NTLM1/NTLM2 signing and sealing

Eric eric.glass at comcast.net
Fri Aug 22 23:17:48 GMT 2003

Luke Howard wrote:
> When confidentiality protection is requested for NTLM2 sealing, should 
> the checksum (as well as the data) be RC4 encrypted with the sealing
> key?

I left a step out of my notes when putting together the documentation; 
in signing, the first 8 bytes from the HMAC output are RC4-encrypted 
(using the *sealing* key) before concatenation with the version number 
and sequence number; this is also done in the signature created during 
the sealing process.  I just finished updating the doc to reflect this.

> FWIW, I can decrypt data fine but can never verify the checksum, 
> regardless of whether I try to decrypt the checksum or not. Curious
> to know if I'm missing something (I have followed your document 
> closely).

That *should* work, I think (decrypting the checksum); for a given 
message such as:


I believe you would do:

RC4(sealingKey, 0xaaaaaaaaaaaaaaaa) = message;

RC4(sealingKey, 0xbbbbbbbbbbbbbbbb) = checksum (without resetting the 

then to verify:

HMAC(signingKey, 00000000 + message)[0-8] = checksum

Note that the sealing "scheme" I used here is just the output from the 
SSPI EncryptMessage function, concatenated with the contents of the 
security trailer buffer produced by the same function call; I don't know 
if this is actually used anywhere.


More information about the samba-technical mailing list