
3.1.4.1 Signing An Outgoing Message

If the client or server sending the message requires that the message be signed, it provides the message length, the buffer containing the message, and the key to use for signing. The following steps describe the signing process:

  1. The sender MUST zero out the 16-byte signature field in the SMB2 Header of the message to be sent prior to generating the signature.

  2. If Connection.Dialect belongs to the SMB 3.x dialect family, the sender MUST compute a 16-byte hash using AES_CMAC-128 over the entire message, beginning with the SMB2 Header from step 1, and using the key provided. The AES_CMAC-128 is specified in [RFC4493]. If the message is part of a compounded chain, any padding at the end of the message MUST be used in the hash computation. The sender MUST copy the 16-byte hash into the signature field of the SMB2 header.

  3. If Connection.Dialect is "2.002" or "2.100", the sender MUST compute a 32-byte hash using HMAC-SHA256 over the entire message, beginning with the SMB2 Header from step 1, and using the key provided. The HMAC-SHA256 hash is specified in [FIPS180-2] and [RFC2104]. If the message is part of a compounded chain, any padding at the end of the message MUST be used in the hash computation. The first 16 bytes (the high-order portion) of the hash MUST be copied (beginning with the first, most significant, byte) into the 16-byte signature field of the SMB2 Header.

Determining when a client will sign an outgoing message is specified in 3.2.4.1.1, and determining when a server will sign an outgoing message is specified in 3.3.4.1.1.
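The following sketch is an added example, not code from the specification. It works through steps 1 and 3 for the "2.002" and "2.100" dialects and adds a receiver-style recomputation as a check. The function names, the sample key and the sample message are constructed for illustration. The signature field offset of 48 comes from the SMB2 header layout rather than from this section, and the AES_CMAC-128 branch of step 2 is left out because it needs an AES implementation outside the Python standard library.

```python
import hashlib
import hmac

SIG_OFFSET = 48   # Signature field offset in the 64-byte SMB2 header (assumed from the header layout)
SIG_LEN = 16
HMAC_DIALECTS = ("2.002", "2.100")


def compute_signature(dialect: str, key: bytes, message: bytes) -> bytes:
    """Return the 16-byte signature for one message, trailing padding included."""
    if dialect not in HMAC_DIALECTS:
        # SMB 3.x uses AES_CMAC-128 (step 2), which this sketch does not implement.
        raise ValueError("only the HMAC-SHA256 dialects are handled here")
    if len(message) < SIG_OFFSET + SIG_LEN or message[:4] != b"\xfeSMB":
        raise ValueError("not a complete SMB2 header")
    buf = bytearray(message)
    # Step 1: zero the signature field so a stale value never enters the hash.
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = bytes(SIG_LEN)
    # Step 3: HMAC-SHA256 over the entire message, keep the first 16 bytes.
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()[:SIG_LEN]


def sign_message(dialect: str, key: bytes, message: bytes) -> bytes:
    """Return a copy of the message with the signature field filled in."""
    sig = compute_signature(dialect, key, message)
    return message[:SIG_OFFSET] + sig + message[SIG_OFFSET + SIG_LEN:]


def signature_matches(dialect: str, key: bytes, message: bytes) -> bool:
    """Hypothetical receiver-side check: recompute, then compare in constant time."""
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, compute_signature(dialect, key, message))


# Constructed sample: header carrying a stale signature, a 9-byte body,
# and 7 bytes of compound-chain padding that must be covered by the hash.
SAMPLE_KEY = bytes(range(16))
SAMPLE_HEADER = b"\xfeSMB" + (64).to_bytes(2, "little") + bytes(42) + b"\xaa" * SIG_LEN
SAMPLE_MESSAGE = SAMPLE_HEADER + b"\x09\x00" + bytes(7) + bytes(7)
SIGNED = sign_message("2.100", SAMPLE_KEY, SAMPLE_MESSAGE)

if __name__ == "__main__":
    print("signature:", SIGNED[SIG_OFFSET:SIG_OFFSET + SIG_LEN].hex())
    print("verifies:", signature_matches("2.100", SAMPLE_KEY, SIGNED))
```

Because the padding is part of the hashed span, a sender that signs before appending compound padding, or a receiver that trims it before checking, will produce a mismatch.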

 
© 2014 Microsoft