为了过NTLM 的EPA认证, 参考了这篇文章,现在翻译过来,备查。

如果你知道NTLM,并且需要过EPA, 那么这篇文章一定是你最想知道的。

原文地址:

NTLM and Channel Binding Hash (aka Extended Protection for Authentication) – Microsoft Open Spec

=======================

Extended Protection for Authnetication (EPA) was introduced in Windows 7/WS2008R2 to thwart reflection attacks. This blog describes the changes in the implementation of NTLM Authentication that are needed to successfully authenticate to servers that have EPA enabled. Windows 7/WS 2008R2 and Windows 8/ WS2012 have EPA enabled out of the box.

认证的扩展保护(EPA) 在Windows7/WS2008R2 中引进, 用来对抗反射攻击. 本文介绍了要通过服务器端EPA认证,NTLM实现上的必要的改变.  Windows7/WS2008R2 和Windows8/WS2012默认开启了EPA.

You can read the details about EPA here http://technet.microsoft.com/en-us/security/advisory/973811

这里有EPA进一步的细节.

The concept in EPA is that authentication packets should be bound to the secure channel on which they are transmitted. This concept is not new and is known as channel binding (RFC 5056). RFC 5929 describes channel bindings for TLS that Winodws uses to bind the secure channel to authentication. Please note that EPA also uses Service Pricipal Name (SPN) but it is not used for TLS and we will not discuss it here.

EPA的概念是认证的数据包应该绑定到传输它的安全频道上.  这个概念并不是全新的, 它就是众所周知的频道绑定(RFC5056).  RFC5929描述了描述了Tls的频道绑定, Windows用它绑定安全频道到认证.  请注意, EPA同样也使用了服务主体名称(SPN), 但是这没有被用于TLS, 我们在这不讨论它.

Let’s take an example of HTTPS, a protocol that uses TLS. Once a secure channel is established and cipher change has happened, HTTP traffic starts flowing. In this example, we are only considering services that require authentication. NTLM or Kerberos will be used if you are using Windows authentication. You are most likely to use NTLM since the whole point of using HTTP and TLS is to allow clients to connect over internet (In Windows 8, Kerberos can be used on the internet but we will concentrate on NTLM here). In case of Windows client, these are the steps that are taken to incorporate channel binding in the authentication process after secure channel has been established:

我们看看HTTPS协议, 它使用了TLS.  一旦安全频道建立,并且密码交换完成, HTTP就开始传输.  在这个例子中, 我们只关心需要认证的服务.  如果你正在使用Wndows认证的话, NTLM或者Kerberos将会被应用.你很可能会使用NTLM,  因为在TLS上使用HTTP的全部原因就是允许客户端通过Internet连接. (在Windows8中, Kerberos也能引用于internet, 但是我们仍然集中在NTLM上.) 对于Windows客户端,  在安全频道建立之后, 认证过程中, 构成频道绑定的步骤如下:

1. The hashing algorithm for the signature in the certificate is identified, if present.

如果存在, 证书签名的哈希算法先被识别出来.

2. SSPI calculates a hash (almost always SHA256 hash, see below for details/exceptions) of the certificate, appends other data relevent to the type of channel bindings and returns it to the application.

SSPI 计算证书的哈希值(通常是SHA256, 后面会有细节和例外),  加上频道绑定类型的相关数据, 然后返回给应用程序.

4. SSPI calculates the MD5 hash of channel bindings and uses it in the calculation of NTLM version 2 response.

SSPI 计算频道绑定的MD5哈希值,  用于计算 NTLM version 2 的回复

5. When server recives authenticate message, it queries SSPI for channel bindings. SSPI does exactly the same thing as on the client side and returns the data to the service. The service includes it in the call to method Accept Security Context (ASC)

当服务器接收到认证消息之后, 它像SSPI查询频道绑定.  SSPI 进行域客户端完全一样的操作, 并把数据返回给服务.  服务端在 接受安全上下文(ASC)的调用中包含这个数据.

6. In the process of verifying authenticate message, SSPI also takes into account the channel bindings. It calculates the MD5 hash of the channel bindings that were provided by the application (service) and compares it to the one sent by the client. If they match and rest of the authentication requirements are met, authentication is successful.

在校验的认证消息的过程中, SSPI同样要考虑频道绑定. 它会计算应用(服务)提供的频道绑定的MD5值, 并且和客户端发送过来的值进行对比.  如果匹配, 并且人权衡的其他条件满足, 则认证成功.

I’ll now elaborate on each of the step listed above with a concrete example of RPC-over-HTTP traffic. The TLS network traffic is encrypted and I used Network Monitor expert Network Monitor Decryption Expert (NmDecrypt) to decrypt it. The decrypted network trace is attached to this blog.

下面使用一个具体的 RPC-over-HTTP 的传输来具体描述上面的每一步.  Tls的网络传输都是加密的, 我使用了 Network Monitor expert Network Monitor Decryption Expert (NmDecrypt) 来解密. 解密的网络跟踪在帖子的附件中.

If you open the network trace in Network Monitor, you’ll see that in frame 16 server sends a certificate to client, as below (copied and pasted from the trace):

打开 网络跟踪日志, 你会发现在第16帧, 服务端发送了一个证书给客户端, 如下:

……

After secure channel is established and cipher change has taken place, HTTP traffic starts flowing.

在安全频道建立之后,并且密码交换完成, HTTP传输就开始了.

In this example, HTTP is being used as a transport for RPC and RPC server requires authentication. For authentication, the client application first calculates the channel binding by using the following process(in Windows this is done by SSPI but that is not important in this discussion ). This process is based on RFC 5929.

在这个例子中, HTTP用来传输RPC, 并且RPC服务器要求认证.  对于认证, 客户端首先计算频道绑定, 过程如下(在Windows中, 由SSPI完成, 但这不重要): 这个过程基于RFC5929.

1. The channel binding type for this example is "tls-server-end-point" since a certificate is used in handshake (RFC5929).

频道绑定类型在本例中是 "tls-server-end-point", 因为在握手时使用了证书.

2. The client calculates a hash of the certificate. The hashing algorithm is SHA-256, unless all of the following conditions are met, in which case the signature algorithm in the certificate will be used.

客户端计算证书的哈希值. 哈希算法是SHA256, 除非下面的条件都满足, 此时将会使用证书的签名算法.

A certificate signature algorithm exist

证书签名算法存在

The algorithm is only implemented in CNG (ALG_ID is CALG_OID_INFO_CNG_ONLY)

(证书签名)算法只在CNG中实现(ALG_ID 为 CALG_OID_INFO_CNG_ONLY).

The algorithm has a corresponding CNG algorithm identifier string (pwszCNGAlgid)

(证书签名)算法有相应的CNG算法标示字符串(pwszCNGAlgid)

The algorithm is not SHA1

算法不是SHA1

The algorithm is not MD5

算法不是MD5

3. The SHA-256 hash of the above certificate is: ea 05 fe fe cc 6b 0b d5 71 db bc 5b aa 3e d4 53 86 d0 44 68 35 f7 b7 4c 85 62 1b 99 83 47 5f 95

上面证书的SHA-256哈希值是:  ea 05 fe fe cc 6b 0b d5 71 db bc 5b aa 3e d4 53 86 d0 44 68 35 f7 b7 4c 85 62 1b 99 83 47 5f 95

4. The Channel binding unique prefix (RFC5929) "tls-server-end-point" is prefixed to the hash above (with a colon), resulting in

74 6c 73 2d 73 65 72 76 65 72 2d 65 6e 64 2d 70 6f 69 6e 74 3a ea 05 fe fe cc 6b 0b d5 71 db bc 5b aa 3e d4 53 86 d0 44 68 35 f7 b7 4c 85 62 1b 99 83 47 5f 95

频道绑定前缀"tls-server-end-point"被附加到这个hash值得前面(冒号分隔):

74 6c 73 2d 73 65 72 76 65 72 2d 65 6e 64 2d 70 6f 69 6e 74 3a ea 05 fe fe cc 6b 0b d5 71 db bc 5b aa 3e d4 53 86 d0 44 68 35 f7 b7 4c 85 62 1b 99 83 47 5f 95

5. The above value is inserted as the value of application_data field of gss_channel_bindings_struct structure, as pointed out by MS-NLMP section 2.2.2.1

上面这个值插入到 gss_channel_bindings_struct 结构的 application_data 字段 .  这个字段在  MS-NLMP section 2.2.2.1 描述.

6. Windows always sets the other fields of gss_channel_bindings_struct as zeros (SEC_CHANNEL_BINDINGS

structure). The resulting gss_channel_bindings_struct is as follows (little endian format):

Windows 总是将 gss_channel_bindings_struct 机构的其他字段设为 0.  gss_channel_bindings_struct 结构的结果如下(小端格式):

00 00 00 00 //initiator_addtype

00 00 00 00 //initiator_address length

00 00 00 00 //initiator_address pointer

00 00 00 00 //acceptor_addrtype

00 00 00 00 //acceptor_address length

00 00 00 00 //acceptor_address pointer

35 00 00 00 //application_data length (53 bytes)

20 00 00 00 //application_data pointer (32 bytes from start of this structure)

74 6c 73 2d //application data, as calculated above

73 65 72 76

65 72 2d 65

6e 64 2d 70

6f 69 6e 74

3a ea 05 fe

fe cc 6b 0b

d5 71 db bc

5b aa 3e d4

53 86 d0 44

68 35 f7 b7

4c 85 62 1b

99 83 47 5f

95

After calculating channel binding, the client application starts authentication and include channel binding as part of authentication. In case of NTLM, the gss_channel_bindings_struct is called ClientChannelBindingUnhashed (MS-NLMP section 3.1.1.2). As explained in MS-NLMP section 3.1.5.1.2, the client adds an AV_PAIR structure and set the AvId field to MsvAvChannelBindings and the Value field to MD5(ClientChannelBindingsUnhashed). The MD5 hash of the above gss_channel_bindings_struct turns out to be:

频道绑定完成之后, 客户端开始认证, 将频道绑定作为认证的一部分包含进来.  对于NTLM, gss_channel_bindings_struct 结构 被叫做: ClientChannelBindingUnhashed (MS-NLMP section 3.1.1.2). 正如  MS-NLMP section 3.1.5.1.2, 中所介绍的,  客户端添加一个AV_PAIR  结构, AvId字段设为 MsvAvChannelBindings, 而Value字段设为 MD5(ClientChannelBindingsUnhashed). 上面的gss_channel_bindings_struct  结构的MD5值如下: 
65 86 E9 9D 81 C2 FC 98 4E 47 17 2F D4 DD 03 10

This value is part of the AUTHENTICATE_MESSAGE in frame 27 in the network trace attached (in the network trace it is shown in Base64 encoding as 45 41 42 6C 68 75 6D 64 67 63 4C 38 6D 45 35 48 46 79 2F 55 33 51 4D 51 with AvLen) .

这个值作为AUTHENTICATE_MESSAGE 认证消息的一部分, 在附件的第27帧(附件中显示为Base64的编码值:   45 41 42 6C 68 75 6D 64 67 63 4C 38 6D 45 35 48 46 79 2F 55 33 51 4D 51 包含 AvLen   ).

When server receives the AUTHENTICATE_MESSAGE, in addition to the regular authentication processing, it also verifies the channel binding hash by calculating it the same way the client did. If the channel binding hash does not match, the authentication will not be successful. The subsequent behavior is server dependent. In this example (IIS), the server will stop communication on unsuccessful authentication.

当服务端收到 AUTHENTICATE_MESSAGE 认证消息之后, 除了做常规的认证处理之外, 它还校验频道绑定数据, 与客户端同样计算一遍. 如果频道绑定数据不匹配, 认证就失败. 之后的行为就和服务器相关. 在这个例子中(IIS), 服务器会停止通信.

Please note that two step hashing is being employed here. First the application creates a hash of the certificate which becomes a part of gss_channel_bindings_struct structure. This structure is MD5 hashed again to be included in AUTHENTICATE_MESSAGE.

请注意, 这里应用了2步哈希. 首先应用程序计算证书的哈希值, 使其成为 gss_channel_bindings_struct结构的一部分.  这个结构又被计算MD5 哈希值, 用来包含在 AUTHENTICATE_MESSAGE中.

There are configurations on both Windows client and server side to disable the EPA. For the server side, please consult the server specific documentation. As for the server in this example, IIS, please consult http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication/extendedprotection.

在Windows客户端和服务端都有配置来禁用EPA.  对于服务端, 请参考服务端规范. 对于本例中使用的IIS, 请参考:

http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication/extendedprotection

On the client side, there is a registry setting that is described in KB976918 (http://support.microsoft.com/kb/976918) that can be used to configure EPA.

对于客户端,  KB976918 描述了一个注册表设置(http://support.microsoft.com/kb/976918) 能用来配置EPA.

==============================

欢迎大家访问我的个人独立博客: blog.byneil.com

本文不是完全对照翻译,但是力求主题意思清楚。  请参考原文阅读:

NTLM and Channel Binding Hash (aka Extended Protection for Authentication) – Microsoft Open Spec

欢迎大家交流讨论。

byNeil
byNeil.com

翻译,NTLM和频道绑定哈希(EPA)的更多相关文章

  1. 在后台代码中动态生成pivot项并设置EventTrigger和Action的绑定

    最近在做今日头条WP的过程中,遇到需要动态生成Pivot项的问题.第一个版本是把几个频道写死在xaml里了,事件绑定也写在xaml里,每个频道绑定一个ObservableCollection<A ...

  2. 到底什么是哈希Hash?

    知识点总结 ---------------------------------------------------------------------------------------------- ...

  3. 【翻译】WPF4.5新特性(MSDN的翻译读不太懂)

    我很在意WPF的发展,有人说微软不再维护WPF了,无所谓,随他去. MSDN上有简体版:http://msdn.microsoft.com/zh-cn/library/vstudio/bb613588 ...

  4. 再也不怕和老外交流了!我用python实现一个微信聊天翻译助手!

    前言 在前面的一篇文章如何用python“优雅的”调用有道翻译中咱们清楚的写过如何一层一层的解开有道翻译的面纱,并且笔者说过那只是脑洞的开始.现在笔者又回来了.当你遇到一些外国小哥哥小姐姐很心动.想结 ...

  5. 数据结构和算法(Golang实现)(26)查找算法-哈希表

    哈希表:散列查找 一.线性查找 我们要通过一个键key来查找相应的值value.有一种最简单的方式,就是将键值对存放在链表里,然后遍历链表来查找是否存在key,存在则更新键对应的值,不存在则将键值对链 ...

  6. XSS Filter Evasion Cheat Sheet 中文版

    前言 译者注: 翻译本文的最初原因是当我自己看到这篇文章后,觉得它是非常有价值.但是这么著名的一个备忘录却一直没有人把它翻译成中文版.很多人仅仅是简单的把文中的 各种代码复制下来,然后看起来很刁的发在 ...

  7. nodejs api 中文文档

    文档首页 英文版文档 本作品采用知识共享署名-非商业性使用 3.0 未本地化版本许可协议进行许可. Node.js v0.10.18 手册 & 文档 索引 | 在单一页面中浏览 | JSON格 ...

  8. 滥用exchage远程调用域管理员API接口

    0x00 前言 在大多数的Active Directory和Exchange中,Exchange服务器具有很高的权限,即Exchange服务器上的管理员可以很容易地将权限提升到域管理员权限,我在zdi ...

  9. Backbone事件模块及其用法

    事件模块Backbone.Events在Backbone中占有十分重要的位置,其他模块Model,Collection,View所有事件模块都依赖它.通过继承Events的方法来实现事件的管理,可以说 ...

随机推荐

  1. Envoy 源码分析--程序启动过程

    目录 Envoy 源码分析--程序启动过程 初始化 main 入口 MainCommon 初始化 服务 InstanceImpl 初始化 启动 main 启动入口 服务启动流程 LDS 服务启动流程 ...

  2. java web 程序---内置对象application的log方法的使用

    application的主要方法里,有log方法,是日志文件里可以查看到信息的. 当老师写好代码后,他发现在tomact里的log目录下找不到信息,原因是:我们用myeclipse这个客户端软件,应该 ...

  3. MySQL 高性能存储引擎:TokuDB初探

    在安装MariaDB的时候了解到代替InnoDB的TokuDB,看简介非常的棒,这里对ToduDB做一个初步的整理,使用后再做更多的分享. 什么是TokuDB? 在MySQL最流行的支持全事务的引擎为 ...

  4. Bootstrap-Plugin:附加导航(Affix)插件

    ylbtech-Bootstrap-Plugin:附加导航(Affix)插件 1.返回顶部 1. Bootstrap 附加导航(Affix)插件 附加导航(Affix)插件允许某个 <div&g ...

  5. 熟练使用Linux系统信息类命令

    系统信息类命令 – dmesg命令 dmesg命令用实例名和物理名称来标识连到系统上的设备. dmesg命令显示系统诊断信息.操作系统版本号.物理内存大小以及其他信息. 系统启动时,屏幕上会显示系统C ...

  6. 操作表单域中的value值

    HTML <form action=""> <input type="radio" name="sex" value=&q ...

  7. win7/64+python3.4+pyinstall3+tkinter+smtp=图形界面群发邮件客户端

    #file:   GUI_MAIL.py#Date:   2016/01/07#Author: lao_wan import tkinterimport smtplibfrom email.mime. ...

  8. 20165233 Java第四章学习总结

    20165233 2017-2018-2 <Java程序设计>第三周学习总结 教材学习内容总结 基础 类:包括类声明和类体. 其中类声明的变量被称作对象变量,简称对象. 类体中包括两部分: ...

  9. python 简单爬虫获取气象数据发送气象定时报-预报预警信息及时推送及阿里云短信群发接口

    !/usr/bin/python #encoding=utf-8 #Author:Ruiy #//////////////////////////////////////////////////// ...

  10. MPI 集合通信函数 MPI_Scatterv(),MPI_Gatherv(),MPI_Allgatherv(),MPI_Alltoall(),MPI_Alltoallv(),MPI_Alltoallw()

    ▶ 函数 MPI_Scatterv() 和 MPI_Gatherv() .注意到函数 MPI_Scatter() 和 MPI_Gather() 只能向每个进程发送或接受相同个数的元素,如果希望各进程获 ...