|
NTLM is designed to do authentication over an unencrypted channel with a shared secret (password). It's also important to appreciate there is no initialization protocol for a new user, it's just "please login user x with y". As such, the protocol exchanges everything you would need in order to crack the password in the messages themselves. Adding a salt, unless you stipulate a way to share that salt across machines ahead of time, would not prevent cracking a password by intercepting the messages, because the salt would have to be in the message exchange as well. What a public / visible salt in the message exchange does do is eliminate rainbow table (instant) cracking based on intercepting the message. To answer your question: NTLM is unsalted, and NTLMv2 adds a salt, which is exchanged in the messaging. In this case the salt is applied a bit differently -- MD5(MD5(password), salt) -- because the salt is randomly generated each time, and what's stored in the authentication database is just MD5(password). The salt is only in the challenge-response protocol, so you can still bulk-crack all the passwords in the database if you can steal it. So, you can think of NTLMv2 as "half-salted" and when you tell people that, you'll have a great story to tell (for values of "great" which include crypto-inclined audiences). EDIT: I think KMag has it right. The message has the username, domain, salt, and: MD5(MD5(MD4(password), username || domain), salt)
The nesting is because of their attempts at shoe-horning this in their legacy codebase and trying to remain backward compatible. A more secure way to hash the same data, but not backward compatible, is; HMAC(salt, username || domain || password)
|