SamDecrock / node-http-ntlm

Node.js module to authenticate using HTTP NTLM
MIT License

Risky cryptographic function #85

Closed (closed by Fotiman 4 years ago)

Fotiman commented 4 years ago

The file ntlm.js calls crypto.createCipheriv with 'DES-ECB' (multiple times throughout the file).

According to Coverity security scans: An attacker with modern hardware can break DES encryption in a matter of days by exhaustive key search. Use a strong, well-vetted algorithm that supports longer keys, such as AES with a key size of at least 128 bits.

Are there any plans to modify this to use a stronger algorithm?

snoopysecurity commented 4 years ago

I noticed this GitHub issue. Doesn't the NTLM protocol in general use DES-ECB?

Fotiman commented 4 years ago

Yes, it would appear so. Please excuse my ignorance with regard to the NTLM protocol. I will close this issue. Thank you.

snoopysecurity commented 4 years ago

I looked a bit deeper into this. NTLM v1 uses DES for generating hashes, but NTLM v2 doesn't, and this project doesn't support NTLM v2. This thread seems to offer some alternative solutions: https://github.com/SamDecrock/node-http-ntlm/issues/59. Hope this helps, @Fotiman.

Fotiman commented 4 years ago

Thanks.
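
The NTLM v1 / v2 distinction raised in this thread is visible on the wire, so a defender can audit which variant a client actually sends. The following is an added example, not code from node-http-ntlm: it classifies the NT response in an `Authorization: NTLM` header by its length, using the AUTHENTICATE_MESSAGE field layout from MS-NLMP. The names `classifyNtlmAuth` and `buildSample` are hypothetical, and the sample messages are constructed.

```javascript
const NTLMSSP_SIGNATURE = Buffer.from('NTLMSSP\0', 'ascii');
const AUTHENTICATE = 3;         // MessageType of the Type 3 message
const NT_RESPONSE_FIELDS = 20;  // NtChallengeResponseFields: len(2) maxLen(2) offset(4)
const MIN_LEN = 28;             // bytes needed to read the fields used below

// Classify an "Authorization: NTLM <base64>" header value.
function classifyNtlmAuth(headerValue) {
  const m = /^NTLM\s+([A-Za-z0-9+/=]+)$/.exec(headerValue.trim());
  if (!m) return { ok: false, reason: 'not an NTLM header' };
  const msg = Buffer.from(m[1], 'base64');
  if (msg.length < MIN_LEN || !msg.subarray(0, 8).equals(NTLMSSP_SIGNATURE)) {
    return { ok: false, reason: 'bad signature or truncated message' };
  }
  if (msg.readUInt32LE(8) !== AUTHENTICATE) {
    return { ok: false, reason: 'not an AUTHENTICATE (Type 3) message' };
  }
  const len = msg.readUInt16LE(NT_RESPONSE_FIELDS);
  const off = msg.readUInt32LE(NT_RESPONSE_FIELDS + 4);
  if (off + len > msg.length) return { ok: false, reason: 'NT response out of bounds' };
  if (len === 0) return { ok: true, version: 'none', desBased: false };
  // NTLMv1: exactly 24 bytes, the output of three DES-ECB block encryptions.
  if (len === 24) return { ok: true, version: 'NTLMv1', desBased: true };
  // NTLMv2: 16-byte HMAC-MD5 proof followed by a variable-length blob.
  if (len > 24) return { ok: true, version: 'NTLMv2', desBased: false };
  return { ok: false, reason: 'unexpected NT response length ' + len };
}

// Constructed sample: minimal Type 3 message whose NT response is ntLen filler bytes.
function buildSample(ntLen) {
  const header = Buffer.alloc(64);
  NTLMSSP_SIGNATURE.copy(header, 0);
  header.writeUInt32LE(AUTHENTICATE, 8);
  header.writeUInt16LE(ntLen, NT_RESPONSE_FIELDS);      // NtChallengeResponseLen
  header.writeUInt16LE(ntLen, NT_RESPONSE_FIELDS + 2);  // NtChallengeResponseMaxLen
  header.writeUInt32LE(64, NT_RESPONSE_FIELDS + 4);     // payload starts after header
  const msg = Buffer.concat([header, Buffer.alloc(ntLen, 0xaa)]);
  return 'NTLM ' + msg.toString('base64');
}

console.log(classifyNtlmAuth(buildSample(24)));
console.log(classifyNtlmAuth(buildSample(60)));
```

A 24-byte result also covers NTLMv1 with extended session security, which still derives the response with DES.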