Author Topic: DigestMD5 LDAP Authentication Traffic
authen (member; posts: 36; joined: 08/07/2006; from: San Diego, CA)
posted on: 08/07/2006 01:48:48 AM
DigestMD5 LDAP Authentication Traffic
Here is a practical DIGEST-MD5 authentication example via LDAP

Server: AD on Windows Server 2003
Client: JNDI client

1. Client --> Server
    LDAP Message, Bind Request
        Message Id: 1
        Message Type: Bind Request (0x00)
        Message Length: 19
        Response In: 24
        Version: 3
        DN: (null)
        Auth Type: SASL (0x03)
        Mechanism: DIGEST-MD5



2. Client <-- Server
    LDAP Message, Bind Result
        Message Id: 1
        Message Type: Bind Result (0x01)
        Message Length: 226
        Response To: 23
        Time: 0.000522000 seconds
        Result Code: saslBindInProgress (0x0e)
        Matched DN: (null)
        Error Message: (null)
        Server Credentials: 716F703D22617574682C617574682D696E742C617574682D...

0000  00 03 47 3f 5b 50 00 11 11 8f 93 9b 08 00 45 00   ..G?[P........E.
0010  01 19 dc a9 40 00 80 06 ef cf 0a 0b 0c cb 0a 0b   ....@...........
0020  0c 85 01 85 09 7c fc 29 96 aa 45 cc ac 36 50 18   .....|.)..E..6P.
0030  ff e5 1c 1d 00 00 30 84 00 00 00 eb 02 01 01 61   ......0........a
0040  84 00 00 00 e2 0a 01 0e 04 00 04 00 87 82 00 d7   ................
0050  71 6f 70 3d 22 61 75 74 68 2c 61 75 74 68 2d 69   qop="auth,auth-i
0060  6e 74 2c 61 75 74 68 2d 63 6f 6e 66 22 2c 63 69   nt,auth-conf",ci
0070  70 68 65 72 3d 22 33 64 65 73 2c 64 65 73 2c 72   pher="3des,des,r
0080  63 34 2d 34 30 2c 72 63 34 2c 72 63 34 2d 35 36   c4-40,rc4,rc4-56
0090  22 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 2d   ",algorithm=md5-
00a0  73 65 73 73 2c 6e 6f 6e 63 65 3d 22 37 61 32 65   sess,nonce="7a2e
00b0  31 64 66 62 65 61 39 61 63 36 30 31 36 31 39 35   1dfbea9ac6016195
00c0  36 66 63 39 36 35 61 31 33 65 62 32 37 37 32 31   6fc965a13eb27721
00d0  65 32 31 36 34 31 31 31 62 66 63 64 64 32 33 64   e2164111bfcdd23d
00e0  62 64 33 65 37 35 38 30 33 36 64 64 66 33 65 38   bd3e758036ddf3e8
00f0  62 36 31 66 34 65 32 31 63 37 64 39 22 2c 63 68   b61f4e21c7d9",ch
0100  61 72 73 65 74 3d 75 74 66 2d 38 2c 72 65 61 6c   arset=utf-8,real
0110  6d 3d 22 6d 79 64 6f 6d 61 69 6e 6e 63 6f 6d      m="mydomain.com


3. Client --> Server
    LDAP Message, Bind Request
        Message Id: 2
        Message Type: Bind Request (0x00)
        Message Length: 355
        Response In: 28
        Version: 3
        DN: (null)
        Auth Type: SASL (0x03)
        Mechanism: DIGEST-MD5
        Credentials: 636861727365743D7574662D382C757365726E616D653D22...

0000  00 11 11 8f 93 9b 00 03 47 3f 5b 50 08 00 45 00   ........G?[P..E.
0010  01 96 b9 55 40 00 80 06 12 a7 0a 0b 0c 85 0a 0b   ...U@...........
0020  0c cb 09 7c 01 85 45 cc ac 36 fc 29 97 9b 50 18   ...|..E..6.)..P.
0030  f9 ff 19 e2 00 00 30 82 01 6a 02 01 02 60 82 01   ......0..j...`..
0040  63 02 01 03 04 00 a3 82 01 5a 04 0a 44 49 47 45   c........Z..DIGE
0050  53 54 2d 4d 44 35 04 82 01 4a 63 68 61 72 73 65   ST-MD5...Jcharse
0060  74 3d 75 74 66 2d 38 2c 75 73 65 72 6e 61 6d 65   t=utf-8,username
0070  3d 22 6d 79 6d 64 75 73 65 72 32 6d 64 74 65 74   ="mydigestmd5tes
0080  74 22 2c 72 65 6c 72 61 64 69 61 6e 74 6c 6f 67   t",realm="mydoma
0090  69 63 2e 63 6f 6d 22 2c 6e 6f 6e 63 65 3d 22 37   in.com",nonce="7
00a0  61 32 65 31 64 66 62 65 61 39 61 63 36 30 31 36   a2e1dfbea9ac6016
00b0  31 39 35 36 66 63 39 36 35 61 31 33 65 62 32 37   1956fc965a13eb27
00c0  37 32 31 65 32 31 36 34 31 31 31 62 66 63 64 64   721e2164111bfcdd
00d0  32 33 64 62 64 33 65 37 35 38 30 33 36 64 64 66   23dbd3e758036ddf
00e0  33 65 38 62 36 31 66 34 65 32 31 63 37 64 39 22   3e8b61f4e21c7d9"
00f0  2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 63 6e 6f   ,nc=00000001,cno
0100  6e 63 65 3d 22 32 2b 2f 4a 79 47 35 47 77 70 50   nce="2+/JyG5GwpP
0110  64 61 68 4b 51 56 30 5a 39 33 34 32 41 52 5a 34   dahKQV0Z9342ARZ4
0120  68 57 56 76 67 75 68 52 37 6f 32 6e 46 22 2c 64   hWVvguhR7o2nF",d
0130  69 67 65 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f   igest-uri="ldap/
0140  73 2d 72 6c 69 30 35 2d 70 64 63 77 32 6b 33 2e   myad03.mydomain.
0150  63 6f 6d 22 2c 6d 61 78 62 75 66 3d 36 35 35 33   com",maxbuf=6553
0160  36 2c 72 65 73 70 6f 6e 73 65 3d 35 39 63 63 33   6,response=59cc3
0170  34 65 61 36 38 34 30 36 36 35 37 35 39 62 32 39   4ea6840665759b29
0180  63 61 64 34 39 34 32 64 39 30 65 2c 71 6f 70 3d   cad4942d90e,qop=
0190  61 75 74 68                                       auth


4. Client <-- Server
    LDAP Message, Bind Result
        Message Id: 2
        Message Type: Bind Result (0x01)
        Message Length: 49
        Response To: 27
        Time: 0.002301000 seconds
        Result Code: success (0x00)
        Matched DN: (null)
        Error Message: (null)
        Server Credentials: 727370617574683D62313335373732633236646435613963...

0000  00 03 47 3f 5b 50 00 11 11 8f 93 9b 08 00 45 00   ..G?[P........E.
0010  00 68 dc aa 40 00 80 06 f0 7f 0a 0b 0c cb 0a 0b   .h..@...........
0020  0c 85 01 85 09 7c fc 29 97 9b 45 cc ad a4 50 18   .....|.)..E...P.
0030  fe 77 f5 37 00 00 30 84 00 00 00 3a 02 01 02 61   .w.7..0....:...a
0040  84 00 00 00 31 0a 01 00 04 00 04 00 87 28 72 73   ....1........(rs
0050  70 61 75 74 68 3d 62 31 33 35 37 37 32 63 32 36   pauth=b135772c26
0060  64 64 35 61 39 63 31 32 31 63 64 38 62 32 63 33   dd5a9c121cd8b2c3
0070  66 62 64 39 66 36                                 fbd9f6




SteveHB (member; posts: 113; joined: 05/31/2006; from: Mountain View, CA)
posted on: 10/20/2012 08:40:07 PM
DigestMD5 is a typical nonce-based authentication protocol.
The big picture:

    +----------+                                          +----------+
    |  Client  |                                          |  Server  |
    +----------+                                          +----------+
         |                                                      |
         | --------- authentication mechanism ----------------> #
         |                                                      #
         # <---------------   nonce   ------------------------- #
         #                                                      |
         # ---- username, cnonce, H(nonce,cnonce,password) ---> #
         |                                                      #
         # <------------  security token  --------------------- #
         #                                                      |
         #                                                      |
         #                                                      |
                    


Specifically for this DigestMD5 example:
  • mechanism = DIGEST-MD5
  • nonce = 7a2e1dfbea9ac60161956fc965a13eb27721e2164111bfcdd23dbd3e758036ddf3e8b61f4e21c7d9
  • username = mydigestmd5test
  • cnonce = 2+/JyG5GwpPdahKQV0Z9342ARZ4hWVvguhR7o2nF
  • H-value = 59cc34ea6840665759b29cad4942d90e
  • token = b135772c26dd5a9c121cd8b2c3fbd9f6

    The key point here is the nonce, which is an arbitrary number used only once so that the responses are different each time. A nonce is also referred to as a challenge, as in NTLM authentication.
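
Worked example, added by the editor (not code from either post, from Active Directory, or from the JNDI client): a Python implementation of the RFC 2831 DIGEST-MD5 computation behind the capture in the first post and the nonce/cnonce/H-value diagram in this one. It parses the server challenge (step 2) and the client credentials (step 3), derives the H-value from the user's MD5(username:realm:password), verifies it server-side with a constant-time compare, refuses a replayed nonce, and returns the rspauth token (step 4). The password behind the captured H-value 59cc34ea6840665759b29cad4942d90e is not on the page, so that value cannot be reproduced; the password "correct horse", the user lookup table and the reconstructed challenge string are constructed here. Step 3's hex and ASCII columns disagree in the username, realm and digest-uri bytes (those fields look anonymized), so the ASCII-column values are used. The RFC 2831 section 4 example (user chris, password secret) is included as a self-check.

```python
import hashlib
import hmac
import re

# Editor's example, not from the post, AD or JNDI. The password, the lookup table
# and the reconstructed CHALLENGE string below are constructed for illustration.

_PAIR_RE = re.compile(r'\s*([A-Za-z0-9-]+)=("([^"]*)"|[^,]*)\s*(?:,|$)')


def parse_directives(text: str) -> dict:
    """Parse a challenge/response into a dict; quoted values may contain commas."""
    out, pos = {}, 0
    while pos < len(text):
        m = _PAIR_RE.match(text, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}")
        out[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(2)
        pos = m.end()
    return out


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def user_hash(username: str, realm: str, password: str) -> bytes:
    """Raw MD5(username:realm:password): the only password-derived value a server needs."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_md5_response(uh: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                        digest_uri: str, authzid: str = "", rspauth: bool = False) -> str:
    """RFC 2831 response-value (client) or, with rspauth=True, the server's rspauth."""
    a1 = uh + f":{nonce}:{cnonce}".encode("utf-8")        # algorithm=md5-sess form of A1
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):                    # integrity/privacy add 32 zeros
        a2 += ":00000000000000000000000000000000"
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode('utf-8'))}"
    return _md5hex(kd.encode("utf-8"))


# Challenge rebuilt from the capture's step-2 directives (closing realm quote added).
CHALLENGE = ('qop="auth,auth-int,auth-conf",cipher="3des,des,rc4-40,rc4,rc4-56",'
             'algorithm=md5-sess,nonce="7a2e1dfbea9ac60161956fc965a13eb27721e2164111'
             'bfcdd23dbd3e758036ddf3e8b61f4e21c7d9",charset=utf-8,realm="mydomain.com"')
CNONCE = "2+/JyG5GwpPdahKQV0Z9342ARZ4hWVvguhR7o2nF"     # the capture's cnonce
DIGEST_URI = "ldap/myad03.mydomain.com"                  # ASCII column of step 3


def client_response(username: str, password: str, challenge: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Build the credentials string the client sends in bind request 2 (step 3)."""
    ch = parse_directives(challenge)
    uh = user_hash(username, ch["realm"], password)
    resp = digest_md5_response(uh, ch["nonce"], cnonce, "00000001", qop, DIGEST_URI)
    return (f'charset=utf-8,username="{username}",realm="{ch["realm"]}",nonce="{ch["nonce"]}",'
            f'nc=00000001,cnonce="{cnonce}",digest-uri="{DIGEST_URI}",maxbuf=65536,'
            f'response={resp},qop={qop}')


def verify_bind(challenge: str, response: str, lookup, used_nonces: set):
    """Server side: check the client's response against the challenge this server issued.
    Returns the rspauth directive (step 4) on success, None on any failure."""
    ch, rs = parse_directives(challenge), parse_directives(response)
    try:
        nonce, nc, cnonce, uri = rs["nonce"], rs["cnonce"] and rs["nonce"], rs["cnonce"], rs["digest-uri"]
        nc, username, realm = rs["nc"], rs["username"], rs["realm"]
    except KeyError:
        return None
    qop = rs.get("qop", "auth")
    # The response must echo our nonce, be its first use, stay in our realm and use
    # a qop we offered; anything else is a replay or a weakened negotiation.
    if nonce != ch["nonce"] or nonce in used_nonces or nc != "00000001":
        return None
    if realm != ch["realm"] or qop not in ch.get("qop", "auth").split(","):
        return None
    uh = lookup(username, realm)
    if uh is None:
        return None
    authzid = rs.get("authzid", "")
    expected = digest_md5_response(uh, nonce, cnonce, nc, qop, uri, authzid)
    if not hmac.compare_digest(expected, rs.get("response", "")):
        return None
    used_nonces.add(nonce)   # this example's policy: a nonce is accepted exactly once
    return "rspauth=" + digest_md5_response(uh, nonce, cnonce, nc, qop, uri, authzid, rspauth=True)


# Constructed stand-in for the directory's credential store.
_DIRECTORY = {("mydigestmd5test", "mydomain.com"):
              user_hash("mydigestmd5test", "mydomain.com", "correct horse")}


def lookup_user(username: str, realm: str):
    return _DIRECTORY.get((username, realm))


def rfc2831_example_ok() -> bool:
    """Self-check against the worked example in RFC 2831 section 4."""
    uh = user_hash("chris", "elwood.innosoft.com", "secret")
    args = (uh, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth", "imap/elwood.innosoft.com")
    return (digest_md5_response(*args) == "d388dad90d4bbd760a152321f2143af7"
            and digest_md5_response(*args, rspauth=True) == "ea40f60335c427b5527b84dbabcdfffd")


if __name__ == "__main__":
    used = set()
    reply = client_response("mydigestmd5test", "correct horse", CHALLENGE, CNONCE)
    print("step 3:", reply)
    print("step 4:", verify_bind(CHALLENGE, reply, lookup_user, used))
    print("replayed step 3:", verify_bind(CHALLENGE, reply, lookup_user, used))
    print("RFC 2831 vectors ok:", rfc2831_example_ok())
```

The server never stores or sees the password, only MD5(username:realm:password), which is why the realm is part of the hash and why a realm mismatch is rejected before any computation. Running the script prints a step-3 line of the same shape as the capture, the step-4 rspauth, None for the replay, and True for the RFC vectors.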