Question on generating MIC in AUTHENTICATE message in NTLM V2

  • Question

  • I am working on a client-side implementation of NTLM v2 using the MS-NLMP protocol document.

    First, I wrote the code using NTLM v2, without MIC. It works against a Windows 2008 R2 server. Then I tried to add MIC, and failed. I couldn't find what I did wrong based on the protocol document.

    Here is what I added on top of the working NTLM v2 without MIC:

    1. Add a MsvAvFlags with value 2 to CHALLENGE_MESSAGE.TargetInfoFields.

    The reason is, the protocol document said value 2 "indicates that the client is providing message integrity in the MIC field".

    The MsvAvFlags field is added, because it does not exist in the CHALLENGE_MESSAGE.TargetInfoFields.

    2. The above combined value is used as ServerName in this calculation

    Set temp to ConcatenationOf(Responserversion, HiResponserversion,
        Z(6), Time, ClientChallenge, Z(4), ServerName, Z(4))

    3. When calculating MIC

    All 16 bytes of the AUTHENTICATE_MESSAGE.MIC field are set to zero.

    The key value is HMAC_MD5(ResponseKeyNT, NTProofStr)

    4. Put the calculated MIC back to AUTHENTICATE_MESSAGE.MIC

    NOTE: If MsvAvFlags is set to 0 (which means no MIC field), it works. If set to 2, it fails. So it indicates the MIC calculation is incorrect.

    Thursday, June 19, 2014 8:52 PM

Answers

  • Forum update:

    This issue was resolved working with customer off line.

    Resolution

    -------------

    Version must be included in the authenticate message if MIC is included and the value of MsvAvFlags is set to 0x00000002.

    MsvAvFlags are described in MS-NLMP section "2.2.2.1 AV_PAIR", MIC and AUTHENTICATE_MESSAGE are described in section 2.2.1.3.


    Regards, Obaid Farooqi

    Wednesday, June 25, 2014 9:00 PM
    Owner

All replies

  • Hi HardwareHang

    I'll help you with this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Friday, June 20, 2014 6:24 AM
    Owner
  • Hi HardwareHang:

    To calculate MIC, you need to use a concatenation of the Negotiate message, Challenge message and Authenticate message (MIC field zeroed out) as described in section "NLMP (http://msdn.microsoft.com/en-us/library/cc236692.aspx ) as follows:

    Set AUTHENTICATE_MESSAGE.MIC to Z(16)

    If (NTLMSSP_NEGOTIATE_KEY_EXCH flag is set in NegFlg )
                Set ExportedSessionKey to RC4K(KeyExchangeKey, AUTHENTICATE_MESSAGE.EncryptedRandomSessionKey)

                Set MIC to HMAC_MD5(ExportedSessionKey, ConcatenationOf(NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE,AUTHENTICATE_MESSAGE))
    Else
                Set ExportedSessionKey to KeyExchangeKey
                Set MIC to HMAC_MD5(KeyExchangeKey, ConcatenationOf(NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE,AUTHENTICATE_MESSAGE))

    Please let me know if it does not answer


    Regards, Obaid Farooqi

    Friday, June 20, 2014 5:02 PM
    Owner
  • This does not look to be the answer, since I have been doing that.

    I experimented a little more. It worked after I added a Version field with value 06 01 b1 1d 00 00 00 0f, which is taken from a Windows 7 machine, to AUTHENTICATE_MESSAGE.

    Please confirm that in order to make MIC work, Version field is required in AUTHENTICATE_MESSAGE.

    Friday, June 20, 2014 7:23 PM
  • Hi HardwareHang:

    Can you please send me a network capture showing the failure of authentication with associated password when version was not included?

    As per MS-NLMP, section "2.2.1.3 AUTHENTICATE_MESSAGE":

    "A VERSION structure (section 2.2.2.10) that is present only when the
    NTLMSSP_NEGOTIATE_VERSION flag is set in the NegotiateFlags field. This structure is used
    for debugging purposes only. In normal protocol messages, it is ignored and does not affect
    the NTLM message processing.<9>"

    So the value of version is not important.

    You can send the capture to my attention at dochelp at Microsoft dot com.


    Regards, Obaid Farooqi

    Sunday, June 22, 2014 4:41 PM
    Owner
  • Here are two examples.

    NTOWFv2 value is 47ff96f4 130572b1 2166f1d1 1f35c65a


    -- Example 1
    Has NO VERSION field, and failed



    -- Example 2
    Has VERSION field, and succeeded


    Monday, June 23, 2014 2:25 PM
  • Hi HardwareHang:

    I am looking into it and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Monday, June 23, 2014 7:22 PM
    Owner
  • Thanks Obaid for posting the resolution on the forum. I was curious about this issue.
    Wednesday, June 25, 2014 10:14 PM
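
The MIC procedure and the resolution above, as an added Python example that is not code from any poster in this thread. It assumes the MS-NLMP 2.2.1.3 layout (64-byte fixed header, 8-byte Version, then the 16-byte MIC at offset 72) and an ExportedSessionKey that has already been derived; the function names, the stub NEGOTIATE/CHALLENGE bytes and the key are constructed for illustration.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 72   # 64-byte fixed header + 8-byte Version (assumed MS-NLMP 2.2.1.3 layout)
MIC_LEN = 16
VERSION = bytes.fromhex("0601b11d0000000f")  # Version value quoted in the thread
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

def first_payload_offset(auth: bytes) -> int:
    """Lowest BufferOffset among the non-empty payload field descriptors."""
    fields = (struct.unpack_from("<HHI", auth, pos) for pos in range(12, 60, 8))
    return min(offset for length, _max, offset in fields if length)

def compute_mic(key: bytes, negotiate: bytes, challenge: bytes, auth: bytes) -> bytes:
    """HMAC_MD5(key, NEGOTIATE || CHALLENGE || AUTHENTICATE with MIC = Z(16))."""
    if first_payload_offset(auth) < MIC_OFFSET + MIC_LEN:
        raise ValueError("payload starts before offset 88: Version or MIC missing")
    zeroed = auth[:MIC_OFFSET] + bytes(MIC_LEN) + auth[MIC_OFFSET + MIC_LEN:]
    return hmac.new(key, negotiate + challenge + zeroed, hashlib.md5).digest()

def verify_mic(key: bytes, negotiate: bytes, challenge: bytes, auth: bytes) -> bool:
    """Recompute the MIC and compare it in constant time with the one in the message."""
    expected = compute_mic(key, negotiate, challenge, auth)
    return hmac.compare_digest(expected, auth[MIC_OFFSET:MIC_OFFSET + MIC_LEN])

def build_authenticate(with_version: bool, user: bytes = "user".encode("utf-16-le")) -> bytes:
    """Constructed minimal AUTHENTICATE_MESSAGE: only UserName carries a payload."""
    header_len = 64 + (len(VERSION) if with_version else 0) + MIC_LEN
    empty = struct.pack("<HHI", 0, 0, header_len)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + empty * 3       # LM, NT, Domain
    msg += struct.pack("<HHI", len(user), len(user), header_len)  # UserName
    msg += empty * 2                                              # Workstation, SessionKey
    msg += struct.pack("<I", NTLMSSP_NEGOTIATE_VERSION if with_version else 0)
    return msg + (VERSION if with_version else b"") + bytes(MIC_LEN) + user

if __name__ == "__main__":
    key = bytes(range(16))                       # constructed stand-in for ExportedSessionKey
    neg = b"NTLMSSP\x00" + struct.pack("<I", 1)  # constructed stub messages
    chal = b"NTLMSSP\x00" + struct.pack("<I", 2)
    auth = build_authenticate(with_version=True)
    mic = compute_mic(key, neg, chal, auth)
    signed = auth[:MIC_OFFSET] + mic + auth[MIC_OFFSET + MIC_LEN:]
    print("MIC verifies:", verify_mic(key, neg, chal, signed))
    print("payload offset without Version:", first_payload_offset(build_authenticate(False)))
```

Because the HMAC covers all three messages, a change to any of them after the fact makes `verify_mic` return False; a message built without Version is rejected before any hashing because its payload starts at offset 80.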