD4, which is used to re-encrypt a short- term key with the long-term key out of the NTLMv2 scheme. This thankfully is an unchecksumed simple RC4 round of one random value with another, so not subject to known-plaintext attacks here. I know neither MD4 nor HMAC-MD5 is not flavour of the month any more, with good reason, but we would not want to go with way of NFSv4 which is, as I understand it, full Kerberos or bust (so folks choose no protection). Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open Source Solutions
next prev parent reply other threads:[~2021-08-19 3:49 UTC|newest] Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-08-18 14:46 Ard Biesheuvel 2021-08-18 14:51 ` Denis Kenzior 2021-08-18 16:10 ` Ard Biesheuvel 2021-08-18 16:23 ` Denis Kenzior 2021-08-18 16:47 ` Steve French 2021-08-18 22:08 ` Jeremy Allison 2021-08-19 3:49 ` Andrew Bartlett [this message] 2021-08-19 5:18 ` Eric Biggers 2021-08-19 5:23 ` Andrew Bartlett 2021-08-18 21:11 ` ronnie sahlberg 2021-08-18 22:10 ` Ard Biesheuvel 2021-08-18 22:22 ` Denis Kenzior 2021-08-18 23:03 ` Steve French 2021-08-19 16:56 ` Denis Kenzior 2021-08-19 10:42 ` Jarkko Sakkinen 2021-08-19 17:10 ` Steve French 2021-08-19 20:54 ` ronnie sahlberg
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [PATCH 0/2] crypto: remove MD4 generic shash' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).