how to sign in smb2

Question

There is an example blow (https://blogs.msdn.microsoft.com/openspecification/2015/09/09/smb-3-1-1-encryption-in-windows-10/, in Appendix A.2 Test vector with AES-CCM):

    --- Encryption ---

    SessionId 0x100000000021
    SessionKey 0x07B7F69C1E2581662DF6987E88F9E891
    SigningKey 0x3DCC82C5795AE27F383242761078C59B
    EncryptionKey 0xDFAAA31AAE40A2485D47AC4DF09FDA1D
    DecryptionKey 0x95C544AEF6072680DA1CE49A68A97FA6
    ApplicationKey 0x7A2F0F73EC2D530879B2913BBFCE242F
    Header.Command 0x0009 WRITE

    Encryption of the request ---

    Key 0xDFAAA31AAE40A2485D47AC4DF09FDA1D

    Nonce Length 0xb
    AES-128-CCM nonce 0x9F6F1EAAD7E9F24AACD38F

    SMB2 packet
    FE534D42400001000000000009000100
    08000000000000000500000000000000
    FFFE0000010000002100000000100000
    00000000000000000000000000000000
    31007000170000000000000000000000
    05000000040000000100000004000000
    00000000000000007000000000000000
    536D623320656E6372797074696F6E20
    74657374696E67

    transform_header.ProtocolId 0x424d53fd
    transform_header.Signature 0xE89551D666DAB8993488F5A97103116C
    transform_header.Nonce 0x9F6F1EAAD7E9F24AACD38F0000000000
    transform_header.OriginalMessageSize 0x87
    transform_header.Reserved 0x0
    transform_header.Flags 0x0001
    transform_header.SessionId 0x100000000021

    Encrypted message
    56A74778199A9D2B6E9C3A376FD88D27
    680694FED253A313BEB07381AE8689F9
    73ACDB8D716E4477803BCE53A92E1B81
    FA3E965AD9AF2C89C08CE66A34466445
    3B8FC88118EDC9814CF58E92AA465E6E
    FB09958A9FDAD96FBD55B36A710C30D5
    E7C64AD7B9449F9F17EDD024FE8BA791
    54F340A82740D1D5180C69B0A2DE6A4B
    A893BD55D3210E

    Transformed message
    FD534D42E89551D666DAB8993488F5A9
    7103116C9F6F1EAAD7E9F24AACD38F00
    00000000870000000000010021000000
    0010000056A74778199A9D2B6E9C3A37
    6FD88D27680694FED253A313BEB07381
    AE8689F973ACDB8D716E4477803BCE53
    A92E1B81FA3E965AD9AF2C89C08CE66A
    344664453B8FC88118EDC9814CF58E92
    AA465E6EFB09958A9FDAD96FBD55B36A
    710C30D5E7C64AD7B9449F9F17EDD024
    FE8BA79154F340A82740D1D5180C69B0
    A2DE6A4BA893BD55D3210E

I want to get the signature of Transformed message(0xE89551D666DAB8993488F5A97103116C), then,

    1) Message with signature zeroed out(the signature of transform header)

        FD534D42000000000000000000000000
        000000009F6F1EAAD7E9F24AACD38F00
        00000000870000000000010021000000
        0010000056A74778199A9D2B6E9C3A37
        6FD88D27680694FED253A313BEB07381
        AE8689F973ACDB8D716E4477803BCE53
        A92E1B81FA3E965AD9AF2C89C08CE66A
        344664453B8FC88118EDC9814CF58E92
        AA465E6EFB09958A9FDAD96FBD55B36A
        710C30D5E7C64AD7B9449F9F17EDD024
        FE8BA79154F340A82740D1D5180C69B0
        A2DE6A4BA893BD55D3210E

        Message    = transform header + encrypted data

    2) Message length
        187    = 52(transform header) + 135(encrypted data)

    3) use signing key
    
        0x3DCC82C5795AE27F383242761078C59B

    4) signing algorithm

        aes-128-cmac

The signature I compute is(incorrect) : 0x40F1AC475EE5B9F285B7C1FDA8FFAE18

however, the right one is : 0xE89551D666DAB8993488F5A97103116C

why?

Can anyone tell me how to get the signature(0xE89551D666DAB8993488F5A97103116C)?

Answer 1

Hi, thank you for this inquiry. Can you please contact me at the following alias: dochelp [at] microsoft [dot] com

Please address your message to my attention and mention this thread.

Thanks,

Edgar

Answer 2

Edgar,

  pls check the mail 

Answer 3

Hi,

I did. Thank you!

Edgar

Answer 4

As a summary of closure, we worked offline and this issue has been resolved.

You confirmed that you can get the correct encrypted message. You identified the field that represents the output signature from the API you are using.

Per AES-CCM RFC5084, the encryption algorithm provides message authentication, meaning it generates a signature as well.

The Signature in the transform_header is one of the outputs of the encryption algorithm. The signature is U in as defined in [RFC3610] Section 2.3. Encryption https://tools.ietf.org/html/rfc3610. The authentication value U is truncated to the desired length. You found the equivalent of U for the AES-128-CCM library that you are using, and by supplying the right parameter values to the algorithm, that gave the signature with the desired length.

As a background, the signature in the SMB2 TRANSFORM_HEADER authenticates the encrypted message. It is calculated as specified in Section [MS-SMB2] 3.1.4.3 Encrypting the Message. This is not about calculating the SMB2 message signature. When you encrypt, the encryption algorithms (AES-128-CCM or AES-128-GCM) have integrity property built-in and produces a signature. See reference [RFC5084].

[MS-SMB2] 3.1.4.3 Encrypting the Message

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/24d74c0c-3de1-40d9-a949-d169ad84361d

. . .

Signature is set to a value generated using either the AES-128-CCM or AES-128-GCM algorithm as specified in [RFC5084] with the following input:

• Nonce.AES128CCM_Nonce or Nonce.AES128GCM_Nonce based on the cipher specified by Connection.CipherId.
• The SMB2 TRANSFORM_HEADER, excluding the ProtocolId and Signature fields, as the optional authenticated data.
• The SMB2 message, including the header and the payload, as the data to be signed.

 

Thanks,

Edgar