NCP Primary Authentication Protocol


NCP Primary Authentication Protocol is an Authentication Method where the goal of the is to prove to an NDS server in the target tree, that the user has entered the correct password. The actual password is never passed over the wire in any form.

Refer to Figure for the following description of NCP's NCP Primary Authentication Protocol.

NCP Primary Auth Protocol

1 - The user enters his or her name and password into a login dialog running on the workstation. The workstation sends the user's distinguished name encapsulated in an authentication request to the designated primary NDS server in the NDS tree.

2 - The NDS server connected to the client uses the received distinguished name to obtain a reference to the user's object which contains the user's public Key and Private Keys and password hash.
ndsChallenge is a random number that NDS has already generated to use in authentication transactions. The NDS server connected to the client generates another random number especially for this authentication session that we will call serverChallenge. The server then sends serverChallenge and ndsChallenge along with NDS's own Public Key to the client workstation.

3 - The workstation hashes the password together with the received ndsChallenge to obtain a value, clientX. The workstation generates another random number we will call clientChallenge and hashes clientX with it to obtain clientY

  • The workstation performs asymmetric Key encryption on clientY and clientChallenge using the NDS Public Key and sends the message to the server.
  • The server performs Asymmetric Key Cryptography of the received message using the NDS Private Key to obtain clientY and clientChallenge.
  • The server hashes the password hash (obtained from the user's object) with ndsChallenge to obtain a value we will call serverX.
  • The server hashes serverX with clientChallenge to obtain serverY.
  • The server compares serverY with received clientY. If they are the same, then NDS determines that the client must have the correct password.

4 - Using the user's encrypted Private Key (obtained from the user's object) and an authentication period timeout value, the server uses a variant of the Gillou-Quisquater algorithm to generate a symmetric Key we will call shortTimeKey. The unique thing about this key is that it is equivalent to the user's Private Key but only for a limited length of time.
The server Symmetric Key encrypts the shortTimeKey using clientY as the Secret Key and sends the encrypted message to the workstation. Then it promptly throws the client's shortTimeKey and other authentication materials away.

5 - The workstation performs symmetric key decryption on the received message using clientY as the Private Key to obtain shortTimeKey.

The workstation is now authenticated to the NDS tree. The workstation will use the shortTimeKey to background authenticate with other NDS servers on the tree until the shortTimeKey expires (the authenticated period timeout occurs).

NCP Background Authentication Protocol#

Once a client workstation has what we have referred to as a shortTimeKey, the client will be able to use background authentication to any other NDS server on the tree using the protocol described below. Refer to Figure for the following discussion.

NCP Backgroud Auth Protocol

The following steps are completed during server-side background authentication:

1 - The Netware client will pass the user's distinguished name to the new server when any application on its workstation attempts to get a connection to a secondary NDS server participating on a tree to which the client has already performed a primary authentication. The client will also send the server an asymmetric key encrypted handshake message using the shortTimeKey it obtained from the primary authentication process as the Private Key.

2 - The NDS server uses the distinguished name from the client to obtain a reference to the user's object (which it can use to obtain the user's security information). The server then attempts to asymmetric key decrypt the client's handshake message using the user's Public Key. If the handshake message decrypts to a usable handshake, then the server determines that the client must possess a valid shortTimeKey and so must already be authenticated to the tree. If the client is authenticated, the NDS server authenticates the connection on its side and generates a sessionKey for symmetrical encryption and decryption on both sides. It then encrypts the sessionKey with the user's Public Key and sends it to the client.

3 - The workstation and NDS server will sign all messages sent to each other with the sessionKey to ensure the integrity of transmitted data.

More Information#

There might be more information for this subject on one of the following: