From: dan@milliways.org (Dan Bailey)
Date: Sat, 9 Dec 95 06:32:34 PST
To: futplex@pseudonym.com
Subject: Re: Win NT proprietary pw encryption (Was: Re: Windows .PW
Message-ID: <199512091433.OAA27353@pop01.ny.us.ibm.net>
MIME-Version: 1.0
Content-Type: text/plain


On Sat, 9 Dec 1995 03:15:51 -0500 (EST) you wrote:

>I don't quite agree with the last part. It might be educational to do a spot
>of cryptanalysis in an attempt to determine the nature of the proprietary
>algorithm used. It wouldn't be "cracking" the password protection, but I
>think the general effort to "out" proprietary crypto algorithms is productive,
>particularly in the case of major software packages.
>
>
>Anyone feel like putting together some sample plaintext/ciphertext pairs ?
>

Well, the problem with coming up with plaintext/ciphertext is that
I've never been able to find out exactly where the the SAM database is
physically stored.  Using Registry Editor, it's visible but not
accessible as part of the Registry.  Microsoft's APIs won't give you
access to the stored ciphertext, so some serious hacking is required
here, I'm just not sure where to begin.  I think a hacked version of
the Registry APIs that allow you to read the ciphertext would be a
good place to start, but again, I'm not sure where to begin writing
such a thing.
	The second problem is that we're not sure exactly what gets hashed
and in what order.  Is it username0x00password0x00domainname0x00SID or
something similar?  Tough to tell and MSoft wants to rely on the
"tamper-proofness" of NT rather than on algorithmic security.  If
anyone has more information on these issues, I'd love to know what's
really going on there.
						Dan

***************************************************************
#define private public						dan@milliways.org
Worcester Polytechnic Institute and The Restaurant at the End of the Universe
***************************************************************