- **Encryption Context**: Per-session encryption state management
- **Key Derivation**: SMB3 KDF implementation with dialect-specific parameters
- **Pre-Authentication Integrity**: SMB 3.1.1 PAI for preventing downgrade attacks
- **Automatic Detection**: Encryption automatically enabled when servers require it
- **Secure Key Management**: Proper key derivation and nonce generation

### Core Features

import jcifs.internal.util.SMBUtil;

/**
 * SMB2 Pre-authentication Integrity Negotiate Context.
 *
 * This negotiate context is used in SMB 3.1.1 to establish
 * pre-authentication integrity protection against downgrade attacks.
 *
 * @author mbechler
 */
public class PreauthIntegrityNegotiateContext implements NegotiateContextRequest, NegotiateContextResponse {

    /**
     * Context type
     */

 */
package jcifs.ntlmssp.av;

import jcifs.internal.util.SMBUtil;

/**
 * NTLMSSP AV pair representing timestamp information in NTLM authentication.
 * Contains time-based data used to prevent replay attacks and ensure message freshness.
 *
 * @author mbechler
 */
public class AvTimestamp extends AvPair {

    /**
     * Constructs an AvTimestamp from raw byte data
     *

import java.util.Collection;
import java.util.Map;
import org.jspecify.annotations.Nullable;

/**
 * An implementation of ImmutableMultiset backed by a JDK Map and a list of entries. Used to protect
 * against hash flooding attacks.
 *
 * @author Louis Wasserman
 */
@GwtCompatible
final class JdkBackedImmutableMultiset<E> extends ImmutableMultiset<E> {
  private final Map<E, Integer> delegateMap;
  private final ImmutableList<Entry<E>> entries;

 */
package jcifs.util;

import java.util.regex.Pattern;

/**
 * Comprehensive input validation utility for SMB protocol implementation.
 * Provides validation methods to prevent buffer overflows, injection attacks,
 * and other security vulnerabilities.
 */
public final class InputValidator {

    private InputValidator() {
        // Utility class
    }

import java.util.concurrent.atomic.AtomicLong;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import jcifs.smb.SmbException;

/**
 * Rate limiter for authentication attempts to prevent brute force attacks.
 *
 * Features:
 * - Per-account rate limiting
 * - Per-IP rate limiting
 * - Global rate limiting
 * - Exponential backoff for repeated failures
 * - Account lockout after threshold

        constantTimeCopy(output, message.length, authTag, 0, tagLength);

        return new EncryptionResult(ciphertext, authTag);
    }

    /**
     * Perform constant-time encryption to prevent timing attacks
     */
    private byte[] performConstantTimeEncryption(Cipher cipher, byte[] message) throws Exception {
        // Pad to fixed block size to prevent timing leaks
        int blockSize = cipher.getBlockSize();

            final byte[] cmp = new byte[SIGNATURE_LENGTH];
            System.arraycopy(mac.doFinal(), 0, cmp, 0, SIGNATURE_LENGTH);

            // Use constant-time comparison to prevent timing attacks
            if (!MessageDigest.isEqual(sig, cmp)) {
                return false; // Signature verification failed
            }
            return true; // Signature verification succeeded
        } finally {

import jcifs.internal.smb2.nego.PreauthIntegrityNegotiateContext;

/**
 * Enhanced Pre-Authentication Integrity Service for SMB 3.1.1.
 *
 * Provides comprehensive pre-authentication integrity protection against
 * downgrade attacks by maintaining cryptographic hash chains of all
 * negotiation and session setup messages.
 */
public class PreauthIntegrityService {

import java.util.regex.Pattern;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import jcifs.smb.SmbException;

/**
 * Path validation utility to prevent directory traversal and other path-based attacks.
 *
 * Features:
 * - Directory traversal prevention
 * - Path normalization
 * - Blacklist/whitelist support
 * - UNC path validation
 * - Special character filtering
 * - Length validation
 */