Encrypting the Message

This optional interface is applicable only for the SMB 3.x dialect family.<75>

The sender MUST construct the SMB2 TRANSFORM_HEADER specified in section 2.2.41 as follows:

  • OriginalMessageSize is set to the size of the SMB2 message being sent.

  • SessionId is set to Session.SessionId.

  • EncryptionAlgorithm/Flags is set to 0x0001 (for the SMB 3.1.1 dialect this field is Flags, where 0x0001 marks the message as encrypted; for SMB 3.0 and 3.0.2 it is EncryptionAlgorithm, where 0x0001 selects AES-128-CCM).

  • Nonce is set to a newly generated implementation-specific value that is not used for any other encrypted message within the session.

  • Signature is set to a value generated using either the AES-128-CCM or AES-128-GCM algorithm as specified in [RFC5084] with the following input:

    • Nonce.AES128CCM_Nonce or Nonce.AES128GCM_Nonce based on the cipher specified by Connection.CipherId.

    • The SMB2 TRANSFORM_HEADER, excluding the ProtocolId and Signature fields, as the optional authenticated data.

    • The SMB2 message, including the header and the payload, as the data to be signed.

    • Session.EncryptionKey as the key to be used for signing.

The sender MUST encrypt the SMB2 message using Session.EncryptionKey. If Connection.Dialect is "3.1.1", then the cipher specified by Connection.CipherId is used. Otherwise, AES-128-CCM is used to encrypt, as specified in [RFC4309]. The sender MUST append the encrypted SMB2 message to the SMB2 TRANSFORM_HEADER and send it to the receiver.
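The sender procedure above, together with the matching receiver-side tag check, as an added example in Python that is not part of MS-SMB2 or of any SMB implementation. The 52-byte TRANSFORM_HEADER layout from section 2.2.41 (ProtocolId, Signature, Nonce, OriginalMessageSize, Reserved, Flags/EncryptionAlgorithm, SessionId) is packed with the standard library; the AEAD primitives come from the `cryptography` package's AESCCM and AESGCM classes. The key, SessionId, nonce bytes and message are constructed sample values. The AES-256 CipherId values are taken from the SMB2_ENCRYPTION_CAPABILITIES context (section 2.2.3.1.2) and go beyond the two ciphers this section names; everything else follows the text above.

```python
"""SMB2 TRANSFORM_HEADER build, encrypt and decrypt (MS-SMB2 2.2.41 / 3.1.4.3).

Added example, not code from MS-SMB2 or any SMB implementation. Header layout
helpers are stdlib-only; the AEAD step needs the `cryptography` package.
"""
import struct

try:
    from cryptography.hazmat.primitives.ciphers.aead import AESCCM, AESGCM
except ImportError:  # header helpers still work without the AEAD library
    AESCCM = AESGCM = None

TRANSFORM_PROTOCOL_ID = b"\xfdSMB"   # 0xFD 'S' 'M' 'B'
TRANSFORM_FLAG_ENCRYPTED = 0x0001     # Flags (3.1.1) / EncryptionAlgorithm (3.0, 3.0.2)
HEADER_LEN = 52
TAG_LEN = 16                          # the Signature field carries the 16-byte AEAD tag

# Connection.CipherId values negotiated in SMB2_ENCRYPTION_CAPABILITIES (2.2.3.1.2).
AES_128_CCM, AES_128_GCM, AES_256_CCM, AES_256_GCM = 0x0001, 0x0002, 0x0003, 0x0004
NONCE_LEN = {AES_128_CCM: 11, AES_256_CCM: 11, AES_128_GCM: 12, AES_256_GCM: 12}
KEY_LEN = {AES_128_CCM: 16, AES_128_GCM: 16, AES_256_CCM: 32, AES_256_GCM: 32}


def aead_available():
    return AESCCM is not None


def build_aad(nonce, original_size, session_id):
    """Header bytes 20..51: Nonce(16) | OriginalMessageSize(4) | Reserved(2) |
    Flags(2) | SessionId(8). This is the header 'excluding the ProtocolId and
    Signature fields' that 3.1.4.3 feeds the AEAD as associated data. The 11- or
    12-byte cipher nonce occupies the front of the 16-byte field; the rest is
    Reserved and zero."""
    return struct.pack("<16sIHHQ", nonce.ljust(16, b"\0"), original_size, 0,
                       TRANSFORM_FLAG_ENCRYPTED, session_id)


def _aead(cipher_id, key):
    if not aead_available():
        raise RuntimeError("the cryptography package is required for the AEAD step")
    if len(key) != KEY_LEN[cipher_id]:
        raise ValueError("key length does not match CipherId")
    if cipher_id in (AES_128_CCM, AES_256_CCM):
        return AESCCM(key, tag_length=TAG_LEN)
    return AESGCM(key)


def encrypt_message(message, key, session_id, cipher_id, nonce):
    """Sender side of 3.1.4.3. `nonce` must be fresh for every message in the
    session (a repeated GCM nonce under one key leaks keystream and the tag key,
    so a real sender takes it from a per-session counter).
    Returns TRANSFORM_HEADER || ciphertext, the bytes put on the wire."""
    if len(nonce) != NONCE_LEN[cipher_id]:
        raise ValueError("nonce must be 11 bytes for CCM or 12 bytes for GCM")
    aad = build_aad(nonce, len(message), session_id)
    # cryptography returns ciphertext || tag; the tag becomes the Signature field
    sealed = _aead(cipher_id, key).encrypt(nonce, message, aad)
    ciphertext, signature = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return TRANSFORM_PROTOCOL_ID + signature + aad + ciphertext


def parse_transform_header(wire):
    """Split a received transform message into header fields and body."""
    if len(wire) < HEADER_LEN or wire[:4] != TRANSFORM_PROTOCOL_ID:
        raise ValueError("not an SMB2 transform message")
    nonce, original_size, _reserved, flags, session_id = struct.unpack("<16sIHHQ", wire[20:52])
    return {"signature": wire[4:20], "nonce": nonce, "original_size": original_size,
            "flags": flags, "session_id": session_id, "body": wire[HEADER_LEN:]}


def decrypt_message(wire, key, cipher_id):
    """Receiver side: take the associated data verbatim from the received header,
    verify the Signature over those bytes plus the ciphertext, then check
    OriginalMessageSize. Any altered header or ciphertext byte fails the tag
    check before any plaintext is returned."""
    hdr = parse_transform_header(wire)
    if hdr["flags"] != TRANSFORM_FLAG_ENCRYPTED:
        raise ValueError("Flags/EncryptionAlgorithm must be 0x0001")
    nonce = hdr["nonce"][:NONCE_LEN[cipher_id]]
    aad = wire[20:HEADER_LEN]
    plaintext = _aead(cipher_id, key).decrypt(nonce, hdr["body"] + hdr["signature"], aad)
    if len(plaintext) != hdr["original_size"]:
        raise ValueError("OriginalMessageSize does not match the decrypted length")
    return plaintext


def tag_check_fails(wire, key, cipher_id):
    """True if the receiver rejects the message (demonstrates tamper detection)."""
    try:
        decrypt_message(wire, key, cipher_id)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: demo key and a fake SMB2 message (0xFE 'S' 'M' 'B' header bytes).
    key = bytes(range(16))
    msg = b"\xfeSMB" + b"\x00" * 60 + b"example payload"
    wire = encrypt_message(msg, key, 0x1122334455667788, AES_128_GCM, b"\x02" * 12)
    assert decrypt_message(wire, key, AES_128_GCM) == msg
    tampered = bytearray(wire)
    tampered[-1] ^= 1
    print("roundtrip ok; tampered rejected:", tag_check_fails(bytes(tampered), key, AES_128_GCM))
```

The receiver rebuilds the associated data from the received header bytes rather than from values it already trusts, so the tag covers SessionId, Flags/EncryptionAlgorithm, OriginalMessageSize and the Nonce field itself: a peer that flips any of them gets a tag failure, not a confused lookup. Nonce uniqueness is deliberately left to the caller, matching the text, which only requires that the value never repeat within the session.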