Metze,

Generally speaking, decryption occurs as an outer layer. It is expected that 
Windows server does not complain if the client encrypts SESSION_SETUP (for 
reauth/or channel bind) and TREE_CONNECTS. What the protocol prescribes for 
client side encryption is specified in 3.2.4.1.8 Encrypting the Message, and we 
are reviewing this for the re-authentication and channel binding.

Regarding an encrypted SESSION_SETUP for re-authentication or channel binding, 
it is expected that Windows server will decrypt the message, as specified in 
3.3.5.2.1 Decrypting the Message.
Re-authentication or channel binding requires an existing session. If the 
server finds the DecryptionKey based on the SessionId in the transform header, 
it will be able to proceed with decryption.
A document bug has been opened to clarify Windows 8 client behavior on 
encrypting SESSION_SETUP for re-authentication or channel binding.

Regarding the encryption of TREE_CONNECT, this is controlled by 
Session.EncryptData = TRUE, as documented in 3.2.4.1.8 Encrypting the Message, 
3.3.4.1.4 Encrypting the Message.
As mentioned previously, the decryption depends on the ability to find the 
DecryptionKey based on the SessionId in the transform header.
The following blog entry may be helpful. It describes Windows configuration for 
SMB3 encryption. 
http://blogs.msdn.com/b/openspecification/archive/2012/06/08/encryption-in-smb3.aspx

Regards,
Edgar
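The lookup Edgar describes above, for both the encrypted SESSION_SETUP (re-authentication or channel binding) and the encrypted TREE_CONNECT, hinges on one step: the server reads the SessionId out of the SMB2 transform header and uses it to find Session.DecryptionKey. The following is an added illustration written for this thread, not code from the thread, from Samba or from Windows. It parses the 52-byte transform header as laid out in MS-SMB2 section 2.2.41 and performs that session lookup; the session table, the key bytes, the SessionId values and the opaque body are all constructed sample data, and the actual AES-CCM decryption and signature check that would follow a successful lookup are left out.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# SMB2 TRANSFORM_HEADER (MS-SMB2 2.2.41): 52 bytes, little-endian.
#   ProtocolId (4)                  0xFD 'S' 'M' 'B'
#   Signature (16)                  authentication tag of the encrypted body
#   Nonce (16)                      AES-128-CCM uses the first 11 bytes
#   OriginalMessageSize (4)         length of the encrypted SMB2 message that follows
#   Reserved (2)
#   Flags/EncryptionAlgorithm (2)   0x0001 on the SMB 3.0 dialects (AES-128-CCM)
#   SessionId (8)                   what the server uses to find Session.DecryptionKey
TRANSFORM_HEADER_FMT = "<4s16s16sIHHQ"
TRANSFORM_HEADER_LEN = struct.calcsize(TRANSFORM_HEADER_FMT)  # 52
TRANSFORM_PROTOCOL_ID = b"\xfdSMB"
SMB2_ENCRYPTION_AES128_CCM = 0x0001


@dataclass
class TransformHeader:
    signature: bytes
    nonce: bytes
    original_message_size: int
    flags: int
    session_id: int


def parse_transform_header(msg: bytes) -> TransformHeader:
    """Parse and sanity-check a transform header; raises ValueError on malformed input."""
    if len(msg) < TRANSFORM_HEADER_LEN:
        raise ValueError("message shorter than a transform header")
    proto, sig, nonce, size, _reserved, flags, sid = struct.unpack_from(
        TRANSFORM_HEADER_FMT, msg, 0)
    if proto != TRANSFORM_PROTOCOL_ID:
        raise ValueError("ProtocolId is not the transform header magic")
    if size != len(msg) - TRANSFORM_HEADER_LEN:
        raise ValueError("OriginalMessageSize does not match the encrypted payload length")
    if flags != SMB2_ENCRYPTION_AES128_CCM:
        raise ValueError("unsupported Flags/EncryptionAlgorithm value %#06x" % flags)
    return TransformHeader(sig, nonce, size, flags, sid)


def find_decryption_key(session_table: Dict[int, bytes], msg: bytes) -> Optional[bytes]:
    """First step of the server-side decryption path (MS-SMB2 3.3.5.2.1).

    Returns the DecryptionKey for the SessionId carried in the transform header,
    or None when no such session exists. An encrypted SESSION_SETUP for
    re-authentication or channel binding, or an encrypted TREE_CONNECT, can only
    be decrypted because the session it names is already established.
    """
    hdr = parse_transform_header(msg)
    return session_table.get(hdr.session_id)


def build_transform_message(session_id: int, ciphertext: bytes, nonce: bytes,
                            signature: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample only: wrap an already-encrypted body in a transform header."""
    hdr = struct.pack(TRANSFORM_HEADER_FMT, TRANSFORM_PROTOCOL_ID, signature,
                      nonce, len(ciphertext), 0, SMB2_ENCRYPTION_AES128_CCM, session_id)
    return hdr + ciphertext


# Constructed session table: one established session with a constructed 16-byte key.
KNOWN_SESSION_ID = 0x0000000000400001
SESSION_TABLE = {KNOWN_SESSION_ID: bytes(range(16))}
# Constructed opaque body standing in for an encrypted SESSION_SETUP or TREE_CONNECT.
SAMPLE_BODY = b"\xaa" * 64
SAMPLE_NONCE = b"\x11" * 11 + b"\x00" * 5


if __name__ == "__main__":
    good = build_transform_message(KNOWN_SESSION_ID, SAMPLE_BODY, SAMPLE_NONCE)
    print("known session   -> key found:", find_decryption_key(SESSION_TABLE, good) is not None)
    unknown = build_transform_message(0xDEADBEEF, SAMPLE_BODY, SAMPLE_NONCE)
    print("unknown session -> key found:", find_decryption_key(SESSION_TABLE, unknown) is not None)
```

A `None` result is the failure case Edgar's reply implies: there is no session to take the key from, so the server cannot decrypt the message at all, regardless of which command the encrypted body carries. The length check against OriginalMessageSize is there because a server must not trust the header's size field over the bytes actually received.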


-----Original Message-----
From: Edgar Olougouna 
Sent: Thursday, August 23, 2012 3:06 PM
To: Stefan (metze) Metzmacher
Cc: p...@tridgell.net; cifs-protocol@cifs.org
Subject: RE: [REG:112080864018345] SMB3 encryption over multiple requests

Metze,

In order to track document bugs properly, I will be following up on these new 
questions in two separate cases. I will start a new thread for each case:
112082370902333 SMB3 encryption of SESSION_SETUP (for reauth/or channel 
binding) and TREE_CONNECT
112082371227089 SMB3 encryption and Oplock/Lease break notifications

Thanks,
Edgar

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:me...@samba.org] 
Sent: Wednesday, August 22, 2012 9:19 AM
To: Edgar Olougouna
Cc: p...@tridgell.net; cifs-protocol@cifs.org
Subject: Re: [REG:112080864018345] SMB3 encryption over multiple requests

Hi Edgar,

thanks for the answers, I have some more questions inline.

> What about async responses with STATUS_PENDING, are they also encrypted?
> 
> [Answer] 
> Yes. The exceptions that are not encrypted are SMB2 NEGOTIATE, SMB2 
> SESSION_SETUP or SMB2 TREE_CONNECT as documented in 3.2.4.1.8 Encrypting 
> the Message, 3.3.4.1.4 Encrypting the Message.

Windows doesn't complain if the client encrypts SESSION_SETUP (for reauth/or 
channel bind) and TREE_CONNECTS.

> How does it work, when the last request in a compound chain goes async?
> 
> [Answer]
> There is no change of processing rules for the encryption due to the last 
> request in a compounded chain going async. 
>  
> Are Oplock/Lease Break Notifications encrypted?
> 
> [Answer] Yes, see previous answer and references.

For Oplocks the server knows the session from the file_id, but what session is 
used for leases?

To my understanding a lease key can be shared between sessions, is that correct?

metze

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol