6 Appendix A: Cryptographic Operations Reference

The algorithms in this documentation use pseudocode to illustrate how keys are computed and how other cryptographic operations are performed prior to protocol exchange. The following table defines the general-purpose functions and operations used in this pseudocode.

 Functions

Description

Section

AddAVPair(T, Id, Value)

An auxiliary function that is used to manage AV pairs in NTLM messages. It is defined as follows.

 AddAvPair(T, Id, Value) {
     STRING T
     USHORT Id
     STRING Value
     T = ConcatenationOf(T, Id)
     T = ConcatenationOf(T, Length(Value))
     T = ConcatenationOf(T, Value)
 }
  

3.2.5.1.1

ComputeResponse(...)

A function that computes the NT response, LM responses, and key exchange key from the response keys and challenge.

3.1.5.1.2, 3.2.5.1.2, 3.3.1, 3.3.2

ConcatenationOf(string1, string2, ... stringN)

Indicates the left-to-right concatenation of the string parameters, from the first string to the Nth. Any numbers are converted to strings, and all numeric conversions to strings retain all digits, even nonsignificant ones. The result is a string. For example, ConcatenationOf(0x00122, "XYZ", "Client") results in the string "00122XYZClient".

3.3.1, 3.3.2, 3.4.2, 3.4.3, 3.4.4, 3.4.5.1, 3.4.5.2, 3.4.5.3

CRC32(M)

Indicates a 32-bit CRC calculated over M.

3.4.3, 3.4.4

DES(K, D)

Indicates the encryption of an 8-byte data item D with the 7-byte key K using the Data Encryption Standard (DES) algorithm in Electronic Codebook (ECB) mode. The result is 8 bytes in length ([FIPS46-2]).

3.3.1, 3.4.5.1

DESL(K, D)

Indicates the encryption of an 8-byte data item D with the 16-byte key K using the Data Encryption Standard Long (DESL) algorithm. The result is 24 bytes in length. DESL(K, D) is computed as follows.

 ConcatenationOf(DES(K[0..6], D), \
     DES(K[7..13], D), \
     DES(ConcatenationOf(K[14..15], Z(5)), D));

Note: K[] implies a key represented as a character array.

3.3.1

GetVersion()

An auxiliary function that returns an operating system version-specific value (section 2.2.2.8).

3.1.5.1.1, 3.1.5.1.2, 3.2.5.1.1, 3.2.5.1.2

LMGETKEY(U, D)

Retrieve the user's LM response key from the server database (directory or local database).

3.2.5.1.2

NTGETKEY(U, D)

Retrieve the user's NT response key from the server database.

3.2.5.1.2

HMAC(K, M)

Indicates the encryption of data item M with the key K using the HMAC algorithm ([RFC2104]).

3.3.2, 3.4.4

HMAC_MD5(K, M)

Indicates the computation of a 16-byte HMAC-keyed MD5 message digest of the byte string M using the key K.

3.3.2, 3.4.4

KXKEY(K, LM, SC)

Produces a key exchange key from the session base key, LM response and server challenge as defined in the sections KXKEY, SIGNKEY, and SEALKEY.

3.1.5.1.2, 3.2.5.1.2, 3.4.5.1

LMOWF()

Computes a one-way function of the user's password to use as the response key. NTLM v1 and NTLM v2 define separate LMOWF() functions in the NTLM v1 authentication and NTLM v2 authentication sections, respectively.

3.1.5.1.2, 3.3.1, 3.3.2

MD4(M)

Indicates the computation of an MD4 message digest of the null-terminated byte string M ([RFC1320]).

3.3.1, 3.3.2

MD5(M)

Indicates the computation of an MD5 message digest of the null-terminated byte string M ([RFC1321]).

3.3.1, 3.3.2, 3.4.4, 3.4.5.2, 3.4.5.3

MD5_HASH(M)

Indicates the computation of an MD5 message digest of a binary blob ([RFC4121] section 4.1.1.2).

NIL

A zero-length string.

3.1.5.1.1, 3.1.5.1.2, 3.2.5.1.1, 3.2.5.2.2, 3.4.5.2

NONCE(N)

Indicates the computation of an N-byte cryptographic-strength random number.

Note: The NTLM Authentication Protocol does not define the statistical properties of the random number generator. It is left to the discretion of the implementation to define the strength requirements of the NONCE(N) operation.

3.1.5.1.2, 3.2.5.1.1, 3.4.3

NTOWF()

Computes a one-way function of the user's password to use as the response key. NTLM v1 and NTLM v2 define separate NTOWF() functions in the NTLM v1 authentication and NTLM v2 authentication sections, respectively.

3.1.5.1.2, 3.3.1, 3.3.2

RC4(H, D)

The RC4 Encryption Algorithm. To obtain this stream cipher that is licensed by RSA Data Security, Inc., contact this company.

Indicates the encryption of data item D with the current session or message key state, using the RC4 algorithm. H is the handle to a key state structure initialized by RC4Init.

3.4.3, 3.4.4

RC4K(K, D)

Indicates the encryption of data item D with the key K using the RC4 algorithm.

Note: The key sizes for RC4 encryption in NTLM are defined in sections KXKEY, SIGNKEY, and SEALKEY, where they are created.

3.1.5.1.2, 3.4.4

RC4Init(H, K)

Initialization of the RC4 key and handle to a key state structure for the session.

3.1.5.1.2, 3.2.5.1.2

SEALKEY(F, K, string1)

Produces an encryption key from the session key as defined in sections KXKEY, SIGNKEY, and SEALKEY.

3.1.5.1.2, 3.4.5.3

SIGNKEY(flag, K, string1)

Produces a signing key from the session key as defined in sections KXKEY, SIGNKEY, and SEALKEY.

3.1.5.1.2, 3.4.5.2

Currenttime

Indicates the retrieval of the current time as a 64-bit value, represented as the number of 100-nanosecond ticks elapsed since midnight of January 1st, 1601 (UTC).

3.1.5.1.2

UNICODE(string)

Indicates the 2-byte little-endian byte order encoding of the Unicode UTF-16 representation of string. The Byte Order Mark (BOM) is not sent over the wire.

3.3.1, 3.3.2

UpperCase(string)

Indicates the uppercase representation of string.

3.3.1, 3.3.2

Z(N)

Indicates the creation of a byte array of length N. Each byte in the array is initialized to the value zero.

3.3.1, 3.3.2
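
The AddAvPair, Currenttime and UNICODE entries above, combined in Python as an added example (not code from the specification): it builds an AV pair list byte for byte and parses it back with the bounds checks a receiver needs. The AvId constants and the 16-bit little-endian encoding of Id and Length are taken from the AV_PAIR structure in section 2.2.2.1, not from this appendix; `parse_av_pairs`, `build_sample_target_info` and the name "EXAMPLE" are hypothetical.

```python
import struct
from datetime import datetime, timezone

# AvId values as assigned in MS-NLMP section 2.2.2.1 (not listed in this appendix).
MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_TIMESTAMP = 0x0000, 0x0002, 0x0007
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def unicode_le(s):
    """UNICODE(string): UTF-16 little-endian, no byte order mark."""
    return s.encode("utf-16-le")


def filetime(dt):
    """Currenttime: 100-nanosecond ticks since 1601-01-01 UTC, as an integer."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def add_av_pair(t, av_id, value):
    """AddAvPair: append Id, Length(Value), Value (both numbers 16-bit LE)."""
    if len(value) > 0xFFFF:
        raise ValueError("AV pair value does not fit a 16-bit length")
    return t + struct.pack("<HH", av_id, len(value)) + value


def parse_av_pairs(buf):
    """Walk an AV pair list, rejecting lengths that run past the buffer."""
    pairs, off = [], 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("truncated AV pair header or missing MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", buf, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        if off + av_len > len(buf):
            raise ValueError("AV pair length exceeds buffer")
        pairs.append((av_id, buf[off:off + av_len]))
        off += av_len


def build_sample_target_info(now):
    """Constructed sample: one domain name, one timestamp, then the terminator."""
    t = add_av_pair(b"", MSV_AV_NB_DOMAIN_NAME, unicode_le("EXAMPLE"))
    t = add_av_pair(t, MSV_AV_TIMESTAMP, struct.pack("<Q", filetime(now)))
    return add_av_pair(t, MSV_AV_EOL, b"")
```

The length check in `parse_av_pairs` matters because the Length field is supplied by the peer; trusting it without comparing against the remaining buffer is the usual source of out-of-bounds reads in hand-written AV pair parsers.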