[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Agentx] SNMP v3 Security Considerations

To: <agentx at ietf.org>
Subject: Re: [Agentx] SNMP v3 Security Considerations
From: "Randy Presuhn" <randy_presuhn at mindspring.com>
Date: Fri, 13 Jun 2008 10:36:42 -0700
Delivered-to: ietfarch-agentx-web-archive at core3.amsl.com
Delivered-to: agentx at core3.amsl.com
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=PaxgbchXeIRYx3VAWq8anv3mw8Iv4L4Embbm6QY4W5OUTsfllQyoMDQaMC1Bt2TH; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
List-archive: <http://www.ietf.org/pipermail/agentx>
List-help: <mailto:agentx-request@ietf.org?subject=help>
List-id: SNMP Agent Extensibility <agentx.ietf.org>
List-post: <mailto:agentx@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/agentx>, <mailto:agentx-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/agentx>, <mailto:agentx-request@ietf.org?subject=unsubscribe>
References: <48528A12.3020800@aa.aeonnet.ne.jp>
Sender: agentx-bounces at ietf.org

Hi -

Though slightly off-topic for this list....

> From: <wbenton at aa.aeonnet.ne.jp>
> To: <agentx at ietf.org>
> Sent: Friday, June 13, 2008 7:54 AM
> Subject: [Agentx] SNMP v3 Security Considerations
...
> In that concern, I think a WARNING should be added for the following
> combinatoric usage:
> 
> 1) If SNMP v3 AuthPriv is used in combination with AuthNoPriv
> 2) If SNMP v3 AuthPriv is used in combination with NoAuthNoPriv
> 3) If SNMP v3 AuthPriv is used in combination with SNMP v2c
> 4) If SNMP v3 AuthPriv is used in combination with SNMP v1
> 
> All 4 of the above combinations include Encrypted data as well as
> PlainText data.
> 
> If any device is configured simultaneously with any one or more of the
> above combinations, they will be virtually giving away their Encryption
> Key because if a device is configured with any PlainText along side
> Encrypted text, it will make it very easy to crack the key!

It may be "very easy to crack the key" (for differing opinions of "very easy"),
but having some unencrypted messages available doesn't really make
the job significantly "easier."

First, the queries coming from most management systems are
rather predictable, except perhaps for the request-id.    Furthermore,
ASN.1 BER  encoding is predictable enough to allow an automated
brute-force attack to determine whether it has found the key. Having
access to other request/response pairs which are not encrypted
doesn't provide the attacker with a plaintext that is better known.

Secondly, and more importantly, having a plaintext is not all that
helpful in figuring out the key for CBC-DES - it just provides a
way of verifying that one has found the correct key.  However,
BER encoding is brittle enough that if the result of decrypting
with an attack key passes the parse unscathed, the key is likely
to be the right one. 

RFC 3826 could also be used if you wanted a different value for
"very easy".

Randy

References:
- [Agentx] SNMP v3 Security Considerations
  - From: wbenton at aa.aeonnet.ne.jp

Prev by Date: [Agentx] SNMP v3 Security Considerations
Next by Date: Learning Cas1no Games at Home
Previous by thread: [Agentx] SNMP v3 Security Considerations
Next by thread: Learning Cas1no Games at Home
Index(es):
- Date
- Thread