SMB 3.1 Quick Overview

Microsoft announced preview details about SMB 3.1 with the emphasis being on improved security.

SMB 3.0 already offered the ability to encrypt data packets. SMB 3.0 also offered an enhanced level of security that including signing to detect man in the middle attacks. The key shortcoming of SMB 3.0 (that is addressed in SMB 3.1) is that the SMB 3.0 signing algorithm first negotiates signing keys. These negotiation packets are vulnerable to a man in the middle attack that would cause the SMB protocol level negotiated down to CIFS (SMB 1), which is completely vulnerable. Effectively, somebody can bypass SMB 3.0 security features by making sure the data is exchanged using older less secure protocols other than SMB 3.0. SMB 3.1 allows both the client and the server to detect such attacks.

SMB 3.0 supports only AES-128-CCM as the sole encryption algorithm. SMB 3.1 extends the encryption capability in two ways:

  • SMB 3.1 allows for negotiation of the encryption algorithm and thus makes the encryption capability extensible
  • SMB 3.1 introduces AES-128-GCM as an encryption algorithm. AES-128-GCM is equally secure as AES-128-CMM, but much more conducive to computation and this enables higher IOPS and throughput.
  • SMB 3.1 continues to support Multi Channel where TCP channels are aggregated at the SMB protocol layer for both speed and reliability.

Finally, SMB 3.1 introduces the capability to have a mixed cluster where some cluster nodes are running SMB 3.0 and some are running SMB 3.1. The SMB 3.1 enhancements allow for clients that connect to a SMB 3.1 node to only failover to a node that is also running SMB 3.1

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: