SMB 3.1.1 Pre-authentication integrity in Windows 10
Pre-authentication integrity is one of the new SMB 3.1.1 security improvements in Windows 10 and Windows Server 2016 TP2 (technical preview 2). It improves protection from a man-in-the-middle (MITM) attacker in tampering with SMB2’s connection establishment and authentication messages. This new feature supersedes “secure dialect negotiation” introduced in SMB 3.0, which only protected against MITM attempt to downgrade the initially negotiated dialect and capabilities. This blog also provides test vectors for SMB 3.1.1 pre-authentication integrity.
Pre-authentication integrity is a mandatory feature in SMB 3.1.1. It protects against any tampering with SMB2’s Negotiate and Session Setup messages by leveraging cryptographic hashing. The resulting hash is used as input to derive the session’s cryptographic keys, including its signing key. This enables the client and server to mutually trust the connection and session properties.
Signing has been a feature in SMB2 protocol since its inception. In the first two dialects 2.0.2, and 2.1, signing is effectively applied to message exchange once authentication is completed. Prior to SMB 3.0, there was no tampering protection to messages before authentication completion. SMB 3.0 “negotiate validation” provides some interesting but limited protection; the negotiate validation occurs after the session setup.
SMB 3.1.1 provides end-to-end integrity of pre-authentication messages. The session’s cryptographic keys are derived based on a hash of pre-authentication messages:
• This allows the client and server to validate signature or decryption of subsequent authenticated messages.
• The final session setup response is always signed, and as a result the client would fail signature validation in case of pre-authentication message tampering.
• The client must either sign or encrypt the Tree Connect request. This confirms to the server that both mutually derived the same keys, and validates there was no pre-authentication message tampering.
Please note that for guest and anonymous sessions, there is no protection since no keys can be derived.
Pre-authentication is the exchange of negotiate and session setup messages until the session’s cryptographic keys can be derived, which is the point where authentication is completed.
Let’s take the example of an n-leg GSS-API authentication, pre-authentication integrity hash will consist of these SMB2 messages:
• Negotiate request,
• Negotiate response,
• Session setup request (leg-1),
• Session setup response (leg-1),
• . . .
• Session setup request (leg-n),
The processing of Session setup request (leg-n) results in an authentication “completed” state. The server then calculates the session’s signing key. The key derivation takes one of its inputs as the cumulative hash of Negotiate request through Session setup request (leg-n).
Pre-auth-integrity-hash (x) = PreauthIntegrityHash (Concatenate (Pre-auth-integrity-hash (x-1), pre-auth-message (x)))
Where:
x = 1, …, 2n + 1,
Pre-auth-integrity-hash (0) = zeros,
pre-auth-message (1) = Negotiate request,
. . .
pre-auth-message (2n + 1) = Session setup request (leg-n).
For SMB 3.1.1, the PreauthIntegrityHash function is SHA-512, the standard specified in [FIPS180-4].
The hash value used as input for key derivation is:
Session.PreauthIntegrityHashValue = Pre-auth-integrity-hash (2n + 1)
Note that the final session setup response is not part of the integrity hash calculation.
• Session setup response(leg-n)
However, this session setup response is signed (for SMB 3.1.1, AES-128-CMAC with SigningKey), allowing the client to verify the signature, and authenticate the source of the data. A successful signature verification, of a subsequent message (e.g. TreeConnect), validates that the client and server computed the same PreauthIntegrityHashValue and derived the same key.
NOTE: Since the hash is cumulative and there is no validation until the final step, implementers could approach the PreauthIntegrityHashValue calculation in many ways. One could choose to compute the temporary hash at each step, i.e. message sent or received. Another way is to calculate the temporary hash on a pair of request and response at a time except for the final session setup leg. Yet, another approach is to iterate through a number requests and responses at once. It all depends on whether the design can temporarily hold vectors of requests and responses. This should be a design consideration in case the implementation intends to handle applications where sessions will be very short lived, or on a server with a high volume of authenticated sessions.
If the client includes 0x0311 in the SMB2 NEGOTIATE’s Dialects array (i.e. the client supports SMB 3.1.1), it must add the SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context, as specified in MS-SMB2.
If the server selects SMB 3.1.1 dialect, it must convey the selected integrity hash algorithm by including a SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context in the NEGOTIATE response.
The pre-authentication integrity negotiate context has the same format in the Negotiate request and response, except that the response context must have a HashAlgorithmCount set to 1. In Windows 10, the pre-authentication integrity hash algorithm is SHA-512.
Note that Windows 10 and Windows Server 2016 TP2 use 32 bytes of randomly generated Salt. The salt value and its length are implementation-dependent, and as a result, it is recommended to use a secure PRNG to prevent from dictionary attacks.
The signing key is derived as specified in [MS-SMB2]:
SigningKey = SMB3KDF (SessionKey, "SMBSigningKey\0", Session.PreauthIntegrityHashValue)
SMB3KDF() is defined as the key derivation function (KDF) in Counter Mode, as specified in [SP800-108] section 5.1, with 'r' value of 32 and 'L' value of 128, and HMAC-SHA256 as the PRF.
SigningKey is the leftmost L bits of KDF result.
The SessionKey is the key derivation key. It set to the first 16 bytes of the cryptographic key queried from the GSS protocol (e.g. Kerberos [MS-KILE], or NTLM [MS-NLMP]) for this authenticated context. If the cryptographic key is less than 16 bytes, it is right-padded with zero bytes. Extracting the session key from GSS-API is implementation-dependent. In SSPI (Microsoft’s implementation of GSS-API), the session key is extracted by using QueryContextAttributes with SECPKG_ATTR_SESSION_KEY.
In NTLM, the SessionKey is the ExportedSessionKey returned when QueryContextAttributes is called with SECPKG_ATTR_SESSION_KEY. ExportedSessionKey is described in MS-NLMP.
In Kerberos [RFC4120], the SessionKey returned for QueryContextAttributes call with SECPKG_ATTR_SESSION_KEY is either the sub-session key (subkey) if it was negotiated during KRB_AP_REQ/KRB_AP_REP exchange, or the session key from the ticket if no subkey was negotiated.
The label is “SMBSigningKey\0”.
The context is Session.PreauthIntegrityHashValue.
Session.PreauthIntegrityHashValue is calculated as outlined earlier.
Pre-authentication integrity might hinder solutions that rely on modifying SMB2 packets. For example, a so-called WAN accelerator needs to accept negotiate contexts. Any change to the pre-authentication packets would require to be transparent to the client (Kerberos constraint delegation, authentication token). On one hand, the client and device in the middle must derive the same keys. One the other hand, the device and server must arrive at the same keys once the authenticated context is completed.
This should not be seen as an issue. If the device was able to decode traffic, it is because it somehow has access to the user’s secret password or is allowed to act on behalf on the user. This is typically enabled through participating in a domain, or performing constraint delegation.
When a Windows 10 negotiates SMB 2.x.x or 3.0.x with a down-level server (e.g. Windows 2008 / 2008, R2, Windows Server 2012 / 2012 R2), it will always send FSCTL_VALIDATE_NEGOTIATE_INFO to attempt performing dialect negotiation validation. Most, if not all, third party implementations comply to secure negotiate validation IOCTL, or lack thereof, to proper handling of an unsupported IOCTL. This makes unnecessary the need for a RequireSecureNegotiate workaround.
In a nutshell, the RequireSecureNegotiate registry setting has been removed in Windows 10 release. It is no longer allowed to disable secure negotiate from Windows 10 clients when connecting to down-level servers.
Down-level servers which do not support the FSCTL_VALIDATE_NEGOTIATE_INFO are mandated to sign the error response since the request is signed. Typical error codes are STATUS_NOT_SUPPORTED, STATUS_INVALID_DEVICE_REQUEST or STATUS_FILE_CLOSED.
While pre-authentication integrity protects the session establishment phase in SMB 3.1.1, enabling signing would generally offer integrity check at large and protect from an attacker tampering with any packet. Signing has a cost, but its benefit generally outweighs the performance effect.
This sample data should be considered “as-is”. It should also be noted that
examples do not replace normative protocol specifications. The reference must
be [MS-SMB2].
Our test client negotiates SMB 3.1.1 and communicates with a Windows server
2016 TP2.
Here are examples of the major steps for pre-authentication integrity
computation:
Header.Command 0x0000 NEGOTIATE
Preauth integrity hash capabilities ---
PreauthIntegrityCaps.HashAlgorithmCount 0x1
PreauthIntegrityCaps.SaltLength 0x20
PreauthIntegrityCaps.HashAlgorithms 0x0001
PreauthIntegrityCaps.Salt
FA49E6578F1F3A9F4CD3E9CC14A67AA884B3D05844E0E5A118225C15887F32FF
Encryption capabilites ---
EncryptionCaps.CipherCount 0x2
EncryptionCaps.Ciphers[0] 0x0002
EncryptionCaps.Ciphers[1] 0x0001
Connection.PreauthIntegrityHashId 0x0001
NEGOTIATE Request
Preauth integrity hash ---
Current
Connection.PreauthIntegrityHashValue
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000
Negotiate request packet
FE534D4240000100000000000000800000000000000000000100000000000000FFFE000000000000
00000000000000000000000000000000000000000000000024000500000000003F000000ECD86F32
6276024F9F7752B89BB33F3A70000000020000000202100200030203110300000100260000000000
010020000100FA49E6578F1F3A9F4CD3E9CC14A67AA884B3D05844E0E5A118225C15887F32FF0000
0200060000000000020002000100
Concatenate Connection.PreauthIntegrityHashValue and Negotiate request
packet
SHA-512 Input Hash Data
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000FE534D42400001000000000000008000
00000000000000000100000000000000FFFE00000000000000000000000000000000000000000000
000000000000000024000500000000003F000000ECD86F326276024F9F7752B89BB33F3A70000000
020000000202100200030203110300000100260000000000010020000100FA49E6578F1F3A9F4CD3
E9CC14A67AA884B3D05844E0E5A118225C15887F32FF00000200060000000000020002000100
New
Connection.PreauthIntegrityHashValue
DD94EFC5321BB618A2E208BA8920D2F422992526947A409B5037DE1E0FE8C7362B8C47122594CDE0
CE26AA9DFC8BCDBDE0621957672623351A7540F1E54A0426
NEGOTIATE Response
Updating Preauth integrity hash ---
Current
Connection.PreauthIntegrityHashValue
DD94EFC5321BB618A2E208BA8920D2F422992526947A409B5037DE1E0FE8C7362B8C47122594CDE0
CE26AA9DFC8BCDBDE0621957672623351A7540F1E54A0426
Negotiate response packet
FE534D4240000100000000000000010001000000000000000100000000000000FFFE000000000000
000000000000000000000000000000000000000000000000410001001103020039CBCAF329714942
BDCE5D60F09AB3FB2F000000000080000000800000008000D8DAE5ADCBAED00109094AB095AED001
80004001C00100006082013C06062B0601050502A08201303082012CA01A3018060A2B0601040182
3702021E060A2B06010401823702020AA282010C048201084E45474F455854530100000000000000
60000000700000007C7CC0FD06D6362D02DDE1CF343BFE292900F49750B4AA97934D9C4296B26E51
FD370471B235E15A50DAE15BD5489C87000000000000000060000000010000000000000000000000
5C33530DEAF90D4DB2EC4AE3786EC3084E45474F4558545303000000010000004000000098000000
7C7CC0FD06D6362D02DDE1CF343BFE295C33530DEAF90D4DB2EC4AE3786EC3084000000058000000
3056A05430523027802530233121301F06035504031318546F6B656E205369676E696E6720507562
6C6963204B65793027802530233121301F06035504031318546F6B656E205369676E696E67205075
626C6963204B6579010026000000000001002000010060A3C3B95C3C7CCD51EC536648D9B3AC74C4
83CA5B65385A251117BEB30712E50000020004000000000001000200
Concatenate Connection.PreauthIntegrityHashValue and Negotiate response
packet
SHA-512 Input Hash Data
DD94EFC5321BB618A2E208BA8920D2F422992526947A409B5037DE1E0FE8C7362B8C47122594CDE0
CE26AA9DFC8BCDBDE0621957672623351A7540F1E54A0426FE534D42400001000000000000000100
01000000000000000100000000000000FFFE00000000000000000000000000000000000000000000
0000000000000000410001001103020039CBCAF329714942BDCE5D60F09AB3FB2F00000000008000
0000800000008000D8DAE5ADCBAED00109094AB095AED00180004001C00100006082013C06062B06
01050502A08201303082012CA01A3018060A2B06010401823702021E060A2B06010401823702020A
A282010C048201084E45474F45585453010000000000000060000000700000007C7CC0FD06D6362D
02DDE1CF343BFE292900F49750B4AA97934D9C4296B26E51FD370471B235E15A50DAE15BD5489C87
0000000000000000600000000100000000000000000000005C33530DEAF90D4DB2EC4AE3786EC308
4E45474F45585453030000000100000040000000980000007C7CC0FD06D6362D02DDE1CF343BFE29
5C33530DEAF90D4DB2EC4AE3786EC30840000000580000003056A05430523027802530233121301F
06035504031318546F6B656E205369676E696E67205075626C6963204B6579302780253023312130
1F06035504031318546F6B656E205369676E696E67205075626C6963204B65790100260000000000
01002000010060A3C3B95C3C7CCD51EC536648D9B3AC74C483CA5B65385A251117BEB30712E50000
020004000000000001000200
New
Connection.PreauthIntegrityHashValue
324BFA92A4F3A190E466EBEA08D9C110DC88BFED758D9846ECC6F541CC1D02AE3C94A79F36011E99
7E13F841B91B50957AD07B19C8E2539C0B23FDAE09D2C513
Add NEW SessionId 0x17592186044441 to Preauth Integrity hash table with
value
Connection.PreauthIntegrityHashValue
324BFA92A4F3A190E466EBEA08D9C110DC88BFED758D9846ECC6F541CC1D02AE3C94A79F36011E99
7E13F841B91B50957AD07B19C8E2539C0B23FDAE09D2C513
SESSION SETUP Request
PreauthSession.SessionId 0x17592186044441
Current
PreauthSession.PreauthIntegrityHashValue
324BFA92A4F3A190E466EBEA08D9C110DC88BFED758D9846ECC6F541CC1D02AE3C94A79F36011E99
7E13F841B91B50957AD07B19C8E2539C0B23FDAE09D2C513
SessionSetup request packet
FE534D4240000100000000000100800000000000000000000200000000000000FFFE000000000000
00000000000000000000000000000000000000000000000019000001010000000000000058004A00
0000000000000000604806062B0601050502A03E303CA00E300C060A2B06010401823702020AA22A
04284E544C4D5353500001000000978208E200000000000000000000000000000000060380250000
000F
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
request packet
SHA-512 Input Hash Data
324BFA92A4F3A190E466EBEA08D9C110DC88BFED758D9846ECC6F541CC1D02AE3C94A79F36011E99
7E13F841B91B50957AD07B19C8E2539C0B23FDAE09D2C513FE534D42400001000000000001008000
00000000000000000200000000000000FFFE00000000000000000000000000000000000000000000
000000000000000019000001010000000000000058004A000000000000000000604806062B060105
0502A03E303CA00E300C060A2B06010401823702020AA22A04284E544C4D53535000010000009782
08E200000000000000000000000000000000060380250000000F
PreauthSession.PreauthIntegrityHashValue
AC0B0F2B9986257700365E416D142A6EDC96DF03594A19E52A15F6BD0D041CD5D432F8ED42C55E33
197A50C9EC00F1462B50C592211B1471A04B56088FDFD5F9
SESSION SETUP Response
--- STATUS_MORE_PROCESSING_REQUIRED
- Updating Preauth integrity hash ---
PreauthSession.SessionId 0x17592186044441
Current
PreauthSession.PreauthIntegrityHashValue
AC0B0F2B9986257700365E416D142A6EDC96DF03594A19E52A15F6BD0D041CD5D432F8ED42C55E33
197A50C9EC00F1462B50C592211B1471A04B56088FDFD5F9
SessionSetup response packet
FE534D4240000100160000C00100010001000000000000000200000000000000FFFE000000000000
190000000010000000000000000000000000000000000000090000004800B300A181B03081ADA003
0A0101A10C060A2B06010401823702020AA281970481944E544C4D53535000020000000C000C0038
00000015828AE20D1D8BA31179D008000000000000000050005000440000000A0092270000000F53
005500540033003100310002000C0053005500540033003100310001000C00530055005400330031
00310004000C0053005500540033003100310003000C0053005500540033003100310007000800A1
A1F5ADCBAED00100000000
SessionSetup response header signature 0x00000000000000000000000000000000
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
response packet
SHA-512 Input Hash Data
AC0B0F2B9986257700365E416D142A6EDC96DF03594A19E52A15F6BD0D041CD5D432F8ED42C55E33
197A50C9EC00F1462B50C592211B1471A04B56088FDFD5F9FE534D4240000100160000C001000100
01000000000000000200000000000000FFFE00000000000019000000001000000000000000000000
0000000000000000090000004800B300A181B03081ADA0030A0101A10C060A2B0601040182370202
0AA281970481944E544C4D53535000020000000C000C003800000015828AE20D1D8BA31179D00800
0000000000000050005000440000000A0092270000000F53005500540033003100310002000C0053
005500540033003100310001000C0053005500540033003100310004000C00530055005400330031
00310003000C0053005500540033003100310007000800A1A1F5ADCBAED00100000000
PreauthSession.PreauthIntegrityHashValue
2729E3440DFDDD839E37193F6E8F20C20CEFB3469E453A70CD980EEC06B8835740A7376008563336
4C8989895ECE81BF102DEEB14D4B7D48AFA76901A7A38387
SESSION SETUP Request
PreauthSession.SessionId 0x17592186044441
Current
PreauthSession.PreauthIntegrityHashValue
2729E3440DFDDD839E37193F6E8F20C20CEFB3469E453A70CD980EEC06B8835740A7376008563336
4C8989895ECE81BF102DEEB14D4B7D48AFA76901A7A38387
SessionSetup request packet
FE534D4240000100000000000100800000000000000000000300000000000000FFFE000000000000
1900000000100000000000000000000000000000000000001900000101000000000000005800CF01
0000000000000000A18201CB308201C7A0030A0101A28201AA048201A64E544C4D53535000030000
001800180090000000EE00EE00A80000000C000C00580000001A001A0064000000120012007E0000
001000100096010000158288E2060380250000000FECAC77A5F385A8BF9C38C706EEEDDCD3530055
005400330031003100610064006D0069006E006900730074007200610074006F0072004400520049
0056004500520033003100310000000000000000000000000000000000000000000000000063078E
B639FE03E20A231C3AE3BF23080101000000000000A1A1F5ADCBAED001BC4AD05F223CC90F000000
0002000C0053005500540033003100310001000C0053005500540033003100310004000C00530055
00540033003100310003000C0053005500540033003100310007000800A1A1F5ADCBAED001060004
00020000000800300030000000000000000000000000300000B61FEFCAA857EA57BF1EDCEBF8974B
8E0EBA5A6DFD9D07A31D11B548F8C9D0CC0A00100000000000000000000000000000000000090016
0063006900660073002F005300550054003300310031000000000000000000000000003B9BDFF38F
5EE8F9663F11A0F4C03A78A31204100100000063775A9A5FD97F0600000000
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
request packet
SHA-512 Input Hash Data
2729E3440DFDDD839E37193F6E8F20C20CEFB3469E453A70CD980EEC06B8835740A7376008563336
4C8989895ECE81BF102DEEB14D4B7D48AFA76901A7A38387FE534D42400001000000000001008000
00000000000000000300000000000000FFFE00000000000019000000001000000000000000000000
00000000000000001900000101000000000000005800CF010000000000000000A18201CB308201C7
A0030A0101A28201AA048201A64E544C4D53535000030000001800180090000000EE00EE00A80000
000C000C00580000001A001A0064000000120012007E0000001000100096010000158288E2060380
250000000FECAC77A5F385A8BF9C38C706EEEDDCD3530055005400330031003100610064006D0069
006E006900730074007200610074006F007200440052004900560045005200330031003100000000
00000000000000000000000000000000000000000063078EB639FE03E20A231C3AE3BF2308010100
0000000000A1A1F5ADCBAED001BC4AD05F223CC90F0000000002000C005300550054003300310031
0001000C0053005500540033003100310004000C0053005500540033003100310003000C00530055
00540033003100310007000800A1A1F5ADCBAED00106000400020000000800300030000000000000
000000000000300000B61FEFCAA857EA57BF1EDCEBF8974B8E0EBA5A6DFD9D07A31D11B548F8C9D0
CC0A001000000000000000000000000000000000000900160063006900660073002F005300550054
003300310031000000000000000000000000003B9BDFF38F5EE8F9663F11A0F4C03A78A312041001
00000063775A9A5FD97F0600000000
PreauthSession.PreauthIntegrityHashValue
0DD13628CC3ED218EF9DF9772D436D0887AB9814BFAE63A80AA845F36909DB7928622DDDAD522D97
51640A459762C5A9D6BB084CBB3CE6BDADEF5D5BCE3C6C01
SESSION SETUP Response
SessionId 0x17592186044441 COMPLETED
SessionSetup response packet
FE534D4240000100000000000100800009000000000000000300000000000000FFFE000000000000
1900000000100000EBE146DA120BA25FC3376A49DFE31BC10900000048001D00A11B3019A0030A01
00A3120410010000003B453CDC3524164200000000
SessionSetup response header signature 0xEBE146DA120BA25FC3376A49DFE31BC1
PreauthSession.PreauthIntegrityHashValue
0DD13628CC3ED218EF9DF9772D436D0887AB9814BFAE63A80AA845F36909DB7928622DDDAD522D97
51640A459762C5A9D6BB084CBB3CE6BDADEF5D5BCE3C6C01
Input cryptographicKey (SessionKey) 0x270E1BA896585EEB7AF3472D3B4C75A7
(queried from GSS authenticated context)
--- Dialect 0x0311 ---
preauthIntegrityHashValue
0DD13628CC3ED218EF9DF9772D436D0887AB9814BFAE63A80AA845F36909DB7928622DDDAD522D97
51640A459762C5A9D6BB084CBB3CE6BDADEF5D5BCE3C6C01
CypherId 0x0002
SessionKey 0x270E1BA896585EEB7AF3472D3B4C75A7
SigningKey 0x73FE7A9A77BEF0BDE49C650D8CCB5F76
Header.Command 0x0000 NEGOTIATE
Preauth integrity hash capabilities ---
PreauthIntegrityCaps.HashAlgorithmCount 0x1
PreauthIntegrityCaps.SaltLength 0x20
PreauthIntegrityCaps.HashAlgorithms 0x0001
PreauthIntegrityCaps.Salt
BE43C3C288C4D3992CD82559E382F0AACEB5A1D936A1BFF07AD1E0C18DB0CA86
Encryption capabilites ---
EncryptionCaps.CipherCount 0x1
EncryptionCaps.Ciphers[0] 0x0001
Connection.PreauthIntegrityHashId 0x0001
NEGOTIATE Request
Preauth integrity hash ---
Current
Connection.PreauthIntegrityHashValue
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000
Negotiate request packet
FE534D4240000100000000000000800000000000000000000100000000000000FFFE000000000000
00000000000000000000000000000000000000000000000024000500000000003F000000C318232F
0EDFFB4D99991F725DA93B3E70000000020000000202100200030203110300000100260000000000
010020000100BE43C3C288C4D3992CD82559E382F0AACEB5A1D936A1BFF07AD1E0C18DB0CA860000
020004000000000001000100
Concatenate Connection.PreauthIntegrityHashValue and Negotiate request
packet
SHA-512 Input Hash Data
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000FE534D42400001000000000000008000
00000000000000000100000000000000FFFE00000000000000000000000000000000000000000000
000000000000000024000500000000003F000000C318232F0EDFFB4D99991F725DA93B3E70000000
020000000202100200030203110300000100260000000000010020000100BE43C3C288C4D3992CD8
2559E382F0AACEB5A1D936A1BFF07AD1E0C18DB0CA860000020004000000000001000100
New
Connection.PreauthIntegrityHashValue
BD11D3C338C8F993B3C9CD75420F331FCBFD6A389ADCEA930593C14D5EFDA3E38F1B0320BD03AACC
78CEA25D9DEFD89324ECA8595F2DAE4C0E01FBEA4A54A428
NEGOTIATE Response
Updating Preauth integrity hash ---
Current
Connection.PreauthIntegrityHashValue
BD11D3C338C8F993B3C9CD75420F331FCBFD6A389ADCEA930593C14D5EFDA3E38F1B0320BD03AACC
78CEA25D9DEFD89324ECA8595F2DAE4C0E01FBEA4A54A428
Negotiate response packet
FE534D4240000100000000000000010001000000000000000100000000000000FFFE000000000000
000000000000000000000000000000000000000000000000410001001103020039CBCAF329714942
BDCE5D60F09AB3FB2F000000000080000000800000008000CDCEA973CAAED00109094AB095AED001
80004001C00100006082013C06062B0601050502A08201303082012CA01A3018060A2B0601040182
3702021E060A2B06010401823702020AA282010C048201084E45474F455854530100000000000000
6000000070000000747CC0FD06D6362D02DDE1CF343BFE299B5A978ED39ECF7F343F2F72B151E5C2
F427966D191C624A19F30E0F7132F3D5000000000000000060000000010000000000000000000000
5C33530DEAF90D4DB2EC4AE3786EC3084E45474F4558545303000000010000004000000098000000
747CC0FD06D6362D02DDE1CF343BFE295C33530DEAF90D4DB2EC4AE3786EC3084000000058000000
3056A05430523027802530233121301F06035504031318546F6B656E205369676E696E6720507562
6C6963204B65793027802530233121301F06035504031318546F6B656E205369676E696E67205075
626C6963204B65790100260000000000010020000100ED81E13FE1C5E910AE1299BE60FCA6F54B09
42FA0FB2A92285A947C68AB988810000020004000000000001000100
Concatenate Connection.PreauthIntegrityHashValue and Negotiate response
packet
SHA-512 Input Hash Data
BD11D3C338C8F993B3C9CD75420F331FCBFD6A389ADCEA930593C14D5EFDA3E38F1B0320BD03AACC
78CEA25D9DEFD89324ECA8595F2DAE4C0E01FBEA4A54A428FE534D42400001000000000000000100
01000000000000000100000000000000FFFE00000000000000000000000000000000000000000000
0000000000000000410001001103020039CBCAF329714942BDCE5D60F09AB3FB2F00000000008000
0000800000008000CDCEA973CAAED00109094AB095AED00180004001C00100006082013C06062B06
01050502A08201303082012CA01A3018060A2B06010401823702021E060A2B06010401823702020A
A282010C048201084E45474F4558545301000000000000006000000070000000747CC0FD06D6362D
02DDE1CF343BFE299B5A978ED39ECF7F343F2F72B151E5C2F427966D191C624A19F30E0F7132F3D5
0000000000000000600000000100000000000000000000005C33530DEAF90D4DB2EC4AE3786EC308
4E45474F4558545303000000010000004000000098000000747CC0FD06D6362D02DDE1CF343BFE29
5C33530DEAF90D4DB2EC4AE3786EC30840000000580000003056A05430523027802530233121301F
06035504031318546F6B656E205369676E696E67205075626C6963204B6579302780253023312130
1F06035504031318546F6B656E205369676E696E67205075626C6963204B65790100260000000000
010020000100ED81E13FE1C5E910AE1299BE60FCA6F54B0942FA0FB2A92285A947C68AB988810000
020004000000000001000100
New
Connection.PreauthIntegrityHashValue
7744458C12FB7387C68B767ED06E8A684BB0AA1F4E49E6C195B55CB47138F2BCDD9489EC5CF10FEE
04EF5192817EE3D6694F34965D33C177F296F915452B929B
Add NEW SessionId 0x17592186044425 to Preauth Integrity hash table with
value
Connection.PreauthIntegrityHashValue
7744458C12FB7387C68B767ED06E8A684BB0AA1F4E49E6C195B55CB47138F2BCDD9489EC5CF10FEE
04EF5192817EE3D6694F34965D33C177F296F915452B929B
SESSION SETUP Request
PreauthSession.SessionId 0x17592186044425
Current
PreauthSession.PreauthIntegrityHashValue
7744458C12FB7387C68B767ED06E8A684BB0AA1F4E49E6C195B55CB47138F2BCDD9489EC5CF10FEE
04EF5192817EE3D6694F34965D33C177F296F915452B929B
SessionSetup request packet
FE534D4240000100000000000100800000000000000000000200000000000000FFFE000000000000
00000000000000000000000000000000000000000000000019000001010000000000000058004A00
0000000000000000604806062B0601050502A03E303CA00E300C060A2B06010401823702020AA22A
04284E544C4D5353500001000000978208E200000000000000000000000000000000060380250000
000F
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
request packet
SHA-512 Input Hash Data
7744458C12FB7387C68B767ED06E8A684BB0AA1F4E49E6C195B55CB47138F2BCDD9489EC5CF10FEE
04EF5192817EE3D6694F34965D33C177F296F915452B929BFE534D42400001000000000001008000
00000000000000000200000000000000FFFE00000000000000000000000000000000000000000000
000000000000000019000001010000000000000058004A000000000000000000604806062B060105
0502A03E303CA00E300C060A2B06010401823702020AA22A04284E544C4D53535000010000009782
08E200000000000000000000000000000000060380250000000F
PreauthSession.PreauthIntegrityHashValue
983C28E03CE2F30CA2CF648C95D489DD16E51E027A4A9F7C05A1F9E888AF289C112C77C8A77ACEB1
2EEC19DD6BD550C2303233B11A08F70609D4484D7CDEC58C
SESSION SETUP Response
--- STATUS_MORE_PROCESSING_REQUIRED
- Updating Preauth integrity hash ---
PreauthSession.SessionId 0x17592186044425
Current
PreauthSession.PreauthIntegrityHashValue
983C28E03CE2F30CA2CF648C95D489DD16E51E027A4A9F7C05A1F9E888AF289C112C77C8A77ACEB1
2EEC19DD6BD550C2303233B11A08F70609D4484D7CDEC58C
SessionSetup response packet
FE534D4240000100160000C00100010001000000000000000200000000000000FFFE000000000000
090000000010000000000000000000000000000000000000090000004800B300A181B03081ADA003
0A0101A10C060A2B06010401823702020AA281970481944E544C4D53535000020000000C000C0038
00000015828AE2395571B0B34E928C000000000000000050005000440000000A0092270000000F53
005500540033003100310002000C0053005500540033003100310001000C00530055005400330031
00310004000C0053005500540033003100310003000C0053005500540033003100310007000800CC
2FBB73CAAED00100000000
SessionSetup response header signature 0x00000000000000000000000000000000
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
response packet
SHA-512 Input Hash Data
983C28E03CE2F30CA2CF648C95D489DD16E51E027A4A9F7C05A1F9E888AF289C112C77C8A77ACEB1
2EEC19DD6BD550C2303233B11A08F70609D4484D7CDEC58CFE534D4240000100160000C001000100
01000000000000000200000000000000FFFE00000000000009000000001000000000000000000000
0000000000000000090000004800B300A181B03081ADA0030A0101A10C060A2B0601040182370202
0AA281970481944E544C4D53535000020000000C000C003800000015828AE2395571B0B34E928C00
0000000000000050005000440000000A0092270000000F53005500540033003100310002000C0053
005500540033003100310001000C0053005500540033003100310004000C00530055005400330031
00310003000C0053005500540033003100310007000800CC2FBB73CAAED00100000000
PreauthSession.PreauthIntegrityHashValue
C9CA587360D51A1DA5E61E208391B6E5C1846ADC5E5C961614A3A533DE3943E6314C8AE9DE7CDBD1
7E4068ED21F97DEBE879F13724CF3FF21B2C86D99BA59B87
SESSION SETUP Request
PreauthSession.SessionId 0x17592186044425
Current
PreauthSession.PreauthIntegrityHashValue
C9CA587360D51A1DA5E61E208391B6E5C1846ADC5E5C961614A3A533DE3943E6314C8AE9DE7CDBD1
7E4068ED21F97DEBE879F13724CF3FF21B2C86D99BA59B87
SessionSetup request packet
FE534D4240000100000000000100800000000000000000000300000000000000FFFE000000000000
0900000000100000000000000000000000000000000000001900000101000000000000005800CF01
0000000000000000A18201CB308201C7A0030A0101A28201AA048201A64E544C4D53535000030000
001800180090000000EE00EE00A80000000C000C00580000001A001A0064000000120012007E0000
001000100096010000158288E2060380250000000F308F9AF7839280D351E663E84AD3957F530055
005400330031003100610064006D0069006E006900730074007200610074006F0072004400520049
005600450052003300310031000000000000000000000000000000000000000000000000001EAF5A
8F20782DD3B7DFC1562EBFE9240101000000000000CC2FBB73CAAED0012B6C3234196EE8BF000000
0002000C0053005500540033003100310001000C0053005500540033003100310004000C00530055
00540033003100310003000C0053005500540033003100310007000800CC2FBB73CAAED001060004
00020000000800300030000000000000000000000000300000B61FEFCAA857EA57BF1EDCEBF8974B
8E0EBA5A6DFD9D07A31D11B548F8C9D0CC0A00100000000000000000000000000000000000090016
0063006900660073002F00530055005400330031003100000000000000000000000000AEF242481A
FBFB82BEDBE68A4F5742F2A3120410010000007FEE0708D69AD22600000000
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
request packet
SHA-512 Input Hash Data
C9CA587360D51A1DA5E61E208391B6E5C1846ADC5E5C961614A3A533DE3943E6314C8AE9DE7CDBD1
7E4068ED21F97DEBE879F13724CF3FF21B2C86D99BA59B87FE534D42400001000000000001008000
00000000000000000300000000000000FFFE00000000000009000000001000000000000000000000
00000000000000001900000101000000000000005800CF010000000000000000A18201CB308201C7
A0030A0101A28201AA048201A64E544C4D53535000030000001800180090000000EE00EE00A80000
000C000C00580000001A001A0064000000120012007E0000001000100096010000158288E2060380
250000000F308F9AF7839280D351E663E84AD3957F530055005400330031003100610064006D0069
006E006900730074007200610074006F007200440052004900560045005200330031003100000000
0000000000000000000000000000000000000000001EAF5A8F20782DD3B7DFC1562EBFE924010100
0000000000CC2FBB73CAAED0012B6C3234196EE8BF0000000002000C005300550054003300310031
0001000C0053005500540033003100310004000C0053005500540033003100310003000C00530055
00540033003100310007000800CC2FBB73CAAED00106000400020000000800300030000000000000
000000000000300000B61FEFCAA857EA57BF1EDCEBF8974B8E0EBA5A6DFD9D07A31D11B548F8C9D0
CC0A001000000000000000000000000000000000000900160063006900660073002F005300550054
00330031003100000000000000000000000000AEF242481AFBFB82BEDBE68A4F5742F2A312041001
0000007FEE0708D69AD22600000000
PreauthSession.PreauthIntegrityHashValue
BD57317658D28E7599C2491165F5D6FB36AD0AD65833774A6684D07F83EF2EBAB8726C1D76704AF3
25285A70FCBAD053F39EF4C031AE67C56006C50C6D349EC6
SESSION SETUP Response
SessionId 0x17592186044425 COMPLETED
SessionSetup response packet
FE534D4240000100000000000100800009000000000000000300000000000000FFFE000000000000
090000000010000021AC4DB12F2F6431207BA653FB805C290900000048001D00A11B3019A0030A01
00A312041001000000F19063CADAA8BE2100000000
SessionSetup response header signature 0x21AC4DB12F2F6431207BA653FB805C29
PreauthSession.PreauthIntegrityHashValue
BD57317658D28E7599C2491165F5D6FB36AD0AD65833774A6684D07F83EF2EBAB8726C1D76704AF3
25285A70FCBAD053F39EF4C031AE67C56006C50C6D349EC6
Input cryptographicKey (SessionKey) 0xFD67875E7DF37605F5A9D226991A8782
(queried from GSS authenticated context)
--- Dialect 0x0311 ---
preauthIntegrityHashValue
BD57317658D28E7599C2491165F5D6FB36AD0AD65833774A6684D07F83EF2EBAB8726C1D76704AF3
25285A70FCBAD053F39EF4C031AE67C56006C50C6D349EC6
CypherId 0x0001
SessionKey 0xFD67875E7DF37605F5A9D226991A8782
SigningKey 0xD9AE56D84460F692E15673D7AC357904
Header.Command 0x0000 NEGOTIATE
Preauth integrity hash ---
PreauthIntegrityCaps.HashAlgorithmCount 0x1
PreauthIntegrityCaps.SaltLength 0x20
PreauthIntegrityCaps.HashAlgorithms 0x0001
PreauthIntegrityCaps.Salt
E2D024DB75ED67B6323EDB6BD24FC4C97ECD893481CE1BEFDBD1DE3D09DF9DB5
Connection.PreauthIntegrityHashId 0x0001
NEGOTIATE Request
Preauth integrity hash ---
Current
Connection.PreauthIntegrityHashValue
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000
Negotiate request packet
FE534D4240000100000000000000800000000000000000000100000000000000FFFE000000000000
00000000000000000000000000000000000000000000000024000500000000003F0000004C3DB6FB
51377A45AB915E5700F9D91B70000000010000000202100200030203110300000100260000000000
010020000100E2D024DB75ED67B6323EDB6BD24FC4C97ECD893481CE1BEFDBD1DE3D09DF9DB5
Concatenate Connection.PreauthIntegrityHashValue and Negotiate request
packet
SHA-512 Input Hash Data
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000FE534D42400001000000000000008000
00000000000000000100000000000000FFFE00000000000000000000000000000000000000000000
000000000000000024000500000000003F0000004C3DB6FB51377A45AB915E5700F9D91B70000000
010000000202100200030203110300000100260000000000010020000100E2D024DB75ED67B6323E
DB6BD24FC4C97ECD893481CE1BEFDBD1DE3D09DF9DB5
New
Connection.PreauthIntegrityHashValue
EF7D572595297374B39788024797DAA020D66D3DF9D3A893CF2CA0442AEE16C6C154F1BC185CAF3F
660139347B9C4CA231161CA8A16073F058B5422045DE7C65
NEGOTIATE Response
Updating Preauth integrity hash ---
Current
Connection.PreauthIntegrityHashValue
EF7D572595297374B39788024797DAA020D66D3DF9D3A893CF2CA0442AEE16C6C154F1BC185CAF3F
660139347B9C4CA231161CA8A16073F058B5422045DE7C65
Negotiate response packet
FE534D4240000100000000000000010001000000000000000100000000000000FFFE000000000000
00000000000000000000000000000000000000000000000041000100110301001DE6C96123D11C40
9509F58B06CEB6E52F000000000080000000800000008000ECAC634232B1D001112265502BB1D001
80004001C00100006082013C06062B0601050502A08201303082012CA01A3018060A2B0601040182
3702021E060A2B06010401823702020AA282010C048201084E45474F455854530100000000000000
6000000070000000E396D6D84D7EBFC97CE3BD8B1761B727F0DDDDFF536372E805A6CD3A8CCC5C0F
54F850C98DF6C8C9F7A88AE1FF70590A000000000000000060000000010000000000000000000000
5C33530DEAF90D4DB2EC4AE3786EC3084E45474F4558545303000000010000004000000098000000
E396D6D84D7EBFC97CE3BD8B1761B7275C33530DEAF90D4DB2EC4AE3786EC3084000000058000000
3056A05430523027802530233121301F06035504031318546F6B656E205369676E696E6720507562
6C6963204B65793027802530233121301F06035504031318546F6B656E205369676E696E67205075
626C6963204B657901002600000000000100200001003208BCEB8827C388303D3E51E2D90F710898
D12B04522B5D871A0C031FC7B7B5
Concatenate Connection.PreauthIntegrityHashValue and Negotiate response
packet
SHA-512 Input Hash Data
EF7D572595297374B39788024797DAA020D66D3DF9D3A893CF2CA0442AEE16C6C154F1BC185CAF3F
660139347B9C4CA231161CA8A16073F058B5422045DE7C65FE534D42400001000000000000000100
01000000000000000100000000000000FFFE00000000000000000000000000000000000000000000
000000000000000041000100110301001DE6C96123D11C409509F58B06CEB6E52F00000000008000
0000800000008000ECAC634232B1D001112265502BB1D00180004001C00100006082013C06062B06
01050502A08201303082012CA01A3018060A2B06010401823702021E060A2B06010401823702020A
A282010C048201084E45474F4558545301000000000000006000000070000000E396D6D84D7EBFC9
7CE3BD8B1761B727F0DDDDFF536372E805A6CD3A8CCC5C0F54F850C98DF6C8C9F7A88AE1FF70590A
0000000000000000600000000100000000000000000000005C33530DEAF90D4DB2EC4AE3786EC308
4E45474F4558545303000000010000004000000098000000E396D6D84D7EBFC97CE3BD8B1761B727
5C33530DEAF90D4DB2EC4AE3786EC30840000000580000003056A05430523027802530233121301F
06035504031318546F6B656E205369676E696E67205075626C6963204B6579302780253023312130
1F06035504031318546F6B656E205369676E696E67205075626C6963204B65790100260000000000
0100200001003208BCEB8827C388303D3E51E2D90F710898D12B04522B5D871A0C031FC7B7B5
New
Connection.PreauthIntegrityHashValue
7ECC09ACEC6034FF40F8B0C9F6662C95E2532E6F54D29E922138A65D592FD58FA437712034CD2542
55EAA10BB823507EFCF1654195512A8445D9DE2609F47741
Add NEW SessionId 0x30786325577741 to Preauth Integrity hash table with
value
Connection.PreauthIntegrityHashValue
7ECC09ACEC6034FF40F8B0C9F6662C95E2532E6F54D29E922138A65D592FD58FA437712034CD2542
55EAA10BB823507EFCF1654195512A8445D9DE2609F47741
SESSION SETUP Request
PreauthSession.SessionId 0x30786325577741
Current
PreauthSession.PreauthIntegrityHashValue
7ECC09ACEC6034FF40F8B0C9F6662C95E2532E6F54D29E922138A65D592FD58FA437712034CD2542
55EAA10BB823507EFCF1654195512A8445D9DE2609F47741
SessionSetup request packet
FE534D4240000100000000000100800000000000000000000200000000000000FFFE000000000000
00000000000000000000000000000000000000000000000019000001010000000000000058004A00
0000000000000000604806062B0601050502A03E303CA00E300C060A2B06010401823702020AA22A
04284E544C4D5353500001000000978208E200000000000000000000000000000000060380250000
000F
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
request packet
SHA-512 Input Hash Data
7ECC09ACEC6034FF40F8B0C9F6662C95E2532E6F54D29E922138A65D592FD58FA437712034CD2542
55EAA10BB823507EFCF1654195512A8445D9DE2609F47741FE534D42400001000000000001008000
00000000000000000200000000000000FFFE00000000000000000000000000000000000000000000
000000000000000019000001010000000000000058004A000000000000000000604806062B060105
0502A03E303CA00E300C060A2B06010401823702020AA22A04284E544C4D53535000010000009782
08E200000000000000000000000000000000060380250000000F
PreauthSession.PreauthIntegrityHashValue
96D0F138CFE59B45465B2241727FADE2F74E5F6E4F88392C53A6DDC8E03B9BA5D7405FD37963906B
D7256648BDD43537A3A29C2CD0FE4FE5FE18E124EAD0B663
SESSION SETUP Response
--- STATUS_MORE_PROCESSING_REQUIRED
- Updating Preauth integrity hash ---
PreauthSession.SessionId 0x30786325577741
Current
PreauthSession.PreauthIntegrityHashValue
96D0F138CFE59B45465B2241727FADE2F74E5F6E4F88392C53A6DDC8E03B9BA5D7405FD37963906B
D7256648BDD43537A3A29C2CD0FE4FE5FE18E124EAD0B663
SessionSetup response packet
FE534D4240000100160000C00100010001000000000000000200000000000000FFFE000000000000
0D000000001C000000000000000000000000000000000000090000004800B300A181B03081ADA003
0A0101A10C060A2B06010401823702020AA281970481944E544C4D53535000020000000C000C0038
00000015828AE2CBB1D86ED8A26BBE000000000000000050005000440000000A0092270000000F53
005500540033003100310002000C0053005500540033003100310001000C00530055005400330031
00310004000C0053005500540033003100310003000C005300550054003300310031000700080083
C4744232B1D00100000000
SessionSetup response header signature 0x00000000000000000000000000000000
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
response packet
SHA-512 Input Hash Data
96D0F138CFE59B45465B2241727FADE2F74E5F6E4F88392C53A6DDC8E03B9BA5D7405FD37963906B
D7256648BDD43537A3A29C2CD0FE4FE5FE18E124EAD0B663FE534D4240000100160000C001000100
01000000000000000200000000000000FFFE0000000000000D000000001C00000000000000000000
0000000000000000090000004800B300A181B03081ADA0030A0101A10C060A2B0601040182370202
0AA281970481944E544C4D53535000020000000C000C003800000015828AE2CBB1D86ED8A26BBE00
0000000000000050005000440000000A0092270000000F53005500540033003100310002000C0053
005500540033003100310001000C0053005500540033003100310004000C00530055005400330031
00310003000C005300550054003300310031000700080083C4744232B1D00100000000
PreauthSession.PreauthIntegrityHashValue
F2243F95EEF00B4218D5A00DFBDAB515B9CC1F7C5F8DA99AAFBAFB72EB9424F6845C79A94EC5796C
9D69402D103EDD72805ACB38CF62E7DA3BE94B3BED3EE8FC
SESSION SETUP Request
PreauthSession.SessionId 0x30786325577741
Current
PreauthSession.PreauthIntegrityHashValue
F2243F95EEF00B4218D5A00DFBDAB515B9CC1F7C5F8DA99AAFBAFB72EB9424F6845C79A94EC5796C
9D69402D103EDD72805ACB38CF62E7DA3BE94B3BED3EE8FC
SessionSetup request packet
FE534D4240000100000000000100800000000000000000000300000000000000FFFE000000000000
0D000000001C0000000000000000000000000000000000001900000101000000000000005800CF01
0000000000000000A18201CB308201C7A0030A0101A28201AA048201A64E544C4D53535000030000
001800180090000000EE00EE00A80000000C000C00580000001A001A0064000000120012007E0000
001000100096010000158288E2060380250000000F268C28C948C2E1EF3A481C34A7100C97530055
005400330031003100610064006D0069006E006900730074007200610074006F0072004400520049
0056004500520033003100310000000000000000000000000000000000000000000000000030EF61
6190C8A662E721E2F8EDC40E98010100000000000083C4744232B1D001A529012472765972000000
0002000C0053005500540033003100310001000C0053005500540033003100310004000C00530055
00540033003100310003000C005300550054003300310031000700080083C4744232B1D001060004
000200000008003000300000000000000000000000003000009B52C033A82790F6F74C0E851E924C
504FDC52EF290D80D5322FBE536429D6D50A00100000000000000000000000000000000000090016
0063006900660073002F005300550054003300310031000000000000000000000000008A393FC3E9
D7FFD7CDE5BECCBF864F29A31204100100000071B9DE9A4248980D00000000
Concatenate PreauthSession.PreauthIntegrityHashValue and Session Setup
request packet
SHA-512 Input Hash Data
F2243F95EEF00B4218D5A00DFBDAB515B9CC1F7C5F8DA99AAFBAFB72EB9424F6845C79A94EC5796C
9D69402D103EDD72805ACB38CF62E7DA3BE94B3BED3EE8FCFE534D42400001000000000001008000
00000000000000000300000000000000FFFE0000000000000D000000001C00000000000000000000
00000000000000001900000101000000000000005800CF010000000000000000A18201CB308201C7
A0030A0101A28201AA048201A64E544C4D53535000030000001800180090000000EE00EE00A80000
000C000C00580000001A001A0064000000120012007E0000001000100096010000158288E2060380
250000000F268C28C948C2E1EF3A481C34A7100C97530055005400330031003100610064006D0069
006E006900730074007200610074006F007200440052004900560045005200330031003100000000
00000000000000000000000000000000000000000030EF616190C8A662E721E2F8EDC40E98010100
000000000083C4744232B1D001A5290124727659720000000002000C005300550054003300310031
0001000C0053005500540033003100310004000C0053005500540033003100310003000C00530055
0054003300310031000700080083C4744232B1D00106000400020000000800300030000000000000
0000000000003000009B52C033A82790F6F74C0E851E924C504FDC52EF290D80D5322FBE536429D6
D50A001000000000000000000000000000000000000900160063006900660073002F005300550054
003300310031000000000000000000000000008A393FC3E9D7FFD7CDE5BECCBF864F29A312041001
00000071B9DE9A4248980D00000000
PreauthSession.PreauthIntegrityHashValue
CB3320852ED35231F1087E6A4828C129384F7041005FF76543B46B1590574300B376771109C29903
D0A5E6EB124A3BCA8DD9CF0FBF2EF60F2FED746A70CE0533
SESSION SETUP Response
SessionId 0x30786325577741 COMPLETED
SessionSetup response packet
FE534D4240000100000000000100800009000000000000000300000000000000FFFE000000000000
0D000000001C0000BCE812303D9BCD5D3295EF0572553AEB0900000048001D00A11B3019A0030A01
00A31204100100000017DD19D27E10A55D00000000
SessionSetup response header signature 0xBCE812303D9BCD5D3295EF0572553AEB
PreauthSession.PreauthIntegrityHashValue
CB3320852ED35231F1087E6A4828C129384F7041005FF76543B46B1590574300B376771109C29903
D0A5E6EB124A3BCA8DD9CF0FBF2EF60F2FED746A70CE0533
Input cryptographicKey (SessionKey) 0xA8B3FCB8C96884BA9126132AE5B076AF
(queried from GSS authenticated context)
--- Dialect 0x0311 ---
preauthIntegrityHashValue
CB3320852ED35231F1087E6A4828C129384F7041005FF76543B46B1590574300B376771109C29903
D0A5E6EB124A3BCA8DD9CF0FBF2EF60F2FED746A70CE0533
SessionKey 0xA8B3FCB8C96884BA9126132AE5B076AF
SigningKey 0x5756AC382298721282D4D9F61CF1195F
[References]
[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2
and 3 Specification
SMB3 Secure Dialect Negotiation
https://blogs.msdn.com/b/openspecification/archive/2012/06/28/smb3-secure-dialect-negotiation.aspx
What’s new in SMB 3.1.1 in the Windows Server 2016 Technical
Preview 2
[SP800-108] National Institute of Standards and Technology.
"Special Publication 800-108, Recommendation for Key Derivation Using
Pseudorandom Functions", October 2009, https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
[FIPS180-4] FIPS PUBS, "Secure Hash Standards
(SHS)", March 2012, https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[RFC4493]. The AES-CMAC Algorithm, https://www.ietf.org/rfc/rfc4493.txt