3.4.5.1 KXKEY
If NTLM v1 is used and extended session security is not negotiated, the 128-bit key exchange key value is calculated as follows:

-- Input:
--   SessionBaseKey - A session key calculated from the user's password.
--   LmChallengeResponse - The LM response to the server challenge.
--     Computed by the client.
--   NegFlg - Defined in section 3.1.1.
--
-- Output:
--   KeyExchangeKey - The Key Exchange Key.
--
-- Functions used:
--   ConcatenationOf() - Defined in Section 6.
--   DES() - Defined in Section 6.

Define KXKEY(SessionBaseKey, LmChallengeResponse, ServerChallenge) as
If ( NTLMSSP_NEGOTIATE_LMKEY flag is set in NegFlg)
     Set KeyExchangeKey to ConcatenationOf(
         DES(LMOWF[0..6], LmChallengeResponse[0..7]),
         DES(ConcatenationOf(LMOWF[7], 0xBDBDBDBDBDBD),
             LmChallengeResponse[0..7]))
Else
     If ( NTLMSSP_REQUEST_NON_NT_SESSION_KEY flag is set in NegFlg)
        Set KeyExchangeKey to ConcatenationOf(LMOWF[0..7], Z(8)),
     Else
        Set KeyExchangeKey to SessionBaseKey
     Endif
Endif
EndDefine

If NTLM v1 is used and extended session security is negotiated, the key exchange key value is calculated as follows:

-- Input:
--   SessionBaseKey - A session key calculated from the user's password.
--   ServerChallenge - The 8-byte challenge message generated by the server.
--   LmChallengeResponse - The LM response to the server challenge.
--     Computed by the client.
--
-- Output:
--   KeyExchangeKey - The Key Exchange Key.
--
-- Functions used:
--   ConcatenationOf() - Defined in Section 6.
--   HMAC_MD5() - Defined in Section 6.

Define KXKEY(SessionBaseKey, LmChallengeResponse, ServerChallenge) as
     Set KeyExchangeKey to HMAC_MD5(SessionBaseKey,
         ConcatenationOf(ServerChallenge, LmChallengeResponse[0..7]))
EndDefine

If NTLM v2 is used, KeyExchangeKey MUST be set to the given 128-bit SessionBaseKey value.
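
The three cases above combined into one function, as an added example (not part of the specification text). Assumptions: the numeric NegFlg bit values and the name NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY come from the NTLM NEGOTIATE flag definitions rather than from this page, the `ntlm_v2` switch is a hypothetical parameter, and `des` is a hypothetical caller-supplied callable standing in for the DES() function of Section 6 (7-byte key, 8-byte block), since the Python standard library has no DES.

```python
import hmac
from typing import Callable, Optional

# NegFlg bit values from the NTLM NEGOTIATE flag definitions (not listed on this page).
NTLMSSP_NEGOTIATE_LMKEY = 0x00000080
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_REQUEST_NON_NT_SESSION_KEY = 0x00400000

# Hypothetical type for the injected DES(): des(key7, block8) -> 8 bytes.
DesFn = Callable[[bytes, bytes], bytes]


def kxkey(neg_flg: int, session_base_key: bytes, lm_challenge_response: bytes,
          server_challenge: bytes, lmowf: bytes = b"", ntlm_v2: bool = False,
          des: Optional[DesFn] = None) -> bytes:
    """Return the 128-bit KeyExchangeKey for the negotiated NTLM variant."""
    if len(session_base_key) != 16:
        raise ValueError("SessionBaseKey must be 16 bytes")
    if ntlm_v2:
        return session_base_key  # NTLM v2: KeyExchangeKey is SessionBaseKey
    if neg_flg & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        # NTLM v1 with extended session security: HMAC_MD5 definition.
        if len(server_challenge) != 8 or len(lm_challenge_response) < 8:
            raise ValueError("need 8-byte ServerChallenge and 8+ byte LM response")
        msg = server_challenge + lm_challenge_response[:8]
        return hmac.new(session_base_key, msg, "md5").digest()
    if neg_flg & NTLMSSP_NEGOTIATE_LMKEY:
        if des is None or len(lmowf) != 16 or len(lm_challenge_response) < 8:
            raise ValueError("LMKEY needs des(), 16-byte LMOWF, 8+ byte LM response")
        block = lm_challenge_response[:8]
        # Two 7-byte DES keys: LMOWF[0..6], and LMOWF[7] followed by six 0xBD bytes.
        return des(lmowf[:7], block) + des(lmowf[7:8] + b"\xbd" * 6, block)
    if neg_flg & NTLMSSP_REQUEST_NON_NT_SESSION_KEY:
        if len(lmowf) != 16:
            raise ValueError("LMOWF must be 16 bytes")
        return lmowf[:8] + bytes(8)  # ConcatenationOf(LMOWF[0..7], Z(8))
    return session_base_key


if __name__ == "__main__":
    # Constructed sample values, not real credentials or captured traffic.
    sbk, chal, lm = bytes(range(16)), bytes(range(8, 16)), bytes(range(32, 56))
    ess = NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    print("v1 + ESS:", kxkey(ess, sbk, lm, chal).hex())
    print("v2      :", kxkey(ess, sbk, lm, chal, ntlm_v2=True).hex())
```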