NTLM2 signing question

Eric Glass eric.glass at gmail.com
Wed Aug 23 14:52:01 GMT 2006

I am doing a bit of documentation revision, and had some questions
around NTLM2 signing (I see it was worked out a couple of years back,
good stuff).  When I had looked at it previously (just examining
output of the MakeSignature SSPI function rather than as part of
MSRPC) I observed the following as the signing process:

1. A sequence number is obtained; this starts at zero and is
incremented after each message is signed. The number is represented as
a 32-bit little-endian value.

2. The sequence number is concatenated with the message; the HMAC-MD5
message authentication code algorithm is applied to this value, using
the appropriate (client-to-server or server-to-client) Signing Key.
This yields a 16-byte value.

3. If Key Exchange has been negotiated, an RC4 cipher is initialized
using the appropriate Sealing key. This is done once (during the first
operation), and the keystream is never reset; the first eight bytes
from the HMAC result are encrypted using this RC4 cipher.  If Key
Exchange has not been negotiated, this sealing operation is not

4. A version number ("0x01000000") is concatenated with the result
from the previous step and the sequence number to form the signature.

It would seem the on-wire process is basically the same, but used as
part of an AEAD generic composition; i.e. the sealed buffer is a
subset of the signed buffer (in the RPC case the entire PDU is signed
while only the "payload" is sealed).  Is this correct, or am I missing
some additional intricacies?


More information about the samba-technical mailing list