Monthly Archives: October 2014

SMB 3.1 Quick Overview

Microsoft announced preview details about SMB 3.1 with the emphasis being on improved security.

SMB 3.0 already offered the ability to encrypt data packets. SMB 3.0 also offered an enhanced level of security that includes signing to detect man-in-the-middle attacks. The key shortcoming of SMB 3.0 (addressed in SMB 3.1) is that the SMB 3.0 signing algorithm first negotiates signing keys. These negotiation packets are vulnerable to a man-in-the-middle attack that causes the SMB protocol level to be negotiated down to CIFS (SMB 1), which is completely vulnerable. In effect, somebody can bypass the SMB 3.0 security features by ensuring that the data is exchanged using older, less secure protocols rather than SMB 3.0. SMB 3.1 allows both the client and the server to detect such attacks.
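As an added illustration (not from the original post, and not the real SMB wire format), the following Python models why binding the negotiate exchange into the session signing key lets both peers notice a tampered negotiation: the message layouts, the chain hash and the key-derivation step are constructed assumptions, not the protocol's actual algorithms.

```python
import hashlib
import hmac

# Simplified model (constructed, not SMB's wire format): each side keeps a running
# hash of every negotiate message it sent or received, then folds that hash into
# the session signing key. If a man-in-the-middle rewrites the dialect list, the
# two sides hash different transcripts, their keys diverge, and the first signed
# message fails verification, so the downgrade is detected rather than silently accepted.

def negotiate_transcript(messages):
    """Chain-hash the negotiate messages in order: h = SHA-512(prev_h || msg)."""
    h = b"\x00" * 64
    for m in messages:
        h = hashlib.sha512(h + m).digest()
    return h

def derive_signing_key(session_key, transcript_hash):
    """Bind the signing key to what this side saw during negotiation (constructed KDF)."""
    return hmac.new(session_key, b"SigningKey" + transcript_hash, hashlib.sha256).digest()

def sign(key, payload):
    """Sign a message with the derived key (HMAC-SHA256 stands in for SMB signing)."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def run_session(tamper):
    """Return True if the server accepts the client's first signed message."""
    session_key = b"\x11" * 16  # stands in for the key obtained at authentication (constructed)
    client_req = b"NEGOTIATE dialects=3.1.1,3.0.2,3.0,2.1,2.0.2"
    # Tampered case: the server only ever sees an offer of the oldest dialect (constructed)
    seen_by_server = b"NEGOTIATE dialects=1.0" if tamper else client_req
    server_resp = b"NEGOTIATE_RESP dialect=" + (b"1.0" if tamper else b"3.1.1")
    # Each peer derives its key from the transcript it actually observed
    client_key = derive_signing_key(session_key, negotiate_transcript([client_req, server_resp]))
    server_key = derive_signing_key(session_key, negotiate_transcript([seen_by_server, server_resp]))
    msg = b"TREE_CONNECT \\\\fileserver\\share"
    return hmac.compare_digest(sign(client_key, msg), sign(server_key, msg))
```

With `tamper=False` both keys match and the session proceeds; with `tamper=True` the signature check fails on the very first message, which is the detection the post attributes to SMB 3.1.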

SMB 3.0 supports AES-128-CCM as its sole encryption algorithm. SMB 3.1 extends the encryption capability in two ways:

  • SMB 3.1 allows the encryption algorithm to be negotiated, which makes the encryption capability extensible.
  • SMB 3.1 introduces AES-128-GCM as an encryption algorithm. AES-128-GCM is as secure as AES-128-CCM but is much cheaper to compute, which enables higher IOPS and throughput.

SMB 3.1 also continues to support Multi Channel, where TCP channels are aggregated at the SMB protocol layer for both speed and reliability.

Finally, SMB 3.1 introduces the capability to run a mixed cluster in which some cluster nodes run SMB 3.0 and some run SMB 3.1. The SMB 3.1 enhancements allow a client that connects to an SMB 3.1 node to fail over only to a node that is also running SMB 3.1.