3.4.5.3 SEALKEY

The sealing key function produces an encryption key from the random session key and the null-terminated ASCII constants shown.

  • If extended session security is negotiated, the sealing key has either 40, 56, or 128 bits of entropy stored in a 128-bit value.

  • If extended session security is not negotiated, the sealing key has either 40 or 56 bits of entropy stored in a 64-bit value.

Note: The MD5 hashes completely overwrite and fill the 64-bit or 128-bit value.

Input:

  • ExportedSessionKey - A randomly generated session key.

  • NegFlg - Defined in section 3.1.1.

  • Mode - An enum that defines the local machine performing the computation. Mode always takes the value "Client" or "Server".

Output:

  • SealKey - The key used for sealing messages.

Functions used:

  • ConcatenationOf(), MD5() - Defined in section 6.

     Define SEALKEY(NegFlg, ExportedSessionKey, Mode) as
     If (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is set in NegFlg)
          If (NTLMSSP_NEGOTIATE_128 is set in NegFlg)
               Set SealKey to ExportedSessionKey
          ElseIf (NTLMSSP_NEGOTIATE_56 flag is set in NegFlg)
               Set SealKey to ExportedSessionKey[0..6]
          Else
               Set SealKey to ExportedSessionKey[0..4]
          Endif

          If (Mode equals "Client")
               Set SealKey to MD5(ConcatenationOf(SealKey, "session key to
               client-to-server sealing key magic constant"))
          Else
               Set SealKey to MD5(ConcatenationOf(SealKey, "session key to
               server-to-client sealing key magic constant"))
          Endif
     ElseIf ( (NTLMSSP_NEGOTIATE_LM_KEY is set in NegFlg) or
              ( (NTLMSSP_NEGOTIATE_DATAGRAM is set in NegFlg)
                 and (NTLMRevisionCurrent >= NTLMSSP_REVISION_W2K3) ) )

          If (NTLMSSP_NEGOTIATE_56 flag is set in NegFlg)
               Set SealKey to ConcatenationOf(ExportedSessionKey[0..6], 0xA0)
          Else
               Set SealKey to ConcatenationOf(ExportedSessionKey[0..4], 0xE5,
               0x38, 0xB0)
          Endif
     Else
          Set SealKey to ExportedSessionKey
     Endif
     EndDefine
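The following Python is an added illustration of the SEALKEY pseudocode above; it is not code from the specification. It assumes the NEGOTIATE flag bit values and the NTLMSSP_REVISION_W2K3 constant defined elsewhere in MS-NLMP (they are not stated on this page), and it takes NTLMRevisionCurrent as an extra parameter because the pseudocode references it without listing it as an input. Besides deriving the key, it reports the effective entropy so that a reviewer can see why a 128-bit MD5 output derived from a 40-bit or 56-bit truncation is no stronger than the truncation: two session keys that agree in their first bytes produce the same sealing key.

```python
import hashlib

# NEGOTIATE flag bit values and the revision constant are assumed from the
# flag definitions elsewhere in MS-NLMP; they do not appear on this page.
NTLMSSP_NEGOTIATE_56 = 0x80000000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_LM_KEY = 0x00000080
NTLMSSP_NEGOTIATE_DATAGRAM = 0x00000040
NTLMSSP_REVISION_W2K3 = 0x0F

# Null-terminated ASCII magic constants from the pseudocode.
CLIENT_SEAL_MAGIC = b"session key to client-to-server sealing key magic constant\x00"
SERVER_SEAL_MAGIC = b"session key to server-to-client sealing key magic constant\x00"


def _uses_extended_session_security(neg_flg: int) -> bool:
    return bool(neg_flg & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)


def _uses_lm_style_key(neg_flg: int, ntlm_revision_current: int) -> bool:
    # Second branch of the pseudocode: LM key, or datagram on a W2K3+ revision.
    return bool(neg_flg & NTLMSSP_NEGOTIATE_LM_KEY) or (
        bool(neg_flg & NTLMSSP_NEGOTIATE_DATAGRAM)
        and ntlm_revision_current >= NTLMSSP_REVISION_W2K3
    )


def sealkey(neg_flg: int, exported_session_key: bytes, mode: str,
            ntlm_revision_current: int = NTLMSSP_REVISION_W2K3) -> bytes:
    """Derive SealKey as in SEALKEY(NegFlg, ExportedSessionKey, Mode)."""
    if len(exported_session_key) != 16:
        raise ValueError("ExportedSessionKey must be a 16-byte random session key")
    if mode not in ("Client", "Server"):
        raise ValueError('Mode must be "Client" or "Server"')

    if _uses_extended_session_security(neg_flg):
        # Truncate to the negotiated entropy, then MD5 expands it to 128 bits.
        if neg_flg & NTLMSSP_NEGOTIATE_128:
            seal_key = exported_session_key          # 128 bits
        elif neg_flg & NTLMSSP_NEGOTIATE_56:
            seal_key = exported_session_key[:7]      # bytes 0..6 = 56 bits
        else:
            seal_key = exported_session_key[:5]      # bytes 0..4 = 40 bits
        magic = CLIENT_SEAL_MAGIC if mode == "Client" else SERVER_SEAL_MAGIC
        return hashlib.md5(seal_key + magic).digest()

    if _uses_lm_style_key(neg_flg, ntlm_revision_current):
        # No hashing here: fixed pad bytes fill the key out to 64 bits.
        if neg_flg & NTLMSSP_NEGOTIATE_56:
            return exported_session_key[:7] + b"\xa0"
        return exported_session_key[:5] + b"\xe5\x38\xb0"

    # Neither branch applies: the full session key is used as-is.
    return exported_session_key


def sealkey_entropy_bits(neg_flg: int,
                         ntlm_revision_current: int = NTLMSSP_REVISION_W2K3) -> int:
    """Bits of session-key entropy that actually reach SealKey for these flags."""
    if _uses_extended_session_security(neg_flg):
        if neg_flg & NTLMSSP_NEGOTIATE_128:
            return 128
        return 56 if neg_flg & NTLMSSP_NEGOTIATE_56 else 40
    if _uses_lm_style_key(neg_flg, ntlm_revision_current):
        return 56 if neg_flg & NTLMSSP_NEGOTIATE_56 else 40
    return 128


if __name__ == "__main__":
    # Constructed sample key, not a test vector from the specification.
    sample_key = bytes(range(16))
    for name, flags in [
        ("ESS+128", NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128),
        ("ESS+56", NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_56),
        ("ESS+40", NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        ("LM_KEY+56", NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_56),
        ("LM_KEY+40", NTLMSSP_NEGOTIATE_LM_KEY),
    ]:
        key = sealkey(flags, sample_key, "Client")
        print(f"{name:10s} {len(key) * 8:3d}-bit value, "
              f"{sealkey_entropy_bits(flags):3d} bits entropy: {key.hex()}")
```

When auditing an NTLM-protected channel, the useful check is `sealkey_entropy_bits`, not the length of the returned key: a 16-byte SealKey under extended session security can carry only 40 bits of entropy if neither NTLMSSP_NEGOTIATE_128 nor NTLMSSP_NEGOTIATE_56 was negotiated.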