The following diagram demonstrates using transport (QUIC) encryption instead of SMB2 encryption for SMB2 messages.
Figure 15: Negotiating Transport Level Encryption
1. The client establishes a QUIC transport connection to the server. Once the QUIC connection is established, the client starts communicating with the server using the SMB2 protocol over the QUIC transport. All SMB2 messages are encapsulated inside the QUIC protocol. "smb" is the ALPN used to identify SMB2 messages over QUIC. By default, all QUIC message payloads are encrypted on the wire, and so are the SMB2 messages they carry.
2. The client sends an SMB2 NEGOTIATE request with dialect 0x0311 in the Dialects array. An SMB2_TRANSPORT_CAPABILITIES negotiate context is added to NegotiateContextList to indicate whether transport level encryption is used or not.
When SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY is set in the context, transport level security is accepted and SMB2 encryption is skipped. Otherwise, SMB2 encryption is offered over the QUIC connection.
SMB2 Header
SMB2 Negotiate Protocol Request (0x00)
    StructureSize: 0x0024
    DialectCount: 5
    SecurityMode: 0x01, Signing enabled
    Reserved: 0
    Capabilities: 0x0000007F
    ClientGuid: 21a63604-ef37-11ea-bb9e-00155d546615
    NegotiateContextOffset: 0x00000070
    NegotiateContextCount: 4
    Reserved: 0
    Dialect: SMB 2.0.2 (0x0202)
    Dialect: SMB 2.1 (0x0210)
    Dialect: SMB 3.0 (0x0300)
    Dialect: SMB 3.0.2 (0x0302)
    Dialect: SMB 3.1.1 (0x0311)
    Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
    Negotiate Context: SMB2_TRANSPORT_CAPABILITIES
        ContextType: SMB2_TRANSPORT_CAPABILITIES (0x0006)
        DataLength: 4
        Reserved: 0
        Flags: SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY (0x00000001)
3. The server responds with an SMB2 NEGOTIATE response carrying the required negotiate contexts, including the SMB2_TRANSPORT_CAPABILITIES context. The server sets the SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY flag in that context, indicating that transport level encryption is accepted and SMB2 encryption is skipped over the QUIC connection.
SMB2 Header
SMB2 Negotiate Protocol Response (0x00)
    StructureSize: 0x0041
    SecurityMode: 0x03, Signing enabled, Signing required
    DialectRevision: SMB 3.1.1 (0x0311)
    NegotiateContextCount: 4
    ServerGuid: f782a72d-49f9-47a5-84de-fefd411065df
    Capabilities: 0x0000007F
    MaxTransactSize: 8388608
    MaxReadSize: 8388608
    MaxWriteSize: 8388608
    SystemTime: Jul 16, 2021 07:42:53.634690300 UTC
    ServerStartTime: 0
    SecurityBufferOffset: 0x00000080
    SecurityBufferLength: 120
    SecurityBlob: 607606062b0601050502a06c306aa03c303a060a2b06010401823702021e06092a864882…
    NegotiateContextOffset: 0x000000F8
    Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
    Negotiate Context: SMB2_TRANSPORT_CAPABILITIES
        ContextType: SMB2_TRANSPORT_CAPABILITIES (0x0006)
        DataLength: 4
        Reserved: 0
        Flags: SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY (0x00000001)
4. SMB2 messages continue to flow over the QUIC connection. There is no change to the SMB2 protocol messages themselves when the transport is QUIC.
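The exchange above turns on a single flag inside one negotiate context, so an operator inspecting a capture needs to locate that context and read its Flags field to know whether SMB2 encryption was skipped in favour of QUIC transport encryption. The following is an added example, not code from the specification: it encodes and decodes the SMB2_TRANSPORT_CAPABILITIES context using the MS-SMB2 negotiate context header layout (ContextType, DataLength, Reserved, Data, each context 8-byte aligned, little-endian) and reports which case applies. The second context of type 0x00FF in the sample buffer is constructed only to exercise the context walk.

```python
import struct

# Values taken from the negotiate context shown in the exchange above.
SMB2_TRANSPORT_CAPABILITIES = 0x0006
SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY = 0x00000001

# MS-SMB2 negotiate context header: ContextType (2 bytes), DataLength (2 bytes),
# Reserved (4 bytes), then DataLength bytes of Data; all fields little-endian.
# Each context in NegotiateContextList starts on an 8-byte boundary.
_CTX_HDR = struct.Struct("<HHI")


def build_transport_capabilities(accept_transport_security: bool) -> bytes:
    """Encode one SMB2_TRANSPORT_CAPABILITIES negotiate context (unpadded)."""
    flags = SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY if accept_transport_security else 0
    data = struct.pack("<I", flags)
    return _CTX_HDR.pack(SMB2_TRANSPORT_CAPABILITIES, len(data), 0) + data


def parse_negotiate_contexts(buf: bytes, count: int) -> list:
    """Walk `count` negotiate contexts starting at buf[0]; return (type, data) pairs.
    Truncated or over-long contexts raise instead of being silently accepted."""
    contexts, offset = [], 0
    for _ in range(count):
        if offset + _CTX_HDR.size > len(buf):
            raise ValueError("truncated negotiate context header")
        ctx_type, data_len, _reserved = _CTX_HDR.unpack_from(buf, offset)
        data = buf[offset + _CTX_HDR.size: offset + _CTX_HDR.size + data_len]
        if len(data) != data_len:
            raise ValueError("negotiate context data exceeds buffer")
        contexts.append((ctx_type, bytes(data)))
        offset += (_CTX_HDR.size + data_len + 7) & ~7   # advance to next 8-byte boundary
    return contexts


def smb2_encryption_skipped(contexts) -> bool:
    """True when SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY is set, i.e. SMB2 encryption is
    skipped and only QUIC transport encryption protects the messages. A missing
    context or a clear flag means SMB2 encryption is still offered over QUIC."""
    for ctx_type, data in contexts:
        if ctx_type == SMB2_TRANSPORT_CAPABILITIES and len(data) >= 4:
            (flags,) = struct.unpack_from("<I", data)
            return bool(flags & SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY)
    return False


# Constructed sample: the context from the exchange above (12 bytes, padded to 16),
# followed by a dummy context of type 0x00FF so the alignment logic is exercised.
SAMPLE = build_transport_capabilities(True) + b"\x00" * 4 + _CTX_HDR.pack(0x00FF, 2, 0) + b"\x12\x34"
```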