3.4.5.3 SEALKEY

The sealing key function produces an encryption key from the random session key and the null-terminated ASCII constants shown.

  • If extended session security is negotiated, the sealing key has either 40, 56, or 128 bits of entropy stored in a 128-bit value.

  • If extended session security is not negotiated, the sealing key has either 40 or 56 bits of entropy stored in a 64-bit value.

Note: In the extended session security case, MD5 always emits a full 128-bit digest, so SealKey completely fills the 128-bit value even when only the first 5 or 7 bytes of ExportedSessionKey were hashed. The hash adds no entropy: the effective key space stays at 2^40 or 2^56 when NTLMSSP_NEGOTIATE_128 is not negotiated, so a peer that wants a 128-bit sealing key must insist on that flag. In the non-extended case no MD5 is applied; the 64-bit value is filled out with the fixed bytes 0xA0 (56-bit) or 0xE5 0x38 0xB0 (40-bit), which are public and contribute nothing to the key strength either.

 -- Input:     
 --   ExportedSessionKey - A randomly generated session key.
 --   NegFlg - Defined in section 3.1.1.
 --   Mode - An enum that defines the local machine performing
 --          the computation.
 --          Mode always takes the value "Client" or "Server".
 --
 -- Output:     
 --   SealKey - The key used for sealing messages.
 --
 -- Functions used: 
 --   ConcatenationOf(), MD5() - Defined in Section 6.
  
 Define SEALKEY(NegFlg, ExportedSessionKey, Mode) as
 If (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is set in NegFlg)
      If ( NTLMSSP_NEGOTIATE_128 is set in NegFlg) 
           Set SealKey to ExportedSessionKey
      ElseIf ( NTLMSSP_NEGOTIATE_56 flag is set in NegFlg) 
          Set SealKey to ExportedSessionKey[0..6]
      Else 
          Set SealKey to ExportedSessionKey[0..4]
      Endif
  
      If (Mode equals "Client")
          Set SealKey to MD5(ConcatenationOf(SealKey, "session key to
          client-to-server sealing key magic constant"))
      Else
          Set SealKey to MD5(ConcatenationOf(SealKey, "session key to
          server-to-client sealing key magic constant"))
      Endif
 ElseIf ( (NTLMSSP_NEGOTIATE_LM_KEY is set in NegFlg) or
          ( (NTLMSSP_NEGOTIATE_DATAGRAM is set in NegFlg)
             and (NTLMRevisionCurrent >= NTLMSSP_REVISION_W2K3) ) ) 
  
      If (NTLMSSP_NEGOTIATE_56 flag is set in NegFlg)
           Set SealKey to ConcatenationOf(ExportedSessionKey[0..6], 0xA0)
      Else
           Set SealKey to ConcatenationOf(ExportedSessionKey[0..4], 0xE5,
           0x38, 0xB0)
      EndIf
 Else
      Set SealKey to ExportedSessionKey
 Endif         
 EndDefine
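The SEALKEY pseudocode above, written out as working Python. This is an added example and is not part of the specification text. The negotiate flag values and NTLMSSP_REVISION_W2K3 are the ones defined elsewhere in MS-NLMP (sections 2.2.2.5 and 2.2.2.10); NTLMRevisionCurrent is modelled as a parameter because the pseudocode reads it from connection state, and the `effective_key_bits` helper and the `main` demonstration are additions of mine that show the truncation effect the note describes: under extended session security without NTLMSSP_NEGOTIATE_128, session keys that agree in their first 5 (or 7) bytes derive the same sealing key, so the 128-bit MD5 output is not a 128-bit key.

```python
import hashlib

# Negotiate flag values as defined in MS-NLMP section 2.2.2.5 (NEGOTIATE).
NTLMSSP_NEGOTIATE_56 = 0x80000000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_LM_KEY = 0x00000080
NTLMSSP_NEGOTIATE_DATAGRAM = 0x00000040
# NTLMRevisionCurrent value for NTLMSSP_REVISION_W2K3 (VERSION structure, 2.2.2.10).
NTLMSSP_REVISION_W2K3 = 0x0F

# The magic constants are null-terminated; the trailing NUL is part of the hashed input.
CLIENT_SEAL_MAGIC = b"session key to client-to-server sealing key magic constant\x00"
SERVER_SEAL_MAGIC = b"session key to server-to-client sealing key magic constant\x00"


def _lm_or_datagram_path(negflg: int, ntlm_revision_current: int) -> bool:
    """Second branch of SEALKEY: LM_KEY, or DATAGRAM on a W2K3-or-later revision."""
    return bool(negflg & NTLMSSP_NEGOTIATE_LM_KEY) or (
        bool(negflg & NTLMSSP_NEGOTIATE_DATAGRAM)
        and ntlm_revision_current >= NTLMSSP_REVISION_W2K3
    )


def sealkey(negflg: int, exported_session_key: bytes, mode: str,
            ntlm_revision_current: int = NTLMSSP_REVISION_W2K3) -> bytes:
    """SEALKEY(NegFlg, ExportedSessionKey, Mode) from MS-NLMP 3.4.5.3.

    ntlm_revision_current is an assumed parameter standing in for the
    NTLMRevisionCurrent connection state the pseudocode reads."""
    if len(exported_session_key) != 16:
        raise ValueError("ExportedSessionKey must be 16 bytes")
    if mode not in ("Client", "Server"):
        raise ValueError("Mode must be 'Client' or 'Server'")

    if negflg & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        # Truncate to 128, 56 or 40 bits of the session key, then hash with the
        # direction-specific constant. MD5 output is always 16 bytes regardless.
        if negflg & NTLMSSP_NEGOTIATE_128:
            seed = exported_session_key
        elif negflg & NTLMSSP_NEGOTIATE_56:
            seed = exported_session_key[:7]
        else:
            seed = exported_session_key[:5]
        magic = CLIENT_SEAL_MAGIC if mode == "Client" else SERVER_SEAL_MAGIC
        return hashlib.md5(seed + magic).digest()

    if _lm_or_datagram_path(negflg, ntlm_revision_current):
        # 64-bit key: truncated session key padded with fixed public bytes.
        if negflg & NTLMSSP_NEGOTIATE_56:
            return exported_session_key[:7] + b"\xa0"
        return exported_session_key[:5] + b"\xe5\x38\xb0"

    return exported_session_key


def effective_key_bits(negflg: int,
                       ntlm_revision_current: int = NTLMSSP_REVISION_W2K3) -> int:
    """Bits of ExportedSessionKey that actually influence SealKey (my helper)."""
    if negflg & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        if negflg & NTLMSSP_NEGOTIATE_128:
            return 128
        return 56 if negflg & NTLMSSP_NEGOTIATE_56 else 40
    if _lm_or_datagram_path(negflg, ntlm_revision_current):
        return 56 if negflg & NTLMSSP_NEGOTIATE_56 else 40
    return 128


def main() -> None:
    # Constructed sample keys: identical in the first 5 bytes, different afterwards.
    k1 = bytes(range(16))
    k2 = k1[:5] + b"\xff" * 11
    ess_only = NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    ess_128 = ess_only | NTLMSSP_NEGOTIATE_128
    print("40-bit ESS, same seal key for different session keys:",
          sealkey(ess_only, k1, "Client") == sealkey(ess_only, k2, "Client"))
    print("128-bit ESS, seal keys differ:",
          sealkey(ess_128, k1, "Client") != sealkey(ess_128, k2, "Client"))
    for flags in (ess_only, ess_only | NTLMSSP_NEGOTIATE_56, ess_128):
        print(f"flags=0x{flags:08x} effective key bits={effective_key_bits(flags)}")


if __name__ == "__main__":
    main()
```

The `effective_key_bits` function is the number to check when reviewing a negotiated flag set: anything below 128 means the 16-byte SealKey can be recovered by searching at most 2^56 session-key prefixes, with the padding bytes and magic constants known. Before relying on the derivation itself, validate it against the test vectors in section 4.2 of MS-NLMP.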