none
how to sign in smb2 RRS feed

  • Question

  • There is an example blow (https://blogs.msdn.microsoft.com/openspecification/2015/09/09/smb-3-1-1-encryption-in-windows-10/, in Appendix A.2 Test vector with AES-CCM):

        --- Encryption ---

        SessionId 0x100000000021
        SessionKey 0x07B7F69C1E2581662DF6987E88F9E891
        SigningKey 0x3DCC82C5795AE27F383242761078C59B
        EncryptionKey 0xDFAAA31AAE40A2485D47AC4DF09FDA1D
        DecryptionKey 0x95C544AEF6072680DA1CE49A68A97FA6
        ApplicationKey 0x7A2F0F73EC2D530879B2913BBFCE242F
        Header.Command 0x0009 WRITE

        Encryption of the request ---

        Key 0xDFAAA31AAE40A2485D47AC4DF09FDA1D

        Nonce Length 0xb
        AES-128-CCM nonce 0x9F6F1EAAD7E9F24AACD38F

        SMB2 packet
        FE534D42400001000000000009000100
        08000000000000000500000000000000
        FFFE0000010000002100000000100000
        00000000000000000000000000000000
        31007000170000000000000000000000
        05000000040000000100000004000000
        00000000000000007000000000000000
        536D623320656E6372797074696F6E20
        74657374696E67

        transform_header.ProtocolId 0x424d53fd
        transform_header.Signature 0xE89551D666DAB8993488F5A97103116C
        transform_header.Nonce 0x9F6F1EAAD7E9F24AACD38F0000000000
        transform_header.OriginalMessageSize 0x87
        transform_header.Reserved 0x0
        transform_header.Flags 0x0001
        transform_header.SessionId 0x100000000021

        Encrypted message
        56A74778199A9D2B6E9C3A376FD88D27
        680694FED253A313BEB07381AE8689F9
        73ACDB8D716E4477803BCE53A92E1B81
        FA3E965AD9AF2C89C08CE66A34466445
        3B8FC88118EDC9814CF58E92AA465E6E
        FB09958A9FDAD96FBD55B36A710C30D5
        E7C64AD7B9449F9F17EDD024FE8BA791
        54F340A82740D1D5180C69B0A2DE6A4B
        A893BD55D3210E

        Transformed message
        FD534D42E89551D666DAB8993488F5A9
        7103116C9F6F1EAAD7E9F24AACD38F00
        00000000870000000000010021000000
        0010000056A74778199A9D2B6E9C3A37
        6FD88D27680694FED253A313BEB07381
        AE8689F973ACDB8D716E4477803BCE53
        A92E1B81FA3E965AD9AF2C89C08CE66A
        344664453B8FC88118EDC9814CF58E92
        AA465E6EFB09958A9FDAD96FBD55B36A
        710C30D5E7C64AD7B9449F9F17EDD024
        FE8BA79154F340A82740D1D5180C69B0
        A2DE6A4BA893BD55D3210E

    I want to get the signature of Transformed message(0xE89551D666DAB8993488F5A97103116C), then,

        1) Message with signature zeroed out(the signature of transform header)

            FD534D42000000000000000000000000
            000000009F6F1EAAD7E9F24AACD38F00
            00000000870000000000010021000000
            0010000056A74778199A9D2B6E9C3A37
            6FD88D27680694FED253A313BEB07381
            AE8689F973ACDB8D716E4477803BCE53
            A92E1B81FA3E965AD9AF2C89C08CE66A
            344664453B8FC88118EDC9814CF58E92
            AA465E6EFB09958A9FDAD96FBD55B36A
            710C30D5E7C64AD7B9449F9F17EDD024
            FE8BA79154F340A82740D1D5180C69B0
            A2DE6A4BA893BD55D3210E

            Message    = transform header + encrypted data

        2) Message length
            187    = 52(transform header) + 135(encrypted data)

        3) use signing key
        
            0x3DCC82C5795AE27F383242761078C59B

        4) signing algorithm

            aes-128-cmac

    The signature I compute is(incorrect) : 0x40F1AC475EE5B9F285B7C1FDA8FFAE18

    however, the right one is : 0xE89551D666DAB8993488F5A97103116C

    why?

    Can anyone tell me how to get the signature(0xE89551D666DAB8993488F5A97103116C)?
    Monday, October 28, 2019 1:29 PM

Answers

  • As a summary of closure, we worked offline and this issue has been resolved.

    You confirmed that you can get the correct encrypted message. You identified the field that represents the output signature from the API you are using.

    Per AES-CCM RFC5084, the encryption algorithm provides message authentication, meaning it generates a signature as well.

    The Signature in the transform_header is one of the outputs of the encryption algorithm. The signature is U in as defined in [RFC3610] Section 2.3. Encryption https://tools.ietf.org/html/rfc3610. The authentication value U is truncated to the desired length. You found the equivalent of U for the AES-128-CCM library that you are using, and by supplying the right parameter values to the algorithm, that gave the signature with the desired length.

    As a background, the signature in the SMB2 TRANSFORM_HEADER authenticates the encrypted message. It is calculated as specified in Section [MS-SMB2] 3.1.4.3 Encrypting the Message. This is not about calculating the SMB2 message signature. When you encrypt, the encryption algorithms (AES-128-CCM or AES-128-GCM) have integrity property built-in and produces a signature. See reference [RFC5084].

    [MS-SMB2] 3.1.4.3 Encrypting the Message

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/24d74c0c-3de1-40d9-a949-d169ad84361d

    . . .

    Signature is set to a value generated using either the AES-128-CCM or AES-128-GCM algorithm as specified in [RFC5084] with the following input:

    • Nonce.AES128CCM_Nonce or Nonce.AES128GCM_Nonce based on the cipher specified by Connection.CipherId.
    • The SMB2 TRANSFORM_HEADER, excluding the ProtocolId and Signature fields, as the optional authenticated data.
    • The SMB2 message, including the header and the payload, as the data to be signed.

     

    Thanks,

    Edgar

    Thursday, October 31, 2019 3:30 PM
    Moderator

All replies

  • Hi, thank you for this inquiry. Can you please contact me at the following alias: dochelp [at] microsoft [dot] com

    Please address your message to my attention and mention this thread.

    Thanks,

    Edgar

    Monday, October 28, 2019 4:22 PM
    Moderator
  • Edgar,

      pls check the mail 

    Tuesday, October 29, 2019 8:56 AM
  • Hi,

    I did. Thank you!

    Edgar

    Tuesday, October 29, 2019 3:26 PM
    Moderator
  • As a summary of closure, we worked offline and this issue has been resolved.

    You confirmed that you can get the correct encrypted message. You identified the field that represents the output signature from the API you are using.

    Per AES-CCM RFC5084, the encryption algorithm provides message authentication, meaning it generates a signature as well.

    The Signature in the transform_header is one of the outputs of the encryption algorithm. The signature is U in as defined in [RFC3610] Section 2.3. Encryption https://tools.ietf.org/html/rfc3610. The authentication value U is truncated to the desired length. You found the equivalent of U for the AES-128-CCM library that you are using, and by supplying the right parameter values to the algorithm, that gave the signature with the desired length.

    As a background, the signature in the SMB2 TRANSFORM_HEADER authenticates the encrypted message. It is calculated as specified in Section [MS-SMB2] 3.1.4.3 Encrypting the Message. This is not about calculating the SMB2 message signature. When you encrypt, the encryption algorithms (AES-128-CCM or AES-128-GCM) have integrity property built-in and produces a signature. See reference [RFC5084].

    [MS-SMB2] 3.1.4.3 Encrypting the Message

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/24d74c0c-3de1-40d9-a949-d169ad84361d

    . . .

    Signature is set to a value generated using either the AES-128-CCM or AES-128-GCM algorithm as specified in [RFC5084] with the following input:

    • Nonce.AES128CCM_Nonce or Nonce.AES128GCM_Nonce based on the cipher specified by Connection.CipherId.
    • The SMB2 TRANSFORM_HEADER, excluding the ProtocolId and Signature fields, as the optional authenticated data.
    • The SMB2 message, including the header and the payload, as the data to be signed.

     

    Thanks,

    Edgar

    Thursday, October 31, 2019 3:30 PM
    Moderator