2.2.41 SMB2 TRANSFORM_HEADER
The SMB2 TRANSFORM_HEADER is used by the client or server when sending encrypted messages. The SMB2 TRANSFORM_HEADER is only valid for the SMB 3.x dialect family.

| Byte offset | Field | Size (bytes) |
|---|---|---|
| 0 | ProtocolId | 4 |
| 4 | Signature | 16 |
| 20 | Nonce | 16 |
| 36 | OriginalMessageSize | 4 |
| 40 | Reserved | 2 |
| 42 | Flags/EncryptionAlgorithm | 2 |
| 44 | SessionId | 8 |

ProtocolId (4 bytes): The protocol identifier. The value MUST be set to 0x424D53FD, also represented as (in network order) 0xFD, 'S', 'M', and 'B'.
Signature (16 bytes): The 16-byte signature of the message, generated using the negotiated encryption algorithm.
Nonce (16 bytes): An implementation-specific value assigned for every encrypted message. The same value MUST NOT be reused for any two encrypted messages within a session.
If the AES-128-CCM or AES-256-CCM cipher is used, Nonce MUST be interpreted as a structure, as follows:

| Byte offset | Field | Size (bytes) |
|---|---|---|
| 0 | AES_CCM_Nonce | 11 |
| 11 | Reserved | 5 |

AES_CCM_Nonce (11 bytes): An implementation-specific value assigned for every encrypted message. The same value MUST NOT be reused for any two encrypted messages within a session.
Reserved (5 bytes): The sender SHOULD<83> set this field to 0.
If the AES-128-GCM or AES-256-GCM cipher is used, Nonce MUST be interpreted as a structure, as follows:

| Byte offset | Field | Size (bytes) |
|---|---|---|
| 0 | AES_GCM_Nonce | 12 |
| 12 | Reserved | 4 |

AES_GCM_Nonce (12 bytes): An implementation-specific value assigned for every encrypted message. The same value MUST NOT be reused for any two encrypted messages within a session.
Reserved (4 bytes): The sender MUST set this field to 0.
OriginalMessageSize (4 bytes): The size, in bytes, of the SMB2 message.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set this to zero, and the server MUST ignore it on receipt.
Flags/EncryptionAlgorithm (2 bytes): This field is interpreted in different ways depending on the SMB2 dialect.
In the SMB 3.1.1 dialect, this field is interpreted as the Flags field, which indicates how the SMB2 message was transformed. This field MUST be set to one of the following values:

| Value | Meaning |
|---|---|
| Encrypted 0x0001 | The message is encrypted using the cipher that was negotiated for this connection. |

In the SMB 3.0 and SMB 3.0.2 dialects, this field is interpreted as the EncryptionAlgorithm field, which contains the algorithm used for encrypting the SMB2 message. This field MUST be set to one of the following values:

| Value | Meaning |
|---|---|
| SMB2_ENCRYPTION_AES128_CCM 0x0001 | The message is encrypted using the AES128 CCM algorithm. |

SessionId (8 bytes): Uniquely identifies the established session for the command.
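
The following added example (not part of the specification text) parses the 52-byte header laid out above and audits a capture for the rules this section states: the ProtocolId value, the 0x0001 Flags/EncryptionAlgorithm value, zero Reserved bytes in the GCM nonce, and no nonce reuse within a session. It assumes SMB2's little-endian field encoding and that all messages come from one sender; `parse_transform_header`, `audit`, `build_sample` and the sample headers are hypothetical names and constructed data.

```python
import struct

PROTOCOL_ID = b"\xfdSMB"                 # 0x424D53FD as it appears on the wire
HEADER = struct.Struct("<4s16s16sIHHQ")  # 52 bytes; little-endian assumed (SMB2 convention)
NONCE_LEN = {"CCM": 11, "GCM": 12}       # meaningful bytes of the 16-byte Nonce field


def parse_transform_header(buf, mode):
    """Return the header fields as a dict; mode is 'CCM' or 'GCM'."""
    if len(buf) < HEADER.size:
        raise ValueError("shorter than a 52-byte TRANSFORM_HEADER")
    proto, sig, nonce, size, reserved, flags, sid = HEADER.unpack_from(buf)
    if proto != PROTOCOL_ID:
        raise ValueError("ProtocolId is not 0xFD 'S' 'M' 'B'")
    n = NONCE_LEN[mode]
    return {"signature": sig, "nonce": nonce[:n], "nonce_reserved": nonce[n:],
            "original_size": size, "reserved": reserved, "flags": flags,
            "session_id": sid}


def audit(messages, mode):
    """Return (index, finding) pairs for headers that break a rule above."""
    seen = {}                            # (SessionId, nonce) -> index first seen
    findings = []
    for i, buf in enumerate(messages):
        h = parse_transform_header(buf, mode)
        if h["flags"] != 0x0001:
            findings.append((i, "unexpected Flags/EncryptionAlgorithm"))
        if mode == "GCM" and any(h["nonce_reserved"]):
            findings.append((i, "non-zero Reserved bytes in GCM nonce"))
        key = (h["session_id"], h["nonce"])
        if key in seen:
            findings.append((i, "nonce reused from message %d" % seen[key]))
        else:
            seen[key] = i
    return findings


def build_sample(session_id, nonce16, flags=0x0001, size=128):
    """Constructed test header: zero Signature, no payload attached."""
    return HEADER.pack(PROTOCOL_ID, bytes(16), nonce16, size, 0, flags, session_id)


# Constructed capture: one sender, GCM cipher, two sessions.
SAMPLE = [
    build_sample(0x11, (1).to_bytes(12, "little") + bytes(4)),
    build_sample(0x11, (2).to_bytes(12, "little") + bytes(4)),
    build_sample(0x22, (1).to_bytes(12, "little") + bytes(4)),  # other session: fine
    build_sample(0x11, (1).to_bytes(12, "little") + bytes(4)),  # repeats message 0
    build_sample(0x11, (3).to_bytes(12, "little") + b"\x00\x00\x00\x01"),
]
```

Calling `audit(SAMPLE, "GCM")` flags message 3 for repeating the nonce of message 0 in session 0x11 and message 4 for its non-zero Reserved bytes.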