3.4.5.3 SEALKEY
The sealing key function produces an encryption key from the random session key and the null-terminated ASCII constants shown below.
If extended session security is negotiated, the sealing key has either 40, 56, or 128 bits of entropy stored in a 128-bit value.
If extended session security is not negotiated, the sealing key has either 40 or 56 bits of entropy stored in a 64-bit value.
Note: The MD5 hashes completely overwrite and fill the 64-bit or 128-bit value.
Input:
ExportedSessionKey - A randomly generated session key.
NegFlg - Defined in section 3.1.1.
Mode - An enum that defines the local machine performing the computation. Mode always takes the value "Client" or "Server".
Output:
SealKey - The key used for sealing messages.
Functions used:
ConcatenationOf(), MD5() - Defined in section 6.
Define SEALKEY(NegFlg, ExportedSessionKey, Mode) as
    If (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is set in NegFlg)
        If (NTLMSSP_NEGOTIATE_128 is set in NegFlg)
            Set SealKey to ExportedSessionKey
        ElseIf (NTLMSSP_NEGOTIATE_56 flag is set in NegFlg)
            Set SealKey to ExportedSessionKey[0..6]
        Else
            Set SealKey to ExportedSessionKey[0..4]
        Endif
        If (Mode equals "Client")
            Set SealKey to MD5(ConcatenationOf(SealKey, "session key to client-to-server sealing key magic constant"))
        Else
            Set SealKey to MD5(ConcatenationOf(SealKey, "session key to server-to-client sealing key magic constant"))
        Endif
    ElseIf ((NTLMSSP_NEGOTIATE_LM_KEY is set in NegFlg) or
            ((NTLMSSP_NEGOTIATE_DATAGRAM is set in NegFlg) and (NTLMRevisionCurrent >= NTLMSSP_REVISION_W2K3)))
        If (NTLMSSP_NEGOTIATE_56 flag is set in NegFlg)
            Set SealKey to ConcatenationOf(ExportedSessionKey[0..6], 0xA0)
        Else
            Set SealKey to ConcatenationOf(ExportedSessionKey[0..4], 0xE5, 0x38, 0xB0)
        EndIf
    Else
        Set SealKey to ExportedSessionKey
    Endif
EndDefine
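The following is an added worked example of the SEALKEY derivation above in Python; it is not code from the specification. It assumes the NegFlg bit values from MS-NLMP section 2.2.2.5 (not reproduced on this page), treats the byte ranges [0..6] and [0..4] as inclusive (7 and 5 bytes, matching the 56-bit and 40-bit cases), and appends the null terminator to each magic constant as section 6 requires. The sample session key is constructed for the example. The helper sealkey_entropy_bits is an addition that reports how much entropy the negotiated flags leave in the sealing key, which is the check a reviewer wants when auditing why a client or server accepted a weak NTLM sealing configuration.

```python
import hashlib

# NegFlg bit values from MS-NLMP section 2.2.2.5 (assumed; not shown on this page).
NTLMSSP_NEGOTIATE_56 = 0x80000000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_LM_KEY = 0x00000080
NTLMSSP_NEGOTIATE_DATAGRAM = 0x00000040
NTLMSSP_REVISION_W2K3 = 0x0F

# Null-terminated ASCII magic constants from the SEALKEY definition.
CLIENT_SEAL_MAGIC = b"session key to client-to-server sealing key magic constant\x00"
SERVER_SEAL_MAGIC = b"session key to server-to-client sealing key magic constant\x00"


def md5(data: bytes) -> bytes:
    """MD5() as used in section 6: raw 16-byte digest."""
    return hashlib.md5(data).digest()


def sealkey(neg_flg: int, exported_session_key: bytes, mode: str,
            ntlm_revision_current: int = NTLMSSP_REVISION_W2K3) -> bytes:
    """SEALKEY(NegFlg, ExportedSessionKey, Mode) from MS-NLMP 3.4.5.3."""
    if mode not in ("Client", "Server"):
        raise ValueError("Mode must be 'Client' or 'Server'")
    if len(exported_session_key) != 16:
        raise ValueError("ExportedSessionKey must be 16 bytes")

    if neg_flg & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        # Truncate to the negotiated strength, then MD5 with the direction constant.
        if neg_flg & NTLMSSP_NEGOTIATE_128:
            seal_key = exported_session_key
        elif neg_flg & NTLMSSP_NEGOTIATE_56:
            seal_key = exported_session_key[0:7]   # [0..6]
        else:
            seal_key = exported_session_key[0:5]   # [0..4]
        magic = CLIENT_SEAL_MAGIC if mode == "Client" else SERVER_SEAL_MAGIC
        return md5(seal_key + magic)

    lm_key = bool(neg_flg & NTLMSSP_NEGOTIATE_LM_KEY)
    datagram_w2k3 = bool(neg_flg & NTLMSSP_NEGOTIATE_DATAGRAM) and \
        ntlm_revision_current >= NTLMSSP_REVISION_W2K3
    if lm_key or datagram_w2k3:
        # 64-bit value: 7 or 5 key bytes padded with the fixed constants.
        if neg_flg & NTLMSSP_NEGOTIATE_56:
            return exported_session_key[0:7] + b"\xA0"
        return exported_session_key[0:5] + b"\xE5\x38\xB0"

    # No extended session security, no LM key, no datagram: full session key.
    return exported_session_key


def sealkey_entropy_bits(neg_flg: int,
                         ntlm_revision_current: int = NTLMSSP_REVISION_W2K3) -> int:
    """Added audit helper: entropy of the sealing key implied by NegFlg."""
    if neg_flg & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        if neg_flg & NTLMSSP_NEGOTIATE_128:
            return 128
        return 56 if neg_flg & NTLMSSP_NEGOTIATE_56 else 40
    lm_key = bool(neg_flg & NTLMSSP_NEGOTIATE_LM_KEY)
    datagram_w2k3 = bool(neg_flg & NTLMSSP_NEGOTIATE_DATAGRAM) and \
        ntlm_revision_current >= NTLMSSP_REVISION_W2K3
    if lm_key or datagram_w2k3:
        return 56 if neg_flg & NTLMSSP_NEGOTIATE_56 else 40
    return 128


if __name__ == "__main__":
    # Constructed sample session key (not a real or spec-provided value).
    sample_key = bytes(range(16))
    for name, flags in (
        ("ESS+128", NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128),
        ("ESS+56", NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_56),
        ("ESS only", NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        ("LM_KEY+56", NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_56),
        ("LM_KEY only", NTLMSSP_NEGOTIATE_LM_KEY),
    ):
        print(f"{name:12} entropy={sealkey_entropy_bits(flags):3} bits "
              f"client={sealkey(flags, sample_key, 'Client').hex()}")
```

Because the non-extended branches pad a truncated key with fixed bytes, two sessions that negotiate LM_KEY without NTLMSSP_NEGOTIATE_56 share 24 of the 64 key bits; sealkey_entropy_bits makes that visible without hashing anything.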