Password Maintenance And Encryption - HP NetStorage 6000 Manual

File sharing security
3) The domain controller in domain A will examine the request to see if the account is associated with the domain. If it is, then it will authenticate the user and pass back the result.
4) If the account is with another domain (domain B), then domain A will verify that it has a trust relationship with domain B. If a trust relationship does exist, then the request is passed on to a domain controller in domain B for verification.
5) Domain B verifies the authentication request, then passes the result to domain A, which in turn passes it to the requesting computer.

When a user is authenticated, the authenticating computer passes back an access token to the requesting computer. The access token represents the user and contains a security identifier (SID) for the user, the SID of each group of which the user is a member, the SID to be assigned to objects created by the user and a default access control list.

3.3.3 Password Maintenance and Encryption

The following discussion of passwords pertains to Windows NT 4.0. The Windows 2000 encryption mechanisms are not presented here, except to note that Windows 2000 is backward compatible with the Windows NT 4.0 mechanisms described here.

User records are stored in the security accounts manager (SAM) database. Each user has two passwords with which it is associated: the LAN Manager (Lan Man 1.2) compatible password and the Windows NT (NT LM 0.12) password. Each password is stored doubly encrypted in the SAM database. The first encryption is a one-way function (OWF) version of the clear text, generally considered to be non-decryptable. The second encryption is an encryption with the user's relative ID (RID). The second encryption is decryptable by anyone who has access to the double-encrypted password, the user's RID, and the algorithm; it is used for obfuscation purposes only.
The LAN Manager compatible password is based on the original equipment manufacturer (OEM) character set, is not case sensitive (enforced by upper-casing before encryption), and is up to 14 characters long. The OWF version (called the LAN Manager OWF or ESTD version) of the password is computed by encrypting a constant with the clear text password using DES encryption. The LAN Manager OWF password is 16 bytes long. The first 7 bytes of the clear text password are used to compute the first 8 bytes of the LAN Manager OWF password. The second 7 bytes of the clear text password are used to compute the second 8 bytes of the LAN Manager OWF password.

The Windows NT password is based on the Unicode character set, is case sensitive, and can be up to 128 characters long. The OWF version (called the Windows NT OWF password) is computed using the RSA MD-4 message-digest algorithm, which computes a 16-byte "digest" of a variable length string of clear text password bytes.

The purpose of maintaining both versions of a password is to ensure compatibility with all clients on the network. In no instance is the password of any user account stored as plaintext; it is always encrypted by the OWF first. It is important to note, however, that the encrypted passwords are almost as valuable as the plaintext passwords, and are even commonly referred to as plaintext equivalents. Even though it is not feasible to decrypt plaintext equivalent passwords, they can be used to obtain authentication on a server.
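The two OWF forms described above, worked through in code. This is an added example, not code from the HP manual or from Windows; it assumes the RFC 1320 definition of MD-4 (implemented here directly, because the md4 algorithm is disabled in many current hashlib/OpenSSL builds) and assumes code page 437 as the "OEM character set". The LAN Manager DES step is not performed (a DES library would be needed); only the input preparation is shown, which is what makes the LM form weak: the password is upper-cased, padded with zero bytes to 14, and split into two independent 7-byte halves, so a password of 7 or fewer characters has an all-zero second half and the second 8 bytes of its OWF are a fixed value. The NT form is MD-4 over the UTF-16LE encoding and keeps case.

```python
"""Added example: Windows NT 4.0 OWF password forms (not the manual's code)."""
import struct

_M = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


# The three MD-4 auxiliary functions from RFC 1320.
def _F(x, y, z): return (x & y) | (~x & z)
def _G(x, y, z): return (x & y) | (x & z) | (y & z)
def _H(x, y, z): return x ^ y ^ z


def _round(state, X, fn, order, shifts, const):
    """One 16-step MD-4 round; the (a, b, c, d) roles rotate every step."""
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _lrot((a + fn(b, c, d) + X[k] + const) & _M, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """MD-4 message digest per RFC 1320 (16-byte output)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                       # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)      # 64-bit little-endian length
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        s = list(state)
        s = _round(s, X, _F, range(16), (3, 7, 11, 19), 0)
        s = _round(s, X, _G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                   (3, 5, 9, 13), 0x5A827999)
        s = _round(s, X, _H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(v + w) & _M for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_owf(password: str) -> bytes:
    """Windows NT OWF password: MD-4 of the UTF-16LE (Unicode) password, case kept."""
    if len(password) > 128:
        raise ValueError("NT password is limited to 128 characters")
    return md4(password.encode("utf-16-le"))


def lm_halves(password: str) -> tuple:
    """LAN Manager input preparation: OEM charset (cp437 assumed), upper-cased,
    zero-padded to 14 bytes, split into the two 7-byte DES key halves.
    The DES encryption of the fixed constant is not performed here."""
    if len(password) > 14:
        raise ValueError("LM password is limited to 14 characters")
    oem = password.upper().encode("cp437").ljust(14, b"\x00")
    return oem[:7], oem[7:]


def lm_second_half_is_fixed(password: str) -> bool:
    """True when the password is short enough that the second 7-byte half is
    all zero bytes, so the second 8 OWF bytes are the same for every such user."""
    return lm_halves(password)[1] == b"\x00" * 7


if __name__ == "__main__":
    for pw in ("password", "Password", "secret", "abcdefghijklmn"):
        print(f"{pw!r:18} NT OWF={nt_owf(pw).hex()}  LM halves={lm_halves(pw)}"
              f"  fixed 2nd half={lm_second_half_is_fixed(pw)}")
```

The last function is the check an auditor cares about: because each LM half is computed independently, the OWF of a short password reveals that it is short, and each half can be attacked on its own, which is why the manual's "plaintext equivalent" warning matters even more for the LM form than for the NT form.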
Copyright © 2000 Hewlett-Packard Company
All Rights Reserved
Page 13 of 28
