3.1.5.2 Algorithms for Challenge/Response Authentication

There are several challenge/response algorithms supported by CIFS for use with user authentication. Note that CIFS does not support the full protocol defined in [MS-NLMP]; it makes use of the challenge/response algorithms only. CIFS does not support Extended Session Security because there is no mechanism in CIFS to negotiate Extended Session Security.

  • The LAN Manager (LM) Response

    The LAN Manager (LM) response is computed using the DESL() operation defined in [MS-NLMP] Appendix A. Specifically:

     LM_Hash = LMOWFv1( password );
     LM_Response = DESL( LM_Hash, Challenge );

If the client is configured to send the LM response, it MUST be sent in the OEMPassword field of the SMB_COM_SESSION_SETUP_ANDX request. The LM response algorithm is described in [MS-NLMP] section 3.3.1.

  • The NT LAN Manager (NTLM) Response

    The NT LAN Manager (NTLM) response is also computed using the DESL() operation defined in [MS-NLMP] Appendix A. Specifically:

     NTLM_Hash = NTOWFv1( password );
     NTLM_Response = DESL( NTLM_Hash, Challenge );

If the client is configured to send the NTLM response, it MUST be sent in the UnicodePassword field of the SMB_COM_SESSION_SETUP_ANDX request. The NTLM response algorithm is described in [MS-NLMP] section 3.3.1.

  • LM v2 Authentication

    When the client is configured to use LM v2 authentication, the LM responses are replaced with the LMv2 responses:<186>

    • The LMv2 response is specified in the calculation of LmChallengeResponse in [MS-NLMP] section 3.3.2.

  • NTLM v2 Authentication

    When the client is configured to use NTLM v2 authentication, the NTLM responses are replaced with the NTLMv2 responses:

    • The NTLMv2 response is specified in the calculation of NtChallengeResponse in [MS-NLMP] section 3.3.2.
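The field placement described above lets a defender audit which response types a client still sends. The following is an added example, not part of the specification: it reads OEMPassword and UnicodePassword from a SMB_COM_SESSION_SETUP_ANDX request body and classifies them by length. Assumptions: the parameter layout follows the MS-CIFS request definition, challenge/response authentication was negotiated, DESL() output is 24 bytes and an NTLMv2 response is longer; the function names and sample bytes are constructed for illustration.

```python
import struct

# Request layout after the 32-byte SMB header: WordCount .. Capabilities, then
# ByteCount and the data bytes (assumed from the MS-CIFS request definition).
WORDS = struct.Struct("<BBBHHHHIHHII")
DESL_LEN = 24  # DESL() output: three 8-byte DES blocks


def classify_session_setup(body: bytes) -> dict:
    """Classify the OEMPassword / UnicodePassword fields by length."""
    if len(body) < WORDS.size + 2:
        raise ValueError("truncated parameter block")
    f = WORDS.unpack_from(body)
    word_count, oem_len, uni_len = f[0], f[8], f[9]
    if word_count != 13:
        raise ValueError("unexpected WordCount")
    (byte_count,) = struct.unpack_from("<H", body, WORDS.size)
    data = body[WORDS.size + 2:][:byte_count]
    if len(data) != byte_count or oem_len + uni_len > byte_count:
        raise ValueError("length fields do not fit SMB_Data")
    # LM and LMv2 responses are both 24 bytes, so length cannot separate them.
    oem = {0: "none", DESL_LEN: "LM or LMv2"}.get(oem_len, "other")
    if uni_len > DESL_LEN:
        uni = "NTLMv2"  # 16-byte proof followed by a variable-length blob
    else:
        uni = {0: "none", DESL_LEN: "NTLM"}.get(uni_len, "other")
    return {"OEMPassword": oem, "UnicodePassword": uni,
            "oem_bytes": data[:oem_len],
            "unicode_bytes": data[oem_len:oem_len + uni_len]}


def build_sample(oem: bytes, uni: bytes, tail: bytes = b"user\x00DOM\x00") -> bytes:
    """Constructed test input: a request body with placeholder field values."""
    data = oem + uni + tail
    words = WORDS.pack(13, 0xFF, 0, 0, 4356, 50, 0, 0, len(oem), len(uni), 0, 0)
    return words + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    v1 = build_sample(b"\x11" * 24, b"\x22" * 24)   # constructed, not real hashes
    v2 = build_sample(b"\x11" * 24, b"\x33" * 60)
    for name, req in (("v1-style", v1), ("v2-style", v2)):
        r = classify_session_setup(req)
        print(name, r["OEMPassword"], "/", r["UnicodePassword"])
```

A 24-byte UnicodePassword flags a client still sending the DESL()-based NTLM response; a 24-byte OEMPassword alone does not distinguish LM from LMv2.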