Metze,

The following changes will appear in a future release of MS-SMB2. Note that the 
clause on "Session.EncryptData is TRUE" will exclude encryption of the initial 
session setup. This clarifies that SESSION_SETUP for re-authentication or 
session binding will be encrypted.

This statement:
If Session.EncryptData is TRUE and the response being sent is not 
SMB2_NEGOTIATE or SMB2 SESSION_SETUP.

will be updated to:
If Session.EncryptData is TRUE and the response being sent is not 
SMB2_NEGOTIATE.

3.2.4.1.8   Encrypting the Message
If the client implements the SMB 3.0 dialect, the client MUST encrypt the 
message before sending, if any of the following conditions is satisfied:
If Session.EncryptData is TRUE and the request being sent is not SMB2 
NEGOTIATE.
If Session.EncryptData is FALSE, the request being sent is not SMB2 NEGOTIATE 
or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and TreeConnect.EncryptData is TRUE.
3.3.4.1.4   Encrypting the Message
If Connection.Dialect is "3.000", the server MUST encrypt the message before 
sending, if any of the following conditions is satisfied:
If Session.EncryptData is TRUE and the response being sent is not 
SMB2_NEGOTIATE.
If Session.EncryptData is FALSE, the response being sent is not 
SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and 
Share.EncryptData for the share associated with the TreeId in the SMB2 header 
of the response is TRUE.

Regards,
Edgar
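As an added illustration (not code from this thread, from Samba or from Windows), the two encryption conditions quoted above expressed as a decision function, with the pre- and post-change wording of condition 1 side by side; the command names, parameter names and the traced message sequence are constructed for the example.

```python
from typing import List, Optional, Tuple

# Command names and helper names are this example's own constructions; only
# the two encryption conditions come from the quoted MS-SMB2 text.
NEGOTIATE = "SMB2_NEGOTIATE"
SESSION_SETUP = "SMB2_SESSION_SETUP"
TREE_CONNECT = "SMB2_TREE_CONNECT"
# Condition 2 (share-level encryption) never covers these three: either no
# tree connect exists yet, or the message is the one establishing it.
NOT_SHARE_COVERED = {NEGOTIATE, SESSION_SETUP, TREE_CONNECT}


def must_encrypt(command: str, session_encrypt: Optional[bool],
                 share_encrypt: Optional[bool], dialect: str = "3.000",
                 updated_rule: bool = True) -> bool:
    """True when the sender MUST encrypt this message.

    session_encrypt is Session.EncryptData (None = no session yet, i.e. the
    initial SESSION_SETUP); share_encrypt is TreeConnect.EncryptData on the
    client or Share.EncryptData on the server (None = no tree connect yet).
    updated_rule=False reproduces the older text that also exempted
    SESSION_SETUP from condition 1.
    """
    if dialect != "3.000":
        return False                    # the rules apply to SMB 3.0 only
    session_on = bool(session_encrypt)  # no session -> EncryptData is FALSE
    # Condition 1: session-level encryption. Only NEGOTIATE stays exempt, so a
    # SESSION_SETUP for re-authentication or binding on an encrypted session
    # is encrypted; the initial SESSION_SETUP has no session and is not.
    exempt = {NEGOTIATE} if updated_rule else {NEGOTIATE, SESSION_SETUP}
    if session_on and command not in exempt:
        return True
    # Condition 2: share-level encryption when the session is not encrypted.
    return (not session_on and command not in NOT_SHARE_COVERED
            and bool(share_encrypt))


def trace_connection(updated_rule: bool = True) -> List[Tuple[str, bool]]:
    """Constructed sequence: negotiate, initial session setup, tree connect
    on a session with EncryptData=TRUE, one CREATE, then a SESSION_SETUP
    re-authentication on that same session."""
    steps = [
        (NEGOTIATE, None, None),
        (SESSION_SETUP, None, None),    # initial setup: no session yet
        (TREE_CONNECT, True, None),
        ("SMB2_CREATE", True, True),
        (SESSION_SETUP, True, None),    # re-auth / binding: session exists
    ]
    return [(cmd, must_encrypt(cmd, s, sh, updated_rule=updated_rule))
            for cmd, s, sh in steps]
```

Running `trace_connection()` with and without `updated_rule` shows the single difference the change introduces: the re-authentication SESSION_SETUP on an encrypted session flips from clear to encrypted.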

From: Edgar Olougouna 
Sent: Thursday, August 23, 2012 11:54 PM
To: 'Stefan (metze) Metzmacher'
Cc: 'p...@tridgell.net'; 'cifs-protocol@cifs.org'
Subject: [REG: 112082370902333] SMB3 encryption of SESSION_SETUP (for reauth/or 
channel binding) and TREE_CONNECT

Metze,

Generally speaking, decryption occurs as an outer layer. It is expected that 
Windows server does not complain if the client encrypts SESSION_SETUP (for 
reauth/or channel bind) and TREE_CONNECTS. What the protocol prescribes for 
client side encryption is specified in 3.2.4.1.8 Encrypting the Message, and we 
are reviewing this for the re-authentication and channel binding.

Regarding an encrypted SESSION_SETUP for re-authentication or channel binding, 
it is expected that Windows server will decrypt the message, as specified in 
3.3.5.2.1 Decrypting the Message.
Re-authentication or channel binding requires an existing session. If the 
server finds the DecryptionKey based on the SessionId in the transform header, 
it will be able to proceed with decryption.
A document bug has been opened to clarify Windows 8 client behavior on 
encrypting SESSION_SETUP for re-authentication or channel binding.

Regarding the encryption of TREE_CONNECT, this is controlled by 
Session.EncryptData = TRUE, as documented in 3.2.4.1.8 Encrypting the Message, 
3.3.4.1.4 Encrypting the Message.
As mentioned previously, the decryption depends on the ability to find the 
DecryptionKey based on the SessionId in the transform header.
The following blog entry may be helpful. It describes Windows configuration for 
SMB3 encryption. 
http://blogs.msdn.com/b/openspecification/archive/2012/06/08/encryption-in-smb3.aspx

Regards,
Edgar


-----Original Message-----
From: Edgar Olougouna 
Sent: Thursday, August 23, 2012 3:06 PM
To: Stefan (metze) Metzmacher
Cc: p...@tridgell.net; cifs-protocol@cifs.org
Subject: RE: [REG:112080864018345] SMB3 encryption over multiple requests

Metze,

In order to track document bugs properly, I will be following up on these new 
questions in two separate cases. I will start a new thread for each case:
112082370902333 SMB3 encryption of SESSION_SETUP (for reauth/or channel 
binding) and TREE_CONNECT
112082371227089 SMB3 encryption and Oplock/Lease break notifications

Thanks,
Edgar

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:me...@samba.org] 
Sent: Wednesday, August 22, 2012 9:19 AM
To: Edgar Olougouna
Cc: p...@tridgell.net; cifs-protocol@cifs.org
Subject: Re: [REG:112080864018345] SMB3 encryption over multiple requests

Hi Edgar,

thanks for the answers; I have some more questions inline.

> What about async responses with STATUS_PENDING, are they also encrypted?
> 
> [Answer] 
> Yes. The exceptions that are not encrypted are SMB2 NEGOTIATE, SMB2 
> SESSION_SETUP or SMB2 TREE_CONNECT as documented in 3.2.4.1.8   Encrypting 
> the Message, 3.3.4.1.4   Encrypting the Message.

Windows doesn't complain if the client encrypts SESSION_SETUP (for reauth/or 
channel bind) and TREE_CONNECTS.

> How does it work, when the last request in a compound chain goes async?
> 
> [Answer]
> There is no change of processing rules for the encryption due to the last 
> request in a compounded chain going async. 
>  
> Are Oplock/Lease Break Notifications encrypted?
> 
> [Answer] Yes, see previous answer and references.

For Oplocks the server knows the session from the file_id, but what session is 
used for leases?

To my understanding a lease key can be shared between sessions, is that correct?

metze

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
