3.1.5.2 Algorithms for Challenge/Response Authentication

There are several challenge/response algorithms supported by CIFS for use with user authentication. Note that CIFS does not support the full protocol defined in [MS-NLMP]; it makes use of the challenge/response algorithms only. CIFS does not support Extended Session Security because there is no mechanism in CIFS to negotiate Extended Session Security.

• The LAN Manager (LM) Response

• The LAN Manager (LM) response is computed using the DESL() operation defined in [MS-NLMP] Appendix A. Specifically:

   LM_Hash = LMOWFv1( password );
   LM_Response = DESL( LM_Hash, Challenge );
    
  

If the client is configured to send the LM response, it MUST be sent in the OEMPassword field of the SMB_COM_SESSION_SETUP_ANDX request. The LM response algorithm is described in [MS-NLMP] section 3.3.1.

• The NT LAN Manager (NTLM) Response

• The NT LAN Manager (NTLM) response is also computed using the DESL() operation defined in [MS-NLMP] Appendix A. Specifically:

   NTLM_Hash = NTOWFv1( password );
   NTLM_Response = DESL( NTLM_Hash, Challenge );
    
  

If the client is configured to send the NTLM response, it MUST be sent in the UnicodePassword field of the SMB_COM_SESSION_SETUP_ANDX request. The NTLM response algorithm is described in [MS-NLMP] section 3.3.1.

• LM v2 Authentication

• When the client is configured to use LM v2 authentication, the LM responses are replaced with the LMv2 responses:<186>

  • The LMv2 response is specified in the calculation of LmChallengeResponse in [MS-NLMP] section 3.3.2.

• NTLM v2 Authentication

• When the client is configured to use NTLM v2 authentication, the NTLM responses are replaced with the NTLMv2 responses:

  • The NTLMv2 response is specified in the calculation of NtChallengeResponse in [MS-NLMP] section 3.3.2.