In general, authentication is a process of determining whether someone is who they claim to be. In the computer industry, authentication is commonly performed via use of logon passwords. Knowledge of the password is assumed to guarantee a user is authentic. In many applications, each user initially registers (or is registered by someone else) using an assigned or self-declared password. On each subsequent use of a computer, the user must know and use the previously declared password in order to log onto a computer and use a respective network. For security reasons, passwords are generally not transmitted over a network in raw form. Instead, hashing functions are applied to passwords (provided by the user) prior to transmission over a respective network.
One type of authentication protocol is known as NTLM (e.g., Windows™ NT LAN Manager). In general, the NTLM authentication protocol involves a series of communications with a user attempting to use a respective network.
According to the NTLM authentication protocol, a client initially sends a respective server a Negotiate CIFS protocol request message. In the header of this CIFS message is a bit-mask indicating the client's capabilities, such as authentication methods supported by the client.
In response to receiving the CIFS NegProt_Request message, the server chooses a CIFS dialect for future communications based on the list presented in the NegProt_Request message. If the negotiated authentication scheme is NTLM, the server receiving the NegProt_Request message includes an 8-byte “challenge” in the NegProt_Response message.
Upon receipt of the challenge message from the server, the client encrypts the 8-byte challenge value using a derivation of a user provided password (e.g., an encryption key that is an MD4 hash of the password that is turned into a DES key). The result is a 24-byte challenge “response.” The challenge response is encoded into the SessionSetup CIFS message sent to the server.
Upon receipt of the challenge response from the client, the server performs the same computation (e.g., encryption of the 8-byte challenge) the client performed using a password hash function associated with the client. The password hash function used by the server is stored in a so-called Windows SAM database. If the result generated by the server matches encrypted value received from the client, the server returns an authentication-success message to the client allowing a respective connection. The server communicates with a domain controller of the respective network using the NetLogon Microsoft RPC protocol for purposes of authenticating a respective client. If authentication is successful in this last step, the client is cleared to send file operations to the server.
In addition to conventional NTLM techniques as discussed above, a so-called Kerberos V5 authentication model discloses a way for a client to delegate the authority for an intermediary system (e.g., another computer) to perform authentication on behalf of the client. This makes it possible to allow one's identity to flow through a multi-tier system where decisions about authority can be made in the originating identity at each tier. For example, if a user “JC” connects to machine “A,” through delegation, machine “A” can be granted the authority to authenticate a session to an application on machine “B” as user “JC.” Thus, on machine “B,” access control is applied in the context of user “JC” rather than the context of machine “A.”