Author: abartlet Date: 2004-11-07 05:34:10 +0000 (Sun, 07 Nov 2004) New Revision: 122
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=122 Log: Small layout fixes, and rebalance some of the images around the document . Andrew Bartlett Modified: trunk/samba4-ad-thesis/abstract.tex trunk/samba4-ad-thesis/ack.tex trunk/samba4-ad-thesis/chapters.tex trunk/samba4-ad-thesis/thesis.bib Changeset: Modified: trunk/samba4-ad-thesis/abstract.tex =================================================================== --- trunk/samba4-ad-thesis/abstract.tex 2004-11-07 05:24:49 UTC (rev 121) +++ trunk/samba4-ad-thesis/abstract.tex 2004-11-07 05:34:10 UTC (rev 122) @@ -12,8 +12,8 @@ modern network are directories of various sorts, which document and control it. -Samba is many things - a file and print server, that has for over 10 -years emulated the Microsoft products in this area. In more recent +Samba is many things, but primarily a file and print server, that has for over 10 +years emulated the Microsoft's products in this area. In more recent times, and particularly with Samba 3.0, it has taken on new roles in running networks, as a 'Domain Controller', compatible with the protocols used in NT4. Modified: trunk/samba4-ad-thesis/ack.tex =================================================================== --- trunk/samba4-ad-thesis/ack.tex 2004-11-07 05:24:49 UTC (rev 121) +++ trunk/samba4-ad-thesis/ack.tex 2004-11-07 05:34:10 UTC (rev 122) @@ -27,4 +27,4 @@ on which this thesis has been developed - this thesis has been developed in public, with a full version control history available from: -\texttt{http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/samba4-ad-thesis/?root=lorikeet} +\texttt{http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/samba4-ad-thesis/\\?root=lorikeet} Modified: trunk/samba4-ad-thesis/chapters.tex =================================================================== --- trunk/samba4-ad-thesis/chapters.tex 2004-11-07 05:24:49 UTC (rev 121) +++ trunk/samba4-ad-thesis/chapters.tex 2004-11-07 05:34:10 UTC (rev 122) 
@@ -465,22 +465,6 @@ passwords. -\subsection{Challenge-response Authentication} - -Challenge-response authentication is typically a shared-secret scheme, -where both parties to the authentication exchange have a copy of the -password, or a fixed derivative thereof. As shown in Figure \ref{fig:Challenge/Response}, -the server generates a random `challenge' to the client, and asks -the client to perform a fixed operation with inputs consisting of -the `challenge', the user's password, and possibly some random data -of the client's choosing. - -The result of this operation should not in any way disclose the user's -password, and should be repeatable on the server. Figure \ref{fig: challenge-response-block} -shows how, when the server repeats the operation using its copy of -the password, it compares the output with the value supplied by the -client. If the values match, the client must know the user's password. - % \begin{figure} \includegraphics[% @@ -500,6 +484,22 @@ \end{figure} +\subsection{Challenge-response Authentication} + +Challenge-response authentication is typically a shared-secret scheme, +where both parties to the authentication exchange have a copy of the +password, or a fixed derivative thereof. As shown in Figure \ref{fig:Challenge/Response}, +the server generates a random `challenge' to the client, and asks +the client to perform a fixed operation with inputs consisting of +the `challenge', the user's password, and possibly some random data +of the client's choosing. + +The result of this operation should not in any way disclose the user's +password, and should be repeatable on the server. Figure \ref{fig: challenge-response-block} +shows how, when the server repeats the operation using its copy of +the password, it compares the output with the value supplied by the +client. If the values match, the client must know the user's password. + % \begin{figure} \includegraphics[% 
@@ -527,26 +527,7 @@ an authentication request. These are trusted third party systems; all hosts trust those with the passwords (the third party in the authentication exchange) to correctly return authentications success or failure. -See Figure \ref{fig:Trusted-Third-Party}% -\begin{figure*} -\includegraphics[% - width=0.80\columnwidth, - keepaspectratio]{dia/SMB15.eps} - -\caption{\label{fig:Trusted-Third-Party}Trusted Third Party Authentication -(NTLM).} - -\begin{quote} -The Domain Controller (DC) wears a special hat. It keeps track of -the common authentication database that is shared by the SMB servers -in the Domain. The SMB servers query the DC when a client requests -access to SMB services. (Image and text (c) Chris Hertel\citep{hertel}, -\texttt{http://www.ubiqx.org/cifs/figures/smb-15.html})\end{quote} - -\end{figure*} - - For an authentication system to be secure, it must be possible to trust this third party, preferably by some cryptographic proof. Often this is by yet another shared-secret authentication scheme. 
@@ -854,9 +835,29 @@ In order to implement a distributed network architecture, compromises, which are invisible to the client, must be made at the server. Typically these are to somehow contact the Domain Controller (DC) to confirm -or deny an incoming user's identity. +or deny an incoming user's identity, a process shown in \ref{fig:Trusted-Third-Party}. +% +\begin{figure*} +\includegraphics[% + width=0.80\columnwidth, + keepaspectratio]{dia/SMB15.eps} + +\caption{\label{fig:Trusted-Third-Party}Trusted Third Party Authentication +(NTLM).} + +\begin{quote} +The Domain Controller (DC) wears a special hat. It keeps track of +the common authentication database that is shared by the SMB servers +in the Domain. The SMB servers query the DC when a client requests +access to SMB services. (Image and text (c) Chris Hertel\citep{hertel}, +\texttt{http://www.ubiqx.org/cifs/figures/smb-15.html})\end{quote} + +\end{figure*} + + + \subsection{Pass-though Authentication} The first, and easiest compromise the server can make is simply to Modified: trunk/samba4-ad-thesis/thesis.bib =================================================================== --- trunk/samba4-ad-thesis/thesis.bib 2004-11-07 05:24:49 UTC (rev 121) +++ trunk/samba4-ad-thesis/thesis.bib 2004-11-07 05:34:10 UTC (rev 122) @@ -353,8 +353,8 @@ @unpublished{vmware, year = 2004, URL = {http://www.vmware.com/products/server/gsx\_features.html}, - title = {VMware GSX Server 3.1}, - corpauthor = {VMware, Inc}, + title = {{VMware GSX Server 3.1}}, + corpauthor = {{VMware, Inc}}, key = {VMware} }
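Review bot: the replacement line in the abstract.tex hunk introduces a grammar slip: `+years emulated the Microsoft's products in this area.` carries both an article and a possessive; drop "the" so it reads `years emulated Microsoft's products in this area.` The new first line also keeps the comma in `a file and print server, that has for over 10`, which turns `that` into a non-restrictive clause; either remove the comma or change `that` to `which`.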
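Review bot: the `\\` hard-coded into the URL in the ack.tex hunk (`\texttt{...samba4-ad-thesis/\\?root=lorikeet}`) forces the break at one fixed point, so the layout only looks right for the current margins and the address no longer appears as one selectable string in the PDF. The `url` package's `\url{...}` (also loaded by `hyperref`) typesets in the same typewriter face and chooses its own break points at `/` and `?`, so the one-line form from the removed line can be kept as `\url{http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/samba4-ad-thesis/?root=lorikeet}`.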
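Review bot: moving `\subsection{Challenge-response Authentication}` and its two paragraphs below the `\end{figure}` in the chapters.tex 465/484 hunk changes only the source order; `\begin{figure}` carries no placement specifier, so LaTeX is still free to float the figure away from this text, and the float now sits in the source of the preceding subsection (the one ending in `passwords.`). If the intent is to keep the figure beside this discussion, a placement option such as `\begin{figure}[htbp]`, or a `\FloatBarrier` from the `placeins` package before the heading, is more robust than reordering. Since the paragraphs are being touched anyway, the label in `\ref{fig: challenge-response-block}` contains a space after the colon and resolves only if the matching `\label` has the identical space; renaming it to `fig:challenge-response-block` on both ends would be safer.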
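Review bot: the 527 hunk pairs with the re-insertion at 854, so the only text dropped outright is the `See Figure \ref{fig:Trusted-Third-Party}%` sentence, leaving the float's single cross-reference in the new paragraph at 854; that is fine as long as no other `\ref{fig:Trusted-Third-Party}` remains between the two positions. The unchanged context line `to correctly return authentications success or failure` should read `authentication success or failure` and is worth fixing while this paragraph is being edited.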
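Review bot: the new sentence `+or deny an incoming user's identity, a process shown in \ref{fig:Trusted-Third-Party}.` uses a bare `\ref`, so it typesets as "shown in" followed by a bare number with no word "Figure"; write `shown in Figure~\ref{fig:Trusted-Third-Party}` (the `~` keeps the number from being orphaned on the next line), matching the `See Figure \ref{...}` wording the 527 hunk removed. The hunk also leaves three blank lines before `\subsection{Pass-though Authentication}`, where one is enough, and that context line has a typo, `Pass-though` for `Pass-through`, which could go into the same commit.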
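Review bot: the extra braces in `title = {{VMware GSX Server 3.1}}` correctly stop styles that lower-case titles from changing the product name, but `corpauthor` is not a field the standard BibTeX styles read, so `corpauthor = {{VMware, Inc}}` has an effect only if the thesis uses a .bst that defines it; with a standard style the entry is typeset without an author and `key = {VMware}` supplies the sort key and label. If a standard style is in use, `author = {{VMware, Inc}}` is the field that produces a visible author, and the double braces there are what stops BibTeX from splitting the name into given and family parts at the comma.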
