How SMB3 is used in macOS
Server Message Block 3 (SMB3) is the default protocol for sharing files in macOS. SMB3 helps protect against tampering and eavesdropping by encrypting and signing data in flight. SMB3 also takes advantage of the following features:
Encryption: SMB3 provides end-to-end encryption to protect data and secure communication on untrusted networks. SMB3 in Yosemite uses AES-CCM for encryption to ensure communications between client and server are private.
Signing: To guard against tampering, SMB3 adds a signature to every packet transmitted over the wire. SMB3 uses AES-CMAC to generate and validate each signature, ensuring the packets haven’t been intercepted, changed, or replayed and that communication between hosts is authenticated and authorized.
Power efficiency: Both AES-CCM for encryption and AES-CMAC for signing are accelerated on modern Intel CPUs with AES instruction support.
Authentication: SMB supports Extended Authentication Security using Kerberos and NTLMv2.
Request concatenation: SMB features Resource Compounding, allowing multiple requests to be sent in a single request. In addition, SMB can use large reads and writes to make better use of faster networks as well as large maximum transmission unit (MTU) support for fast speeds on 10 Gigabit Ethernet. SMB aggressively caches file and folder properties and uses opportunistic locking to enable better caching of data. It can also transparently reconnect to servers in the event of a temporary disconnect.
Transparent reconnect: macOS supports Persistent Handles for transparent failover and reconnects to enterprise SMB3 file servers.
Compatibility: SMB automatically shares files between two Mac computers and between a Windows computer running Windows 8 and a Mac. In addition to supporting SMB3, Mac computers support SMB2 and SMB protocols, automatically selecting the appropriate protocol as needed. macOS 10.13 or later supports AFP only if the volume is formatted as HFS+. APFS-formatted volumes don’t support AFP.
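Because the protocol version is selected automatically, it is worth confirming what a mounted share actually negotiated. The following is an added example, not part of the original page: it parses output in the layout of `smbutil statshares -a` and flags shares that are not on SMB 3.x with signing on. The column layout, the function names and the sample share and server names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit negotiated SMB dialect and signing per mounted share.
# Assumes the `smbutil statshares -a` layout: a share name on its own line,
# followed by indented "ATTRIBUTE VALUE" lines.

audit_smb_shares() {
    # Reads statshares-style text on stdin and prints one line per share:
    #   <share> <dialect> signing=<TRUE|unknown> <OK|WEAK>
    awk '
        function emit() {
            if (share == "") return
            verdict = (ver ~ /^SMB_3/ && sign == "TRUE") ? "OK" : "WEAK"
            printf "%s %s signing=%s %s\n", share, ver, sign, verdict
        }
        # Skip rulers, the column header and blank lines.
        /^=+$/ || /^-+$/ || /^SHARE[ \t]/ || /^[ \t]*$/ { next }
        # An unindented line starts a new share record.
        /^[^ \t]/ { emit(); share = $1; ver = "unknown"; sign = "unknown"; next }
        $1 == "SMB_VERSION" { ver = $2 }
        $1 == "SIGNING_ON"  { sign = $2 }
        END { emit() }
    '
}

sample_statshares() {
    # Constructed sample input, not captured from a real system.
    cat <<'EOF'
==========================================
SHARE      ATTRIBUTE TYPE      VALUE
==========================================
projects
           SERVER_NAME         fs01.example.com
           SMB_VERSION         SMB_3.02
           SIGNING_SUPPORTED   TRUE
           SIGNING_ON          TRUE
------------------------------------------
legacy
           SERVER_NAME         nas-old.example.com
           SMB_VERSION         SMB_2.1
           SIGNING_SUPPORTED   TRUE
EOF
}

# On a Mac, audit the live mounts; elsewhere, fall back to the sample.
if command -v smbutil >/dev/null 2>&1; then
    smbutil statshares -a | audit_smb_shares
else
    sample_statshares | audit_smb_shares
fi
```

A share reported as WEAK either fell back to an older dialect or shows no SIGNING_ON attribute, so the signing protection described above is not confirmed for that session.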