NTLM1/NTLM2 signing and sealing
Eric
eric.glass at comcast.net
Fri Aug 22 23:17:48 GMT 2003
Luke Howard wrote:
> When confidentiality protection is requested for NTLM2 sealing, should
> the checksum (as well as the data) be RC4 encrypted with the sealing
> key?
>
I left a step out of my notes when putting together the documentation;
in signing, the first 8 bytes from the HMAC output are RC4-encrypted
(using the *sealing* key) before concatenation with the version number
and sequence number; this is also done in the signature created during
the sealing process. I just finished updating the doc to reflect this.
>
> FWIW, I can decrypt data fine but can never verify the checksum,
> regardless of whether I try to decrypt the checksum or not. Curious
> to know if I'm missing something (I have followed your document
> closely).
>
That *should* work, I think (decrypting the checksum); for a given
message such as:
0xaaaaaaaaaaaaaaaa01000000bbbbbbbbbbbbbbbb00000000
I believe you would do:
RC4(sealingKey, 0xaaaaaaaaaaaaaaaa) = message;
RC4(sealingKey, 0xbbbbbbbbbbbbbbbb) = checksum (without resetting the
cipher)
then to verify:
HMAC(signingKey, 00000000 + message)[0-8] = checksum
Note that the sealing "scheme" I used here is just the output from the
SSPI EncryptMessage function, concatenated with the contents of the
security trailer buffer produced by the same function call; I don't know
if this is actually used anywhere.
Eric
More information about the samba-technical
mailing list