Does NetworkCredential itself encrypt user credentials?

antonyliu2002

I have a website (call it WinAuthWeb) that uses Integrated Windows
Authentication.

In my ASP.NET web application, I collect user name, password and
domain info and pass them to WinAuthWeb for authentication (formerly
known as NTLM).

I construct the user credentials like this:

userCredential = New NetworkCredential(username, userpassword, userdomain)

And attach it to my HttpWebRequest object like this:

myRequest.Credentials = userCredential

I know that I can create an SSL channel and send this info over, but I
am specifically asking about regular HTTP transmission of such data.

I captured the traffic using Ethereal, and interestingly, I was not
able to find my user credentials in plain text in the packets. I did
see the web page returned from WinAuthWeb in plain text.

I cannot look into the implementation details of NetworkCredential, so
I am wondering if NetworkCredential class actually encrypts the user
credentials by default. Or does it Base64-encode it (I know this
isn't encryption, and thus insecure, but not human-readable)?

Does anyone know about this? Thanks if you could share.
bruce barker

the security is based on the site. ntlm is challenge/response protocol.
the password is never passed, only hashes. if the site is set to basic,
then the password is only encoded in base64 and included with the request.

-- bruce (sqlwork.com)
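To make the difference Bruce describes concrete, here is an added example (not code from the thread): a small audit function that takes captured plain-HTTP Authorization headers and reports what an observer on the wire actually learns. The sample headers are constructed; the NTLM value is a hand-built Type 1 (Negotiate) message, and the `CORP\alice` credentials are fictitious.

```python
import base64
import struct

# Constructed sample Authorization headers, as a proxy or sensor might log them.
# The NTLM token is a hand-built Type 1 message: "NTLMSSP\0", message type 1,
# then a negotiate-flags word, all little-endian.
NTLM_TYPE1 = base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207)).decode()
SAMPLE_HEADERS = [
    "Authorization: Basic " + base64.b64encode(b"CORP\\alice:Winter2024!").decode(),
    "Authorization: NTLM " + NTLM_TYPE1,
    "Authorization: Negotiate " + NTLM_TYPE1,
]

NTLM_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def classify_authorization(header_line):
    """Describe what a plain-HTTP observer learns from one Authorization header.

    Basic is only Base64 encoding, so the password comes back verbatim.
    NTLM/Negotiate carries a challenge/response message; the password itself
    is never on the wire, only a response derived from its hash.
    """
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password,
                "password_exposed": True}
    if scheme in ("ntlm", "negotiate"):
        label = "NTLM" if scheme == "ntlm" else "Negotiate"
        raw = base64.b64decode(token)
        if raw[:8] != b"NTLMSSP\x00":
            # Negotiate may also carry Kerberos/SPNEGO tokens; not NTLM.
            return {"scheme": label, "ntlm": False, "password_exposed": False}
        (msg_type,) = struct.unpack_from("<I", raw, 8)   # type at offset 8
        return {"scheme": label, "ntlm": True, "password_exposed": False,
                "message_type": NTLM_TYPES.get(msg_type, "Unknown")}
    return {"scheme": scheme, "password_exposed": None}


def audit(header_lines):
    """Return only the headers where a plain-HTTP capture reveals the password."""
    results = [classify_authorization(h) for h in header_lines]
    return [r for r in results if r["password_exposed"]]
```

A captured NTLM Authenticate message still contains a response computed from the password hash, so it can be attacked offline; this tool only shows what is readable in clear, which is why the password-strength point raised later in the thread still matters.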
antonyliu2002

the security is based on the site. ntlm is challenge/response protocol.
the password is never passed, only hashes. if the site is set to basic,
then the password is only encoded in base64 and included with the request.

-- bruce (sqlwork.com)

Thank you. I am a little bit confused. The security is based on the
remote site (in my case, WinAuthWeb)? And for Integrated Windows
Authentication, only the hash of the password is sent? If that's the
case, it seems to be good enough even if we send such credentials
through regular HTTP.

What is meant by "the site is set to basic"? Do you mean "Basic
Authentication", which is one option on the directory security tab of
the IIS configuration?
antonyliu2002

Thank you. I am a little bit confused. The security is based on the
remote site (in my case, WinAuthWeb)? And for Integrated Windows
Authentication, only the hash of the password is sent? If that's the
case, it seems to be good enough even if we send such credentials
through regular HTTP.

What is meant by "the site is set to basic"? Do you mean "Basic
Authentication", which is one option on the directory security tab of
the IIS configuration?

OK, I think I am clearer about the situation now.

I did a little bit of research, and realized (I knew this from a long
time ago, but just didn't link it properly with my current situation)
that Active Directory does not store the user password per se, but
instead stores its hash, just like a Unix system.

Therefore, just as Bruce Barker said, if the web site is
configured for Integrated Windows Authentication, then the website
will only request the hash of the user password, in addition to the user
name and domain.

I guess somehow, something in the NetworkCredential for ASP.NET or the
Microsoft.XMLHTTP for classic ASP will take care of the hashing
process.

Given this understanding, in our web application, even if we connect
to the remote web server through HTTP to transmit user credentials for
NTLM authentication, we seem to be OK (as long as the password is
strong enough to be hash-dictionary-proof).

This is my preliminary conclusion. Correct me if I am wrong.

That said, we can still easily create an SSL channel in ASP.NET to
transmit such sensitive data for added security by implementing our
own CertificatePolicy. It is a little harder to do so in classic ASP.