Free Windows Certification
Security

What is a digital signature and how does it work?

As we saw in the previous FAQ, public-private key pairs are used to pass sensitive information; they can also be used to provide authentication, proving that a sender is who they say they are. A digital signature does not protect the contents of the message; it only proves that the message is from who it says it is from.

It provides authentication and integrity but does not provide confidentiality: the data is sent as normal, and the signature acts like the ordinary signature we put on a letter.

A digital signature works by creating a message digest, a number of between 128 and 256 bits, generated by running the entire message through a hash algorithm. This digest is then encrypted with the sender's private key and appended to the end of the message.

When the recipient receives the message they run it through the same hash algorithm to generate their own message digest. They then decrypt the signature using the sender's public key, and provided the two numbers match they know the message is from who it says it is from AND that it has not been modified.
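The hash-then-sign flow described above, as an added example that is not part of the original FAQ: a textbook RSA key pair built from two publicly known Mersenne primes (so the block runs offline with only the standard library) signs the SHA-256 digest of a message, and the recipient recomputes the digest and compares it with the decrypted signature. The fixed primes and the lack of padding are deliberate simplifications for illustration; real implementations use random secret primes and a padding scheme such as PKCS#1.

```python
import hashlib

# Toy RSA key pair from two well-known Mersenne primes so the example runs with no
# library. They are public, so this is illustration only: real keys use random
# secret primes and a padding scheme (PKCS#1 v1.5 or PSS) around the digest.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                                 # ~648 bits, so any 256-bit digest fits
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (Python >= 3.8)


def message_digest(message: bytes) -> int:
    """Run the whole message through SHA-256 and return the 256-bit digest as an int."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: digest the message, then 'encrypt' the digest with the private key."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: recompute the digest and compare it with the decrypted signature."""
    return pow(signature, e, n) == message_digest(message)


def send(message: bytes) -> tuple:
    """What goes on the wire: the plaintext message with the signature appended.
    The message itself is not hidden (no confidentiality), only authenticated."""
    return message, sign(message)


if __name__ == "__main__":
    msg, sig = send(b"Transfer 100 to account 42")          # constructed sample message
    print("verifies:", verify(msg, sig))                      # True
    print("tampered:", verify(b"Transfer 900 to account 42", sig))  # False
```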

What is a SID (Security ID)?

SID stands for Security Identifier and is used within NT/2000 as a value that uniquely identifies an object such as a user or a group. The SID assigned to a user becomes part of the access token, which is then attached to any action attempted or process executed by that user or group. If a duplicate SID did exist, all users with that SID would authenticate as what would be seen as the same user. It is possible for cloned machines to have the same SID, which the authentication mechanism would see as the same machine. Under normal operation the SID is unique and identifies an individual object such as a user, group or machine.

A SID contains:

  • User and group security descriptors
  • 48-bit ID authority
  • Revision level
  • Variable sub-authority values

For example: S-1-5-21-917267712-1342860078-1792151419-500

Below is a list of the values for SIDs on a default NT 4 installation. Notice the unique value 500 for Administrator and 501 for Guest.

- Built-In Users

DOMAINNAME\ADMINISTRATOR S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)
DOMAINNAME\GUEST S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)

- Built-In Global Groups

DOMAINNAME\DOMAIN ADMINS S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)
DOMAINNAME\DOMAIN USERS S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)
DOMAINNAME\DOMAIN GUESTS S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)

- Built-In Local Groups

BUILTIN\ADMINISTRATORS S-1-5-32-544 (=0x220)
BUILTIN\USERS S-1-5-32-545 (=0x221)
BUILTIN\GUESTS S-1-5-32-546 (=0x222)
BUILTIN\ACCOUNT OPERATORS S-1-5-32-548 (=0x224)
BUILTIN\SERVER OPERATORS S-1-5-32-549 (=0x225)
BUILTIN\PRINT OPERATORS S-1-5-32-550 (=0x226)
BUILTIN\BACKUP OPERATORS S-1-5-32-551 (=0x227)
BUILTIN\REPLICATOR S-1-5-32-552 (=0x228)

- Special Groups

\CREATOR OWNER S-1-3-0
\EVERYONE S-1-1-0
NT AUTHORITY\NETWORK S-1-5-2
NT AUTHORITY\INTERACTIVE S-1-5-4
NT AUTHORITY\SYSTEM S-1-5-18
NT AUTHORITY\authenticated users S-1-5-11 *

* For Windows NT 4.0 Service Pack 3 and later only

 

These values can be displayed by using the utility Getsid.exe from the Windows NT Resource Kit.

C:\>getsid \\MACHINE ACCOUNT \\MACHINE ACCOUNT

The SID for account MACHINE\ ACCOUNT matches account MACHINE\ ACCOUNT

The SID for account MACHINE\ ACCOUNT is

S-1-5-21-1271857391-537538043-240200450-4294967295

The SID for account MACHINE\ ACCOUNT is

S-1-5-21-1271857391-537538043-240200450-4294967295
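Added example, not from the original page: a small parser for the S-revision-authority-subauthority form shown above (including the 4294967295 RID in the getsid output, which is the largest 32-bit value), a conversion to and from the binary layout Windows stores in tokens and ACEs (revision byte, sub-authority count, 6-byte big-endian identifier authority, 32-bit little-endian sub-authorities), and a lookup that names the well-known SIDs and RIDs from the table, printing the hex RID the way the table does.

```python
import struct

# Well-known SIDs and relative identifiers (RIDs, the last sub-authority) from the table above.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "\\EVERYONE", "S-1-3-0": "\\CREATOR OWNER",
    "S-1-5-2": "NT AUTHORITY\\NETWORK", "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users", "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users",
    514: "Domain Guests", 544: "Administrators", 545: "Users", 546: "Guests",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 552: "Replicator",
}


def parse_sid(text: str) -> dict:
    """Split 'S-<revision>-<authority>-<sub1>-...' into its fields, range-checking each."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range: %r" % text)
    return {"revision": revision, "authority": authority, "sub_authorities": subs,
            "rid": subs[-1] if subs else None}


def sid_to_bytes(text: str) -> bytes:
    """Binary form stored in tokens and ACEs: revision, sub-authority count,
    48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    sid = parse_sid(text)
    subs = sid["sub_authorities"]
    return (bytes([sid["revision"], len(subs)]) + sid["authority"].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(raw: bytes) -> str:
    """Inverse of sid_to_bytes, e.g. for a SID copied out of an ACE."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe(text: str) -> str:
    """Name the principal from the whole SID, or from its RID as in the table's hex column."""
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    rid = parse_sid(text)["rid"]
    if rid is None:
        return "no sub-authorities"
    return "%s (RID %d = 0x%X)" % (WELL_KNOWN_RIDS.get(rid, "unknown RID"), rid, rid)
```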

 

For more information, see

http://support.microsoft.com/support/kb/articles/Q163/8/46.asp

For information on extracting the SID from an ACE see

http://support.microsoft.com/support/kb/articles/q102/1/01.asp

For information on how to associate a Username with a Security Identifier (SID) see

http://support.microsoft.com/support/kb/articles/Q154/5/99.asp

Contributed by Nathan House

What is Kerberos?

Kerberos is new to Windows 2000 and is

"The hound of Hell. A three headed Dog with a Snake for a tail; guarded the entrance to the kingdom of Hades, the Underworld."

(and you wondered why the box was so big :-) ).

It replaces Microsoft's NTLM as the native authentication mechanism for Windows 2000 computers, but NTLM is still supported for compatibility with older NT 4 and Windows 9x clients (as a side note, NTLM version 2 is not supported in Windows 2000).

The idea is that if two people know a secret they can communicate by encrypting messages with it, and if both know the secret each knows the other is who they say they are. The problem is that the secret can't be sent as plain text over the network, as anyone with a network sniffer could read the “secret”.

The Kerberos protocol solves this problem with secret key cryptography. Rather than sharing a password, the communication partners share a cryptographic key that is symmetric in nature, meaning the single key can both encrypt and decrypt.

To communicate, one side sends the other an encrypted message containing its name and local time; the other machine decrypts the packet with the symmetric key, and if the time is close to its own time the match is OK.

The diagram shows this, where KJB is the symmetric key shared by John and Bob.

The fact that time is part of the encryption scheme is why Windows 2000 machines need to be time-synchronized with an SNTP service.

But how is the shared key distributed if it can't be sent over the network? See the next FAQ.
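The name-plus-timestamp exchange described above, as an added example that is not part of the original FAQ. It assumes John and Bob already hold the shared key KJB (how that key is distributed is the next FAQ's topic) and stands in a toy SHA-256 counter-mode cipher with an HMAC tag for Kerberos' real encryption types so that it runs with the standard library only; the 5-minute skew limit is Kerberos' usual default and is an assumption of this example.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; assumed default tolerance for clock difference between the two sides


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy symmetric cipher: SHA-256 in counter mode, a stand-in for Kerberos' real ciphers."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # proves the same key was used
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("not encrypted with the shared key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def make_authenticator(k_jb: bytes, name: str, now: float) -> bytes:
    """John -> Bob: {name, local time} encrypted under the shared key KJB."""
    return encrypt(k_jb, json.dumps({"name": name, "time": now}).encode())


def check_authenticator(k_jb: bytes, blob: bytes, expected: str, now: float) -> str:
    """Bob: decrypt with KJB and accept only if the name is right and the time is close to his clock."""
    try:
        data = json.loads(decrypt(k_jb, blob))
    except ValueError:
        return "reject: wrong key"
    if data.get("name") != expected:
        return "reject: name mismatch"
    if abs(now - data["time"]) > MAX_SKEW:
        return "reject: clock skew too large (or a replayed old authenticator)"
    return "ok"


if __name__ == "__main__":
    K_JB = hashlib.sha256(b"constructed shared secret").digest()   # constructed key both sides know
    auth = make_authenticator(K_JB, "john", time.time())
    print(check_authenticator(K_JB, auth, "john", time.time()))            # ok
    print(check_authenticator(K_JB, auth, "john", time.time() + 3600))     # reject: clock skew ...
    print(check_authenticator(os.urandom(32), auth, "john", time.time()))  # reject: wrong key
```

An unsynchronized clock fails in exactly the same way as a stale, replayed authenticator, which is why the skew check only works once both machines agree on the time.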
