2.2.41 SMB2 TRANSFORM_HEADER

The SMB2 Transform Header is used by the client or server when sending encrypted messages. The SMB2 TRANSFORM_HEADER is only valid for the SMB 3.x dialect family.


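 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          ProtocolId                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Signature                           |
|                              ...                              |
|                              ...                              |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Nonce                             |
|                              ...                              |
|                              ...                              |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      OriginalMessageSize                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Reserved            |   Flags/EncryptionAlgorithm   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           SessionId                           |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+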

ProtocolId (4 bytes): The protocol identifier. The value MUST be (in network order) 0xFD, 'S', 'M', and 'B'.

Signature (16 bytes): The 16-byte signature of the encrypted message generated by using Session.EncryptionKey.

Nonce (16 bytes): An implementation-specific value assigned for every encrypted message. This MUST NOT be reused for all encrypted messages within a session.

If the AES-128-CCM cipher is used, Nonce MUST be interpreted as a structure, as follows:


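 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        AES128CCM_Nonce                        |
|                              ...                              |
|                      ...                      |   Reserved    |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+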

AES128CCM_Nonce (11 bytes): An implementation-specific value assigned for every encrypted message. This MUST NOT be reused for all encrypted messages within a session.

Reserved (5 bytes): The sender SHOULD<71> set this field to 0.

If the AES-128-GCM cipher is used, Nonce MUST be interpreted as a structure, as follows:


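 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        AES128GCM_Nonce                        |
|                              ...                              |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Reserved                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+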

AES128GCM_Nonce (12 bytes): An implementation-specific value assigned for every encrypted message. This MUST NOT be reused for all encrypted messages within a session.

Reserved (4 bytes): The sender MUST set this field to 0.

OriginalMessageSize (4 bytes): The size, in bytes, of the SMB2 message.

Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set this to zero, and the server MUST ignore it on receipt.

Flags/EncryptionAlgorithm (2 bytes): This field is interpreted in different ways depending on the SMB2 dialect.

In the SMB 3.1.1 dialect, this field is interpreted as the Flags field, which indicates how the SMB2 message was transformed. This field MUST be set to one of the following values:

Value                 Meaning
--------------------  ------------------------------------------------------------
Encrypted (0x0001)    The message is encrypted using the cipher that was negotiated for this connection.

In the SMB 3.0 and SMB 3.0.2 dialects, this field is interpreted as the EncryptionAlgorithm field, which contains the algorithm used for encrypting the SMB2 message. This field MUST be set to one of the following values:

Value                                 Meaning
------------------------------------  --------------------------------------------
SMB2_ENCRYPTION_AES128_CCM (0x0001)   The message is encrypted using the AES128 CCM algorithm.

SessionId (8 bytes): Uniquely identifies the established session for the command.
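
The field layout above can be exercised with a small parser. The following is an added example, not code from the specification: it unpacks the 52-byte header, splits Nonce according to the cipher, and reports non-zero nonce Reserved bytes and nonce reuse as findings. The function names, the `seen` tracking set and the sample values are assumptions made for illustration; the little-endian integer encoding is the general MS-SMB2 convention and is not stated in this section.

```python
import struct

PROTOCOL_ID = b"\xfdSMB"            # 0xFD 'S' 'M' 'B'
# ProtocolId(4) Signature(16) Nonce(16) OriginalMessageSize(4) Reserved(2)
# Flags/EncryptionAlgorithm(2) SessionId(8). Integers are little-endian, per
# MS-SMB2's general convention (not stated in this section).
HEADER = struct.Struct("<4s16s16sIHHQ")
NONCE_LEN = {"AES-128-CCM": 11, "AES-128-GCM": 12}


def parse_transform_header(data, cipher, seen=None):
    """Return (fields, findings). `seen` is a caller-owned set of
    (SessionId, nonce) pairs from ONE sender, used to spot nonce reuse."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 52-byte transform header")
    proto, sig, nonce16, size, _reserved, flags, sid = HEADER.unpack_from(data)
    if proto != PROTOCOL_ID:
        raise ValueError("ProtocolId is not 0xFD 'S' 'M' 'B'")
    n = NONCE_LEN[cipher]
    nonce, pad = nonce16[:n], nonce16[n:]   # cipher-specific nonce + Reserved
    findings = []
    if flags != 0x0001:
        findings.append("Flags/EncryptionAlgorithm is not 0x0001")
    if any(pad):
        findings.append("nonce Reserved bytes are not zero")
    if seen is not None:
        if (sid, nonce) in seen:
            findings.append("nonce reused within session")
        seen.add((sid, nonce))
    fields = {"signature": sig, "nonce": nonce, "original_message_size": size,
              "flags": flags, "session_id": sid}
    return fields, findings


def build_sample(nonce, session_id=0x1122334455667788, size=120):
    """Constructed sample header (signature bytes are dummy values)."""
    return HEADER.pack(PROTOCOL_ID, bytes(range(16)), nonce.ljust(16, b"\0"),
                       size, 0, 0x0001, session_id)


if __name__ == "__main__":
    seen = set()
    first = build_sample(b"\x01" * 12)
    for msg in (first, build_sample(b"\x02" * 12), first):  # third repeats nonce
        fields, findings = parse_transform_header(msg, "AES-128-GCM", seen)
        print(hex(fields["session_id"]), fields["nonce"].hex(), findings)
```

The header-level Reserved field is unpacked but not checked, since the server ignores it on receipt.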
