
Why are CIFS sessions not signed when both encryption and SMB signing are enabled on the SVM?

Applies to

  • ONTAP 9
  • CIFS
  • SMB signing
  • SMB encryption

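Answer

  • If a CIFS session is marked for both signing and encryption, SMB encryption supersedes SMB signing
    • Microsoft discusses this specific interaction in the following passage on SMB security enhancements
      • "SMB Encryption uses the Advanced Encryption Standard (AES)-GCM and CCM algorithms to encrypt and decrypt the data. AES-CMAC and AES-GMAC also provide data integrity validation (signing) for encrypted file shares, regardless of the SMB signing settings."
  • Because SMB encryption is a higher level of message security that also preserves integrity, encrypted sessions do not use SMB signing

Example: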

Cluster01::> vserver cifs security show -vserver SVM1 -fields is-signing-required,is-smb-encryption-required
vserver     is-signing-required is-smb-encryption-required
----------- ------------------- --------------------------
SVM1        true                true

Cluster01::> vserver cifs session show -vserver SVM1 -fields is-session-signed,smb-encryption-status
node         vserver    session-id          connection-id is-session-signed smb-encryption-status
------------ ---------- ------------------- ------------- ----------------- ---------------------
Cluster01-02 SVM1       5783747821497729909 952531972     false             encrypted
Cluster01-02 SVM1       5783747821497731202 952532894     false             encrypted
Cluster01-02 SVM1       5783747821497731343 952532985     false             encrypted
3 entries were displayed.

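  • If encryption is enforced at the share level rather than at the server level, you may still see signing enforced on partially encrypted sessions

Example: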

Cluster01::> vserver cifs security show -vserver SVM1 -fields is-signing-required,is-smb-encryption-required
vserver     is-signing-required is-smb-encryption-required
----------- ------------------- --------------------------
SVM1        true                false

Cluster01::> cifs share show -vserver SVM1 -share-name encrypted_share -fields share-properties
vserver share-name      share-properties
------- --------------- ----------------
SVM1    encrypted_share encrypt-data

Cluster01::> vserver cifs session show -vserver SVM1 -fields is-session-signed,smb-encryption-status,share-names
node         vserver session-id          connection-id is-session-signed smb-encryption-status share-names
------------ ------- ------------------- ------------- ----------------- --------------------- ---------------
Cluster01-02 SVM1    5783747821497729909 952531972     true              partially-encrypted   encrypted_share
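
The following is an added example, not NetApp code: an audit check that reads `vserver cifs session show` output and classifies each session by its effective integrity protection, so that encrypted sessions reporting `is-session-signed false` are not raised as findings. The sample table is constructed from the output format above; the fourth session ID, the `unencrypted` status value and the state labels are assumptions made for illustration.

```python
# Added example: classify ONTAP CIFS sessions by effective integrity protection.
# SAMPLE is constructed; the last row and the "unencrypted" value are assumptions.
SAMPLE = """\
node         vserver session-id          connection-id is-session-signed smb-encryption-status
------------ ------- ------------------- ------------- ----------------- ---------------------
Cluster01-02 SVM1    5783747821497729909 952531972     false             encrypted
Cluster01-02 SVM1    5783747821497731202 952532894     true              partially-encrypted
Cluster01-02 SVM1    5783747821497731343 952532985     false             partially-encrypted
Cluster01-02 SVM1    5783747821497731400 952533001     false             unencrypted
4 entries were displayed.
"""

def parse_sessions(text):
    """Parse the table printed by `vserver cifs session show -fields ...`."""
    lines = [l for l in text.splitlines() if l.strip()]
    # The header is the line directly above the dashed separator.
    sep = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    header = lines[sep - 1].split()
    rows = []
    for line in lines[sep + 1:]:
        fields = line.split()
        # Skip CLI prompts and the "N entries were displayed." trailer.
        if len(fields) != len(header) or line.rstrip().endswith("displayed."):
            continue
        rows.append(dict(zip(header, fields)))
    return rows

def integrity_state(row):
    """Map the two reported fields to one effective integrity state."""
    signed = row["is-session-signed"] == "true"
    enc = row["smb-encryption-status"]
    if enc == "encrypted":
        # Encryption supersedes signing; AES-CMAC/AES-GMAC cover integrity.
        return "protected-by-encryption"
    if enc == "partially-encrypted":
        # Only some shares are encrypted, so the rest depends on signing.
        return "protected" if signed else "partial-unsigned"
    return "signed" if signed else "unprotected"

def audit(text):
    """Return {session-id: state} for every session row in the CLI output."""
    return {r["session-id"]: integrity_state(r) for r in parse_sessions(text)}

if __name__ == "__main__":
    for sid, state in audit(SAMPLE).items():
        print(sid, state)
```

Only the `partial-unsigned` and `unprotected` states indicate traffic that may lack integrity protection and are worth reviewing.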
