From MSNLD Wiki

GateKeeper Authentication

GateKeeper authentication was designed specifically for clients who connected to MSN Chat.


GateKeeper is a simple HMAC-MD5 based authentication algorithm. The header consists of a signature, 2 unknown bytes, a GateKeeper version, and a sequence.

Here's an example of a client sending an initial authentication request for version three.

AUTH GateKeeper I :GKSSP\0JD\0x03\0\0\0\0x01\0\0\0\r\n

The breakdown of the above GateKeeper header is as follows:

Signature: GKSSP\0
Unknown (2 bytes): J D
Version: \0x03 \0 \0 \0
Sequence: \0x01 \0 \0 \0

The signature and version should remain unchanged for each subsequent request/response, and the sequence should be increased for each request.

  • Sequence 1: Client requests authentication
  • Sequence 2: Server provides an 8-byte authentication challenge
  • Sequence 3: Client provides an HMAC-MD5, keyed with SRFMKSJANDRESKKC, of the authentication challenge (with the server's hostname appended to the challenge if GateKeeper Authentication v3 is used).
  • Additionally, a GUID is sent (read from the Windows registry) immediately after sequence 3, if GateKeeper v2 or higher is used.
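
The header layout and the sequence 3 calculation described above, as an added Python example (not code from the wiki or from the original client). The little-endian integer fields are inferred from the example bytes; the digest directly following the header, the ASCII hostname, and the sample challenge and hostname are assumptions. Because the key is a constant shipped in every client, a valid response shows only that the peer knows that constant.

```python
import hmac
import struct

KEY = b"SRFMKSJANDRESKKC"              # static key given on this page
SIGNATURE = b"GKSSP\x00"
HEADER = struct.Struct("<6s2sII")      # signature, 2 unknown bytes, version, sequence


def parse_header(data: bytes):
    """Split a GateKeeper blob into (unknown, version, sequence, payload)."""
    if len(data) < HEADER.size:
        raise ValueError("short GateKeeper header")
    signature, unknown, version, sequence = HEADER.unpack_from(data)
    if signature != SIGNATURE:
        raise ValueError("bad GateKeeper signature")
    return unknown, version, sequence, data[HEADER.size:]


def build_header(version: int, sequence: int, unknown: bytes = b"JD") -> bytes:
    """Pack the 16-byte header; 'JD' is copied from the page's example."""
    return HEADER.pack(SIGNATURE, unknown, version, sequence)


def expected_response(challenge: bytes, version: int, hostname: bytes = b"") -> bytes:
    """Sequence 3 value: HMAC-MD5 of the challenge, plus hostname for v3."""
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    message = challenge + hostname if version == 3 else challenge
    return hmac.new(KEY, message, "md5").digest()


def server_accepts(first: bytes, third: bytes, challenge: bytes, hostname: bytes) -> bool:
    """Check a sequence 3 blob against the sequence 1 header that opened the exchange."""
    try:
        _, v1, s1, _ = parse_header(first)
        _, v3, s3, payload = parse_header(third)
    except ValueError:
        return False
    if (v1, s1, s3) != (v3, 1, 3):     # version unchanged, sequence 1 then 3
        return False
    # Assumption: the 16-byte digest comes first; a trailing GUID is ignored here.
    return hmac.compare_digest(payload[:16], expected_response(challenge, v3, hostname))


# The sequence 1 header from the page's example, written as raw bytes.
FIRST = b"GKSSP\x00JD\x03\x00\x00\x00\x01\x00\x00\x00"
```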


GateKeeperPassport was an extension of GateKeeper, allowing those with a .NET Passport (now known as a Microsoft Account) to authenticate to the chat network with an 8-byte unique ID.

The authentication was completed exactly as per GateKeeper, but the server then sent an additional authentication request that contained only OK. The client would respond by sending the PassportTicket and PassportProfile cookies to complete the GateKeeperPassport authentication.

AUTH GateKeeper S :OK\r\n


  • zmic - Decompiled the OCX and provided a pre-optimised hash calculator in Python
  • User:Ozjd and User:Sky - Figured out the HMAC-MD5 key, the hashing method used, and a full understanding of the various versions of GateKeeper