斯坦福密码课程07.5-authenc-annotated

组织：中国互动出版网(http://www。

china—pub。

com/）RFC文档中文翻译计划（http：//www。

/compters/emook/aboute mook.htm)E—mail：ouyang@china-pub。

com译者:陶志荣（dick_hw jerrytaowx＠）译文发布时间：2002—1—9版权：本中文翻译文档版权归中国互动出版网所有.可以用于非商业用途自由转载，但必须保留本文档的翻译及版权信息.Network Working GroupRequest for Comments：2898Category：InformationalB。

KaliskiRSA LaboratoriesSeptember 2000本备忘录的状态本文档为Internet社区提供信息. 它并未定义任何Internet标准.本备忘录的发布不受任何限制.版权声明Copyright (C) The Internet Society （2000). All Rights Reserved.摘要本备忘录代表源自RSA实验室的公钥密码系统标准（PKCS）系列的PKCS #5 v2.0的再版，变更控制仍保留在PKCS过程。

该文档的主体，除了安全性考虑一节，都是直接从那个规范中获得的.本文档提供基于口令的密码系统的实现建议,覆盖密钥导出函数，加密方案，消息鉴别方案，及与该技术等同的ASN.1语法。

建议的意图是供计算机和通信系统的一般程序使用，因此包括了相当数量的灵活性。

它们特别为敏感信息的保护设计，例如PKCS #8[25］中的私钥。

期望有基于这些规范的应用标准和实现轮廓可能包括附加的约束。

其它基于口令的密码技术,例如基于口令的密钥实体认证和密钥建立协议[4][5]［26]不在本文档范围。

口令的选取原则也不在本文档范围。

1.介绍本文档为基于口令的密钥系统的实现提供建议，包括了下列的方面：•密钥导出函数•加密方案•消息鉴别方案•与该技术等同的ASN。

CS255:Cryptography and Computer Security Winter2013Final ExamInstructions:−Answer allfive questions.−The exam is open book and open notes.Wireless devices are not allowed.−Students are bound by the Stanford honor code.−You have two hours and thirty minutes.Problem1.Questions from all over.a.Let p be a large prime and g∈Z∗p of order p−1.Is the function f(x)=g x in Z p whosedomain is{1,...,p−1}a trapdoor one-way function?Justify your answer.b.Briefly explain the main idea for building an authenticated key exchange protocol(secureagainst man in the middle attacks)from the basic Diffie-Hellman protocol.c.Let(N,e)be an RSA public key.Recall that to sign messages using RSA-FDH we usea hash function H:{0,1}n→Z N and compute the signature on a message m asσ←H(m)d in Z N.Suppose the adversary canfind two messages m1,m2such thatH(m1)=H(m2)·2e in Z N.Does this let the adversary break RSA-FDH?That is,canthe adversary create an existential forgery using a chosen message attack?d.Same question as part(c)except that the adversary canfind two messages m1,m2suchthat H(m1)=H(m2)+1in Z N.Briefly justify your answer.e.When storing hashed and salted passwords in a passwordfile,what is the purpose of usinga slow hash function?Problem2.Variants of CBC encryption.a.One problem with CBC encryption is that messages need to be padded to a multiple ofthe block length and sometimes a dummy block needs to be added.The followingfiguredescribes a variant of CBC that eliminates the need to pad:The method pads the last block with zeros if needed(a dummy block is never added),but the output ciphertext contains only the shaded parts of C1,C2,C3,C4.Note that,ignoring the IV,the ciphertext is the same length as the plaintext.This technique iscalled ciphertext stealing.(1)Explain how decryption works.(2)Can this method beused if the plaintext contains only one block?1b.Another problem with CBC encryption is that it cannot be sped up by parallel processing.The followingfigure shows a variant of CBC that supports2-way parallelism.It can besped up by a factor of two using two processors.Here E is the encryption algorithm of a secure PRP such as AES.Suppose one choosesIV0at random and sets IV1=IV0⊕B for somefixed public constant B(e.g.B=1nwhere n is the block size of E).Is the resulting system CPA-secure?If yes,briefly explainwhy(it’sfine to rely on theorems presented in class).If not,describe an attacker thatwins the CPA security game.c.Suppose one chooses IV0at random and sets IV1=k where k is part of the secretkey.That is,the secret key is(k,k )and this secret key is used to encrypt multipleplaintexts.Is the resulting system CPA-secure?If yes,briefly explain why(it’sfine torely on theorems presented in class).If not,describe an attacker that wins the CPAsecurity game.d.Suppose one chooses IV0and IV1independently at random and includes both in theciphertext.Is the resulting system CPA-secure?If yes,briefly explain why(it’sfine torely on theorems presented in class).If not,describe an attacker that wins the CPAsecurity game.Problem3.Let(E,D)be an encryption system that provides authenticated encryption.Here E does not take a nonce as input and therefore must be a randomized encryption algorithm.Which of the following systems provide authenticated encryption?For those that do briefly explain why.For those that do not,present an attack that either breaks CPA security or ciphertext integrity.a.E1(k,m)=c←E(k,m),output(c,c)and D1(k,(c1,c2))=D(k,c1)b.E2(k,m)=c←E(k,m),output(c,c)and D2(k,(c1,c2))=D(k,c1)if c1=c2fail otherwisec.E3(k,m)=E(k,m),E(k,m)and D3(k,(c1,c2))=D(k,c1)if D(k,c1)=D(k,c2)fail otherwiseTo clarify:E(k,m)is randomized so that running it twice on the same input will result in different outputs with high probability.d.E4(k,m)=E(k,m),H(m)and D4(k,(c1,c2))=D(k,c1)if H(D(k,c1))=c2fail otherwisewhere H is a collision resistant hash function.2Problem4.Two-time secure encryption.Recall that the one-time-pad is a one-time encryption system that is secure against infinitely powerful adversaries.Our goal in this question is to design a2-time secure encryption against infinitely powerful adversaries.If the encryptor can be stateful then the problem is trivial—simply use two one-time pads.Here,we de-sign a stateless2-time secure system:every encryption is done independently of the other encryptions.a.Give a precise definition for what it means for a symmetric encryption system to besemantically secure when a secret key is used to encrypt at most two messages.Makesure to define two experiments EXP(0)and EXP(1)as in the definitions of semanticsecurity and CPA security.Keep in mind that the adversary can be adaptive:its choicefor a second message to encrypt may depend on thefirst ciphertext it receives.b.Show that the one time pad is insecure under your definition from part(a).Can anydeterministic encryption system(without a nonce)be secure under your definition?c.Let p be a128-bit prime and consider the following encryption system:the secret key is arandom pair(x,y)∈(Z p)2and to encrypt a message m∈Z p do:choose a random r R←Z p and output the ciphertext(r,xr+y+m)∈Z2p.Explain how to decrypt a given ciphertext(c1,c2)using the secret key(x,y).d.Show that this system is2-time secure(using your definition from part a.)against infinitelypowerful adversaries.d.1.Let S be the set of all4-tuples(x,y,r0,r1)in Z4p such that r0=r1.First arguethat if the tuple(x,y,r0,r1)is uniform in S then the tuple(xr0+y,xr1+y,r0,r1)is also uniform in S.To do so,show that the following mapping from S to S isone-to-one:(x,y,r0,r1)→(xr0+y,xr1+y,r0,r1)All you need to do is show that this mapping is invertible.e(d.1)to argue2-time security.In particular,show that the adversary’s advan-tage is at most1/p in distinguishing EXP(0)from EXP(1).Hint:There are two cases:•First argue that if the the nonces r0,r1in the two ciphertexts given to the adver-sary are distinct then the adversary has advantage0in distinguishing EXP(0)from EXP(1).To show this observe that the property from(d.1)implies thatwhen encrypting two messages m0and m1in Z p with distinct nonces r0=r1theresulting ciphertexts(r0,xr0+y+m0)and(r1,xr1+y+m1)are distributed as(r0,s0)and(r1,s1)where s0,s0are uniform random variables in Z p independentof m0and m1(i.e.(s0,s1)are distributed the same for all(m0,m1)).•if the nonces r0,r1in the two ciphertexts given to the adversary are the samethen the adversary can distinguish EXP(0)from EXP(1).However,observe thatr0=r1happens only with probability1/p.e.Show that the system from part(c)is not3-time secure.That is,show that the adversarydistinguish EXP(0)from EXP(1)after making three chosen plaintext queries.3Problem5.Encryption-based challenge-response identification.In class we discussed MAC-based and signature-based challenge-response identification.Recall that the purpose of challenge-response identification is to defeat attackers capable of mounting an active attack on the identification system.In this question we consider a variant of challenge-response identifica-tion based on an encryption scheme rather than a MAC.Let(E,D)be a symmetric encryption system defined over(K,M,C).The identification system works as follows:•setup:generate a random key k∈K and set sk←k and vk←k.The same key k willbe used for all runs of the identification protocol.•identification:the verifier generates a random message m∈M and sends c←E(k,m)to the prover.The prover responds with m ←D(k,c).The verifier accepts if m=mand rejects otherwise.a.For each of the following encryption schemes determine if this identification method issecure.If it is secure explain why.If not,present an attack.a.1.(E,D)is the one-time pad with K=M=C={0,1}128.a.2.(E,D)is AES-based CBC encryption with a random IV where the message spaceM is{0,1}128.a.3.(E,D)is AES-based GCM encryption where the message space M is{0,1}128.b.Suppose the key k is derived from the user’s password(i.e.k is computed via a publicdeterministic function applied to the password).Can an eavesdropper who obtains thetranscript of a successful identification carry out a dictionary attack to expose k?If soexplain why.If not,explain why not.c.As is,the protocol assumes that vk is kept secret on the server.Can you propose amodification to the protocol so that making vk public would not affect security?4。

密码学总结CTF中那些脑洞⼤开的编码和加密0x00 前⾔正⽂开始之前先闲扯⼏句吧，玩CTF的⼩伙伴也许会遇到类似这样的问题:表哥，你知道这是什么加密吗？其实CTF中脑洞密码题(⾮现代加密⽅式)⼀般都是各种古典密码的变形，⼀般出题者会对密⽂进⾏⼀些处理，但是会给留⼀些线索，所以写此⽂的⽬的是想给⼩伙伴做题时给⼀些参考，当然常在CTF⾥出现的编码也可以了解⼀下。

本来是想尽快写出参考的⽂章，⽆奈期间被各种事情耽搁导致⽂章断断续续写了2个⽉，⽂章肯定有许多没有提及到，欢迎⼩伙伴补充，总之，希望对⼩伙伴们有帮助吧！最后欢迎⼩伙伴来玩耍:P0x01 ⽬录1. 常见编码:1. ASCII编码2. Base64/32/16编码3. shellcode编码4. Quoted-printable编码5. XXencode编码6. UUencode编码7. URL编码8. Unicode编码9. Escape/Unescape编码10. HTML实体编码11. 敲击码(Tap code)12. 莫尔斯电码(Morse Code)13. 编码的故事2. 各种⽂本加密3. 换位加密:1. 栅栏密码(Rail-fence Cipher)2. 曲路密码(Curve Cipher)3. 列移位密码(Columnar Transposition Cipher)4. 替换加密:1. 埃特巴什码(Atbash Cipher)2. 凯撒密码(Caesar Cipher)3. ROT5/13/18/474. 简单换位密码(Simple Substitution Cipher)5. 希尔密码(Hill Cipher)6. 猪圈密码(Pigpen Cipher)7. 波利⽐奥斯⽅阵密码（Polybius Square Cipher)8. 夏多密码(曲折加密)9. 普莱菲尔密码(Playfair Cipher)10. 维吉尼亚密码(Vigenère Cipher)11. ⾃动密钥密码(Autokey Cipher)12. 博福特密码(Beaufort Cipher)13. 滚动密钥密码(Running Key Cipher)14. Porta密码(Porta Cipher)15. 同⾳替换密码(Homophonic Substitution Cipher)16. 仿射密码(Affine Cipher)17. 培根密码(Baconian Cipher)18. ADFGX和ADFGVX密码(ADFG/VX Cipher)19. 双密码(Bifid Cipher)20. 三分密码(Trifid Cipher)21. 四⽅密码(Four-Square Cipher)22. 棋盘密码（Checkerboard Cipher)23. 跨棋盘密码(Straddle Checkerboard Cipher)24. 分组摩尔斯替换密码(Fractionated Morse Cipher)25. Bazeries密码(Bazeries Cipher)26. Digrafid密码(Digrafid Cipher)27. 格朗普雷密码(Grandpré Cipher)28. ⽐尔密码(Beale ciphers)29. 键盘密码(Keyboard Cipher)5. 其他有趣的机械密码:1. 恩尼格玛密码6. 代码混淆加密:1. asp混淆加密2. php混淆加密3. css/js混淆加密4. VBScript.Encode混淆加密5. ppencode6. rrencode7. jjencode/aaencode8. JSfuck9. jother10. brainfuck编程语⾔7. 相关⼯具8. 参考⽹站0x02 正⽂常见编码1.ASCII编码ASCII编码⼤致可以分作三部分组成：第⼀部分是：ASCII⾮打印控制字符（参详ASCII码表中0-31）;第⼆部分是：ASCII打印字符，也就是CTF中常⽤到的转换;第三部分是：扩展ASCII打印字符(第⼀第三部分详见解释)。

Authentication:a primerBurton RosenbergLast Update:September7,2006Version2:April21,2003Version1:December30,20021Password AuthenticationAuthentication is the convincing of another that you are who you say you are.The most usual procedure for authentication is the presentation of a password.The password syllogism is: Only Socretes knows the passwordThis man knows the passwordTherefore this man is SocretesIn practice proof of knowledge of the password is provided by revealing it,generally typing it into the password box of the log-on screen.So not only Socretes knows the password,so does the authenticator.Or if the authenticator didn’t know the password prior to authentication,it does so afterwards.In the electronic version of this interchange,two other concerns arise.Since the authentication belongs to the near end of a communication channel,we must assure that the other end of the channel is not diverted after authentication;and we must assure that the channel is confidential, so no third party can eavesdrop and learn the password.Finally,the assurance of authentication is only a probability.Plato can,with a certain probability,guess Socretes’password,and then be accepted as Socretes.Socretes password−→AristotleFigure1:Password authenticationWhatever its deficiencies,password presentation remains a popular authentication mechanism.A variant of the password is the PIN,a Personal Identifying Number,which is a short password drawn from the restricted alphabet of numeric characters.In applying either of these mechanisms,oneshould refer to the Federal Information Processing Standard FIPS112which makes recommenda-tions and thereby establishes minimal standards for the use of PINs and passwords.I am no lawyer,but FIPS112can be claimed as a standard of due care in the use of passwords. Security breaks which result in damage might be considered the software writer’s negligence if security measures were not equal to accepted industry practice.It might be claimed that FIPS112 provides a baseline for due care and accepted industry practice.1.1Password entropyThe authentication by password is only a probability.It is always possible for Plato to guess Socretes’password.The likelihood of this event should be quantified.If Socretes has n passwords to choose from,and he chooses one without bias,Plato’s has a1in n chance of authenticating as Socretes purely by chance.The two key elements are the space of possibilities from which Socretes can choose,and his bias in making the choice.Let P={p1,p2,...,p n}be the space of passwords,and by abuse of notation,p i also be the probability that password p i is chosen.The entropy of the space P is,p i log p i.E(P)=−p i=0Following Shannon,we take the base2logarithm so that the result is in units of“bits”.If one of 256=28passwords is chosen uniformly at random,E(P)=8bits,was we would hope.Passwords are typically case sensitive and allow for punctuation characters,to increase the size of the password space,and should not be chosen as a common word,to reduce password bias.Automated tools exist for password guessing.Authentication systems thwart on-line application of such tools by limiting in some manner the number of logon retries and reporting logon failures to a security log.These automated tools are used for off-line attacks,when a passwordfile has been collected by some means and is in the possession of the attacker.Crack is the classic Unix program for this.L0pht-crack provides the NT system administrator with the same amusement for his machines.Question:What is the entropy of user selected passwords?1.2The Unix password hashThe subject requiring the authentication,the authenticator,must know the password.It is not usu-ally stored on the authenticator without some encryption.If the database of encrypted passwords is stolen,the passwords are still safe until an attack is made against the encryption.Furthermore, the authentication decision is made by comparing encrypted versions of the password,so that passwords entered in the database are never again put clear,and perhaps it is infeasible to do so.The traditional Unix password scheme[Morris and Thompson,1979]passes the password through a modified DES encryption.Newer versions of Unix have replaced DES by other functions.FreeBSD uses an MD5has of the password.Adoption of variants was delayed due to export considerations: strong encryption can be exported from the United States only under special license.FreeBSD solved this problem by distributing the code source with or without MD5encryption.At this point in time,export controls have been eased and FreeBSD includes MD5encryption in its base release. The current FreeBSD implementation uses crypt to hash the password.Crypt has three modes of operation:traditional;extended;and modular.The the format of the password in/etc/passwd (or in the shadowfile master.passwd)determines the mode.The following entry specifies modular, with code1representing MD5:burt:$1$NtGQFzyQ$kOcs/5.VWulAk.S9euHqC1:542:15::0:0:\\Burt Rosenberg:/home/burt:/bin/tcshAn alternative is code3for blowfish.The code is between thefirst two dollar sign characters,and the salt is between the second two dollar sign characters.The remainder of thefield is the hash. The traditional unix format is invoked by13characters in the passwordfield,not beginning with a dollar sign.Thefirst two characters are salt and the remaining11characters are hash.Base-64 encoding is used,where0-63are given by the characters:.,/,0,...,9,A,...,Z,a,...,z(Note that this is not the same Base64as used by MIME:[A-Za-z0-9+/=].)The12bits of salt are used to modify the DES algorithm,specifically,its E-box.The value zero is passed through the modified DES algorithm for25iterations,using the eight character password as the encryption key.The result has the salt prepended and a check is made if the password hash is recovered.If so,authentication succeeds.If not,authentication fails.I can’t and won’t even try to describe the MD5algorithm.The password Base64encoding is also used.There are8characters of salt and22characters of hash result(6bits per character). Source code for FreeBSD implementations are found:•/usr/src/lib/libcrypt/crypt.c•/usr/src/secure/lib/libcrypt/crypt-des.c•/usr/src/lib/libcrypt/crypt-md5.cThe advantages of the salt are the following,1.It slows down brute force password search by a factor equal to the size of the salt space.2.It prevents easy identification of shared passwords by users on the same or different machines.3.It prevents the use of standard DES hardware from participating in a brute force search forpasswords.1.3The Windows NT password hashWindows NT also uses a password hash.In this case it is a simple MD4of the password,yielding a128-bit hash.However,NT uses this password hash in certain ways that makes it a complete replacement for the password.Under certain conditions,having the NT hash is as good as having the password,so their scheme does not truly increase security.1.4Trusted path,SAS,Trojans and other animalsThere is a software and hardware path between the presentation of the password and the returned authentication decision.This path is trusted to be truthful by all components using the authen-tication decision.This trust is reasonable when the authentication system has a vested interest in providing accurate decisions for use by the other components.For example.the Unix authen-tication system shares with the user the password,but it would not share this password outside its system since the authentication system is part of the operating system that it is obligated to protect.It is not easy to establish and maintain a trusted work logon,for instance,requires the use of a network system which is outside the control of the authenticator.Even the integrity of this path for a local logon can be compromised.A Trojan is a program running on the machine which tricks the user into providing it with that user’s password.It generally provides a false logon screen which the user believes to be genuine and collects the user’s password.An ultimate Trojan was an ATM placed in a shopping mall only for the purpose of collecting account numbers and corresponding PIN’ers would commence a transaction,inserting their card and entering their PIN and the machine would then reject the request with some benign message such as“Machine out of order.”The machine was collected after a day or two and the information gathered was extracted.[The Risks Digest,Vol14,Issue60,May1993.]In practice,the authenticator authenticates the user but the user relies on extra-technological clues to authenticate the authenticator.The user also depends upon the true service to support them in the case their judgment fails.Banks have worked hard to maintain user’s trust in ATM’s and credit cards in order to preserve these valuable businesses.Windows NT has a Secure Action Sequence,SAS,also known as Control-Alt-Delete,to establish a trusted path between the local keyboard and the Gina,NT’s front-end to the authentication subsystem.The NT operating system makes strong guarantees that the host will respond to an SAS by presenting an authentic logon screen.Without such a guarantee,passwords can be gathered either by Trojans or by software keyboard sniffers.A software keyboard sniffer was used by the FBIin the Scarfo case[US v.Scarfo].Even with the SAS the path can be compromised,specifically between the wire connecting the keyboard to the host.Hardware keyboard sniffers are commercially available which will record all keystrokes as they pass from the keyboard into the host.2Challenge ResponseRather than present the password as proof of knowledge,the client can be asked to perform an action which implies knowledge of the password but which does not reveal the password.A Challenge-Response protocol asks the client to perform a calculation,a function of a randomly chosen number, the challenge,and a numeric version of the password,and to return the result of the calculation, the response.The calculation should be such that the pair challenge—response assures knowledge of the password but does not reveal the password.The challenge must always be a new random number,else an attacker monitoring past sessions can present an old response to the old challenge and successfully authenticate.challenge←−Socretes Aristotleresponse−→Figure2:Challenge response authentication2.1APOPThe Post Office Protocol(POP)allows network access to a user’s email.Authentication is typically done using password authentication.The problem of password sniffing is particularly severe for POP for two reasons.First,POP is used for remote access while on travel,when the client is certainly unsure of the security of the network.Second,POP authenticates frequently,so the sniffer needn’t be lucky to be looking at just the right moment.APOP uses challenge response to address these problems.The banner of a server supporting APOP includes a unique challenge string.RFC1939gives the exact requirements for the challenge,but one acceptible format is<process-ID.clock@hostname>. The client appends a secret shared by client and server and takes the MD5hash of the resulting string.It returns this in hexidecimal to the server as the second argument of the APOP command. The server also computes the MD5hash using the shared secret and checks for agreement with the client’s returned value.S:+OK QPOP(version2.3)at starting.\\<19481.888520091@>C:APOP burt5916139512e4cc9433a24ba7d1e803f4S:+OK burt has1message(s)(3065octets).Figure3:APOP Session Example2.2MS-CHAPv1MS-CHAP is the Microsoft Challenge-Response Authentication Protocol.Version1,MS-CHAPv1 is documented by RFC2433,and Version2y RFC2759.The protocol is used in Microsoft’s remote login protocols,such as PPP and PPTP.It is also similar to Microsoft authentication protocols for SMB,which are not documented.These protocols were reverse engineered by the SAMBA group, an Open Source project to port Windowsfile sharing and remote access to unix.We discuss Version1in this section,and version2in the next.The server sends the client a8byte nonce,to which the client responds with the encryption of the nonce three times,by three keys derived from the MD4hash of the user’s password.The16-bytes MD4hash has5bytes of zeros appended and then broken into three7byte pieces.A challenge C is presented by the server and the client responds with the response R,P h=MD4(P u)P h1|P h2|P h3=P h|Z5R=DES P h1(C)|DES P h2(C)|DES P h3(C)The pair P h,R is used as a shared secret for authentication and integrity checking for the remaining messages between client and server.A serial number is set to0for the client replay and incremented to1for each message sent client to server or server to client.The MAC is calculated,MAC(serial number,message)=H(P h,R,serial number,message,[U,R]){8}and truncated to the hight order8bytes.Here,MD5is the hash function.Thefinal U,R pair is only used on thefirst message from client to server.All other hashes omit these elements.2.3MS-CHAPv2An improved version of MS-CHAP,called version2,was introduced.This description is taken from Cryptanalysis of Microsoft’s PPTP Authentication Extensions(MS-CHAPv2),by B.Schneier, Mudge and D.Wagner,September1999.The server sends a16-byte challenge SC.The client adds its own randomness by generating a random16-byte Peer Authenticator Challenge P C.The two challenges are combined to an8-byte challenge C,C=SHA(P C,SC,client username){8}←−GatesMudge SC−→GatesMudge R,P C←−GatesMudge AFigure4:MS-CHAPv2summaryThefirst8bytes of the SHA-1hash of the above information forms C.In response to the client receiving the16-byte SC it sends the24-byte response R and its16-byte P C.R is formed as in MS-CHAPv1.The protocol continues by authenticating the server.The server sends an Authenticator Response based on P C and the hashed password P h,A =SHA(MD4(P h),R,“Magic server to client constant”)A=SHA(A ,C,“Pad to make it do more than one iteration”)The20-bytes of A are sent as a response.The improvements from v1to v2include:1.The response is based on client randomness as well as server randomness,preventing a chosenplaintext attack.2.The authentication is mutual,the server authenticates to the client in the last step.3.Not shown,the LANMAN challenge response subprotocol was removed.2.4NTLMNTLM is the Microsoft authentication protocol used with the SMB protocol,also known as CIFS, which is the Microsoftfile and printer sharing technology.It is the successor of LANMAN,an older Microsoft authentication protocol,and attempted to be backwards compatible with LANMAN. During protocol negotiation,the internal name is ntlm0.12.The version number0.12has not been explained.NTLM was followed by version two,named NTLMv2,at which time the original was renamed NTLMv1.There seems to be no official documentation of the protocol,however it has been reverse engi-neered by the SAMBA team and their documentation is definitive,in particular works by Luke Kenneth Casson Leighton.The cryptographic calculations are identical to that of MS-CHAP and are documented by RFC2433for v1and RFC2759for v2.2.5NTLMv1NTLMv1is essentially MS-CHAPv1.The server authenticates the client by sending a8-byte random number,the challenge.The client performs an operation involving the challenge and a secret shared between client and server,e.g.a password.The client returns the24-byte result of the computation.In fact,in NTLMv1two computations are made using two different shared secrets and two24-byte results are returned.The server verifies that the client has computed the correct result,and from this infers possession of the secret,and hence the identity of the client. The two secrets are:•the LANMAN hash of the user’s password and•the NT HashBoth these hashes produce16-byte quantities.The NT Hash has been described in the section on MS-CHAP.The LANMAN hash is an old operation from the predecessor protocol,WIndows LAN Manager.Is is calculated by taking the user’s password to all upper case and extending (or truncating)it to14characters.The each of thefirst and last7characters are taken as a56-bit DES key to encrypt the8-byte string“KGS!@#$%”.The two resulting encrypted blocks are concatenated to get a16-byte hash.The16-byte hashes are extended to21bytes by appending5bytes of zeros.The21bytes are separated in three7bytes quantities.Each of these56bit quantities is used as a key to DES encrypt the64bit challenge.The three encryptions of the challenge are reunited to form the24-byte response.Both the response using the lanman hash and the the NT Hash are returned to the server.C=8-byte server challenge,randomK1|K2|K3=NT-Hash|5-bytes-0R1=DES(K1,C)|DES(K2,C)|DES(K3,C)K1|K2|K3=LM-Hash|5-bytes-0R2=DES(K1,C)|DES(K2,C)|DES(K3,C)response=R1|R2The server checks either of the responses to see if the calculation was done correctly.If so,it considers that the client knows the NT-Hash,or the LM-Hash,and continues the login.2.6NTLMv2NTLMv2is intended as a cryptographically strengthened replacement for NTLMv1.It consists of two different protocols,one which differs greatly from NTLMv1,and a second which shares much of NTLMv1’s structure and is similar to MS-CHAPv2.Since there is no official documentation,itis hard to describe these algorithms since there are no official names.All three subprotocols can be called NTLMv2.However,careful reading of Microsoft documentation shows a tendency to call thefirst two NTLM2,and the third,differing protocol as NTLM2Session.NTLM2sends two16-byte responses to an8-byte server challenge.The response is the HMAC-MD5hash of the server challenge,a randomly generated client challenge,and a HMAC-MD5hash of the user’s password and other identifying information.The two responses differ in the format of the client challenge.The shorter response uses an8-byte random value for this challenge.In order to verify the response,the server must receive as part of the response the client challenge.For this shorter reponse,the8-byte client challenge appended to the16-byte response makes a24-byte package which is consistent with the24-byte response format of the previous NTLMv1protocol.In certain non-official documentation(e.g.the book DCE/RPC Over SMB by Leighton)this response is termed LMv2.The second response sent by NTLM2uses a variable length client challenge which includes(1)the current NT Time(multiple of100ns since January1,1601,whatever that means),(2)an8-byte random value,(3)the domain name and(4)some standard format stuff.The response must include a copy of this client challenge,and is therefore variable length.In non-official documentation,this response is termed NTv2.Both LMv2and NTv2hash the client and server challenge with a hash of the user’s password and other identifying information.The exact formula is to begin with the NT Hash of NTLMv1,which is stored in the SAM,and continue to hash in,using HMAC-MD5,the username and domain name.SC=8-byte server challenge,randomCC=8-byte client challenge,randomCC*=(X,time,CC,domain name)v2-Hash=HMAC-MD5(NT-Hash,user name,domain name)LMv2=HMAC-MD5(v2-Hash,CS,CC)NTv2=HMAC-MD5(v2-Hash,CS,CC*)response=LMv2|CC|NTv2|CC*2.7NTLMv2-SessionThe NTLMv2Session protocol is entirely different,being very similar to MS-CHAPv2.Its descrip-tion is running around the Internet,and has been ported to SAMBA.Microsoft does not seem to have published any precise information about this protocol.This description is based on Eric Glass’ntlm page.Briefly,the NTLMv1algorithm is applied,except that a8-byte client challenge is appended to the 8-byte server challenge and MD5hashed.The least8-byte half of the hash result is the challenge utilized in the NTLMv1protocol.The client challenge is returned in one24-byte slot of the response message,the24-byte calculated response is returned in the other slot.This is a strengthed form of NTLMv1which maintains the ability to use existing Domain Controllerinfrastructure yet avoids a dictionary attack by a rogue server.For afixed X,the server computes a table where location Y has value K such that Y=DES K(X).Without the client participating in the choice of challenge,the server can send X,look up response Y in the table and get K.This attack can be made practical using a space-time tradeoffcalled the rainbow attack.However,existing NTLMv1infrastructure allows that the challenge/response pair is not verified by the server,but sent to a Domain Controller for verifiing NTLMv2Session,this infrastructure continues to work if the server substitutes for the challenge the hash of the server and client challenges.NTLMv1Client<-Server:SCClient->Server:H(P,SC)Server->DomCntl:H(P,SC)),SCServer<-DomCntl:yes or noNTLMv2-SessionClient<-Server:SCClient->Server:H(P,H’(SC,CC)),CCServer->DomCntl:H(P,H’(SC,CC)),H’(SC,CC)Server<-DomCntl:yes or no2.8NT Authentication in contextWe have described the cryptography of NT Authentication,either MS-CHAP or NTLM.In this section we describe a bit more about the login process and how the NT-Hash is stored.NT Authentication uses a module called MSV10.dll to process the challenge/response.One half of this module interacts with the user to get the password,the other half interacts with the SAM,the database containing the password hashes,to authenticate the ing Microsoft RPC,these two halves may be on different computers.Typically,in a domain situation,the user half is on the client machine and the SAM half is on the PDC,the primary domain controller.This architecture makes little distinction between a local account and a domain account.For a local account the MSV10uses the local SAM and does not need an RPC,it does an LPC(local procedure calle).For a domain account the MSV10on the PDC is involved using an RPC.The box appearing for the user’s password is called the GINA.It is presented by the SAS.The SAS and GINA are tightly coupled so that it is difficult to circumvent this trusted path.The SAS switches desktops even,and presents the GINA in a secure desktop under Operating System control.The GINA collects authentication information and calls the LSA in the kernel(Local Security Administrator).The LSA then uses some authentication service to verify the password. In current NT,LSA uses MSV10,although this is modular.There are actually two types of interactions between computers.Challenge/Response betweenclient and PDC need not be cryptographically secure.However,authentication could require three computers,with the middle computer acting as a proxy between the client and the PDC.In this case an encrypted connection is established between client and the middle computer using a shared secret.Over this secure channel the password passes clear,and the middle computer completes the Challenge/Repsonse protocol for the client.The shared secret is generated when a computer joins a domain and is automatically refereshed each week.The initial shared secret is derived in a completly public manner using the computer’s name.The shared secret is stored in the local SAM.But manipulation the protections on the SAM it can be viewed.You usually need to use both regedt32to widen permissions to see the SAM and the regedit to actually open the folders.Look for HKLM/Security/Policy/Secrets then something like Machine.There will be subkeys for CurrVal,OldVal,CupdTime,and so on,for the current secret value,old secret value and the update time.2.9Bellovin-MerrittThe challenge response schemes previously described leak password information.Any server,wish-ing to compromise a client,has access to the input-output pair under the challenge-response func-tion.From this,a brute force attack on the password can begin.A scheme by Bellovin and Merritt [Bellovin1992]uses a Diffie-Hellman key excange to mask the user’s password.As far as I know of,there are no practical protocols of major importance that use this scheme.To review Diffie-Hellman:a prime p and an generator g of F p is made public knowledge by some trusted authority.Party B sends party M the value g r B mod p;party M sends party B the value g r M mod p,where r B and r M are randomly selected values,secret to B and M.Each party computes g r B r M mod p.This value is now known to B and M but,under the D-H assumption, cannot be calculated by any other party,including a party who witnessed all other values.Bellovin-Merritt performs D-H with the exchanged partial secrets encrypted by the shared pass-word.They then confirm to each other that they know the shared secret.A dictionary attack can be attempted against K(R1|0),for instance,but recovering g rB r M mod p tells nothing of the two factors g r B mod p and g r M mod p,so a dictionary attack against the password B−M has no place to start.3One-time passwordsNote:This section draws heavily on Smith’s book,see references.A perfectly secure method of authentication is for the client to make use of a random list of passwords,shared with the server,and both client and server agree that each password will be used only once.A password’s use renders it useless.Therefore an eavesdropper learns only useless information.r B∈R ZM1=E BM(g r B mod p)B M1−→MB M2←−Mr M∈R ZK=(g r B)r M mod pM2=E BM(g r M mod p)R1∈R ZK=(g r M)r B mod p M3=E K(R1|0)B M3−→MB R1,M4←−MR2∈R ZM4=E K(R2|1) B R2−→MFigure5:Bellovin-MerrittIt is impractical to implement this scheme strictly.Rather than a list of truly random passwords, a pseudo-random generator replaces the list to generate new passwords as required.Breaking the pseudo-random generator breaks the one-time password scheme,so the pseudo-random generators are chosen with great care.3.1Lamport Hash and S/KeyThe Lamport hash[Lamport1981]uses a strong hash function to generate the list of passwords. Starting from a client secret p,the passwords are,p0=H(p)p i=H(p i−1),i>0where H is a suitably strong hash function.The passwords are used in order of descending i. Presented with an i,the client can quickly reconstruct p i.The server,having in its database a p j with j>i can quickly hash forward to verify the password.S/Key is an implementation of Lamport’s scheme[Haller94].It has been ported to FreeBSD in the original form and as OPIE(Onetime Passwrods In Everything).Each prompt the user with a counter number and a seed.The seed as appended to a memorized password and hashed counter number of times.The result is a64bit value which is transformed into a sequence of six short English words.Hitting return at the password prompt will make the password typing visible—to avoid typing the password wrong.Since it is one time,there is no security lost in this.The seed is used to make possible the use of the same user secret on various machines.The seed will be different for each machine so that the hash chain will be different on each machine.Here is an S/Key example from FreeBSD,taken from the FreeBSD handbook.%telnet Trying10.0.0.1...Connected to Escape character is’^]’.FreeBSD/i386()(ttypa)login:<username>s/key97fw13894Password:The cournter and seed are given.On the local machine,the onetime password is calculated:%key97fw13894Reminder-Do not use this program while logged in via telnet or rlogin.Enter secret password:WELD LIP ACTS ENDS ME HAAGThe password is transferred to the login prompt.In this example,we turn echo on:login:<username>s/key97fw13894Password:<return to enable echo>s/key97fw13894Password[echo on]:WELD LIP ACTS ENDS ME HAAGLast login:Tue Mar2111:56:41from10.0.0.2...3.2Counter,clock and PIN based One-time schemesAnother class of one-time password schemes are based on the hash of a shared secret combined with either a counter value or the time,or both.These implementations usually are small devices which produce the one-time password on a display when a button is pushed.Some companion machine loads the device with a random secret.To prevent unauthorized use of the device,a PIN might be included.The PIN works either by unlocking the device,or by becoming itself a part of the hash. The use of one-time password schemes has the problem of keeping client and server synchronized as to the next password to use.Counter based tokens might become unsynchronized by the user pushing the generation button several times.The system lets the user log in with with a counter value beyond the current with afixed tolerence.The server can search forward over counter values for a password match.If synchronization is still unattainable(the client counter is too far ahead of the server counter)a sequence of two good passwords will be required.。

核实过了，大部分是收费网站，共享造福你我他，请不要改密码哈~~~ 另外个别收费网站的账号密码有过期的了，大家自己试一下吧~关键词：学术资料学术资料账号密码全集汇总希望能对大家有帮助，共享...springerlink密码/(kmr ... sp?referrer=defaultuser name: und755bqpassword: rjj733un/(wf4 ... sp?referrer=defaultuser name: hjq242zs password: dnm829bzebsco密码/Logins6222955 : password/User ID: crlc Password: capebsco/Home.aspCustomer Code: SPSL, Username: Catalog, Password: Services /login.aspuser=s4122826password=p0027864 ez密码/login20500031433597205000314717872050003143938820500031455376.au ez密码https://.au/menuroot / lxrccer ez 镜像站点/logindemoovid密码hsll199/hsll199ID: nyupreviewPassword: testing/mcghand/0u8i231/autologin.cgicjf999/friendsSD入口及密码1、https:///login?url= USCID: 350263397Last Name: Maris2 /finder/dbfull.asp?DBID=151点击Offcampus进入登陆口密码：testuser / testpass3 /username: gwengpassword: scienceBlankwell密码/fylibrary/fylibrarybethisraelny/library/sejong/sejonghut/huteduProquest 密码1/pqdweb03DGG9FCSM/WELCOME03FGQH246J/WELCOMEW6K2BCJVMD/WELCOME2/pqdweb03G3C3FCGB/welcome哥仑比亚大学rm2140:5658htosuhaid.10/littlewigas/login181695181005131511181544ezproxy资源/login 6017090101639267601709010163904460170901016387316017090101637980国外资源：Username: s1003366Password: password/Sub script ion/Default-frameonline3.asp Username: lvmsPassword: leopards/pqdwebAccount Name: 4jkwssxrftPassword: welcome高权限ezproxy期刊https:///login10239433珍贵的万方资源/index.asp wfsyqc/zhnew18密码页资源/forensics/research.htm /wjshs/media/media.htm979-2005CNKI全库/index.htm帐号：ccpdzlf密码：ccpdzlfCNKI全库及硕博/index.htmshsgys/shsgys高权限proquest期刊资源/pqdweb08FCJNJG8B/welcome高权限ezproxy期刊:2048/loginstudent1/student1student2/student2EBSCO资源Username: s7984883Password : passwordproquest期刊资源地址/pqdwebUserId=0DPB2WQDPHPasswd=WELCOME超星农业科学图书馆http://168.160.58.135/bookhtm/book.asp?lib=25中国医院数字图书馆/kns50/NAME:chkdkns500152PW:3566kns1352帐户现余额1000 元云南艺术学院超星96129本http://218.194.192.251/index.asp超星分享http://218.194.192.251/index.asp清华CNKI全能资源/index.htmszxxys / szxxyssyfqxy/syfqxysythdx/sythdx/index.htmsypbxy/sypbxyCNKI医学期刊资源/index.htmbjhxys / bjhxys万方论文资源http://218.69.114.37/wf/cddb/cddbft.htmEBSCO MINITEX LIBRARY CONSORTIUM/user ID:s8892651 / password:password高权限ez入口http://www.upei.ca/~library/html/dbtitles.htmltest/test中国经济统计数据库(正式版)/welcome/index.htmjsnjue/jsnjue中国水产科学研究院超星数字图书馆(17815本)/68412 本图书，目前可用的超星登陆入口http://221.237.177.199/bookhtm/s ... x=24&Submit.y=6国家精品课程导航/cn/jpkc/index_lei.html兰州大学代理文献代理：210.26.56.62:8080所属大学：兰州大学校图书馆/超星http://202.201.7.10/BOOKHTM/文献摘要：可上超星、书生之家、方正Apabi 电子图书、万方、CNKI等数据库验证地址/验证字符：兰州大学图书馆北京师范大学代理202.112.82.252:3128所属大学：北京师范大学校图书馆/超星http://202.112.82.57/bookhtm/index.asp书生之家http://202.112.82.58/default.jsp文献摘要：可上书生、维普、CNKI等数据库验证地址http://202.112.82.58/default.jsp验证字符：书生之家加州大学berkeley分校代理169.229.50.5:8888@HTTP$6&241,771,1332#美国加州大学berkeley分校代理(Nature、ACS、SD多库代理)[EBSCO]高权限入口ebscousername:school password:password权限很高，在medline中搜到文献后，如写有在ebsco中有全文的，直接点击，然后输入密码就可以看全文了.因此资源失效挺快的，所以请使用过后发现好用的自己留备份，我们将把更新后的信息加在帖子前面，同时每次也会删除结尾处较旧的一些资源！中国医院知识仓库密码/index.htmdx0592//trqyy维普VIP密码账号:nm531密码:131420维普/帐号：nm531密码：131420免费万方入口http://218.69.114.37/wf/cddb/cddbft.htm比较好的ibrary/libweb/elib/do/loginUser Name: 68-13313Password: bigchalkOvid 高权限密码user ID: ohmc01PASSWORD500){this.resized=true;this.style.width=500;} } } }" align="absmiddle" border="0"gt;vidmd高权限ovid/gw2/o ... 05_VrgrUcAXyIitM3hr常用的Proquest入口,含disseration等/pqdweb?R ... &Passwd=welcome---ez:2048/logintestuser / testpass的ezproxy/login帐号：1306180EBSCO Duke University Medical Center Library/user ID:s9002128 / password:password的ezproxy:2048/login用户名：matbun密码：1129ez一个http://ezproxy.htu.se/loginadministrator//libpassword:8080/loginJJ000002234高权限ezproxy期刊https:///login21976000002515方硕博论文全文从1977年到2004年,免费下载http://218.69.114.37/wf/cddb/cddbft.htm国外硕博论文全文下载（这个可是重量级的！)快速检索地/theses/etd-search.html按作者名检/theses/browse/by_author/按系（专业）检索/theses/browse/by_departmentcnki全库，非常好用/用户名：dx0031密码：lhtsjy中国医院数字图书馆CHKD/index.htmjyrmyy/jyrmyydx0165/jmjtyy一些可用的cnki全文数据库/index.htm用户名及密码sypbxy/sypbxybjyyys/bjyyysK10129/gyzyjshljhd/hljhdhun /sr2015nj0084b /zjswdxsipo339/sipo339sh0118/cnqtsgxinfei/xinfeincyzys/ncyzyssyscsz/syscsz万方数据库http://218.69.114.37/wf/cddb/cddbft.htm可查期刊库:85/szhqk/index.html学位论文库维普数据库http://159.226.149.44/Chinese/Web/bin/home.htm挺好用的，可惜只到04年国外硕博论文全文下载（这个可是重量级的！)快速检索地/theses/etd-search.html按作者名检/theses/browse/by_author/按系（专业）检索/theses/browse/by_departmentcnki全库，非常好用/用户名：dx0031密码：lhtsjy数据库网用户名：bsd228 登录密码：bsd228CNKI：/index.htmhljhd/hljhd是复活的资源，要好好珍惜，最近这个资源缺的很！宁夏自治区科学信息情报研究所http://61.133.213.161/kns50/index.aspxnxkj维普：http://210.34.157.60:8086/免输用户名和密码,系统已默认为guest,也不要点击"登录"按钮.可直接检索和下载http://202.98.130.214:1011/index.asp用户名：sss 密码：sss06选择一个结点，在页面上点击帐号：fjnl 口令：fjnl2005西南节点可以使用中国博硕论文全文数据库/NewWeb/用户名/密码：cdzwys/cdzwys/newweb/帐号：syfqxy密码：syfqxyCHKI期刊全文库到2005年/index.htm用户名：dx0027密码：lhjxxyCNKI全文博硕论文库/index.htm用户名/密码heb/jc7412万方帐号/wfdhlg/344000万方资源（在弹出窗口中，输入密码）/wjly/wjlycnki（如果出现最大人数已满，请进入镜象地址）全库yszh/yszh bjyyys/bjyyys cdzwys/cdzwys syzjhz/syzjhz ncyzys/ncyzys syycxy/syycxy K10129/gyzyjs cqkcsy/cqkcsy sypbxy/sypbxy部分库ycssgz/ycssgz tzslgz/tzslgz中国医院数字图书馆CHKD/index.htmjyrmyy/jyrmyy天津外国语学院图书馆cnki/kns50/k10170/libjsb万方数据库/wjly/wjly/wfdhlg/344000维普帐户http://202.98.130.214:1011/index.aspsss/sss06维普---直接登陆入口http://210.34.157.60:8086/中国权威经济论文库http://203.207.228.101用户名:xjcjxy密码:xjcjxy湖南省委党校超星图书馆http://61.187.64.20/bookhtm/书不多，如果不能使用，请把超星设置代理为:61.187.64.20:80,然后就应该正常了河南财经学院超星(备注：注意用搜索可以看书哦，不要进入总目录使用)http://211.67.133.131/zqqsearch. ... ;I1.x=8&I1.y=11电大超星密码http://218.22.180.149/index.asp姓名a'or userlt;gt;'a学号a'or userlt;gt;'a密码a'or userlt;gt;'a清华CNKI全能资源/index.htmsypbxy/sypbxy部分库cnki/index.htmsylxkj/sylxkj教育库,包括文学、历史、心理学、体育、计算机、图书情报中国医院知识仓库密码/index.htmdx0592//trqyyCNKI期刊、博硕通库、全库密码/index.htmszxxys / szxxys可用的apabi读书卡user51173/7yu2ui武汉大学图书馆http://202.114.65.40/journal/default_new.asp进入后选择科目，点击期刊，选择中国期刊网即可.喜欢《读书》吗?这儿有/navigator ... s&journal=DuShu 79-98年的清华CNKI全能资源/index.htmbeiyong//336699CNKI全库/index.htmbjyyys/bjyyysyszh/yszhbeiyong//336699tzslgz/tzslgzCNKI共享/newweb/kt1005/kfklff万方医药期刊密码:8080/yyqk.htmwfls8568/sdsy7846巨灵金融数据库网络版219.133.37.37lxxy/lxxy珍贵万方资源期刊/wf/index.htmlncue/ncue维普全库http://61.154.14.143:8080/index.aspid:sunmm:3258135数个CNKI全库期刊随机组合资源/bbs/cnki.php中国医院数字图书馆CHKD资源/index.htmsybs/sybsCNKI超全库密码/index.htmcdzwys/cdzwysyszh/yszh万方资源库用户名：wfdhlg密码：344000南平电大数字图书馆(PDF格式)/dlib/defaults.asp用户名、密码均为guest，速度较慢，见谅。