This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is an [Authentication Method] where the goal of the client is to prove to an NDS server in the target tree that the user has entered the correct password. The actual [password] is never passed over the wire in any form.
Refer to Figure for the following description of [NCP]'s [{$pagename}].
[{Image src='NCP Primary Authentication Protocol/ncp-primary-auth.png' width='1080' height='640' border='0' alt='NCP Primary Auth Protocol'}]
1 - The user enters his or her name and password into a login dialog running on the workstation. The workstation sends the user's distinguished name encapsulated in an authentication request to the designated primary NDS server in the NDS tree.
2 - The NDS server connected to the client uses the received [distinguished name|Distinguished Name] to obtain a reference to the user's object which contains the user's [public Key] and [Private Keys] and password hash. \\ndsChallenge is a random number that NDS has already generated to use in [authentication] transactions. The NDS server connected to the client generates another random number especially for this [authentication] session that we will call serverChallenge. The server then sends serverChallenge and ndsChallenge along with NDS's own [Public Key] to the client workstation.
3 - The workstation [hashes|Hash Function] the [password] (in the same hashed form the server stores in the user's object, so that both sides can compute the same value) together with the received ndsChallenge to obtain a value, clientX. The workstation then generates another random number we will call clientChallenge and hashes clientX with it to obtain clientY.
* The workstation performs [asymmetric Key] [encryption] on clientY and clientChallenge using the NDS [Public Key] and sends the message to the server.
* The server performs [asymmetric key decryption|Asymmetric Key Cryptography] of the received message using the NDS [Private Key] to obtain clientY and clientChallenge.
* The server hashes the password hash (obtained from the user's object) with ndsChallenge to obtain a value we will call serverX.
* The server hashes serverX with clientChallenge to obtain serverY.
* The server compares serverY with received clientY. If they are the same, then NDS determines that the client must have the correct password.
4 - Using the user's [encrypted] [Private Key] (obtained from the user's object) and an [authentication] period timeout value, the server uses a variant of the [Guillou-Quisquater|Gillou-Quisquater] algorithm to generate a [symmetric Key] we will call shortTimeKey. The unique thing about this key is that it is equivalent to the user's [Private Key], but only for a limited length of time.\\The server [Symmetric Key] encrypts the shortTimeKey using clientY as the secret key and sends the encrypted message to the workstation. It then promptly discards the client's shortTimeKey and the other authentication materials.
5 - The workstation performs [symmetric key decryption|Symmetric Key Cryptography] on the received message using clientY as the secret [Symmetric Key] to obtain shortTimeKey.
The workstation is now authenticated to the NDS tree. The workstation will use the shortTimeKey to background [authenticate] with other NDS servers on the tree until the shortTimeKey expires (the authenticated period timeout occurs).
!!! [NCP] Background [Authentication] [Protocol]
Once a client workstation has what we have referred to as a shortTimeKey, the client will be able to use background [authentication] to any other [NDS server|ncpServer] on the tree using the protocol described below. Refer to Figure for the following discussion.
[{Image src='NCP Primary Authentication Protocol/ncp-background-auth.png' width='1080' height='640' border='0' alt='NCP Background Auth Protocol'}]
The following steps are completed during server-side background [authentication]:
1 - The NetWare client passes the user's [distinguished name|DN] to the new server whenever any application on its workstation attempts to get a connection to a secondary NDS server participating in a tree to which the client has already performed a primary authentication. The client also sends the server an asymmetric key encrypted handshake message, using the shortTimeKey it obtained from the primary authentication process as the [Private Key].
2 - The NDS server uses the distinguished name from the client to obtain a reference to the user's object (which it can use to obtain the user's security information). The server then attempts to asymmetric key decrypt the client's handshake message using the user's [Public Key]. If the handshake message decrypts to a usable handshake, the server determines that the client must possess a valid shortTimeKey and so must already be authenticated to the tree. In that case the NDS server authenticates the connection on its side and generates a sessionKey for symmetric encryption and decryption on both sides. It then encrypts the sessionKey with the user's [Public Key] and sends it to the client.
3 - The workstation and NDS server will sign all messages sent to each other with the sessionKey to ensure the integrity of transmitted data.
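The two exchanges above, primary authentication (steps 1 to 5) and background authentication (steps 1 to 3), as one added example in Python. This is illustration code written for this page, not Novell's NCP or NDS implementation, and its primitives are stand-ins: SHA-256 truncated to 16 bytes for the hash the page does not name, unpadded textbook RSA over known Mersenne primes for the asymmetric steps, an HMAC-SHA256 keystream for the symmetric wrap of shortTimeKey, and the user's own private key plus an expiry time in place of the Guillou-Quisquater derived key; the DN, password and handshake tag are constructed sample data. It exercises the properties the page claims: the server verifies from the stored password hash alone, the password itself never crosses the wire, a wrong password fails the serverY/clientY comparison, the secondary server accepts only a handshake made with the shortTimeKey, an expired shortTimeKey is refused, and both sides sign traffic with the sessionKey. Note that the client has to hash the password into the same form stored in the user object, otherwise clientX can never equal serverX.

```python
"""Model of the NCP primary and background authentication flows on this page.
Stand-ins (assumptions, not NCP's real primitives): 16-byte truncated SHA-256,
unpadded textbook RSA over Mersenne primes, an HMAC-SHA256 keystream, and the
user's own RSA private key plus an expiry in place of the GQ-derived shortTimeKey."""
import hashlib
import hmac
import secrets
import time

DN = "cn=alice,o=acme"   # constructed sample user


def rsa_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def rsa_apply(key, m: int) -> int:
    """Textbook RSA: m ** exponent mod n (no padding; demo only)."""
    n, exp = key
    assert 0 <= m < n, "value does not fit the toy modulus"
    return pow(m, exp, n)


NDS_PUB, NDS_PRIV = rsa_keypair(2**521 - 1, 2**127 - 1)   # the tree's key pair
USER_PUB, USER_PRIV = rsa_keypair(2**107 - 1, 2**89 - 1)  # the user object's key pair


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()[:16]


def password_hash(password: str) -> bytes:
    """Value stored in the user object; the workstation derives the same value locally."""
    return H(b"pwd:", password.encode())


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR with an HMAC-SHA256 counter keystream (self-inverse)."""
    ks = b"".join(hmac.new(key, bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


USERS = {DN: {"pw_hash": password_hash("correct horse"), "pub": USER_PUB, "priv": USER_PRIV}}


class NdsServer:
    def __init__(self, users):
        self.users = users
        self.nds_challenge = secrets.token_bytes(16)    # pre-generated, reused across logins
        self.sessions = {}

    def challenge(self, dn):                             # primary auth, step 2
        server_challenge = secrets.token_bytes(16)       # sent, but unused in the comparison below
        return server_challenge, self.nds_challenge, NDS_PUB

    def verify(self, dn, ciphertext: int, ttl=300):      # primary auth, steps 3 and 4
        plain = rsa_apply(NDS_PRIV, ciphertext).to_bytes(32, "big")
        client_y, client_challenge = plain[:16], plain[16:]
        user = self.users[dn]
        server_x = H(user["pw_hash"], self.nds_challenge)
        server_y = H(server_x, client_challenge)
        if not hmac.compare_digest(server_y, client_y):
            return None                                   # wrong password
        n, d = user["priv"]
        expiry = int(time.time()) + ttl
        stk = n.to_bytes(32, "big") + d.to_bytes(32, "big") + expiry.to_bytes(8, "big")
        return keystream_xor(client_y, stk)               # wrapped under clientY; server keeps nothing

    def background(self, dn, handshake_ct: int):         # background auth, step 2
        pub = self.users[dn]["pub"]
        handshake = rsa_apply(pub, handshake_ct).to_bytes(24, "big")
        if not handshake.startswith(b"NCP-HELLO:"):
            return None                                   # not produced with a valid shortTimeKey
        self.sessions[dn] = secrets.token_bytes(16)
        return rsa_apply(pub, int.from_bytes(self.sessions[dn], "big"))


def primary_auth(server, dn, password):
    """Workstation side, steps 1, 3 and 5; returns ((n, d), expiry) or None."""
    _server_challenge, nds_challenge, nds_pub = server.challenge(dn)
    client_x = H(password_hash(password), nds_challenge)   # the password itself never leaves
    client_challenge = secrets.token_bytes(16)
    client_y = H(client_x, client_challenge)
    wrapped = server.verify(dn, rsa_apply(nds_pub, int.from_bytes(client_y + client_challenge, "big")))
    if wrapped is None:
        return None
    stk = keystream_xor(client_y, wrapped)
    priv = (int.from_bytes(stk[:32], "big"), int.from_bytes(stk[32:64], "big"))
    return priv, int.from_bytes(stk[64:], "big")


def background_auth(server, dn, short_time_key, now=None):
    """Workstation side of background auth; returns the sessionKey or None."""
    priv, expiry = short_time_key
    if (time.time() if now is None else now) > expiry:
        return None                                       # expired: primary auth is needed again
    handshake = b"NCP-HELLO:" + secrets.token_bytes(14)   # 24 bytes, fits the user modulus
    session_ct = server.background(dn, rsa_apply(priv, int.from_bytes(handshake, "big")))
    return None if session_ct is None else rsa_apply(priv, session_ct).to_bytes(16, "big")


def sign(session_key: bytes, msg: bytes) -> bytes:       # background auth, step 3
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def verify_signature(session_key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(session_key, msg), tag)


if __name__ == "__main__":
    primary, secondary = NdsServer(USERS), NdsServer(USERS)
    stk = primary_auth(primary, DN, "correct horse")
    assert stk and primary_auth(primary, DN, "wrong") is None
    sk = background_auth(secondary, DN, stk)
    assert sk == secondary.sessions[DN]
    assert background_auth(secondary, DN, stk, now=stk[1] + 1) is None
    print("primary and background authentication succeeded; expired shortTimeKey rejected")
```

Run it as a script to see the full flow; the assertions at the bottom are the checks a practitioner would want. Two things the model makes visible that the prose leaves implicit: the primary server never sees or stores the password or the shortTimeKey after step 4 (it only holds the password hash and the wrapped key in transit), and serverChallenge is generated and sent in step 2 but plays no part in the serverY/clientY comparison as the page describes it.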
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]