String archiveId = sessionId + ".v" + currentVersion;
            storeSessionKeyInternal(archiveId, currentKey, "AES");

            // Store new key
            storeSessionKeyInternal(sessionId, newKey, "AES");
            keyVersions.put(sessionId, newVersion);
            keyCreationTimes.put(sessionId, System.currentTimeMillis());

    }

    @Test
    @DisplayName("Should support AES-256 cipher constants")
    void testAES256CipherConstants() {
        // Verify AES-256 constants are defined
        assertEquals(0x0003, Smb2EncryptionContext.CIPHER_AES_256_CCM, "AES-256-CCM constant should be defined");
        assertEquals(0x0004, Smb2EncryptionContext.CIPHER_AES_256_GCM, "AES-256-GCM constant should be defined");

        }

        @Test
        @DisplayName("createEncryptionContext selects AES-CCM for SMB 3.0 and AES-GCM for SMB 3.1.1")
        void createEncryptionContext_happyDialects() throws Exception {
            byte[] sessionKey = new byte[16];
            byte[] preauth = new byte[16];

            // SMB 3.0 -> AES-128-CCM
            setField(transport, "smb2", true);

- [PRF](#prf): HMAC-SHA-256
- [AEAD](#aead): AES-256-GCM if the CPU supports AES-NI, ChaCha20-Poly1305 otherwise. More specifically AES-256-GCM is only selected for X86-64 CPUs with AES-NI extension.

x[:], x[:]) return x } for len(m) >= aes.BlockSize { subtle.XORBytes(x[:], m[:aes.BlockSize], x[:]) if len(m) == aes.BlockSize { // Final complete block. subtle.XORBytes(x[:], c.k1[:], x[:]) } aes.EncryptBlockInternal(&c.b, x[:], x[:]) m = m[aes.BlockSize:] } if len(m) > 0 { // Final incomplete block. subtle.XORBytes(x[:], m, x[:]) subtle.XORBytes(x[:], c.k2[:], x[:]) x[len(m)] ^= 0b10000000 aes.EncryptBlockInternal(&c.b, x[:], x[:]) } return x } // shiftLeft sets x to x << 1, and returns MSB₁(x)....

    private static final int SIGNATURE_OFFSET = 48;
    private static final int SIGNATURE_LENGTH = 16;

    @BeforeAll
    static void setupClass() {
        // Ensure BouncyCastle provider is available for AES-CMAC
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    @BeforeEach
    void setup() {

    }

    @Test
    @DisplayName("Test log encryption")
    void testLogEncryption() {
        logger.logEncryption(true, "AES-128-GCM", "SMB3.1.1");

        Map<EventType, Long> stats = logger.getStatistics();
        assertEquals(Long.valueOf(1), stats.get(EventType.ENCRYPTION_ENABLED), "Should have 1 encryption event");
    }

    @Test

            if (cipherId == -1) {
                // Default to AES-128-GCM for SMB 3.1.1 if no cipher negotiated
                cipherId = EncryptionNegotiateContext.CIPHER_AES128_GCM;
            }
        } else if (dialect.atLeast(DialectVersion.SMB300)) {
            // SMB 3.0/3.0.2 only supports AES-128-CCM
            cipherId = EncryptionNegotiateContext.CIPHER_AES128_CCM;
        } else {

```java
public class SecureHandleStorage {
    private final SecretKey encryptionKey;
    
    public void saveEncrypted(HandleInfo handle, Path file) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);
        
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (CipherOutputStream cos = new CipherOutputStream(baos, cipher);

     * @since 2.2
     */
    String getPreferredCiphers();

    /**
     * Property {@code jcifs.smb.client.aes256Enabled} (boolean, default true)
     *
     * @return whether AES-256 encryption ciphers are enabled for SMB3.x
     * @since 2.2
     */
    boolean isAES256Enabled();

    /**
     * Property {@code jcifs.smb.client.compressionEnabled} (boolean, default false)
     *