3.4.2 Message Integrity
The function to sign a message MUST be calculated as follows:
-- Input:
--   SigningKey - The key used to sign the message.
--   Message - The message being sent between the client and server.
--   SeqNum - Defined in section 3.1.1.
--   Handle - The handle to a key state structure corresponding to
--            the current state of the SealingKey
--
-- Output: Signed message
-- Functions used:
--   ConcatenationOf() - Defined in Section 6.
--   MAC() - Defined in sections 3.4.4.1 and 3.4.4.2.

Define SIGN(Handle, SigningKey, SeqNum, Message) as
    ConcatenationOf(Message, MAC(Handle, SigningKey, SeqNum, Message))
EndDefine
The format of the message integrity data that is appended to each message for signing and sealing purposes is defined by the NTLMSSP_MESSAGE_SIGNATURE structure (section 2.2.2.9).
Note: If the client is sending the message, the signing key is the one that the client calculated. If the server is sending the message, the signing key is the one that the server calculated. The same is true for the sealing key. The sequence number can be explicitly provided by the application protocol or by the NTLM security service provider. If the latter is chosen, the sequence number is initialized to zero and then incremented by one for each message sent.
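The SIGN() definition above, worked through as an added example that is not part of the specification text: MAC() is filled in with the extended-session-security form (an assumption taken from section 3.4.4.2, not shown on this page: Version 0x00000001, an 8-byte HMAC_MD5 checksum over SeqNum and Message, and the SeqNum), and a receiver-side check is included to show what a mismatched key, sequence number or tampered byte does. The RC4 handle, the key_exch flag and the sample keys are constructed for the example.

```python
import hashlib
import hmac
import struct


def rc4_handle(key: bytes):
    """Stateful RC4 cipher standing in for the spec's Handle; its state
    carries over between calls, as the SealingKey state does."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    st = [0, 0]  # running (i, j) of the keystream generator

    def crypt(data: bytes) -> bytes:
        i, j = st
        out = bytearray()
        for b in data:
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out.append(b ^ s[(s[i] + s[j]) & 0xFF])
        st[0], st[1] = i, j
        return bytes(out)
    return crypt


def mac(handle, signing_key: bytes, seq_num: int, message: bytes, key_exch: bool = True) -> bytes:
    """MAC() with extended session security (assumed from 3.4.4.2):
    Version || Checksum || SeqNum; the checksum is RC4-encrypted with the
    sealing handle when key exchange (NTLMSSP_NEGOTIATE_KEY_EXCH) was negotiated."""
    seq = struct.pack("<I", seq_num)
    checksum = hmac.new(signing_key, seq + message, hashlib.md5).digest()[:8]
    if key_exch:
        checksum = handle(checksum)
    return struct.pack("<I", 1) + checksum + seq


def sign(handle, signing_key: bytes, seq_num: int, message: bytes, key_exch: bool = True) -> bytes:
    """SIGN() exactly as defined above: Message || MAC(...)."""
    return message + mac(handle, signing_key, seq_num, message, key_exch)


def verify(handle, signing_key: bytes, seq_num: int, signed: bytes, key_exch: bool = True) -> bool:
    """Receiver side: split off the 16-byte NTLMSSP_MESSAGE_SIGNATURE, recompute it
    with the receiver's copy of the peer's keys, and reject any mismatch."""
    if len(signed) < 16:
        return False
    message, sig = signed[:-16], signed[-16:]
    return hmac.compare_digest(sig, mac(handle, signing_key, seq_num, message, key_exch))


# Constructed sample keys; real ones are derived from the session key (section 3.4.5).
SIGNING_KEY = bytes(range(16))
SEALING_KEY = bytes(range(16, 32))
```

Sender and receiver each keep their own RC4 handle over the same sealing key, so the handles must advance in step; a dropped or reordered message desynchronises them and every later signature check fails.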