// Determine key size based on cipher ID for AES-256 support
        int keyLength = getKeyLength();
        String transformation;

        // Select appropriate AES algorithm based on key length
        if (keyLength == 32) {
            // AES-256 support
            transformation = "AES/GCM/NoPadding";
        } else if (keyLength == 16) {
            // AES-128 (existing)

    /**
     * Processes access control entries (ACEs) for the given SMB1 file and adds them to the response data.
     *
     * @param responseData the response data to update
     * @param file the SMB1 file to process
     */
    protected void processAccessControlEntries(final ResponseData responseData, final SmbFile file) {
        try {
            final ACE[] aces = file.getSecurity(resolveSids);
            if (aces != null) {

            ms_usage = 8;
        case 23:
            ms_usage = 13;
        }
        return ms_usage;
    }

    /**
     * Calculates a MAC using HMAC-SHA1 with AES key derivation.
     * This method supports both AES-128 and AES-256 encryption types.
     *
     * @param usage the Kerberos key usage number for this operation
     * @param baseKey the base Kerberos key for key derivation

    public static final int NEGO_CTX_ENC_TYPE = 0x2;

    /**
     * AES 128 CCM
     */
    public static final int CIPHER_AES128_CCM = 0x1;

    /**
     * AES 128 GCM
     */
    public static final int CIPHER_AES128_GCM = 0x2;

    /**
     * AES 256 CCM
     */
    public static final int CIPHER_AES256_CCM = 0x3;

    /**
     * AES 256 GCM
     */
    public static final int CIPHER_AES256_GCM = 0x4;

- Configurable: Min/max versions can be set via configuration properties

### SMB3 Encryption Support
- **SMB2 Transform Header**: Encrypted message wrapping
- **AES-CCM/GCM Support**: Both AES-128-CCM (SMB 3.0/3.0.2) and AES-128-GCM (SMB 3.1.1) cipher suites
- **Encryption Context**: Per-session encryption state management
- **Key Derivation**: SMB3 KDF implementation with dialect-specific parameters

 * the access mask of the ACE, the access check is successful. Otherwise,
 * more ACEs are evaluated until all desired access bits (combined)
 * are "allowed". If all of the desired access bits are not "allowed"
 * the then same process is repeated for inherited ACEs.
 * <p>
 * For example, if user <code>WNET\alice</code> tries to open a file

e.g.:
To download `2021/taxes.csv` archived in `financial.zip` and stored under a bucket named `company-data`, you can issue a GET request using the following path 'company-data/financial.zip/2021/taxes.csv`

## Contents properties

    }

    /**
     * Processes access control entries (ACEs) for the given SMB file and adds them to the response data.
     *
     * @param responseData the response data to update
     * @param file the SMB file to process
     */
    protected void processAccessControlEntries(final ResponseData responseData, final SmbFile file) {
        try {
            final ACE[] aces = file.getSecurity(resolveSids);
            if (aces != null) {

    }

    @Test
    @DisplayName("Should handle AES encryption operations")
    void testAESOperations() throws Exception {
        // Given
        byte[] key = new byte[16]; // 128-bit key
        byte[] iv = new byte[16]; // 128-bit IV
        byte[] plaintext = "This is test data for AES encryption test".getBytes();

        new SecureRandom().nextBytes(key);

            assertNotNull(security1, "Security ACEs should not be null");
            assertNotNull(security2, "Security ACEs with resolve should not be null");
            assertNotNull(shareSecurity, "Share security ACEs should not be null");
            assertEquals(1, security1.length, "Should return expected number of ACEs");
            assertEquals(1, security2.length, "Should return expected number of ACEs");