Principles of Windows Security Authentication [NTLM]

There are two methods for Windows Security Authentication: Kerberos and NTLM. Kerberos is the preferred authentication method, which is used in the domain environment and complex. Here, we will introduce another simple authentication protocol for Windows-NTLM (NT
LAN manager ). NTLM is used in Windows NT and Windows 2000 Server (or
In the Working Group Environment (Kerberos is used in the domain mode ). In an ad domain environment, if you need to authenticate the Windows NT System, you must also use NTLM. Compared with Kerberos, the NTLM-based authentication process is much simpler. NTLM adopts a challenge/response message exchange mode, reflecting the entire NTLM authentication process in Windows2000.

Step 1

You can log on to the client host by entering the Windows account and password. Before logon, the client caches the hash value of the entered password, and the original password is discarded ("the original password cannot be cached under any circumstances", which is a basic security rule ). If a user successfully logs on to the Windows client tries to access server resources, he/she must send a request to the other party. The request contains a user name in plaintext.

Step 2

After receiving the request, the server generates a 16-bit random number. This random number is called challenge or nonce. Before the server sends the challenge to the client, the challenge is saved first. Challenge is sent in plaintext.

Step 3

After receiving the challenge sent back from the server, the client encrypts the challenge with the password hash value saved in step 1, and then sends the encrypted challenge to the server.

Step 4

After the server receives the encrypted challenge sent back from the client, it will send a verification request to the DC (domain) for the client. The request mainly includes the client user name, challenge encrypted by client password hash, and original challenge.

 

Step 5 and 6

DC obtains the password hash value of the account based on the user name and encrypts the original challenge. If the encrypted challenge is the same as the challenge sent by the server, it means that the user has the correct password and the verification is successful. Otherwise, the verification fails. DC sends the verification result to the server and finally sends the feedback to the client.