3.4.2 Message Integrity
The function to sign a message MUST be calculated as follows:
-- Input:
--   SigningKey - The key used to sign the message.
--   Message - The message being sent between the client and server.
--   SeqNum - Defined in section 3.1.1.
--   Handle - The handle to a key state structure corresponding to
--            the current state of the SealingKey
--
-- Output: Signed message
--
-- Functions used:
--   ConcatenationOf() - Defined in Section 6.
--   MAC() - Defined in sections 3.4.4.1 and 3.4.4.2.

Define SIGN(Handle, SigningKey, SeqNum, Message) as
    ConcatenationOf(Message, MAC(Handle, SigningKey, SeqNum, Message))
EndDefine
The format of the message integrity data that is appended to each message for signing and sealing purposes is defined by the NTLMSSP_MESSAGE_SIGNATURE structure (section 2.2.2.9).
Note If the client is sending the message, the signing key is the one that the client calculated. If the server is sending the message, the signing key is the one that the server calculated. The same is true for the sealing key. The sequence number can be explicitly provided by the application protocol or by the NTLM security service provider. If the latter is chosen, the sequence number is initialized to zero and then incremented by one for each message sent.
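The SIGN() definition and the note above, worked through in Python as an added example (this is not code from MS-NLMP or from any NTLM implementation). It assumes the MAC() form used with extended session security: an 8-byte truncated HMAC-MD5 over SeqNum || Message, RC4-encrypted with the sealing key state (the Handle) when a key exchange key was negotiated, wrapped in the 16-byte NTLMSSP_MESSAGE_SIGNATURE (Version, Checksum, SeqNum). The class names, the RC4Handle helper and the 16-byte keys are constructed for illustration; a real session derives separate client-to-server and server-to-client keys from the session key. The example shows both ends of one direction: the sender signs with a provider-managed SeqNum that starts at zero and increments per message, and the receiver, holding the same keys, verifies and rejects a replayed SeqNum or a tampered message.

```python
"""NTLM SIGN() (MS-NLMP 3.4.2) worked in Python.

Added example, not code from the specification. It assumes the MAC() variant
used with extended session security: an 8-byte truncated HMAC-MD5 over
SeqNum || Message, RC4-encrypted with the sealing key state ("Handle") when a
key exchange key was negotiated. The keys below are constructed placeholders.
"""
import hashlib
import hmac
import struct

SIGNATURE_VERSION = 1          # NTLMSSP_MESSAGE_SIGNATURE.Version
SIGNATURE_LEN = 16             # Version(4) || Checksum(8) || SeqNum(4)

# Constructed 16-byte keys for illustration only (a real session derives
# separate client-to-server and server-to-client keys from the session key).
SIGN_KEY = bytes(range(0x10, 0x20))
SEAL_KEY = bytes(range(0x20, 0x30))


class RC4Handle:
    """The 'Handle': RC4 key state whose keystream continues across messages,
    so signer and verifier must process messages in the same order."""

    def __init__(self, key: bytes) -> None:
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self._s, self._i, self._j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        s, out = self._s, bytearray()
        for b in data:
            self._i = (self._i + 1) & 0xFF
            self._j = (self._j + s[self._i]) & 0xFF
            s[self._i], s[self._j] = s[self._j], s[self._i]
            out.append(b ^ s[(s[self._i] + s[self._j]) & 0xFF])
        return bytes(out)


def checksum_prefix(signing_key: bytes, seq_num: int, message: bytes) -> bytes:
    """HMAC_MD5(SigningKey, SeqNum || Message)[0..7], SeqNum as 4-byte LE."""
    mac = hmac.new(signing_key, struct.pack("<I", seq_num) + message, hashlib.md5)
    return mac.digest()[:8]


class NtlmSignState:
    """One traffic direction: the signing key, sealing handle and provider-managed
    SeqNum for that direction. The sender signs; the receiver, holding the same
    keys, verifies. SeqNum starts at zero and increments once per message."""

    def __init__(self, signing_key: bytes, sealing_key: bytes, key_exchange: bool) -> None:
        self.signing_key = signing_key
        self.handle = RC4Handle(sealing_key)
        self.key_exchange = key_exchange
        self.seq_num = 0

    def mac(self, seq_num: int, message: bytes) -> bytes:
        """Build the 16-byte NTLMSSP_MESSAGE_SIGNATURE for one message."""
        checksum = checksum_prefix(self.signing_key, seq_num, message)
        if self.key_exchange:
            checksum = self.handle.crypt(checksum)  # consumes 8 keystream bytes
        return struct.pack("<I", SIGNATURE_VERSION) + checksum + struct.pack("<I", seq_num)

    def sign(self, message: bytes) -> bytes:
        """SIGN(): ConcatenationOf(Message, MAC(...)), then advance SeqNum."""
        signature = self.mac(self.seq_num, message)
        self.seq_num += 1
        return message + signature

    def verify(self, signed: bytes) -> bool:
        """Check a received Message || Signature. Rejects a wrong version,
        a replayed or out-of-order SeqNum, and a checksum mismatch."""
        if len(signed) < SIGNATURE_LEN:
            return False
        message, signature = signed[:-SIGNATURE_LEN], signed[-SIGNATURE_LEN:]
        version, = struct.unpack("<I", signature[:4])
        seq_num, = struct.unpack("<I", signature[12:])
        # Check the cheap fields before touching the RC4 state, so a replayed
        # message does not desynchronise the keystream for the next valid one.
        if version != SIGNATURE_VERSION or seq_num != self.seq_num:
            return False
        expected = self.mac(seq_num, message)
        if not hmac.compare_digest(expected, signature):
            return False
        self.seq_num += 1
        return True


if __name__ == "__main__":
    client = NtlmSignState(SIGN_KEY, SEAL_KEY, key_exchange=True)   # sender side
    server = NtlmSignState(SIGN_KEY, SEAL_KEY, key_exchange=True)   # receiver side
    first = client.sign(b"first message")
    second = client.sign(b"second message")
    print("first ok:", server.verify(first))     # True
    print("second ok:", server.verify(second))   # True
    print("replay ok:", server.verify(second))   # False: SeqNum 1 already consumed
```

Because the checksum is encrypted with the same RC4 state that seals message bodies, the sender and receiver must process messages in identical order; the verify() method checks the version and SeqNum before consuming keystream so that a dropped replay leaves the handle aligned for the next genuine message.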