idnits 2.17.1 draft-ietf-snmpv3-usm-v2-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 86 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 87 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. ** The abstract seems to contain references ([RFC-ARCH]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 3426 has weird spacing: '...Hashing for M...' == Line 3555 has weird spacing: '...ageType any...' == Line 3612 has weird spacing: '... u_int pass...' == Line 3614 has weird spacing: '... u_int engi...' == Line 3660 has weird spacing: '... u_int pass...' == (1 more instance...) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (30 October 1998) is 9309 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC-USM' is mentioned on line 158, but not defined == Missing Reference: 'MD5' is mentioned on line 3535, but not defined == Missing Reference: 'Localized-key' is mentioned on line 3367, but not defined -- Looks like a reference, but probably isn't: '64' on line 3618 -- Looks like a reference, but probably isn't: '72' on line 3666 == Unused Reference: 'Localized-Key' is defined on line 3441, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 1321 ** Obsolete normative reference: RFC 1903 (Obsoleted by RFC 2579) ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416) ** Obsolete normative reference: RFC 1906 (Obsoleted by RFC 3417) ** Obsolete normative reference: RFC 1907 (Obsoleted by RFC 3418) ** Downref: Normative reference to an Informational RFC: RFC 2104 == Outdated reference: A later version (-05) exists of draft-ietf-snmpv3-arch-01 == Outdated reference: A later version (-05) exists of draft-ietf-snmpv3-mpc-01 -- Possible downref: Non-RFC (?) normative reference: ref. 'Localized-Key' -- Possible downref: Non-RFC (?) normative reference: ref. 'DES-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DES-ANSI' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESO-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESO-ANSI' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESG-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DEST-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESM-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'SHA-NIST' Summary: 16 errors (**), 0 flaws (~~), 17 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SNMPv3 Working Group U. Blumenthal 3 Internet-Draft IBM T. J. Watson Research 4 Will Obsolete: RFC2274 B. Wijnen 5 IBM T. J. Watson Research 6 30 October 1998 8 User-based Security Model (USM) for version 3 of the 9 Simple Network Management Protocol (SNMPv3) 11 13 Status of this Memo 15 This document is an Internet-Draft. Internet-Drafts are working 16 documents of the Internet Engineering Task Force (IETF), its areas, 17 and its working groups. Note that other groups may also distribute 18 working documents as Internet-Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet- Drafts as reference 23 material or to cite them other than as ``work in progress.'' 25 To learn the current status of any Internet-Draft, please check the 26 ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow 27 Directories on ftp.ietf.org (US East Coast), nic.nordu.net 28 (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific 29 Rim). 31 Copyright Notice 33 Copyright (C) The Internet Society (1998). All Rights Reserved. 35 Abstract 37 This document describes the User-based Security Model (USM) for SNMP 38 version 3 for use in the SNMP architecture [RFC-ARCH]. It defines 39 the Elements of Procedure for providing SNMP message level security. 40 This document also includes a MIB for remotely monitoring/managing 41 the configuration parameters for this Security Model. 43 Table of Contents 45 1. Introduction 4 46 1.1. Threats 4 47 1.2. Goals and Constraints 6 48 1.3. Security Services 6 49 1.4. Module Organization 7 50 1.4.1. Timeliness Module 8 51 1.4.2. Authentication Protocol 8 52 1.4.3. Privacy Protocol 8 53 1.5. Protection against Message Replay, Delay and Redirection 9 54 1.5.1. Authoritative SNMP engine 9 55 1.5.2. Mechanisms 9 56 1.6. Abstract Service Interfaces. 11 57 1.6.1. User-based Security Model Primitives for Authentication 11 58 1.6.2. User-based Security Model Primitives for Privacy 11 59 2. Elements of the Model 12 60 2.1. User-based Security Model Users 12 61 2.2. Replay Protection 13 62 2.2.1. msgAuthoritativeEngineID 14 63 2.2.2. msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 14 64 2.2.3. Time Window 15 65 2.3. Time Synchronization 15 66 2.4. SNMP Messages Using this Security Model 16 67 2.5. Services provided by the User-based Security Model 17 68 2.5.1. Services for Generating an Outgoing SNMP Message 17 69 2.5.2. Services for Processing an Incoming SNMP Message 19 70 2.6. Key Localization Algorithm. 21 71 3. Elements of Procedure 22 72 3.1. Generating an Outgoing SNMP Message 22 73 3.2. Processing an Incoming SNMP Message 25 74 4. Discovery 30 75 5. Definitions 31 76 6. HMAC-MD5-96 Authentication Protocol 50 77 6.1. Mechanisms 50 78 6.1.1. Digest Authentication Mechanism 50 79 6.2. Elements of the Digest Authentication Protocol 51 80 6.2.1. Users 51 81 6.2.2. msgAuthoritativeEngineID 51 82 6.2.3. SNMP Messages Using this Authentication Protocol 51 83 6.2.4. Services provided by the HMAC-MD5-96 Authentication Module 52 84 6.2.4.1. Services for Generating an Outgoing SNMP Message 52 85 6.2.4.2. Services for Processing an Incoming SNMP Message 53 86 6.3. Elements of Procedure 53 87 6.3.1. Processing an Outgoing Message 53 88 6.3.2. Processing an Incoming Message 54 89 7. HMAC-SHA-96 Authentication Protocol 56 90 7.1. Mechanisms 56 91 7.1.1. Digest Authentication Mechanism 56 92 7.2. Elements of the HMAC-SHA-96 Authentication Protocol 57 93 7.2.1. Users 57 94 7.2.2. msgAuthoritativeEngineID 57 95 7.2.3. SNMP Messages Using this Authentication Protocol 57 96 7.2.4. Services provided by the HMAC-SHA-96 Authentication Module 58 97 7.2.4.1. Services for Generating an Outgoing SNMP Message 58 98 7.2.4.2. Services for Processing an Incoming SNMP Message 59 99 7.3. Elements of Procedure 59 100 7.3.1. Processing an Outgoing Message 59 101 7.3.2. Processing an Incoming Message 60 102 8. CBC-DES Symmetric Encryption Protocol 62 103 8.1. Mechanisms 62 104 8.1.1. Symmetric Encryption Protocol 62 105 8.1.1.1. DES key and Initialization Vector. 63 106 8.1.1.2. Data Encryption. 63 107 8.1.1.3. Data Decryption 64 108 8.2. Elements of the DES Privacy Protocol 64 109 8.2.1. Users 64 110 8.2.2. msgAuthoritativeEngineID 65 111 8.2.3. SNMP Messages Using this Privacy Protocol 65 112 8.2.4. Services provided by the DES Privacy Module 65 113 8.2.4.1. Services for Encrypting Outgoing Data 65 114 8.2.4.2. Services for Decrypting Incoming Data 66 115 8.3. Elements of Procedure. 67 116 8.3.1. Processing an Outgoing Message 67 117 8.3.2. Processing an Incoming Message 67 118 9. Intellectual Property 68 119 10. Acknowledgements 68 120 11. Security Considerations 69 121 11.1. Recommended Practices 69 122 11.2. Defining Users 71 123 11.3. Conformance 72 124 12. References 73 125 13. Editors' Addresses 75 126 A.1. SNMP engine Installation Parameters 76 127 A.2. Password to Key Algorithm 78 128 A.2.1. Password to Key Sample Code for MD5 79 129 A.2.2. Password to Key Sample Code for SHA 80 130 A.3. Password to Key Sample Results 81 131 A.3.1. Password to Key Sample Results using MD5 81 132 A.3.2. Password to Key Sample Results using SHA 81 133 A.4. Sample encoding of msgSecurityParameters 82 134 A.5. Sample keyChange Results 83 135 A.5.1. Sample keyChange Results using MD5 83 136 A.5.2. Sample keyChange Results using SHA 84 137 B. Change Log 85 138 C. Full Copyright Statement 86 139 1. Introduction 141 The Architecture for describing Internet Management Frameworks [RFC- 142 ARCH] describes that an SNMP engine is composed of: 144 1) a Dispatcher 145 2) a Message Processing Subsystem, 146 3) a Security Subsystem, and 147 4) an Access Control Subsystem. 149 Applications make use of the services of these subsystems. 151 It is important to understand the SNMP architecture and the 152 terminology of the architecture to understand where the Security 153 Model described in this document fits into the architecture and 154 interacts with other subsystems within the architecture. The reader 155 is expected to have read and understood the description of the SNMP 156 architecture, as defined in [RFC-ARCH]. 158 This memo [RFC-USM] describes the User-based Security Model as it is 159 used within the SNMP Architecture. The main idea is that we use the 160 traditional concept of a user (identified by a userName) with which 161 to associate security information. 163 This memo describes the use of HMAC-MD5-96 and HMAC-SHA-96 as the 164 authentication protocols and the use of CBC-DES as the privacy 165 protocol. The User-based Security Model however allows for other such 166 protocols to be used instead of or concurrent with these protocols. 167 Therefore, the description of HMAC-MD5-96, HMAC-SHA-96 and CBC-DES 168 are in separate sections to reflect their self-contained nature and 169 to indicate that they can be replaced or supplemented in the future. 171 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 172 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 173 document are to be interpreted as described in [RFC2119]. 175 1.1. Threats 177 Several of the classical threats to network protocols are applicable 178 to the network management problem and therefore would be applicable 179 to any SNMP Security Model. Other threats are not applicable to the 180 network management problem. This section discusses principal 181 threats, secondary threats, and threats which are of lesser 182 importance. 184 The principal threats against which this SNMP Security Model should 185 provide protection are: 187 - Modification of Information 188 The modification threat is the danger that some unauthorized entity 189 may alter in-transit SNMP messages generated on behalf of an 190 authorized user in such a way as to effect unauthorized management 191 operations, including falsifying the value of an object. 193 - Masquerade 194 The masquerade threat is the danger that management operations not 195 authorized for some user may be attempted by assuming the identity 196 of another user that has the appropriate authorizations. 198 Two secondary threats are also identified. The Security Model 199 defined in this memo provides limited protection against: 201 - Disclosure 202 The disclosure threat is the danger of eavesdropping on the 203 exchanges between managed agents and a management station. 204 Protecting against this threat may be required as a matter of local 205 policy. 207 - Message Stream Modification 208 The SNMP protocol is typically based upon a connection-less 209 transport service which may operate over any sub-network service. 210 The re-ordering, delay or replay of messages can and does occur 211 through the natural operation of many such sub-network services. 212 The message stream modification threat is the danger that messages 213 may be maliciously re-ordered, delayed or replayed to an extent 214 which is greater than can occur through the natural operation of a 215 sub-network service, in order to effect unauthorized management 216 operations. 218 There are at least two threats that an SNMP Security Model need not 219 protect against. The security protocols defined in this memo do not 220 provide protection against: 222 - Denial of Service 223 This SNMP Security Model does not attempt to address the broad 224 range of attacks by which service on behalf of authorized users is 225 denied. Indeed, such denial-of-service attacks are in many cases 226 indistinguishable from the type of network failures with which any 227 viable network management protocol must cope as a matter of course. 228 - Traffic Analysis 229 This SNMP Security Model does not attempt to address traffic 230 analysis attacks. Indeed, many traffic patterns are predictable - 231 devices may be managed on a regular basis by a relatively small 232 number of management applications - and therefore there is no 233 significant advantage afforded by protecting against traffic 234 analysis. 236 1.2. Goals and Constraints 238 Based on the foregoing account of threats in the SNMP network 239 management environment, the goals of this SNMP Security Model are as 240 follows. 242 1) Provide for verification that each received SNMP message has 243 not been modified during its transmission through the network. 245 2) Provide for verification of the identity of the user on whose 246 behalf a received SNMP message claims to have been generated. 248 3) Provide for detection of received SNMP messages, which request 249 or contain management information, whose time of generation was 250 not recent. 252 4) Provide, when necessary, that the contents of each received 253 SNMP message are protected from disclosure. 255 In addition to the principal goal of supporting secure network 256 management, the design of this SNMP Security Model is also influenced 257 by the following constraints: 259 1) When the requirements of effective management in times of 260 network stress are inconsistent with those of security, the design 261 should prefer the former. 263 2) Neither the security protocol nor its underlying security 264 mechanisms should depend upon the ready availability of other 265 network services (e.g., Network Time Protocol (NTP) or key 266 management protocols). 268 3) A security mechanism should entail no changes to the basic 269 SNMP network management philosophy. 271 1.3. Security Services 273 The security services necessary to support the goals of this SNMP 274 Security Model are as follows: 276 - Data Integrity 277 is the provision of the property that data has not been altered or 278 destroyed in an unauthorized manner, nor have data sequences been 279 altered to an extent greater than can occur non-maliciously. 281 - Data Origin Authentication 282 is the provision of the property that the claimed identity of the 283 user on whose behalf received data was originated is corroborated. 285 - Data Confidentiality 286 is the provision of the property that information is not made 287 available or disclosed to unauthorized individuals, entities, or 288 processes. 290 - Message timeliness and limited replay protection 291 is the provision of the property that a message whose generation 292 time is outside of a specified time window is not accepted. Note 293 that message reordering is not dealt with and can occur in normal 294 conditions too. 296 For the protocols specified in this memo, it is not possible to 297 assure the specific originator of a received SNMP message; rather, it 298 is the user on whose behalf the message was originated that is 299 authenticated. 301 For these protocols, it not possible to obtain data integrity without 302 data origin authentication, nor is it possible to obtain data origin 303 authentication without data integrity. Further, there is no 304 provision for data confidentiality without both data integrity and 305 data origin authentication. 307 The security protocols used in this memo are considered acceptably 308 secure at the time of writing. However, the procedures allow for new 309 authentication and privacy methods to be specified at a future time 310 if the need arises. 312 1.4. Module Organization 314 The security protocols defined in this memo are split in three 315 different modules and each has its specific responsibilities such 316 that together they realize the goals and security services described 317 above: 319 - The authentication module MUST provide for: 321 - Data Integrity, 323 - Data Origin Authentication 325 - The timeliness module MUST provide for: 327 - Protection against message delay or replay (to an extent 328 greater than can occur through normal operation) 330 The privacy module MUST provide for 332 - Protection against disclosure of the message payload. 334 The timeliness module is fixed for the User-based Security Model 335 while there is provision for multiple authentication and/or privacy 336 modules, each of which implements a specific authentication or 337 privacy protocol respectively. 339 1.4.1. Timeliness Module 341 Section 3 (Elements of Procedure) uses the timeliness values in an 342 SNMP message to do timeliness checking. The timeliness check is only 343 performed if authentication is applied to the message. Since the 344 complete message is checked for integrity, we can assume that the 345 timeliness values in a message that passes the authentication module 346 are trustworthy. 348 1.4.2. Authentication Protocol 350 Section 6 describes the HMAC-MD5-96 authentication protocol which is 351 the first authentication protocol that MUST be supported with the 352 User-based Security Model. Section 7 describes the HMAC-SHA-96 353 authentication protocol which is another authentication protocol that 354 SHOULD be supported with the User-based Security Model. In the 355 future additional or replacement authentication protocols may be 356 defined as new needs arise. 358 The User-based Security Model prescribes that, if authentication is 359 used, then the complete message is checked for integrity in the 360 authentication module. 362 For a message to be authenticated, it needs to pass authentication 363 check by the authentication module and the timeliness check which is 364 a fixed part of this User-based Security model. 366 1.4.3. Privacy Protocol 368 Section 8 describes the CBC-DES Symmetric Encryption Protocol which 369 is the first privacy protocol to be used with the User-based Security 370 Model. In the future additional or replacement privacy protocols may 371 be defined as new needs arise. 373 The User-based Security Model prescribes that the scopedPDU is 374 protected from disclosure when a message is sent with privacy. 376 The User-based Security Model also prescribes that a message needs to 377 be authenticated if privacy is in use. 379 1.5. Protection against Message Replay, Delay and Redirection 381 1.5.1. Authoritative SNMP engine 383 In order to protect against message replay, delay and redirection, 384 one of the SNMP engines involved in each communication is designated 385 to be the authoritative SNMP engine. When an SNMP message contains a 386 payload which expects a response (for example a Get, GetNext, 387 GetBulk, Set or Inform PDU), then the receiver of such messages is 388 authoritative. When an SNMP message contains a payload which does 389 not expect a response (for example an SNMPv2-Trap, Response or Report 390 PDU), then the sender of such a message is authoritative. 392 1.5.2. Mechanisms 394 The following mechanisms are used: 396 1) To protect against the threat of message delay or replay (to an 397 extent greater than can occur through normal operation), a set of 398 timeliness indicators (for the authoritative SNMP engine) are 399 included in each message generated. An SNMP engine evaluates the 400 timeliness indicators to determine if a received message is 401 recent. An SNMP engine may evaluate the timeliness indicators to 402 ensure that a received message is at least as recent as the last 403 message it received from the same source. A non-authoritative 404 SNMP engine uses received authentic messages to advance its notion 405 of the timeliness indicators at the remote authoritative source. 407 An SNMP engine MUST also use a mechanism to match incoming 408 Responses to outstanding Requests and it MUST drop any Responses 409 that do not match an outstanding request. For example, a msgID can 410 be inserted in every message to cater for this functionality. 412 These mechanisms provide for the detection of authenticated 413 messages whose time of generation was not recent. 415 This protection against the threat of message delay or replay does 416 not imply nor provide any protection against unauthorized deletion 417 or suppression of messages. Also, an SNMP engine may not be able 418 to detect message reordering if all the messages involved are sent 419 within the Time Window interval. Other mechanisms defined 420 independently of the security protocol can also be used to detect 421 the re-ordering replay, deletion, or suppression of messages 422 containing Set operations (e.g., the MIB variable snmpSetSerialNo 423 [RFC1907]). 425 2) Verification that a message sent to/from one authoritative SNMP 426 engine cannot be replayed to/as-if-from another authoritative SNMP 427 engine. 429 Included in each message is an identifier unique to the 430 authoritative SNMP engine associated with the sender or intended 431 recipient of the message. 433 A Report, Response or Trap message sent by an authoritative SNMP 434 engine to one non-authoritative SNMP engine can potentially be 435 replayed to another non-authoritative SNMP engine. The latter 436 non-authoritative SNMP engine might (if it knows about the same 437 userName with the same secrets at the authoritative SNMP engine) 438 as a result update its notion of timeliness indicators of the 439 authoritative SNMP engine, but that is not considered a threat. 440 In this case, A Report or Response message will be discarded by 441 the Message Processing Model, because there should not be an 442 outstanding Request message. A Trap will possibly be accepted. 443 Again, that is not considered a threat, because the communication 444 was authenticated and timely. It is as if the authoritative SNMP 445 engine was configured to start sending Traps to the second SNMP 446 engine, which theoretically can happen without the knowledge of 447 the second SNMP engine anyway. Anyway, the second SNMP engine may 448 not expect to receive this Trap, but is allowed to see the 449 management information contained in it. 451 3) Detection of messages which were not recently generated. 453 A set of time indicators are included in the message, indicating 454 the time of generation. Messages without recent time indicators 455 are not considered authentic. In addition, an SNMP engine MUST 456 drop any Responses that do not match an outstanding request. This 457 however is the responsibility of the Message Processing Model. 459 This memo allows the same user to be defined on multiple SNMP 460 engines. Each SNMP engine maintains a value, snmpEngineID, which 461 uniquely identifies the SNMP engine. This value is included in each 462 message sent to/from the SNMP engine that is authoritative (see 463 section 1.5.1). On receipt of a message, an authoritative SNMP 464 engine checks the value to ensure that it is the intended recipient, 465 and a non-authoritative SNMP engine uses the value to ensure that the 466 message is processed using the correct state information. 468 Each SNMP engine maintains two values, snmpEngineBoots and 469 snmpEngineTime, which taken together provide an indication of time at 470 that SNMP engine. Both of these values are included in an 471 authenticated message sent to/received from that SNMP engine. On 472 receipt, the values are checked to ensure that the indicated 473 timeliness value is within a Time Window of the current time. The 474 Time Window represents an administrative upper bound on acceptable 475 delivery delay for protocol messages. 477 For an SNMP engine to generate a message which an authoritative SNMP 478 engine will accept as authentic, and to verify that a message 479 received from that authoritative SNMP engine is authentic, such an 480 SNMP engine must first achieve timeliness synchronization with the 481 authoritative SNMP engine. See section 2.3. 483 1.6. Abstract Service Interfaces. 485 Abstract service interfaces have been defined to describe the 486 conceptual interfaces between the various subsystems within an SNMP 487 entity. Similarly a set of abstract service interfaces have been 488 defined within the User-based Security Model (USM) to describe the 489 conceptual interfaces between the generic USM services and the self- 490 contained authentication and privacy services. 492 These abstract service interfaces are defined by a set of primitives 493 that define the services provided and the abstract data elements that 494 must be passed when the services are invoked. This section lists the 495 primitives that have been defined for the User-based Security Model. 497 1.6.1. User-based Security Model Primitives for Authentication 499 The User-based Security Model provides the following internal 500 primitives to pass data back and forth between the Security Model 501 itself and the authentication service: 503 statusInformation = 504 authenticateOutgoingMsg( 505 IN authKey -- secret key for authentication 506 IN wholeMsg -- unauthenticated complete message 507 OUT authenticatedWholeMsg -- complete authenticated message 508 ) 510 statusInformation = 511 authenticateIncomingMsg( 512 IN authKey -- secret key for authentication 513 IN authParameters -- as received on the wire 514 IN wholeMsg -- as received on the wire 515 OUT authenticatedWholeMsg -- complete authenticated message 516 ) 518 1.6.2. User-based Security Model Primitives for Privacy 520 The User-based Security Model provides the following internal 521 primitives to pass data back and forth between the Security Model 522 itself and the privacy service: 524 statusInformation = 525 encryptData( 526 IN encryptKey -- secret key for encryption 527 IN dataToEncrypt -- data to encrypt (scopedPDU) 528 OUT encryptedData -- encrypted data (encryptedPDU) 529 OUT privParameters -- filled in by service provider 530 ) 532 statusInformation = 533 decryptData( 534 IN decryptKey -- secret key for decrypting 535 IN privParameters -- as received on the wire 536 IN encryptedData -- encrypted data (encryptedPDU) 537 OUT decryptedData -- decrypted data (scopedPDU) 538 ) 540 2. Elements of the Model 542 This section contains definitions required to realize the security 543 model defined by this memo. 545 2.1. User-based Security Model Users 547 Management operations using this Security Model make use of a defined 548 set of user identities. For any user on whose behalf management 549 operations are authorized at a particular SNMP engine, that SNMP 550 engine must have knowledge of that user. An SNMP engine that wishes 551 to communicate with another SNMP engine must also have knowledge of a 552 user known to that engine, including knowledge of the applicable 553 attributes of that user. 555 A user and its attributes are defined as follows: 557 userName 558 A string representing the name of the user. 560 securityName 561 A human-readable string representing the user in a format that is 562 Security Model independent. 564 authProtocol 565 An indication of whether messages sent on behalf of this user can 566 be authenticated, and if so, the type of authentication protocol 567 which is used. Two such protocols are defined in this memo: 568 - the HMAC-MD5-96 authentication protocol. 569 - the HMAC-SHA-96 authentication protocol. 571 authKey 572 If messages sent on behalf of this user can be authenticated, 573 the (private) authentication key for use with the authentication 574 protocol. Note that a user's authentication key will normally 575 be different at different authoritative SNMP engines. The authKey 576 is not accessible via SNMP. The length requirements of the authKey 577 are defined by the authProtocol in use. 579 authKeyChange and authOwnKeyChange 580 The only way to remotely update the authentication key. Does 581 that in a secure manner, so that the update can be completed 582 without the need to employ privacy protection. 584 privProtocol 585 An indication of whether messages sent on behalf of this user 586 can be protected from disclosure, and if so, the type of privacy 587 protocol which is used. One such protocol is defined in this 588 memo: the CBC-DES Symmetric Encryption Protocol. 590 privKey 591 If messages sent on behalf of this user can be en/decrypted, 592 the (private) privacy key for use with the privacy protocol. 593 Note that a user's privacy key will normally be different at 594 different authoritative SNMP engines. The privKey is not 595 accessible via SNMP. The length requirements of the privKey are 596 defined by the privProtocol in use. 598 privKeyChange and privOwnKeyChange 599 The only way to remotely update the encryption key. Does that 600 in a secure manner, so that the update can be completed without 601 the need to employ privacy protection. 603 2.2. Replay Protection 605 Each SNMP engine maintains three objects: 607 - snmpEngineID, which (at least within an administrative domain) 608 uniquely and unambiguously identifies an SNMP engine. 610 - snmpEngineBoots, which is a count of the number of times the 611 SNMP engine has re-booted/re-initialized since snmpEngineID 612 was last configured; and, 614 - snmpEngineTime, which is the number of seconds since the 615 snmpEngineBoots counter was last incremented. 617 Each SNMP engine is always authoritative with respect to these 618 objects in its own SNMP entity. It is the responsibility of a 619 non-authoritative SNMP engine to synchronize with the 620 authoritative SNMP engine, as appropriate. 622 An authoritative SNMP engine is required to maintain the values of 623 its snmpEngineID and snmpEngineBoots in non-volatile storage. 625 2.2.1. msgAuthoritativeEngineID 627 The msgAuthoritativeEngineID value contained in an authenticated 628 message is used to defeat attacks in which messages from one SNMP 629 engine to another SNMP engine are replayed to a different SNMP 630 engine. It represents the snmpEngineID at the authoritative SNMP 631 engine involved in the exchange of the message. 633 When an authoritative SNMP engine is first installed, it sets its 634 local value of snmpEngineID according to a enterprise-specific 635 algorithm (see the definition of the Textual Convention for 636 SnmpEngineID in the SNMP Architecture document [RFC-ARCH]). 638 2.2.2. msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 640 The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 641 values contained in an authenticated message are used to defeat 642 attacks in which messages are replayed when they are no longer 643 valid. They represent the snmpEngineBoots and snmpEngineTime 644 values at the authoritative SNMP engine involved in the exchange 645 of the message. 647 Through use of snmpEngineBoots and snmpEngineTime, there is no 648 requirement for an SNMP engine to have a non-volatile clock which 649 ticks (i.e., increases with the passage of time) even when the 650 SNMP engine is powered off. Rather, each time an SNMP engine 651 re-boots, it retrieves, increments, and then stores snmpEngineBoots 652 in non-volatile storage, and resets snmpEngineTime to zero. 654 When an SNMP engine is first installed, it sets its local values 655 of snmpEngineBoots and snmpEngineTime to zero. If snmpEngineTime 656 ever reaches its maximum value (2147483647), then snmpEngineBoots 657 is incremented as if the SNMP engine has re-booted and 658 snmpEngineTime is reset to zero and starts incrementing again. 660 Each time an authoritative SNMP engine re-boots, any SNMP engines 661 holding that authoritative SNMP engine's values of snmpEngineBoots 662 and snmpEngineTime need to re-synchronize prior to sending 663 correctly authenticated messages to that authoritative SNMP engine 664 (see Section 2.3 for (re-)synchronization procedures). Note, 665 however, that the procedures do provide for a notification to be 666 accepted as authentic by a receiving SNMP engine, when sent by an 667 authoritative SNMP engine which has re-booted since the receiving 668 SNMP engine last (re-)synchronized. 670 If an authoritative SNMP engine is ever unable to determine its 671 latest snmpEngineBoots value, then it must set its snmpEngineBoots 672 value to 2147483647. 674 Whenever the local value of snmpEngineBoots has the value 2147483647 675 it latches at that value and an authenticated message always causes 676 an notInTimeWindow authentication failure. 678 In order to reset an SNMP engine whose snmpEngineBoots value has 679 reached the value 2147483647, manual intervention is required. 680 The engine must be physically visited and re-configured, either 681 with a new snmpEngineID value, or with new secret values for the 682 authentication and privacy protocols of all users known to that 683 SNMP engine. Note that even if an SNMP engine re-boots once a second 684 that it would still take approximately 68 years before the max value 685 of 2147483647 would be reached. 687 2.2.3. Time Window 689 The Time Window is a value that specifies the window of time in 690 which a message generated on behalf of any user is valid. This 691 memo specifies that the same value of the Time Window, 150 seconds, 692 is used for all users. 694 2.3. Time Synchronization 696 Time synchronization, required by a non-authoritative SNMP engine 697 in order to proceed with authentic communications, has occurred 698 when the non-authoritative SNMP engine has obtained a local notion 699 of the authoritative SNMP engine's values of snmpEngineBoots and 700 snmpEngineTime from the authoritative SNMP engine. These values 701 must be (and remain) within the authoritative SNMP engine's Time 702 Window. So the local notion of the authoritative SNMP engine's 703 values must be kept loosely synchronized with the values stored 704 at the authoritative SNMP engine. In addition to keeping a local 705 copy of snmpEngineBoots and snmpEngineTime from the authoritative 706 SNMP engine, a non-authoritative SNMP engine must also keep one 707 local variable, latestReceivedEngineTime. This value records the 708 highest value of snmpEngineTime that was received by the 709 non-authoritative SNMP engine from the authoritative SNMP engine 710 and is used to eliminate the possibility of replaying messages 711 that would prevent the non-authoritative SNMP engine's notion of 712 the snmpEngineTime from advancing. 714 A non-authoritative SNMP engine must keep local notions of these 715 values 716 (snmpEngineBoots, snmpEngineTime and latestReceivedEngineTime) 717 for each authoritative SNMP engine with which it wishes to 718 communicate. Since each authoritative SNMP engine is uniquely 719 and unambiguously identified by its value of snmpEngineID, the 720 non-authoritative SNMP engine may use this value as a key in 721 order to cache its local notions of these values. 723 Time synchronization occurs as part of the procedures of receiving 724 an SNMP message (Section 3.2, step 7b). As such, no explicit time 725 synchronization procedure is required by a non-authoritative SNMP 726 engine. Note, that whenever the local value of snmpEngineID is 727 changed (e.g., through discovery) or when secure communications 728 are first established with an authoritative SNMP engine, the local 729 values of snmpEngineBoots and latestReceivedEngineTime should be 730 set to zero. This will cause the time synchronization to occur 731 when the next authentic message is received. 733 2.4. SNMP Messages Using this Security Model 735 The syntax of an SNMP message using this Security Model adheres 736 to the message format defined in the version-specific Message 737 Processing Model document (for example [RFC-MPD]). 739 The field msgSecurityParameters in SNMPv3 messages has a data type 740 of OCTET STRING. Its value is the BER serialization of the 741 following ASN.1 sequence: 743 USMSecurityParametersSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN 745 UsmSecurityParameters ::= 746 SEQUENCE { 747 -- global User-based security parameters 748 msgAuthoritativeEngineID OCTET STRING, 749 msgAuthoritativeEngineBoots INTEGER (0..2147483647), 750 msgAuthoritativeEngineTime INTEGER (0..2147483647), 751 msgUserName OCTET STRING (SIZE(0..32)), 752 -- authentication protocol specific parameters 753 msgAuthenticationParameters OCTET STRING, 754 -- privacy protocol specific parameters 755 msgPrivacyParameters OCTET STRING 756 } 757 END 759 The fields of this sequence are: 761 - The msgAuthoritativeEngineID specifies the snmpEngineID of the 762 authoritative SNMP engine involved in the exchange of the message. 764 - The msgAuthoritativeEngineBoots specifies the snmpEngineBoots value 765 at the authoritative SNMP engine involved in the exchange of the 766 message. 768 - The msgAuthoritativeEngineTime specifies the snmpEngineTime value 769 at the authoritative SNMP engine involved in the exchange of the 770 message. 772 - The msgUserName specifies the user (principal) on whose behalf the 773 message is being exchanged. Note that a zero-length userName will 774 not match any user, but it can be used for snmpEngineID discovery. 776 - The msgAuthenticationParameters are defined by the authentication 777 protocol in use for the message, as defined by the 778 usmUserAuthProtocol column in the user's entry in the usmUserTable. 780 - The msgPrivacyParameters are defined by the privacy protocol in use 781 for the message, as defined by the usmUserPrivProtocol column in 782 the user's entry in the usmUserTable). 784 See appendix A.4 for an example of the BER encoding of field 785 msgSecurityParameters. 787 2.5. Services provided by the User-based Security Model 789 This section describes the services provided by the User-based 790 Security Model with their inputs and outputs. 792 The services are described as primitives of an abstract service 793 interface and the inputs and outputs are described as abstract data 794 elements as they are passed in these abstract service primitives. 796 2.5.1. Services for Generating an Outgoing SNMP Message 798 When the Message Processing (MP) Subsystem invokes the User-based 799 Security module to secure an outgoing SNMP message, it must use the 800 appropriate service as provided by the Security module. These two 801 services are provided: 803 1) A service to generate a Request message. The abstract service 804 primitive is: 806 statusInformation = -- success or errorIndication 807 generateRequestMsg( 808 IN messageProcessingModel -- typically, SNMP version 809 IN globalData -- message header, admin data 810 IN maxMessageSize -- of the sending SNMP entity 811 IN securityModel -- for the outgoing message 812 IN securityEngineID -- authoritative SNMP entity 813 IN securityName -- on behalf of this principal 814 IN securityLevel -- Level of Security requested 815 IN scopedPDU -- message (plaintext) payload 816 OUT securityParameters -- filled in by Security Module 817 OUT wholeMsg -- complete generated message 818 OUT wholeMsgLength -- length of generated message 819 ) 821 2) A service to generate a Response message. The abstract service 822 primitive is: 824 statusInformation = -- success or errorIndication 825 generateResponseMsg( 826 IN messageProcessingModel -- typically, SNMP version 827 IN globalData -- message header, admin data 828 IN maxMessageSize -- of the sending SNMP entity 829 IN securityModel -- for the outgoing message 830 IN securityEngineID -- authoritative SNMP entity 831 IN securityName -- on behalf of this principal 832 IN securityLevel -- Level of Security requested 833 IN scopedPDU -- message (plaintext) payload 834 IN securityStateReference -- reference to security state 835 -- information from original 836 -- request 837 OUT securityParameters -- filled in by Security Module 838 OUT wholeMsg -- complete generated message 839 OUT wholeMsgLength -- length of generated message 840 ) 842 The abstract data elements passed as parameters in the abstract 843 service primitives are as follows: 845 statusInformation 846 An indication of whether the encoding and securing of the message 847 was successful. If not it is an indication of the problem. 848 essageProcessingModel 849 The SNMP version number for the message to be generated. This 850 data is not used by the User-based Security module. 851 globalData 852 The message header (i.e., its administrative information). This 853 data is not used by the User-based Security module. 854 maxMessageSize 855 The maximum message size as included in the message. This data is 856 not used by the User-based Security module. 857 securityParameters 858 These are the security parameters. They will be filled in by the 859 User-based Security module. 861 securityModel 862 The securityModel in use. Should be User-based Security Model. 863 This data is not used by the User-based Security module. 864 securityName 865 Together with the snmpEngineID it identifies a row in the 866 usmUserTable that is to be used for securing the message. The 867 securityName has a format that is independent of the Security 868 Model. In case of a response this parameter is ignored and the 869 value from the cache is used. 870 securityLevel 871 The Level of Security from which the User-based Security module 872 determines if the message needs to be protected from disclosure 873 and if the message needs to be authenticated. In case of a 874 response this parameter is ignored and the value from the cache is 875 used. 876 securityEngineID 877 The snmpEngineID of the authoritative SNMP engine to which a 878 Request message is to be sent. In case of a response it is implied 879 to be the processing SNMP engine's snmpEngineID and so if it is 880 specified, then it is ignored. 881 scopedPDU 882 The message payload. The data is opaque as far as the User-based 883 Security Model is concerned. 884 securityStateReference 885 A handle/reference to cachedSecurityData to be used when securing 886 an outgoing Response message. This is the exact same 887 handle/reference as it was generated by the User-based Security 888 module when processing the incoming Request message to which this 889 is the Response message. 890 wholeMsg 891 The fully encoded and secured message ready for sending on the 892 wire. 893 wholeMsgLength 894 The length of the encoded and secured message (wholeMsg). 896 Upon completion of the process, the User-based Security module 897 returns statusInformation. If the process was successful, the 898 completed message with privacy and authentication applied if such was 899 requested by the specified securityLevel is returned. If the process 900 was not successful, then an errorIndication is returned. 902 2.5.2. Services for Processing an Incoming SNMP Message 904 When the Message Processing (MP) Subsystem invokes the User-based 905 Security module to verify proper security of an incoming message, it 906 must use the service provided for an incoming message. The abstract 907 service primitive is: 909 statusInformation = -- errorIndication or success 910 -- error counter OID/value if error 911 processIncomingMsg( 912 IN messageProcessingModel -- typically, SNMP version 913 IN maxMessageSize -- of the sending SNMP entity 914 IN securityParameters -- for the received message 915 IN securityModel -- for the received message 916 IN securityLevel -- Level of Security 917 IN wholeMsg -- as received on the wire 918 IN wholeMsgLength -- length as received on the wire 919 OUT securityEngineID -- authoritative SNMP entity 920 OUT securityName -- identification of the principal 921 OUT scopedPDU, -- message (plaintext) payload 922 OUT maxSizeResponseScopedPDU -- maximum size of the Response PDU 923 OUT securityStateReference -- reference to security state 924 ) -- information, needed for response 926 The abstract data elements passed as parameters in the abstract 927 service primitives are as follows: 929 statusInformation 930 An indication of whether the process was successful or not. If 931 not, then the statusInformation includes the OID and the value of 932 the error counter that was incremented. 933 messageProcessingModel 934 The SNMP version number as received in the message. This data is 935 not used by the User-based Security module. 936 maxMessageSize 937 The maximum message size as included in the message. The User- 938 based Security module uses this value to calculate the 939 maxSizeResponseScopedPDU. 940 securityParameters 941 These are the security parameters as received in the message. 942 securityModel 943 The securityModel in use. Should be the User-based Security 944 Model. This data is not used by the User-based Security module. 945 securityLevel 946 The Level of Security from which the User-based Security module 947 determines if the message needs to be protected from disclosure 948 and if the message needs to be authenticated. 949 wholeMsg 950 The whole message as it was received. 951 wholeMsgLength 952 The length of the message as it was received (wholeMsg). 953 securityEngineID 954 The snmpEngineID that was extracted from the field 955 msgAuthoritativeEngineID and that was used to lookup the secrets 956 in the usmUserTable. 958 securityName 959 The security name representing the user on whose behalf the 960 message was received. The securityName has a format that is 961 independent of the Security Model. 962 scopedPDU 963 The message payload. The data is opaque as far as the User-based 964 Security Model is concerned. 965 maxSizeResponseScopedPDU 966 The maximum size of a scopedPDU to be included in a possible 967 Response message. The User-base Security module calculates this 968 size based on the mms (as received in the message) and the space 969 required for the message header (including the securityParameters) 970 for such a Response message. 971 securityStateReference 972 A handle/reference to cachedSecurityData to be used when securing 973 an outgoing Response message. When the Message Processing 974 Subsystem calls the User-based Security module to generate a 975 response to this incoming message it must pass this 976 handle/reference. 978 Upon completion of the process, the User-based Security module 979 returns statusInformation and, if the process was successful, the 980 additional data elements for further processing of the message. If 981 the process was not successful, then an errorIndication, possibly 982 with a OID and value pair of an error counter that was incremented. 984 2.6. Key Localization Algorithm. 986 A localized key is a secret key shared between a user U and one 987 authoritative SNMP engine E. Even though a user may have only one 988 password and therefore one key for the whole network, the actual 989 secrets shared between the user and each authoritative SNMP engine 990 will be different. This is achieved by key localization [Localized- 991 key]. 993 First, if a user uses a password, then the user's password is 994 converted into a key Ku using one of the two algorithms described in 995 Appendices A.2.1 and A.2.2. 997 To convert key Ku into a localized key Kul of user U at the 998 authoritative SNMP engine E, one appends the snmpEngineID of the 999 authoritative SNMP engine to the key Ku and then appends the key Ku 1000 to the result, thus enveloping the snmpEngineID within the two copies 1001 of user's key Ku. Then one runs a secure hash function (which one 1002 depends on the authentication protocol defined for this user U at 1003 authoritative SNMP engine E; this document defines two authentication 1004 protocols with their associated algorithms based on MD5 and SHA). The 1005 output of the hash-function is the localized key Kul for user U at 1006 the authoritative SNMP engine E. 1008 3. Elements of Procedure 1010 This section describes the security related procedures followed by an 1011 SNMP engine when processing SNMP messages according to the User-based 1012 Security Model. 1014 3.1. Generating an Outgoing SNMP Message 1016 This section describes the procedure followed by an SNMP engine 1017 whenever it generates a message containing a management operation 1018 (like a request, a response, a notification, or a report) on behalf 1019 of a user, with a particular securityLevel. 1021 1) a) If any securityStateReference is passed (Response message), 1022 then information concerning the user is extracted from the 1023 cachedSecurityData. The securityEngineID and the 1024 securityLevel are extracted from the cachedSecurityData. The 1025 cachedSecurityData can now be discarded. 1027 Otherwise, 1029 b) based on the securityName, information concerning the user at 1030 the destination snmpEngineID, specified by the 1031 securityEngineID, is extracted from the Local Configuration 1032 Datastore (LCD, usmUserTable). If information about the user 1033 is absent from the LCD, then an error indication 1034 (unknownSecurityName) is returned to the calling module. 1036 2) If the securityLevel specifies that the message is to be 1037 protected from disclosure, but the user does not support both 1038 an authentication and a privacy protocol then the message 1039 cannot be sent. An error indication 1040 (unsupportedSecurityLevel) is returned to the calling module. 1042 3) If the securityLevel specifies that the message is to be 1043 authenticated, but the user does not support an authentication 1044 protocol, then the message cannot be sent. An error indication 1045 (unsupportedSecurityLevel) is returned to the calling module. 1047 4) a) If the securityLevel specifies that the message is to be 1048 protected from disclosure, then the octet sequence 1049 representing the serialized scopedPDU is encrypted according 1050 to the user's privacy protocol. To do so a call is made to the 1051 privacy module that implements the user's privacy protocol 1052 according to the abstract primitive: 1054 statusInformation = -- success or failure 1055 encryptData( 1056 IN encryptKey -- user's localized privKey 1057 IN dataToEncrypt -- serialized scopedPDU 1058 OUT encryptedData -- serialized encryptedPDU 1059 OUT privParameters -- serialized privacy parameters 1060 ) 1062 statusInformation 1063 indicates if the encryption process was successful or not. 1064 encryptKey 1065 the user's localized private privKey is the secret key that 1066 can be used by the encryption algorithm. 1067 dataToEncrypt 1068 the serialized scopedPDU is the data to be encrypted. 1069 encryptedData 1070 the encryptedPDU represents the encrypted scopedPDU, 1071 encoded as an OCTET STRING. 1072 privParameters 1073 the privacy parameters, encoded as an OCTET STRING. 1075 If the privacy module returns failure, then the message cannot 1076 be sent and an error indication (encryptionError) is returned 1077 to the calling module. 1079 If the privacy module returns success, then the returned 1080 privParameters are put into the msgPrivacyParameters field of 1081 the securityParameters and the encryptedPDU serves as the 1082 payload of the message being prepared. 1084 Otherwise, 1086 b) If the securityLevel specifies that the message is not to be 1087 be protected from disclosure, then a zero-length OCTET STRING 1088 is encoded into the msgPrivacyParameters field of the 1089 securityParameters and the plaintext scopedPDU serves as the 1090 payload of the message being prepared. 1092 5) The securityEngineID is encoded as an OCTET STRING into the 1093 msgAuthoritativeEngineID field of the securityParameters. 1094 Note that an empty (zero length) securityEngineID is OK for a 1095 Request message, because that will cause the remote 1096 (authoritative) SNMP engine to return a Report PDU with the 1097 proper securityEngineID included in the 1098 msgAuthoritativeEngineID in the securityParameters of that 1099 returned Report PDU. 1101 6) a) If the securityLevel specifies that the message is to be 1102 authenticated, then the current values of snmpEngineBoots and 1103 snmpEngineTime corresponding to the securityEngineID from the 1104 LCD are used. 1106 Otherwise, 1108 b) If this is a Response message, then the current value of 1109 snmpEngineBoots and snmpEngineTime corresponding to the local 1110 snmpEngineID from the LCD are used. 1112 Otherwise, 1114 c) If this is a Request message, then a zero value is used for 1115 both snmpEngineBoots and snmpEngineTime. This zero value gets 1116 used if snmpEngineID is empty. 1118 The values are encoded as INTEGER respectively into the 1119 msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields 1120 of the securityParameters. 1122 7) The userName is encoded as an OCTET STRING into the msgUserName 1123 field of the securityParameters. 1125 8) a) If the securityLevel specifies that the message is to be 1126 authenticated, the message is authenticated according to the 1127 user's authentication protocol. To do so a call is made to the 1128 authentication module that implements the user's 1129 authentication protocol according to the abstract service 1130 primitive: 1132 statusInformation = 1133 authenticateOutgoingMsg( 1134 IN authKey -- the user's localized authKey 1135 IN wholeMsg -- unauthenticated message 1136 OUT authenticatedWholeMsg -- authenticated complete message 1137 ) 1139 statusInformation 1140 indicates if authentication was successful or not. 1141 authKey 1142 the user's localized private authKey is the secret key that 1143 can be used by the authentication algorithm. 1144 wholeMsg 1145 the complete serialized message to be authenticated. 1146 authenticatedWholeMsg 1147 the same as the input given to the authenticateOutgoingMsg 1148 service, but with msgAuthenticationParameters properly 1149 filled in. 1151 If the authentication module returns failure, then the message 1152 cannot be sent and an error indication (authenticationFailure) 1153 is returned to the calling module. 1155 If the authentication module returns success, then the 1156 msgAuthenticationParameters field is put into the 1157 securityParameters and the authenticatedWholeMsg represents 1158 the serialization of the authenticated message being prepared. 1160 Otherwise, 1162 b) If the securityLevel specifies that the message is not to be 1163 authenticated then a zero-length OCTET STRING is encoded into 1164 the msgAuthenticationParameters field of the 1165 securityParameters. The wholeMsg is now serialized and then 1166 represents the unauthenticated message being prepared. 1168 9) The completed message with its length is returned to the calling 1169 module with the statusInformation set to success. 1171 3.2. Processing an Incoming SNMP Message 1173 This section describes the procedure followed by an SNMP engine 1174 whenever it receives a message containing a management operation on 1175 behalf of a user, with a particular securityLevel. 1177 To simplify the elements of procedure, the release of state 1178 information is not always explicitly specified. As a general rule, if 1179 state information is available when a message gets discarded, the 1180 state information should also be released. Also, an error indication 1181 can return an OID and value for an incremented counter and optionally 1182 a value for securityLevel, and values for contextEngineID or 1183 contextName for the counter. In addition, the securityStateReference 1184 data is returned if any such information is available at the point 1185 where the error is detected. 1187 1) If the received securityParameters is not the serialization 1188 (according to the conventions of [RFC1906]) of an OCTET STRING 1189 formatted according to the UsmSecurityParameters defined in 1190 section 2.4, then the snmpInASNParseErrs counter [RFC1907] is 1191 incremented, and an error indication (parseError) is returned to 1192 the calling module. Note that we return without the OID and 1193 value of the incremented counter, because in this case there is 1194 not enough information to generate a Report PDU. 1196 2) The values of the security parameter fields are extracted from 1197 the securityParameters. The securityEngineID to be returned to 1198 the caller is the value of the msgAuthoritativeEngineID field. 1199 The cachedSecurityData is prepared and a securityStateReference 1200 is prepared to reference this data. Values to be cached are: 1202 msgUserName 1203 securityEngineID 1204 securityLevel 1206 3) If the value of the msgAuthoritativeEngineID field in the 1207 securityParameters is unknown then: 1209 a) a non-authoritative SNMP engine that performs discovery may 1210 optionally create a new entry in its Local Configuration 1211 Datastore (LCD) and continue processing; 1213 or 1215 b) the usmStatsUnknownEngineIDs counter is incremented, and 1216 an error indication (unknownEngineID) together with the 1217 OID and value of the incremented counter is returned to 1218 the calling module. 1220 4) Information about the value of the msgUserName and 1221 msgAuthoritativeEngineID fields is extracted from the Local 1222 Configuration Datastore (LCD, usmUserTable). If no information 1223 is available for the user, then the usmStatsUnknownUserNames 1224 counter is incremented and an error indication 1225 (unknownSecurityName) together with the OID and value of the 1226 incremented counter is returned to the calling module. 1228 5) If the information about the user indicates that it does not 1229 support the securityLevel requested by the caller, then the 1230 usmStatsUnsupportedSecLevels counter is incremented and an 1231 error indication (unsupportedSecurityLevel) together with the 1232 OID and value of the incremented counter is returned to the 1233 calling module. 1235 6) If the securityLevel specifies that the message is to be 1236 authenticated, then the message is authenticated according to 1237 the user's authentication protocol. To do so a call is made 1238 to the authentication module that implements the user's 1239 authentication protocol according to the abstract service 1240 primitive: 1242 statusInformation = -- success or failure 1243 authenticateIncomingMsg( 1244 IN authKey -- the user's localized authKey 1245 IN authParameters -- as received on the wire 1246 IN wholeMsg -- as received on the wire 1247 OUT authenticatedWholeMsg -- checked for authentication 1248 ) 1250 statusInformation 1251 indicates if authentication was successful or not. 1252 authKey 1253 the user's localized private authKey is the secret key that 1254 can be used by the authentication algorithm. 1255 wholeMsg 1256 the complete serialized message to be authenticated. 1257 authenticatedWholeMsg 1258 the same as the input given to the authenticateIncomingMsg 1259 service, but after authentication has been checked. 1261 If the authentication module returns failure, then the message 1262 cannot be trusted, so the usmStatsWrongDigests counter is 1263 incremented and an error indication (authenticationFailure) 1264 together with the OID and value of the incremented counter is 1265 returned to the calling module. 1267 If the authentication module returns success, then the message 1268 is authentic and can be trusted so processing continues. 1270 7) If the securityLevel indicates an authenticated message, then 1271 the local values of snmpEngineBoots, snmpEngineTime 1272 and latestReceivedEngineTime 1273 corresponding to the value of the msgAuthoritativeEngineID 1274 field are extracted from the Local Configuration Datastore. 1276 a) If the extracted value of msgAuthoritativeEngineID is the 1277 same as the value of snmpEngineID of the processing SNMP 1278 engine (meaning this is the authoritative SNMP engine), 1279 then if any of the following conditions is true, then the 1280 message is considered to be outside of the Time Window: 1282 - the local value of snmpEngineBoots is 2147483647; 1284 - the value of the msgAuthoritativeEngineBoots field differs 1285 from the local value of snmpEngineBoots; or, 1287 - the value of the msgAuthoritativeEngineTime field differs 1288 from the local notion of snmpEngineTime by more than 1289 +/- 150 seconds. 1291 If the message is considered to be outside of the Time Window 1292 then the usmStatsNotInTimeWindows counter is incremented and 1293 an error indication (notInTimeWindow) together with the OID, 1294 the value of the incremented counter, and an indication that 1295 the error must be reported with a securityLevel of authNoPriv, 1296 is returned to the calling module. 1298 b) If the extracted value of msgAuthoritativeEngineID is not the 1299 same as the value snmpEngineID of the processing SNMP engine 1300 (meaning this is not the authoritative SNMP engine), then: 1302 1) if at least one of the following conditions is true: 1304 - the extracted value of the msgAuthoritativeEngineBoots 1305 field is greater than the local notion of the value of 1306 snmpEngineBoots; or, 1308 - the extracted value of the msgAuthoritativeEngineBoots 1309 field is equal to the local notion of the value of 1310 snmpEngineBoots, and the extracted value of 1311 msgAuthoritativeEngineTime field is greater than the 1312 value of latestReceivedEngineTime, 1314 then the LCD entry corresponding to the extracted value 1315 of the msgAuthoritativeEngineID field is updated, by 1316 setting: 1318 - the local notion of the value of snmpEngineBoots to 1319 the value of the msgAuthoritativeEngineBoots field, 1320 - the local notion of the value of snmpEngineTime to 1321 the value of the msgAuthoritativeEngineTime field, 1322 and 1323 - the latestReceivedEngineTime to the value of the 1324 value of the msgAuthoritativeEngineTime field. 1326 2) if any of the following conditions is true, then the 1327 message is considered to be outside of the Time Window: 1329 - the local notion of the value of snmpEngineBoots is 1330 2147483647; 1332 - the value of the msgAuthoritativeEngineBoots field is 1333 less than the local notion of the value of 1334 snmpEngineBoots; or, 1336 - the value of the msgAuthoritativeEngineBoots field is 1337 equal to the local notion of the value of 1338 snmpEngineBoots and the value of the 1339 msgAuthoritativeEngineTime field is more than 150 1340 seconds less than the local notion of the value of 1341 snmpEngineTime. 1343 If the message is considered to be outside of the Time 1344 Window then an error indication (notInTimeWindow) is 1345 returned to the calling module; 1347 Note that this means that a too old (possibly replayed) 1348 message has been detected and is deemed unauthentic. 1350 Note that this procedure allows for the value of 1351 msgAuthoritativeEngineBoots in the message to be greater 1352 than the local notion of the value of snmpEngineBoots to 1353 allow for received messages to be accepted as authentic 1354 when received from an authoritative SNMP engine that has 1355 re-booted since the receiving SNMP engine last 1356 (re-)synchronized. 1358 Note that this procedure does not allow for automatic 1359 time synchronization if the non-authoritative SNMP engine 1360 has a real out-of-sync situation whereby the authoritative 1361 SNMP engine is more than 150 seconds behind the 1362 non-authoritative SNMP engine. 1364 8) a) If the securityLevel indicates that the message was protected 1365 from disclosure, then the OCTET STRING representing the 1366 encryptedPDU is decrypted according to the user's privacy 1367 protocol to obtain an unencrypted serialized scopedPDU value. 1368 To do so a call is made to the privacy module that implements 1369 the user's privacy protocol according to the abstract 1370 primitive: 1372 statusInformation = -- success or failure 1373 decryptData( 1374 IN decryptKey -- the user's localized privKey 1375 IN privParameters -- as received on the wire 1376 IN encryptedData -- encryptedPDU as received 1377 OUT decryptedData -- serialized decrypted scopedPDU 1378 ) 1380 statusInformation 1381 indicates if the decryption process was successful or not. 1382 decryptKey 1383 the user's localized private privKey is the secret key that 1384 can be used by the decryption algorithm. 1385 privParameters 1386 the msgPrivacyParameters, encoded as an OCTET STRING. 1387 encryptedData 1388 the encryptedPDU represents the encrypted scopedPDU, encoded 1389 as an OCTET STRING. 1391 decryptedData 1392 the serialized scopedPDU if decryption is successful. 1394 If the privacy module returns failure, then the message can 1395 not be processed, so the usmStatsDecryptionErrors counter is 1396 incremented and an error indication (decryptionError) together 1397 with the OID and value of the incremented counter is returned 1398 to the calling module. 1400 If the privacy module returns success, then the decrypted 1401 scopedPDU is the message payload to be returned to the calling 1402 module. 1404 Otherwise, 1406 b) The scopedPDU component is assumed to be in plain text 1407 and is the message payload to be returned to the calling 1408 module. 1410 9) The maxSizeResponseScopedPDU is calculated. This is the 1411 maximum size allowed for a scopedPDU for a possible Response 1412 message. Provision is made for a message header that allows the 1413 same securityLevel as the received Request. 1415 10) The securityName for the user is retrieved from the 1416 usmUserTable. 1418 11) The security data is cached as cachedSecurityData, so that a 1419 possible response to this message can and will use the same 1420 authentication and privacy secrets, the same securityLevel and 1421 the same value for msgAuthoritativeEngineID. Information to be 1422 saved/cached is as follows: 1424 msgUserName, 1425 usmUserAuthProtocol, usmUserAuthKey 1426 usmUserPrivProtocol, usmUserPrivKey 1427 securityEngineID, securityLevel 1429 12) The statusInformation is set to success and a return is made to 1430 the calling module passing back the OUT parameters as specified 1431 in the processIncomingMsg primitive. 1433 4. Discovery 1435 The User-based Security Model requires that a discovery process 1436 obtains sufficient information about other SNMP engines in order to 1437 communicate with them. Discovery requires an non-authoritative SNMP 1438 engine to learn the authoritative SNMP engine's snmpEngineID value 1439 before communication may proceed. This may be accomplished by 1440 generating a Request message with a securityLevel of noAuthNoPriv, a 1441 msgUserName of zero-length, a msgAuthoritativeEngineID value of zero 1442 length, and the varBindList left empty. The response to this message 1443 will be a Report message containing the snmpEngineID of the 1444 authoritative SNMP engine as the value of the 1445 msgAuthoritativeEngineID field within the msgSecurityParameters 1446 field. It contains a Report PDU with the usmStatsUnknownEngineIDs 1447 counter in the varBindList. 1449 If authenticated communication is required, then the discovery 1450 process should also establish time synchronization with the 1451 authoritative SNMP engine. This may be accomplished by sending an 1452 authenticated Request message with the value of 1453 msgAuthoritativeEngineID set to the newly learned snmpEngineID and 1454 with the values of msgAuthoritativeEngineBoots and 1455 msgAuthoritativeEngineTime set to zero. For an authenticated Request 1456 message, a valid userName must be used in the msgUserName field. The 1457 response to this authenticated message will be a Report message 1458 containing the up to date values of the authoritative SNMP engine's 1459 snmpEngineBoots and snmpEngineTime as the value of the 1460 msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields 1461 respectively. It also contains the usmStatsNotInTimeWindows counter 1462 in the varBindList of the Report PDU. The time synchronization then 1463 happens automatically as part of the procedures in section 3.2 step 1464 7b. See also section 2.3. 1466 5. Definitions 1468 SNMP-USER-BASED-SM-MIB DEFINITIONS ::= BEGIN 1470 IMPORTS 1471 MODULE-IDENTITY, OBJECT-TYPE, 1472 OBJECT-IDENTITY, 1473 snmpModules, Counter32 FROM SNMPv2-SMI 1474 TEXTUAL-CONVENTION, TestAndIncr, 1475 RowStatus, RowPointer, 1476 StorageType, AutonomousType FROM SNMPv2-TC 1477 MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF 1478 SnmpAdminString, SnmpEngineID, 1479 snmpAuthProtocols, snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB; 1481 snmpUsmMIB MODULE-IDENTITY 1482 LAST-UPDATED "9809290000Z" -- 29 Sep 1998, midnight 1483 ORGANIZATION "SNMPv3 Working Group" 1484 CONTACT-INFO "WG-email: snmpv3@tis.com 1485 Subscribe: majordomo@tis.com 1486 In msg body: subscribe snmpv3 1488 Chair: Russ Mundy 1489 Trusted Information Systems 1490 postal: 3060 Washington Rd 1491 Glenwood MD 21738 1492 USA 1493 email: mundy@tis.com 1494 phone: +1-301-854-6889 1496 Co-editor Uri Blumenthal 1497 IBM T. J. Watson Research 1498 postal: 30 Saw Mill River Pkwy, 1499 Hawthorne, NY 10532 1500 USA 1501 email: uri@watson.ibm.com 1502 phone: +1-914-784-7964 1504 Co-editor: Bert Wijnen 1505 IBM T. J. Watson Research 1506 postal: Schagen 33 1507 3461 GL Linschoten 1508 Netherlands 1509 email: wijnen@vnet.ibm.com 1510 phone: +31-348-432-794 1511 " 1512 DESCRIPTION "The management information definitions for the 1513 SNMP User-based Security Model. 1514 " 1515 -- Revision history 1516 LAST-UPDATED "9809290000Z" -- 29 Sep 1998, midnight 1517 -- RFC-Editor assigns RFCxxxx 1518 DESCRIPTION "Clarifications, published as RFCxxxx" 1520 REVISION "9711200000Z" -- 20 Nov 1997, midnight 1521 DESCRIPTION "Initial version, published as RFC2274" 1523 ::= { snmpModules 15 } 1525 -- Administrative assignments **************************************** 1527 usmMIBObjects OBJECT IDENTIFIER ::= { snmpUsmMIB 1 } 1528 usmMIBConformance OBJECT IDENTIFIER ::= { snmpUsmMIB 2 } 1530 -- Identification of Authentication and Privacy Protocols ************ 1532 usmNoAuthProtocol OBJECT-IDENTITY 1533 STATUS current 1534 DESCRIPTION "No Authentication Protocol." 1535 ::= { snmpAuthProtocols 1 } 1537 usmHMACMD5AuthProtocol OBJECT-IDENTITY 1538 STATUS current 1539 DESCRIPTION "The HMAC-MD5-96 Digest Authentication Protocol." 1540 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti HMAC: 1541 Keyed-Hashing for Message Authentication, 1542 RFC2104, Feb 1997. 1543 - Rivest, R., Message Digest Algorithm MD5, RFC1321. 1544 " 1545 ::= { snmpAuthProtocols 2 } 1547 usmHMACSHAAuthProtocol OBJECT-IDENTITY 1548 STATUS current 1549 DESCRIPTION "The HMAC-SHA-96 Digest Authentication Protocol." 1550 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti, HMAC: 1551 Keyed-Hashing for Message Authentication, 1552 RFC2104, Feb 1997. 1553 - Secure Hash Algorithm. NIST FIPS 180-1. 1554 " 1555 ::= { snmpAuthProtocols 3 } 1557 usmNoPrivProtocol OBJECT-IDENTITY 1558 STATUS current 1559 DESCRIPTION "No Privacy Protocol." 1560 ::= { snmpPrivProtocols 1 } 1562 usmDESPrivProtocol OBJECT-IDENTITY 1563 STATUS current 1564 DESCRIPTION "The CBC-DES Symmetric Encryption Protocol." 1565 REFERENCE "- Data Encryption Standard, National Institute of 1566 Standards and Technology. Federal Information 1567 Processing Standard (FIPS) Publication 46-1. 1568 Supersedes FIPS Publication 46, 1569 (January, 1977; reaffirmed January, 1988). 1571 - Data Encryption Algorithm, American National 1572 Standards Institute. ANSI X3.92-1981, 1573 (December, 1980). 1575 - DES Modes of Operation, National Institute of 1576 Standards and Technology. Federal Information 1577 Processing Standard (FIPS) Publication 81, 1578 (December, 1980). 1580 - Data Encryption Algorithm - Modes of Operation, 1581 American National Standards Institute. 1582 ANSI X3.106-1983, (May 1983). 1584 " 1585 ::= { snmpPrivProtocols 2 } 1587 -- Textual Conventions *********************************************** 1589 KeyChange ::= TEXTUAL-CONVENTION 1590 STATUS current 1591 DESCRIPTION 1592 "Every definition of an object with this syntax must identify 1593 a protocol P, a secret key K, and a hash algorithm H 1594 that produces output of L octets. 1596 The object's value is a manager-generated, partially-random 1597 value which, when modified, causes the value of the secret 1598 key K, to be modified via a one-way function. 1600 The value of an instance of this object is the concatenation 1601 of two components: first a 'random' component and then a 1602 'delta' component. 1604 The lengths of the random and delta components 1605 are given by the corresponding value of the protocol P; 1606 if P requires K to be a fixed length, the length of both the 1607 random and delta components is that fixed length; if P 1608 allows the length of K to be variable up to a particular 1609 maximum length, the length of the random component is that 1610 maximum length and the length of the delta component is any 1611 length less than or equal to that maximum length. 1612 For example, usmHMACMD5AuthProtocol requires K to be a fixed 1613 length of 16 octets and L - of 16 octets. 1614 usmHMACSHAAuthProtocol requires K to be a fixed length of 1615 20 octets and L - of 20 octets. Other protocols may define 1616 other sizes, as deemed appropriate. 1618 When a requestor wants to change the old key K to a new 1619 key keyNew on a remote entity, the 'random' component is 1620 obtained from either a true random generator, or from a 1621 pseudorandom generator, and the 'delta' component is 1622 computed as follows: 1624 - a temporary variable is initialized to the existing value 1625 of K; 1626 - if the length of the keyNew is greater than L octets, 1627 then: 1628 - the random component is appended to the value of the 1629 temporary variable, and the result is input to the 1630 the hash algorithm H to produce a digest value, and 1631 the temporary variable is set to this digest value; 1632 - the value of the temporary variable is XOR-ed with 1633 the first (next) L-octets (16 octets in case of MD5) 1634 of the keyNew to produce the first (next) L-octets 1635 (16 octets in case of MD5) of the 'delta' component. 1636 - the above two steps are repeated until the unused 1637 portion of the keyNew component is L octets or less, 1638 - the random component is appended to the value of the 1639 temporary variable, and the result is input to the 1640 hash algorithm H to produce a digest value; 1641 - this digest value, truncated if necessary to be the same 1642 length as the unused portion of the keyNew, is XOR-ed 1643 with the unused portion of the keyNew to produce the 1644 (final portion of the) 'delta' component. 1646 For example, using MD5 as the hash algorithm H: 1648 iterations = (lenOfDelta - 1)/16; /* integer division */ 1649 temp = keyOld; 1650 for (i = 0; i < iterations; i++) { 1651 temp = MD5 (temp || random); 1652 delta[i*16 .. (i*16)+15] = 1653 temp XOR keyNew[i*16 .. (i*16)+15]; 1654 } 1655 temp = MD5 (temp || random); 1656 delta[i*16 .. lenOfDelta-1] = 1657 temp XOR keyNew[i*16 .. lenOfDelta-1]; 1659 The 'random' and 'delta' components are then concatenated as 1660 described above, and the resulting octet string is sent to 1661 the receipient as the new value of an instance of this 1662 object. 1664 At the receiver side, when an instance of this object is set 1665 to a new value, then a new value of K is computed as follows: 1667 - a temporary variable is initialized to the existing value 1668 of K; 1669 - if the length of the delta component is greater than L 1670 octets, then: 1671 - the random component is appended to the value of the 1672 temporary variable, and the result is input to the 1673 the hash algorithm H to produce a digest value, and 1674 the temporary variable is set to this digest value; 1675 - the value of the temporary variable is XOR-ed with 1676 the first (next) L-octets (16 octets in case of MD5) 1677 of the delta component to produce the first (next) 1678 L-octets (16 octets in case of MD5) of the new value 1679 of K. 1680 - the above two steps are repeated until the unused 1681 portion of the delta component is L octets or less, 1682 - the random component is appended to the value of the 1683 temporary variable, and the result is input to the 1684 hash algorithm H to produce a digest value; 1685 - this digest value, truncated if necessary to be the same 1686 length as the unused portion of the delta component, is 1687 XOR-ed with the unused portion of the delta component to 1688 produce the (final portion of the) new value of K. 1690 For example, using MD5 as the hash algorithm H: 1692 iterations = (lenOfDelta - 1)/16; /* integer division */ 1693 temp = keyOld; 1694 for (i = 0; i < iterations; i++) { 1695 temp = MD5 (temp || random); 1696 keyNew[i*16 .. (i*16)+15] = 1697 temp XOR delta[i*16 .. (i*16)+15]; 1698 } 1699 temp = MD5 (temp || random); 1700 keyNew[i*16 .. lenOfDelta-1] = 1701 temp XOR delta[i*16 .. lenOfDelta-1]; 1703 The value of an object with this syntax, whenever it is 1704 retrieved by the management protocol, is always the zero 1705 length string. 1707 Note that the keyOld and keyNew are the localized keys. 1709 Note that it is probably wise that when an SNMP entity sends 1711 a SetRequest to change a key, that it keeps a copy of the old 1712 key until it has confirmed that the key change actually 1713 succeeded. 1714 " 1715 SYNTAX OCTET STRING 1717 -- Statistics for the User-based Security Model ********************** 1719 usmStats OBJECT IDENTIFIER ::= { usmMIBObjects 1 } 1721 usmStatsUnsupportedSecLevels OBJECT-TYPE 1722 SYNTAX Counter32 1723 MAX-ACCESS read-only 1724 STATUS current 1725 DESCRIPTION "The total number of packets received by the SNMP 1726 engine which were dropped because they requested a 1727 securityLevel that was unknown to the SNMP engine 1728 or otherwise unavailable. 1729 " 1730 ::= { usmStats 1 } 1732 usmStatsNotInTimeWindows OBJECT-TYPE 1733 SYNTAX Counter32 1734 MAX-ACCESS read-only 1735 STATUS current 1736 DESCRIPTION "The total number of packets received by the SNMP 1737 engine which were dropped because they appeared 1738 outside of the authoritative SNMP engine's window. 1739 " 1740 ::= { usmStats 2 } 1742 usmStatsUnknownUserNames OBJECT-TYPE 1743 SYNTAX Counter32 1744 MAX-ACCESS read-only 1745 STATUS current 1746 DESCRIPTION "The total number of packets received by the SNMP 1747 engine which were dropped because they referenced a 1748 user that was not known to the SNMP engine. 1749 " 1750 ::= { usmStats 3 } 1752 usmStatsUnknownEngineIDs OBJECT-TYPE 1753 SYNTAX Counter32 1754 MAX-ACCESS read-only 1755 STATUS current 1756 DESCRIPTION "The total number of packets received by the SNMP 1757 engine which were dropped because they referenced an 1758 snmpEngineID that was not known to the SNMP engine. 1759 " 1760 ::= { usmStats 4 } 1762 usmStatsWrongDigests OBJECT-TYPE 1763 SYNTAX Counter32 1764 MAX-ACCESS read-only 1765 STATUS current 1766 DESCRIPTION "The total number of packets received by the SNMP 1767 engine which were dropped because they didn't 1768 contain the expected digest value. 1769 " 1770 ::= { usmStats 5 } 1772 usmStatsDecryptionErrors OBJECT-TYPE 1773 SYNTAX Counter32 1774 MAX-ACCESS read-only 1775 STATUS current 1776 DESCRIPTION "The total number of packets received by the SNMP 1777 engine which were dropped because they could not be 1778 decrypted. 1779 " 1780 ::= { usmStats 6 } 1782 -- The usmUser Group ************************************************ 1784 usmUser OBJECT IDENTIFIER ::= { usmMIBObjects 2 } 1786 usmUserSpinLock OBJECT-TYPE 1787 SYNTAX TestAndIncr 1788 MAX-ACCESS read-write 1789 STATUS current 1790 DESCRIPTION "An advisory lock used to allow several cooperating 1791 Command Generator Applications to coordinate their 1792 use of facilities to alter secrets in the 1793 usmUserTable. 1794 " 1795 ::= { usmUser 1 } 1797 -- The table of valid users for the User-based Security Model ******** 1799 usmUserTable OBJECT-TYPE 1800 SYNTAX SEQUENCE OF UsmUserEntry 1801 MAX-ACCESS not-accessible 1802 STATUS current 1803 DESCRIPTION "The table of users configured in the SNMP engine's 1804 Local Configuration Datastore (LCD). 1806 To create a new user (i.e., to instantiate a new 1807 conceptual row in this table), it is recommended to 1808 follow this procedure: 1810 1) GET(usmUserSpinLock.0) and save in sValue. 1811 2) SET(usmUserSpinLock.0=sValue, 1812 usmUserCloneFrom=templateUser, 1813 usmUserStatus=createAndWait) 1814 You should use a template user to clone from 1815 which has the proper auth/priv protocol defined. 1817 If the new user is to use privacy: 1819 3) generate the keyChange value based on the secret 1820 privKey of the clone-from user and the secret key 1821 to be used for the new user. Let us call this 1822 pkcValue. 1823 4) GET(usmUserSpinLock.0) and save in sValue. 1824 5) SET(usmUserSpinLock.0=sValue, 1825 usmUserPrivKeyChange=pkcValue 1826 usmUserPublic=randomValue1) 1827 6) GET(usmUserPulic) and check it has randomValue1. 1828 If not, repeat steps 4-6. 1830 If the new user will never use privacy: 1832 7) SET(usmUserPrivProtocol=usmNoPrivProtocol) 1834 If the new user is to use authentication: 1836 8) generate the keyChange value based on the secret 1837 authKey of the clone-from user and the secret key 1838 to be used for the new user. Let us call this 1839 akcValue. 1840 9) GET(usmUserSpinLock.0) and save in sValue. 1841 10) SET(usmUserSpinLock.0=sValue, 1842 usmUserAuthKeyChange=akcValue 1843 usmUserPublic=randomValue2) 1844 11) GET(usmUserPulic) and check it has randomValue2. 1845 If not, repeat steps 9-11. 1847 If the new user will never use authenticion: 1849 12) SET(usmUserAuthProtocol=usmNoAuthProtocol) 1851 Finally, activate the new user: 1853 13) SET(usmUserStatus=active) 1855 The new user should now be available and ready to be 1856 used for SNMPv3 communication. Note however that access 1857 to MIB data must be provided via configuration of the 1858 SNMP-VIEW-BASED-ACM-MIB. 1860 The use of usmUserSpinlock is to avoid conflicts with 1861 another SNMP command responder application which may 1862 also be acting on the usmUserTable. 1863 " 1864 ::= { usmUser 2 } 1866 usmUserEntry OBJECT-TYPE 1867 SYNTAX UsmUserEntry 1868 MAX-ACCESS not-accessible 1869 STATUS current 1870 DESCRIPTION "A user configured in the SNMP engine's Local 1871 Configuration Datastore (LCD) for the User-based 1872 Security Model. 1873 " 1874 INDEX { usmUserEngineID, 1875 usmUserName 1876 } 1877 ::= { usmUserTable 1 } 1879 UsmUserEntry ::= SEQUENCE 1880 { 1881 usmUserEngineID SnmpEngineID, 1882 usmUserName SnmpAdminString, 1883 usmUserSecurityName SnmpAdminString, 1884 usmUserCloneFrom RowPointer, 1885 usmUserAuthProtocol AutonomousType, 1886 usmUserAuthKeyChange KeyChange, 1887 usmUserOwnAuthKeyChange KeyChange, 1888 usmUserPrivProtocol AutonomousType, 1889 usmUserPrivKeyChange KeyChange, 1890 usmUserOwnPrivKeyChange KeyChange, 1891 usmUserPublic OCTET STRING, 1892 usmUserStorageType StorageType, 1893 usmUserStatus RowStatus 1894 } 1896 usmUserEngineID OBJECT-TYPE 1897 SYNTAX SnmpEngineID 1898 MAX-ACCESS not-accessible 1899 STATUS current 1900 DESCRIPTION "An SNMP engine's administratively-unique identifier. 1902 In a simple agent, this value is always that agent's 1903 own snmpEngineID value. 1905 The value can also take the value of the snmpEngineID 1906 of a remote SNMP engine with which this user can 1907 communicate. 1908 " 1909 ::= { usmUserEntry 1 } 1911 usmUserName OBJECT-TYPE 1912 SYNTAX SnmpAdminString (SIZE(1..32)) 1913 MAX-ACCESS not-accessible 1914 STATUS current 1915 DESCRIPTION "A human readable string representing the name of 1916 the user. 1918 This is the (User-based Security) Model dependent 1919 security ID. 1920 " 1921 ::= { usmUserEntry 2 } 1923 usmUserSecurityName OBJECT-TYPE 1924 SYNTAX SnmpAdminString 1925 MAX-ACCESS read-only 1926 STATUS current 1927 DESCRIPTION "A human readable string representing the user in 1928 Security Model independent format. 1930 The default transformation of the User-based Security 1931 Model dependent security ID to the securityName and 1932 vice versa is the identity function so that the 1933 securityName is the same as the userName. 1934 " 1935 ::= { usmUserEntry 3 } 1937 usmUserCloneFrom OBJECT-TYPE 1938 SYNTAX RowPointer 1939 MAX-ACCESS read-create 1940 STATUS current 1941 DESCRIPTION "A pointer to another conceptual row in this 1942 usmUserTable. The user in this other conceptual 1943 row is called the clone-from user. 1945 When a new user is created (i.e., a new conceptual 1946 row is instantiated in this table), the privacy and 1947 authentication parameters of the new user must be 1948 cloned from its clone-from user. These parameters are: 1949 - authentication protocol (usmUserAuthProtocol) 1950 - privacy protocol (usmUserPrivProtocol) 1951 They will be copied regardless of what the current 1952 value is. 1954 Cloning also causes the initial values of the secret 1955 authentication key (authKey) and the secret encryption 1956 key (privKey) of the new user to be set to the same 1957 value as the corresponding secret of the clone-from 1958 user. 1960 The first time an instance of this object is set by 1961 a management operation (either at or after its 1962 instantiation), the cloning process is invoked. 1964 Subsequent writes are successful but invoke no 1965 action to be taken by the receiver. 1966 The cloning process fails with an 'inconsistentName' 1967 error if the conceptual row representing the 1968 clone-from user does not exist or is not in an active 1969 state when the cloning process is invoked. 1971 When this object is read, the ZeroDotZero OID 1972 is returned. 1973 " 1974 ::= { usmUserEntry 4 } 1976 usmUserAuthProtocol OBJECT-TYPE 1977 SYNTAX AutonomousType 1978 MAX-ACCESS read-create 1979 STATUS current 1980 DESCRIPTION "An indication of whether messages sent on behalf of 1981 this user to/from the SNMP engine identified by 1982 usmUserEngineID, can be authenticated, and if so, 1983 the type of authentication protocol which is used. 1985 An instance of this object is created concurrently 1986 with the creation of any other object instance for 1987 the same user (i.e., as part of the processing of 1988 the set operation which creates the first object 1989 instance in the same conceptual row). 1991 If an initial set operation (i.e. at row creation time) 1992 tries to set a value for an unknown or unsupported 1993 protocol, then a 'wrongValue' error must be returned. 1995 The value will be overwritten/set when a set operation 1996 is performed on the corresponding instance of 1997 usmUserCloneFrom. 1999 Once instantiated, the value of such an instance of 2000 this object can only be changed via a set operation to 2001 the value of the usmNoAuthProtocol. 2003 If a set operation tries to change the value of an 2004 existing instance of this object to any value other 2005 than usmNoAuthProtocol, then an 'inconsistentValue' 2006 error must be returned. 2008 If a set operation tries to set the value to the 2009 usmNoAuthProtocol while the usmUserPrivProtocol value 2010 in the same row is not equal to usmNoPrivProtocol, 2011 then an 'inconsistentValue' error must be returned. 2013 That means that an SNMP command generator application 2014 must first ensure that the usmUserPrivProtocol is set 2015 to the usmNoPrivProtocol value before it can set 2016 the usmUserAuthProtocol value to usmNoAuthProtocol. 2017 " 2018 DEFVAL { usmNoAuthProtocol } 2019 ::= { usmUserEntry 5 } 2021 usmUserAuthKeyChange OBJECT-TYPE 2022 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5 2023 -- typically (SIZE (0 | 40)) for HMACSHA 2024 MAX-ACCESS read-create 2025 STATUS current 2026 DESCRIPTION "An object, which when modified, causes the secret 2027 authentication key used for messages sent on behalf 2028 of this user to/from the SNMP engine identified by 2029 usmUserEngineID, to be modified via a one-way 2030 function. 2032 The associated protocol is the usmUserAuthProtocol. 2033 The associated secret key is the user's secret 2034 authentication key (authKey). The associated hash 2035 algorithm is the algorithm used by the user's 2036 usmUserAuthProtocol. 2038 When creating a new user, it is an 'inconsistentName' 2039 error for a set operation to refer to this object 2040 unless it is previously or concurrently initialized 2041 through a set operation on the corresponding instance 2042 of usmUserCloneFrom. 2044 When the value of the corresponding usmUserAuthProtocol 2045 is usmNoAuthProtocol, then a set is successful, but 2046 effectively is a no-op. 2048 When this object is read, the zero-length (empty) 2049 string is returned. 2051 The recommended way to do a key change is as follows: 2053 1) GET(usmUserSpinLock.0) and save in sValue. 2054 2) generate the keyChange value based on the old 2055 (existing) secret key and the new secret key, 2056 let us call this kcValue. 2058 If you do the key change on behalf of another user: 2060 3) SET(usmUserSpinLock.0=sValue, 2061 usmUserAuthKeyChange=kcValue 2062 usmUserPublic=randomValue) 2064 If you do the key change for yourself: 2066 4) SET(usmUserSpinLock.0=sValue, 2067 usmUserOwnAuthKeyChange=kcValue 2068 usmUserPublic=randomValue) 2070 If you get a response with error-status of noError, 2071 then the SET succeeded and the new key is active. 2072 If you do not get a response, then you can issue a 2073 GET(usmUserPublic) and check if the value is equal 2074 to the randomValue you did send in the SET. If so, then 2075 the keychange succeeded and the new key is active 2076 (probably the response got lost). If not, then the SET 2077 reuest probably never reached the target and so you can 2078 start over with the procedure above. 2079 " 2080 DEFVAL { ''H } -- the empty string 2081 ::= { usmUserEntry 6 } 2083 usmUserOwnAuthKeyChange OBJECT-TYPE 2084 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5 2085 -- typically (SIZE (0 | 40)) for HMACSHA 2086 MAX-ACCESS read-create 2087 STATUS current 2088 DESCRIPTION "Behaves exactly as usmUserAuthKeyChange, with one 2089 notable difference: in order for the set operation 2090 to succeed, the usmUserName of the operation 2091 requester must match the usmUserName that 2092 indexes the row which is targeted by this 2093 operation. 2094 In addition, the USM security model must be 2095 used for this operation. 2097 The idea here is that access to this column can be 2098 public, since it will only allow a user to change 2099 his own secret authentication key (authKey). 2100 Note that this can only be done once the row is active. 2102 When a set is received and the usmUserName of the 2103 requester is not the same as the umsUserName that 2104 indexes the row which is targeted by this operation, 2105 then a 'noAccess' error must be returned. 2107 When a set is received and the security model in use 2108 is not USM, then a 'noAccess' error must be returned. 2110 " 2111 DEFVAL { ''H } -- the empty string 2112 ::= { usmUserEntry 7 } 2114 usmUserPrivProtocol OBJECT-TYPE 2115 SYNTAX AutonomousType 2116 MAX-ACCESS read-create 2117 STATUS current 2118 DESCRIPTION "An indication of whether messages sent on behalf of 2119 this user to/from the SNMP engine identified by 2120 usmUserEngineID, can be protected from disclosure, 2121 and if so, the type of privacy protocol which is used. 2123 An instance of this object is created concurrently 2124 with the creation of any other object instance for 2125 the same user (i.e., as part of the processing of 2126 the set operation which creates the first object 2127 instance in the same conceptual row). 2129 If an initial set operation (i.e. at row creation time) 2130 tries to set a value for an unknown or unsupported 2131 protocol, then a 'wrongValue' error must be returned. 2133 The value will be overwritten/set when a set operation 2134 is performed on the corresponding instance of 2135 usmUserCloneFrom. 2137 Once instantiated, the value of such an instance of 2138 this object can only be changed via a set operation to 2139 the value of the usmNoPrivProtocol. 2141 If a set operation tries to change the value of an 2142 existing instance of this object to any value other 2143 than usmNoPrivProtocol, then an 'inconsistentValue' 2144 error must be returned. 2146 Note that if any privacy protocol is used, then you 2147 must also use an authentication protocol. In other 2148 words, if usmUserPrivProtocol is set to anything else 2149 than usmNoPrivProtocol, then the corresponding instance 2150 of usmUserAuthProtocol cannot have a value of 2151 usmNoAuthProtocol. If it does, then an 2152 'inconsistentValue' error must be returned. 2153 " 2154 DEFVAL { usmNoPrivProtocol } 2155 ::= { usmUserEntry 8 } 2157 usmUserPrivKeyChange OBJECT-TYPE 2158 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES 2159 MAX-ACCESS read-create 2160 STATUS current 2161 DESCRIPTION "An object, which when modified, causes the secret 2162 encryption key used for messages sent on behalf 2163 of this user to/from the SNMP engine identified by 2164 usmUserEngineID, to be modified via a one-way 2165 function. 2167 The associated protocol is the usmUserPrivProtocol. 2168 The associated secret key is the user's secret 2169 privacy key (privKey). The associated hash 2170 algorithm is the algorithm used by the user's 2171 usmUserAuthProtocol. 2173 When creating a new user, it is an 'inconsistentName' 2174 error for a set operation to refer to this object 2175 unless it is previously or concurrently initialized 2176 through a set operation on the corresponding instance 2177 of usmUserCloneFrom. 2179 When the value of the corresponding usmUserPrivProtocol 2180 is usmNoPrivProtocol, then a set is successful, but 2181 effectively is a no-op. 2183 When this object is read, the zero-length (empty) 2184 string is returned. 2185 See the description clause of usmUserAuthKeyChange for 2186 a recommended procedure to do a key change. 2187 " 2188 DEFVAL { ''H } -- the empty string 2189 ::= { usmUserEntry 9 } 2191 usmUserOwnPrivKeyChange OBJECT-TYPE 2192 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES 2193 MAX-ACCESS read-create 2194 STATUS current 2195 DESCRIPTION "Behaves exactly as usmUserPrivKeyChange, with one 2196 notable difference: in order for the Set operation 2197 to succeed, the usmUserName of the operation 2198 requester must match the usmUserName that indexes 2199 the row which is targeted by this operation. 2200 In addition, the USM security model must be 2201 used for this operation. 2203 The idea here is that access to this column can be 2204 public, since it will only allow a user to change 2205 his own secret privacy key (privKey). 2207 Note that this can only be done once the row is active. 2209 When a set is received and the usmUserName of the 2210 requester is not the same as the umsUserName that 2211 indexes the row which is targeted by this operation, 2212 then a 'noAccess' error must be returned. 2214 When a set is received and the security model in use 2215 is not USM, then a 'noAccess' error must be returned. 2216 " 2217 DEFVAL { ''H } -- the empty string 2218 ::= { usmUserEntry 10 } 2220 usmUserPublic OBJECT-TYPE 2221 SYNTAX OCTET STRING (SIZE(0..32)) 2222 MAX-ACCESS read-create 2223 STATUS current 2224 DESCRIPTION "A publicly-readable value which can be written as part 2225 of the procedure for changing a user's secret 2226 authentication and/or privacy key, and later read to 2227 determine whether the change of the secret was 2228 effected. 2229 " 2230 DEFVAL { ''H } -- the empty string 2231 ::= { usmUserEntry 11 } 2233 usmUserStorageType OBJECT-TYPE 2234 SYNTAX StorageType 2235 MAX-ACCESS read-create 2236 STATUS current 2237 DESCRIPTION "The storage type for this conceptual row. 2239 Conceptual rows having the value 'permanent' must 2240 allow write-access at a minimum to: 2242 - usmUserAuthKeyChange, usmUserOwnAuthKeyChange 2243 and usmUserPublic for a user who employs 2244 authentication, and 2245 - usmUserPrivKeyChange, usmUserOwnPrivKeyChange 2246 and usmUserPublic for a user who employs 2247 privacy. 2249 Note that any user who employs authentication or 2250 privacy must allow its secret(s) to be updated and 2251 thus cannot be 'readOnly'. 2253 If an initial set operation tries to set the value to 2254 'readOnly' for a user who employs authentication or 2255 privacy, then an 'inconsistentValue' error must be 2256 returned. Note that if the value has been previously 2257 set (implicit or explicit) to any value, then the rules 2258 as defined in the StorageType Textual Convention apply. 2260 It is an implementation issue to decide if a SET for 2261 a readOnly or permanent row is accepted at all. In some 2262 contexts this may make sense, in others it may not. If 2263 a SET for a readOnly or permanent row is not accepted 2264 at all, then a 'wrongValue' error must be returned. 2265 " 2266 DEFVAL { nonVolatile } 2267 ::= { usmUserEntry 12 } 2269 usmUserStatus OBJECT-TYPE 2270 SYNTAX RowStatus 2271 MAX-ACCESS read-create 2272 STATUS current 2273 DESCRIPTION "The status of this conceptual row. 2275 Until instances of all corresponding columns are 2276 appropriately configured, the value of the 2277 corresponding instance of the usmUserStatus column 2278 is 'notReady'. 2280 In particular, a newly created row for a user who 2281 employs authentication, cannot be made active until the 2282 corresponding usmUserCloneFrom and usmUserAuthKeyChange 2283 have been set. 2285 Further, a newly created row for a user who also 2286 employs privacy, cannot be made active until the 2287 usmUserPrivKeyChange has been set. 2289 The RowStatus TC [RFC1903] requires that this 2290 DESCRIPTION clause states under which circumstances 2291 other objects in this row can be modified: 2293 The value of this object has no effect on whether 2294 other objects in this conceptual row can be modified. 2295 " 2296 ::= { usmUserEntry 13 } 2298 -- Conformance Information ******************************************* 2300 usmMIBCompliances OBJECT IDENTIFIER ::= { usmMIBConformance 1 } 2301 usmMIBGroups OBJECT IDENTIFIER ::= { usmMIBConformance 2 } 2302 -- Compliance statements 2304 usmMIBCompliance MODULE-COMPLIANCE 2305 STATUS current 2306 DESCRIPTION "The compliance statement for SNMP engines which 2307 implement the SNMP-USER-BASED-SM-MIB. 2308 " 2310 MODULE -- this module 2311 MANDATORY-GROUPS { usmMIBBasicGroup } 2313 OBJECT usmUserAuthProtocol 2314 MIN-ACCESS read-only 2315 DESCRIPTION "Write access is not required." 2317 OBJECT usmUserPrivProtocol 2318 MIN-ACCESS read-only 2319 DESCRIPTION "Write access is not required." 2321 ::= { usmMIBCompliances 1 } 2323 -- Units of compliance 2324 usmMIBBasicGroup OBJECT-GROUP 2325 OBJECTS { 2326 usmStatsUnsupportedSecLevels, 2327 usmStatsNotInTimeWindows, 2328 usmStatsUnknownUserNames, 2329 usmStatsUnknownEngineIDs, 2330 usmStatsWrongDigests, 2331 usmStatsDecryptionErrors, 2332 usmUserSpinLock, 2333 usmUserSecurityName, 2334 usmUserCloneFrom, 2335 usmUserAuthProtocol, 2336 usmUserAuthKeyChange, 2337 usmUserOwnAuthKeyChange, 2338 usmUserPrivProtocol, 2339 usmUserPrivKeyChange, 2340 usmUserOwnPrivKeyChange, 2341 usmUserPublic, 2342 usmUserStorageType, 2343 usmUserStatus 2344 } 2345 STATUS current 2346 DESCRIPTION "A collection of objects providing for configuration 2347 of an SNMP engine which implements the SNMP 2348 User-based Security Model. 2349 " 2351 ::= { usmMIBGroups 1 } 2353 END 2354 6. HMAC-MD5-96 Authentication Protocol 2356 This section describes the HMAC-MD5-96 authentication protocol. This 2357 authentication protocol is the first defined for the User-based 2358 Security Model. It uses MD5 hash-function which is described in 2359 [MD5], in HMAC mode described in [RFC2104], truncating the output to 2360 96 bits. 2362 This protocol is identified by usmHMACMD5AuthProtocol. 2364 Over time, other authentication protocols may be defined either as a 2365 replacement of this protocol or in addition to this protocol. 2367 6.1. Mechanisms 2369 - In support of data integrity, a message digest algorithm is 2370 required. A digest is calculated over an appropriate portion of an 2371 SNMP message and included as part of the message sent to the 2372 recipient. 2374 - In support of data origin authentication and data integrity, 2375 a secret value is prepended to SNMP message prior to computing the 2376 digest; the calculated digest is partially inserted into the SNMP 2377 message prior to transmission, and the prepended value is not 2378 transmitted. The secret value is shared by all SNMP engines 2379 authorized to originate messages on behalf of the appropriate user. 2381 6.1.1. Digest Authentication Mechanism 2383 The Digest Authentication Mechanism defined in this memo provides 2384 for: 2386 - verification of the integrity of a received message, i.e., the 2387 message received is the message sent. 2389 The integrity of the message is protected by computing a digest 2390 over an appropriate portion of the message. The digest is computed 2391 by the originator of the message, transmitted with the message, and 2392 verified by the recipient of the message. 2394 - verification of the user on whose behalf the message was generated. 2396 A secret value known only to SNMP engines authorized to generate 2397 messages on behalf of a user is used in HMAC mode (see [RFC2104]). 2398 It also recommends the hash-function output used as Message 2399 Authentication Code, to be truncated. 2401 This protocol uses the MD5 [MD5] message digest algorithm. A 128-bit 2402 MD5 digest is calculated in a special (HMAC) way over the designated 2403 portion of an SNMP message and the first 96 bits of this digest is 2404 included as part of the message sent to the recipient. The size of 2405 the digest carried in a message is 12 octets. The size of the private 2406 authentication key (the secret) is 16 octets. For the details see 2407 section 6.3. 2409 6.2. Elements of the Digest Authentication Protocol 2411 This section contains definitions required to realize the 2412 authentication module defined in this section of this memo. 2414 6.2.1. Users 2416 Authentication using this authentication protocol makes use of a 2417 defined set of userNames. For any user on whose behalf a message must 2418 be authenticated at a particular SNMP engine, that SNMP engine must 2419 have knowledge of that user. An SNMP engine that wishes to 2420 communicate with another SNMP engine must also have knowledge of a 2421 user known to that engine, including knowledge of the applicable 2422 attributes of that user. 2424 A user and its attributes are defined as follows: 2426 2427 A string representing the name of the user. 2428 2429 A user's secret key to be used when calculating a digest. 2430 It MUST be 16 octets long for MD5. 2432 6.2.2. msgAuthoritativeEngineID 2434 The msgAuthoritativeEngineID value contained in an authenticated 2435 message specifies the authoritative SNMP engine for that particular 2436 message (see the definition of SnmpEngineID in the SNMP Architecture 2437 document [RFC-ARCH]). 2439 The user's (private) authentication key is normally different at each 2440 authoritative SNMP engine and so the snmpEngineID is used to select 2441 the proper key for the authentication process. 2443 6.2.3. SNMP Messages Using this Authentication Protocol 2445 Messages using this authentication protocol carry a 2446 msgAuthenticationParameters field as part of the 2447 msgSecurityParameters. For this protocol, the 2448 msgAuthenticationParameters field is the serialized OCTET STRING 2449 representing the first 12 octets of the HMAC-MD5-96 output done over 2450 the wholeMsg. 2452 The digest is calculated over the wholeMsg so if a message is 2453 authenticated, that also means that all the fields in the message are 2454 intact and have not been tampered with. 2456 6.2.4. Services provided by the HMAC-MD5-96 Authentication Module 2458 This section describes the inputs and outputs that the HMAC-MD5-96 2459 Authentication module expects and produces when the User-based 2460 Security module calls the HMAC-MD5-96 Authentication module for 2461 services. 2463 6.2.4.1. Services for Generating an Outgoing SNMP Message 2465 The HMAC-MD5-96 authentication protocol assumes that the selection of 2466 the authKey is done by the caller and that the caller passes the 2467 secret key to be used. 2469 Upon completion the authentication module returns statusInformation 2470 and, if the message digest was correctly calculated, the wholeMsg 2471 with the digest inserted at the proper place. The abstract service 2472 primitive is: 2474 statusInformation = -- success or failure 2475 authenticateOutgoingMsg( 2476 IN authKey -- secret key for authentication 2477 IN wholeMsg -- unauthenticated complete message 2478 OUT authenticatedWholeMsg -- complete authenticated message 2479 ) 2481 The abstract data elements are: 2483 statusInformation 2484 An indication of whether the authentication process was 2485 successful. If not it is an indication of the problem. 2486 authKey 2487 The secret key to be used by the authentication algorithm. 2488 The length of this key MUST be 16 octets. 2489 wholeMsg 2490 The message to be authenticated. 2491 authenticatedWholeMsg 2492 The authenticated message (including inserted digest) on output. 2494 Note, that authParameters field is filled by the authentication 2495 module and this field should be already present in the wholeMsg 2496 before the Message Authentication Code (MAC) is generated. 2498 6.2.4.2. Services for Processing an Incoming SNMP Message 2500 The HMAC-MD5-96 authentication protocol assumes that the selection of 2501 the authKey is done by the caller and that the caller passes the 2502 secret key to be used. 2504 Upon completion the authentication module returns statusInformation 2505 and, if the message digest was correctly calculated, the wholeMsg as 2506 it was processed. The abstract service primitive is: 2508 statusInformation = -- success or failure 2509 authenticateIncomingMsg( 2510 IN authKey -- secret key for authentication 2511 IN authParameters -- as received on the wire 2512 IN wholeMsg -- as received on the wire 2513 OUT authenticatedWholeMsg -- complete authenticated message 2514 ) 2516 The abstract data elements are: 2518 statusInformation 2519 An indication of whether the authentication process was 2520 successful. If not it is an indication of the problem. 2521 authKey 2522 The secret key to be used by the authentication algorithm. 2523 The length of this key MUST be 16 octets. 2524 authParameters 2525 The authParameters from the incoming message. 2526 wholeMsg 2527 The message to be authenticated on input and the authenticated 2528 message on output. 2529 authenticatedWholeMsg 2530 The whole message after the authentication check is complete. 2532 6.3. Elements of Procedure 2534 This section describes the procedures for the HMAC-MD5-96 2535 authentication protocol. 2537 6.3.1. Processing an Outgoing Message 2539 This section describes the procedure followed by an SNMP engine 2540 whenever it must authenticate an outgoing message using the 2541 usmHMACMD5AuthProtocol. 2543 1) The msgAuthenticationParameters field is set to the serialization, 2544 according to the rules in [RFC1906], of an OCTET STRING containing 2545 12 zero octets. 2547 2) From the secret authKey, two keys K1 and K2 are derived: 2549 a) extend the authKey to 64 octets by appending 48 zero 2550 octets; save it as extendedAuthKey 2551 b) obtain IPAD by replicating the octet 0x36 64 times; 2552 c) obtain K1 by XORing extendedAuthKey with IPAD; 2553 d) obtain OPAD by replicating the octet 0x5C 64 times; 2554 e) obtain K2 by XORing extendedAuthKey with OPAD. 2556 3) Prepend K1 to the wholeMsg and calculate MD5 digest over it 2557 according to [MD5]. 2559 4) Prepend K2 to the result of the step 4 and calculate MD5 digest 2560 over it according to [MD5]. Take the first 12 octets of the final 2561 digest - this is Message Authentication Code (MAC). 2563 5) Replace the msgAuthenticationParameters field with MAC obtained 2564 in the step 4. 2566 6) The authenticatedWholeMsg is then returned to the caller 2567 together with statusInformation indicating success. 2569 6.3.2. Processing an Incoming Message 2571 This section describes the procedure followed by an SNMP engine 2572 whenever it must authenticate an incoming message using the 2573 usmHMACMD5AuthProtocol. 2575 ti -4 2576 1) If the digest received in the msgAuthenticationParameters field 2577 is not 12 octets long, then an failure and an errorIndication 2578 (authenticationError) is returned to the calling module. 2580 2) The MAC received in the msgAuthenticationParameters field 2581 is saved. 2583 3) The digest in the msgAuthenticationParameters field is replaced 2584 by the 12 zero octets. 2586 4) From the secret authKey, two keys K1 and K2 are derived: 2588 a) extend the authKey to 64 octets by appending 48 zero 2589 octets; save it as extendedAuthKey 2590 b) obtain IPAD by replicating the octet 0x36 64 times; 2591 c) obtain K1 by XORing extendedAuthKey with IPAD; 2592 d) obtain OPAD by replicating the octet 0x5C 64 times; 2593 e) obtain K2 by XORing extendedAuthKey with OPAD. 2595 5) The MAC is calculated over the wholeMsg: 2597 a) prepend K1 to the wholeMsg and calculate the MD5 digest 2598 over it; 2599 b) prepend K2 to the result of step 5.a and calculate the 2600 MD5 digest over it; 2601 c) first 12 octets of the result of step 5.b is the MAC. 2603 The msgAuthenticationParameters field is replaced with the MAC 2604 value that was saved in step 2. 2606 6) Then the newly calculated MAC is compared with the MAC 2607 saved in step 2. If they do not match, then an failure and an 2608 errorIndication (authenticationFailure) is returned to the 2609 calling module. 2611 7) The authenticatedWholeMsg and statusInformation indicating 2612 success are then returned to the caller. 2614 7. HMAC-SHA-96 Authentication Protocol 2616 This section describes the HMAC-SHA-96 authentication protocol. This 2617 protocol uses the SHA hash-function which is described in [SHA-NIST], 2618 in HMAC mode described in [RFC2104], truncating the output to 96 2619 bits. 2621 This protocol is identified by usmHMACSHAAuthProtocol. 2623 Over time, other authentication protocols may be defined either as a 2624 replacement of this protocol or in addition to this protocol. 2626 7.1. Mechanisms 2628 - In support of data integrity, a message digest algorithm is 2629 required. A digest is calculated over an appropriate portion of an 2630 SNMP message and included as part of the message sent to the 2631 recipient. 2633 - In support of data origin authentication and data integrity, 2634 a secret value is prepended to the SNMP message prior to computing 2635 the digest; the calculated digest is then partially inserted into 2636 the message prior to transmission. The prepended secret is not 2637 transmitted. The secret value is shared by all SNMP engines 2638 authorized to originate messages on behalf of the appropriate user. 2640 7.1.1. Digest Authentication Mechanism 2642 The Digest Authentication Mechanism defined in this memo provides 2643 for: 2645 - verification of the integrity of a received message, i.e., the 2646 the message received is the message sent. 2648 The integrity of the message is protected by computing a digest 2649 over an appropriate portion of the message. The digest is computed 2650 by the originator of the message, transmitted with the message, and 2651 verified by the recipient of the message. 2653 - verification of the user on whose behalf the message was generated. 2655 A secret value known only to SNMP engines authorized to generate 2656 messages on behalf of a user is used in HMAC mode (see [RFC2104]). 2657 It also recommends the hash-function output used as Message 2658 Authentication Code, to be truncated. 2660 This mechanism uses the SHA [SHA-NIST] message digest algorithm. A 2661 160-bit SHA digest is calculated in a special (HMAC) way over the 2662 designated portion of an SNMP message and the first 96 bits of this 2663 digest is included as part of the message sent to the recipient. The 2664 size of the digest carried in a message is 12 octets. The size of the 2665 private authentication key (the secret) is 20 octets. For the details 2666 see section 7.3. 2668 7.2. Elements of the HMAC-SHA-96 Authentication Protocol 2670 This section contains definitions required to realize the 2671 authentication module defined in this section of this memo. 2673 7.2.1. Users 2675 Authentication using this authentication protocol makes use of a 2676 defined set of userNames. For any user on whose behalf a message 2677 must be authenticated at a particular SNMP engine, that SNMP engine 2678 must have knowledge of that user. An SNMP engine that wishes to 2679 communicate with another SNMP engine must also have knowledge of a 2680 user known to that engine, including knowledge of the applicable 2681 attributes of that user. 2683 A user and its attributes are defined as follows: 2685 2686 A string representing the name of the user. 2687 2688 A user's secret key to be used when calculating a digest. 2689 It MUST be 20 octets long for SHA. 2691 7.2.2. msgAuthoritativeEngineID 2693 The msgAuthoritativeEngineID value contained in an authenticated 2694 message specifies the authoritative SNMP engine for that particular 2695 message (see the definition of SnmpEngineID in the SNMP Architecture 2696 document [RFC-ARCH]). 2698 The user's (private) authentication key is normally different at each 2699 authoritative SNMP engine and so the snmpEngineID is used to select 2700 the proper key for the authentication process. 2702 7.2.3. SNMP Messages Using this Authentication Protocol 2704 Messages using this authentication protocol carry a 2705 msgAuthenticationParameters field as part of the 2706 msgSecurityParameters. For this protocol, the 2707 msgAuthenticationParameters field is the serialized OCTET STRING 2708 representing the first 12 octets of HMAC-SHA-96 output done over the 2709 wholeMsg. 2711 The digest is calculated over the wholeMsg so if a message is 2712 authenticated, that also means that all the fields in the message are 2713 intact and have not been tampered with. 2715 7.2.4. Services provided by the HMAC-SHA-96 Authentication Module 2717 This section describes the inputs and outputs that the HMAC-SHA-96 2718 Authentication module expects and produces when the User-based 2719 Security module calls the HMAC-SHA-96 Authentication module for 2720 services. 2722 7.2.4.1. Services for Generating an Outgoing SNMP Message 2724 HMAC-SHA-96 authentication protocol assumes that the selection of the 2725 authKey is done by the caller and that the caller passes the secret 2726 key to be used. 2728 Upon completion the authentication module returns statusInformation 2729 and, if the message digest was correctly calculated, the wholeMsg 2730 with the digest inserted at the proper place. The abstract service 2731 primitive is: 2733 statusInformation = -- success or failure 2734 authenticateOutgoingMsg( 2735 IN authKey -- secret key for authentication 2736 IN wholeMsg -- unauthenticated complete message 2737 OUT authenticatedWholeMsg -- complete authenticated message 2738 ) 2740 The abstract data elements are: 2742 statusInformation 2743 An indication of whether the authentication process was 2744 successful. If not it is an indication of the problem. 2745 authKey 2746 The secret key to be used by the authentication algorithm. 2747 The length of this key MUST be 20 octets. 2748 wholeMsg 2749 The message to be authenticated. 2750 authenticatedWholeMsg 2751 The authenticated message (including inserted digest) on output. 2753 Note, that authParameters field is filled by the authentication 2754 module and this field should be already present in the wholeMsg 2755 before the Message Authentication Code (MAC) is generated. 2757 7.2.4.2. Services for Processing an Incoming SNMP Message 2759 HMAC-SHA-96 authentication protocol assumes that the selection of the 2760 authKey is done by the caller and that the caller passes the secret 2761 key to be used. 2763 Upon completion the authentication module returns statusInformation 2764 and, if the message digest was correctly calculated, the wholeMsg as 2765 it was processed. The abstract service primitive is: 2767 statusInformation = -- success or failure 2768 authenticateIncomingMsg( 2769 IN authKey -- secret key for authentication 2770 IN authParameters -- as received on the wire 2771 IN wholeMsg -- as received on the wire 2772 OUT authenticatedWholeMsg -- complete authenticated message 2773 ) 2775 The abstract data elements are: 2777 statusInformation 2778 An indication of whether the authentication process was 2779 successful. If not it is an indication of the problem. 2780 authKey 2781 The secret key to be used by the authentication algorithm. 2782 The length of this key MUST be 20 octets. 2783 authParameters 2784 The authParameters from the incoming message. 2785 wholeMsg 2786 The message to be authenticated on input and the authenticated 2787 message on output. 2788 authenticatedWholeMsg 2789 The whole message after the authentication check is complete. 2791 7.3. Elements of Procedure 2793 This section describes the procedures for the HMAC-SHA-96 2794 authentication protocol. 2796 7.3.1. Processing an Outgoing Message 2798 This section describes the procedure followed by an SNMP engine 2799 whenever it must authenticate an outgoing message using the 2800 usmHMACSHAAuthProtocol. 2802 1) The msgAuthenticationParameters field is set to the 2803 serialization, according to the rules in [RFC1906], of an OCTET 2804 STRING containing 12 zero octets. 2806 2) From the secret authKey, two keys K1 and K2 are derived: 2808 a) extend the authKey to 64 octets by appending 44 zero 2809 octets; save it as extendedAuthKey 2810 b) obtain IPAD by replicating the octet 0x36 64 times; 2811 c) obtain K1 by XORing extendedAuthKey with IPAD; 2812 d) obtain OPAD by replicating the octet 0x5C 64 times; 2813 e) obtain K2 by XORing extendedAuthKey with OPAD. 2815 3) Prepend K1 to the wholeMsg and calculate the SHA digest over it 2816 according to [SHA-NIST]. 2818 4) Prepend K2 to the result of the step 4 and calculate SHA digest 2819 over it according to [SHA-NIST]. Take the first 12 octets of the 2820 final digest - this is Message Authentication Code (MAC). 2822 5) Replace the msgAuthenticationParameters field with MAC obtained 2823 in the step 5. 2825 6) The authenticatedWholeMsg is then returned to the caller 2826 together with statusInformation indicating success. 2828 7.3.2. Processing an Incoming Message 2830 This section describes the procedure followed by an SNMP engine 2831 whenever it must authenticate an incoming message using the 2832 usmHMACSHAAuthProtocol. 2834 1) If the digest received in the msgAuthenticationParameters field 2835 is not 12 octets long, then an failure and an errorIndication 2836 (authenticationError) is returned to the calling module. 2838 2) The MAC received in the msgAuthenticationParameters field 2839 is saved. 2841 3) The digest in the msgAuthenticationParameters field is 2842 replaced by the 12 zero octets. 2844 4) From the secret authKey, two keys K1 and K2 are derived: 2846 a) extend the authKey to 64 octets by appending 44 zero 2847 octets; save it as extendedAuthKey 2848 b) obtain IPAD by replicating the octet 0x36 64 times; 2849 c) obtain K1 by XORing extendedAuthKey with IPAD; 2850 d) obtain OPAD by replicating the octet 0x5C 64 times; 2851 e) obtain K2 by XORing extendedAuthKey with OPAD. 2853 5) The MAC is calculated over the wholeMsg: 2855 a) prepend K1 to the wholeMsg and calculate the SHA digest 2856 over it; 2857 b) prepend K2 to the result of step 5.a and calculate the 2858 SHA digest over it; 2859 c) first 12 octets of the result of step 5.b is the MAC. 2861 The msgAuthenticationParameters field is replaced with the MAC 2862 value that was saved in step 2. 2864 6) The the newly calculated MAC is compared with the MAC saved in 2865 step 2. If they do not match, then a failure and an 2866 errorIndication (authenticationFailure) are returned to the 2867 calling module. 2869 7) The authenticatedWholeMsg and statusInformation indicating 2870 success are then returned to the caller. 2872 8. CBC-DES Symmetric Encryption Protocol 2874 This section describes the CBC-DES Symmetric Encryption Protocol. 2875 This protocol is the first privacy protocol defined for the User- 2876 based Security Model. 2878 This protocol is identified by usmDESPrivProtocol. 2880 Over time, other privacy protocols may be defined either as a 2881 replacement of this protocol or in addition to this protocol. 2883 8.1. Mechanisms 2885 - In support of data confidentiality, an encryption algorithm is 2886 required. An appropriate portion of the message is encrypted prior 2887 to being transmitted. The User-based Security Model specifies that 2888 the scopedPDU is the portion of the message that needs to be 2889 encrypted. 2891 - A secret value in combination with a timeliness value is used 2892 to create the en/decryption key and the initialization vector. The 2893 secret value is shared by all SNMP engines authorized to originate 2894 messages on behalf of the appropriate user. 2896 8.1.1. Symmetric Encryption Protocol 2898 The Symmetric Encryption Protocol defined in this memo provides 2899 support for data confidentiality. The designated portion of an SNMP 2900 message is encrypted and included as part of the message sent to the 2901 recipient. 2903 Two organizations have published specifications defining the DES: 2904 the National Institute of Standards and Technology (NIST) [DES-NIST] 2905 and the American National Standards Institute [DES-ANSI]. There is a 2906 companion Modes of Operation specification for each definition 2907 ([DESO-NIST] and [DESO-ANSI], respectively). 2909 The NIST has published three additional documents that implementors 2910 may find useful. 2912 - There is a document with guidelines for implementing and using 2913 the DES, including functional specifications for the DES and its 2914 modes of operation [DESG-NIST]. 2916 - There is a specification of a validation test suite for the DES 2917 [DEST-NIST]. The suite is designed to test all aspects of the DES 2918 and is useful for pinpointing specific problems. 2920 - There is a specification of a maintenance test for the DES 2921 [DESM-NIST]. The test utilizes a minimal amount of data and 2922 processing to test all components of the DES. It provides a simple 2923 yes-or-no indication of correct operation and is useful to run as 2924 part of an initialization step, e.g., when a computer re-boots. 2926 8.1.1.1. DES key and Initialization Vector. 2928 The first 8 octets of the 16-octet secret (private privacy key) are 2929 used as a DES key. Since DES uses only 56 bits, the Least 2930 Significant Bit in each octet is disregarded. 2932 The Initialization Vector for encryption is obtained using the 2933 following procedure. 2935 The last 8 octets of the 16-octet secret (private privacy key) are 2936 used as pre-IV. 2938 In order to ensure that the IV for two different packets encrypted by 2939 the same key, are not the same (i.e., the IV does not repeat) we need 2940 to "salt" the pre-IV with something unique per packet. An 8-octet 2941 string is used as the "salt". The concatenation of the generating 2942 SNMP engine's 32-bit snmpEngineBoots and a local 32-bit integer, that 2943 the encryption engine maintains, is input to the "salt". The 32-bit 2944 integer is initialized to an arbitrary value at boot time. 2946 The 32-bit snmpEngineBoots is converted to the first 4 octets (Most 2947 Significant Byte first) of our "salt". The 32-bit integer is then 2948 converted to the last 4 octet (Most Significant Byte first) of our 2949 "salt". The resulting "salt" is then XOR-ed with the pre-IV to obtain 2950 the IV. The 8-octet "salt" is then put into the privParameters field 2951 encoded as an OCTET STRING. The "salt" integer is then modified. We 2952 recommend that it be incremented by one and wrap when it reaches the 2953 maximum value. 2955 How exactly the value of the "salt" (and thus of the IV) varies, is 2956 an implementation issue, as long as the measures are taken to avoid 2957 producing a duplicate IV. 2959 The "salt" must be placed in the privParameters field to enable the 2960 receiving entity to compute the correct IV and to decrypt the 2961 message. 2963 8.1.1.2. Data Encryption. 2965 The data to be encrypted is treated as sequence of octets. Its length 2966 should be an integral multiple of 8 - and if it is not, the data is 2967 padded at the end as necessary. The actual pad value is irrelevant. 2969 The data is encrypted in Cipher Block Chaining mode. 2971 The plaintext is divided into 64-bit blocks. 2973 The plaintext for each block is XOR-ed with the ciphertext of the 2974 previous block, the result is encrypted and the output of the 2975 encryption is the ciphertext for the block. This procedure is 2976 repeated until there are no more plaintext blocks. 2978 For the very first block, the Initialization Vector is used instead 2979 of the ciphertext of the previous block. 2981 8.1.1.3. Data Decryption 2983 Before decryption, the encrypted data length is verified. If the 2984 length of the OCTET STRING to be decrypted is not an integral 2985 multiple of 8 octets, the decryption process is halted and an 2986 appropriate exception noted. When decrypting, the padding is 2987 ignored. 2989 The first ciphertext block is decrypted, the decryption output is 2990 XOR-ed with the Initialization Vector, and the result is the first 2991 plaintext block. 2993 For each subsequent block, the ciphertext block is decrypted, the 2994 decryption output is XOR-ed with the previous ciphertext block and 2995 the result is the plaintext block. 2997 8.2. Elements of the DES Privacy Protocol 2999 This section contains definitions required to realize the privacy 3000 module defined by this memo. 3002 8.2.1. Users 3004 Data en/decryption using this Symmetric Encryption Protocol makes use 3005 of a defined set of userNames. For any user on whose behalf a 3006 message must be en/decrypted at a particular SNMP engine, that SNMP 3007 engine must have knowledge of that user. An SNMP engine that wishes 3008 to communicate with another SNMP engine must also have knowledge of a 3009 user known to that SNMP engine, including knowledge of the applicable 3010 attributes of that user. 3012 A user and its attributes are defined as follows: 3014 3015 An octet string representing the name of the user. 3017 3018 A user's secret key to be used as input for the DES key and IV. 3019 The length of this key MUST be 16 octets. 3021 8.2.2. msgAuthoritativeEngineID 3023 The msgAuthoritativeEngineID value contained in an authenticated 3024 message specifies the authoritative SNMP engine for that particular 3025 message (see the definition of SnmpEngineID in the SNMP Architecture 3026 document [RFC-ARCH]). 3028 The user's (private) privacy key is normally different at each 3029 authoritative SNMP engine and so the snmpEngineID is used to select 3030 the proper key for the en/decryption process. 3032 8.2.3. SNMP Messages Using this Privacy Protocol 3034 Messages using this privacy protocol carry a msgPrivacyParameters 3035 field as part of the msgSecurityParameters. For this protocol, the 3036 msgPrivacyParameters field is the serialized OCTET STRING 3037 representing the "salt" that was used to create the IV. 3039 8.2.4. Services provided by the DES Privacy Module 3041 This section describes the inputs and outputs that the DES Privacy 3042 module expects and produces when the User-based Security module 3043 invokes the DES Privacy module for services. 3045 8.2.4.1. Services for Encrypting Outgoing Data 3047 This DES privacy protocol assumes that the selection of the privKey 3048 is done by the caller and that the caller passes the secret key to be 3049 used. 3051 Upon completion the privacy module returns statusInformation and, if 3052 the encryption process was successful, the encryptedPDU and the 3053 msgPrivacyParameters encoded as an OCTET STRING. The abstract 3054 service primitive is: 3056 statusInformation = -- success of failure 3057 encryptData( 3058 IN encryptKey -- secret key for encryption 3059 IN dataToEncrypt -- data to encrypt (scopedPDU) 3060 OUT encryptedData -- encrypted data (encryptedPDU) 3061 OUT privParameters -- filled in by service provider 3062 ) 3064 The abstract data elements are: 3066 statusInformation 3067 An indication of the success or failure of the encryption 3068 process. In case of failure, it is an indication of the error. 3069 encryptKey 3070 The secret key to be used by the encryption algorithm. 3071 The length of this key MUST be 16 octets. 3072 dataToEncrypt 3073 The data that must be encrypted. 3074 encryptedData 3075 The encrypted data upon successful completion. 3076 privParameters 3077 The privParameters encoded as an OCTET STRING. 3079 8.2.4.2. Services for Decrypting Incoming Data 3081 This DES privacy protocol assumes that the selection of the privKey 3082 is done by the caller and that the caller passes the secret key to be 3083 used. 3085 Upon completion the privacy module returns statusInformation and, if 3086 the decryption process was successful, the scopedPDU in plain text. 3087 The abstract service primitive is: 3089 statusInformation = 3090 decryptData( 3091 IN decryptKey -- secret key for decryption 3092 IN privParameters -- as received on the wire 3093 IN encryptedData -- encrypted data (encryptedPDU) 3094 OUT decryptedData -- decrypted data (scopedPDU) 3095 ) 3097 The abstract data elements are: 3099 statusInformation 3100 An indication whether the data was successfully decrypted 3101 and if not an indication of the error. 3102 decryptKey 3103 The secret key to be used by the decryption algorithm. 3104 The length of this key MUST be 16 octets. 3105 privParameters 3106 The "salt" to be used to calculate the IV. 3107 encryptedData 3108 The data to be decrypted. 3109 decryptedData 3110 The decrypted data. 3112 8.3. Elements of Procedure. 3114 This section describes the procedures for the DES privacy protocol. 3116 8.3.1. Processing an Outgoing Message 3118 This section describes the procedure followed by an SNMP engine 3119 whenever it must encrypt part of an outgoing message using the 3120 usmDESPrivProtocol. 3122 1) The secret cryptKey is used to construct the DES encryption key, 3123 the "salt" and the DES pre-IV (from which the IV is computed as 3124 described in section 8.1.1.1). 3126 2) The privParameters field is set to the serialization according 3127 to the rules in [RFC1906] of an OCTET STRING representing the the 3128 "salt" string. 3130 3) The scopedPDU is encrypted (as described in section 8.1.1.2) 3131 and the encrypted data is serialized according to the rules in 3132 [RFC1906] as an OCTET STRING. 3134 4) The serialized OCTET STRING representing the encrypted 3135 scopedPDU together with the privParameters and statusInformation 3136 indicating success is returned to the calling module. 3138 8.3.2. Processing an Incoming Message 3140 This section describes the procedure followed by an SNMP engine 3141 whenever it must decrypt part of an incoming message using the 3142 usmDESPrivProtocol. 3144 1) If the privParameters field is not an 8-octet OCTET STRING, 3145 then an error indication (decryptionError) is returned to the 3146 calling module. 3148 2) The "salt" is extracted from the privParameters field. 3150 3) The secret cryptKey and the "salt" are then used to construct the 3151 DES decryption key and pre-IV (from which the IV is computed as 3152 described in section 8.1.1.1). 3154 4) The encryptedPDU is then decrypted (as described in 3155 section 8.1.1.3). 3157 5) If the encryptedPDU cannot be decrypted, then an error 3158 indication (decryptionError) is returned to the calling module. 3160 6) The decrypted scopedPDU and statusInformation indicating 3161 success are returned to the calling module. 3163 9. Intellectual Property 3165 The IETF takes no position regarding the validity or scope of any 3166 intellectual property or other rights that might be claimed to 3167 pertain to the implementation or use of the technology described in 3168 this document or the extent to which any license under such rights 3169 might or might not be available; neither does it represent that it 3170 has made any effort to identify any such rights. Information on the 3171 IETF's procedures with respect to rights in standards-track and 3172 standards-related documentation can be found in BCP-11. Copies of 3173 claims of rights made available for publication and any assurances of 3174 licenses to be made available, or the result of an attempt made to 3175 obtain a general license or permission for the use of such 3176 proprietary rights by implementors or users of this specification can 3177 be obtained from the IETF Secretariat. 3179 The IETF invites any interested party to bring to its attention any 3180 copyrights, patents or patent applications, or other proprietary 3181 rights which may cover technology that may be required to practice 3182 this standard. Please address the information to the IETF Executive 3183 Director. 3185 10. Acknowledgements 3187 This document is the result of the efforts of the SNMPv3 Working 3188 Group. Some special thanks are in order to the following SNMPv3 WG 3189 members: 3191 Dave Battle (SNMP Research, Inc.) 3192 Uri Blumenthal (IBM T.J. Watson Research Center) 3193 Jeff Case (SNMP Research, Inc.) 3194 John Curran (BBN) 3195 T. Max Devlin (Eltrax Systems) 3196 John Flick (Hewlett Packard) 3197 David Harrington (Cabletron Systems Inc.) 3198 N.C. Hien (IBM T.J. Watson Research Center) 3199 Dave Levi (SNMP Research, Inc.) 3200 Louis A Mamakos (UUNET Technologies Inc.) 3201 Paul Meyer (Secure Computing Corporation) 3202 Keith McCloghrie (Cisco Systems) 3203 Russ Mundy (Trusted Information Systems, Inc.) 3204 Bob Natale (ACE*COMM Corporation) 3205 Mike O'Dell (UUNET Technologies Inc.) 3206 Dave Perkins (DeskTalk) 3207 Peter Polkinghorne (Brunel University) 3208 Randy Presuhn (BMC Software, Inc.) 3209 David Reid (SNMP Research, Inc.) 3210 Shawn Routhier (Epilogue) 3211 Juergen Schoenwaelder (TU Braunschweig) 3212 Bob Stewart (Cisco Systems) 3213 Bert Wijnen (IBM T.J. Watson Research Center) 3215 The document is based on recommendations of the IETF Security and 3216 Administrative Framework Evolution for SNMP Advisory Team. Members 3217 of that Advisory Team were: 3219 David Harrington (Cabletron Systems Inc.) 3220 Jeff Johnson (Cisco Systems) 3221 David Levi (SNMP Research Inc.) 3222 John Linn (Openvision) 3223 Russ Mundy (Trusted Information Systems) chair 3224 Shawn Routhier (Epilogue) 3225 Glenn Waters (Nortel) 3226 Bert Wijnen (IBM T. J. Watson Research Center) 3228 As recommended by the Advisory Team and the SNMPv3 Working Group 3229 Charter, the design incorporates as much as practical from previous 3230 RFCs and drafts. As a result, special thanks are due to the authors 3231 of previous designs known as SNMPv2u and SNMPv2*: 3233 Jeff Case (SNMP Research, Inc.) 3234 David Harrington (Cabletron Systems Inc.) 3235 David Levi (SNMP Research, Inc.) 3236 Keith McCloghrie (Cisco Systems) 3237 Brian O'Keefe (Hewlett Packard) 3238 Marshall T. Rose (Dover Beach Consulting) 3239 Jon Saperia (BGS Systems Inc.) 3240 Steve Waldbusser (International Network Services) 3241 Glenn W. Waters (Bell-Northern Research Ltd.) 3243 11. Security Considerations 3245 11.1. Recommended Practices 3247 This section describes practices that contribute to the secure, 3248 effective operation of the mechanisms defined in this memo. 3250 - An SNMP engine must discard SNMP Response messages that do not 3251 correspond to any currently outstanding Request message. It is the 3252 responsibility of the Message Processing module to take care of 3253 this. For example it can use a msgID for that. 3255 An SNMP Command Generator Application must discard any Response PDU 3256 for which there is no currently outstanding Request PDU; for 3257 example for SNMPv2 [RFC1905] PDUs, the request-id component in the 3258 PDU can be used to correlate Responses to outstanding Requests. 3260 Although it would be typical for an SNMP engine and an SNMP Command 3261 Generator Application to do this as a matter of course, when using 3262 these security protocols it is significant due to the possibility 3263 of message duplication (malicious or otherwise). 3265 - If an SNMP engine uses a msgID for correlating Response messages 3266 to outstanding Request messages, then it MUST use different msgIDs 3267 in all such Request messages that it sends out during a Time Window 3268 (150 seconds) period. 3270 A Command Generator or Notification Originator Application MUST use 3271 different request-ids in all Request PDUs that it sends out during 3272 a TimeWindow (150 seconds) period. 3274 This must be done to protect against the possibility of message 3275 duplication (malicious or otherwise). 3277 For example, starting operations with a msgID and/or request-id 3278 value of zero is not a good idea. Initializing them with an 3279 unpredictable number (so they do not start out the same after each 3280 reboot) and then incrementing by one would be acceptable. 3282 - An SNMP engine should perform time synchronization using 3283 authenticated messages in order to protect against the possibility 3284 of message duplication (malicious or otherwise). 3286 - When sending state altering messages to a managed authoritative 3287 SNMP engine, a Command Generator Application should delay sending 3288 successive messages to that managed SNMP engine until a positive 3289 acknowledgement is received for the previous message or until the 3290 previous message expires. 3292 No message ordering is imposed by the SNMP. Messages may be 3293 received in any order relative to their time of generation and each 3294 will be processed in the ordered received. Note that when an 3295 authenticated message is sent to a managed SNMP engine, it will be 3296 valid for a period of time of approximately 150 seconds under 3297 normal circumstances, and is subject to replay during this period. 3298 Indeed, an SNMP engine and SNMP Command Generator Applications must 3299 cope with the loss and re-ordering of messages resulting from 3300 anomalies in the network as a matter of course. 3302 However, a managed object, snmpSetSerialNo [RFC1907], is 3303 specifically defined for use with SNMP Set operations in order to 3304 provide a mechanism to ensure that the processing of SNMP messages 3305 occurs in a specific order. 3307 - The frequency with which the secrets of a User-based Security 3308 Model user should be changed is indirectly related to the frequency 3309 of their use. 3311 Protecting the secrets from disclosure is critical to the overall 3312 security of the protocols. Frequent use of a secret provides a 3313 continued source of data that may be useful to a cryptanalyst in 3314 exploiting known or perceived weaknesses in an algorithm. Frequent 3315 changes to the secret avoid this vulnerability. 3317 Changing a secret after each use is generally regarded as the most 3318 secure practice, but a significant amount of overhead may be 3319 associated with that approach. 3321 Note, too, in a local environment the threat of disclosure may be 3322 less significant, and as such the changing of secrets may be less 3323 frequent. However, when public data networks are used as the 3324 communication paths, more caution is prudent. 3326 11.2 Defining Users 3328 The mechanisms defined in this document employ the notion of users on 3329 whose behalf messages are sent. How "users" are defined is subject 3330 to the security policy of the network administration. For example, 3331 users could be individuals (e.g., "joe" or "jane"), or a particular 3332 role (e.g., "operator" or "administrator"), or a combination (e.g., 3333 "joe-operator", "jane-operator" or "joe-admin"). Furthermore, a user 3334 may be a logical entity, such as an SNMP Application or a set of SNMP 3335 Applications, acting on behalf of an individual or role, or set of 3336 individuals, or set of roles, including combinations. 3338 Appendix A describes an algorithm for mapping a user "password" to a 3339 16/20 octet value for use as either a user's authentication key or 3340 privacy key (or both). Note however, that using the same password 3341 (and therefore the same key) for both authentication and privacy is 3342 very poor security practice and should be strongly discouraged. 3343 Passwords are often generated, remembered, and input by a human. 3344 Human-generated passwords may be less than the 16/20 octets required 3345 by the authentication and privacy protocols, and brute force attacks 3346 can be quite easy on a relatively short ASCII character set. 3347 Therefore, the algorithm is Appendix A performs a transformation on 3348 the password. If the Appendix A algorithm is used, SNMP 3349 implementations (and SNMP configuration applications) must ensure 3350 that passwords are at least 8 characters in length. Please note that 3351 longer passwords with repetitive strings may result in exactly the 3352 same key. For example, a password 'bertbert' will result in exactly 3353 the same key as password 'bertbertbert'. 3355 Because the Appendix A algorithm uses such passwords (nearly) 3356 directly, it is very important that they not be easily guessed. It 3357 is suggested that they be composed of mixed-case alphanumeric and 3358 punctuation characters that don't form words or phrases that might be 3359 found in a dictionary. Longer passwords improve the security of the 3360 system. Users may wish to input multiword phrases to make their 3361 password string longer while ensuring that it is memorable. 3363 Since it is infeasible for human users to maintain different 3364 passwords for every SNMP engine, but security requirements strongly 3365 discourage having the same key for more than one SNMP engine, the 3366 User-based Security Model employs a compromise proposed in 3367 [Localized-key]. It derives the user keys for the SNMP engines from 3368 user's password in such a way that it is practically impossible to 3369 either determine the user's password, or user's key for another SNMP 3370 engine from any combination of user's keys on SNMP engines. 3372 Note however, that if user's password is disclosed, then key 3373 localization will not help and network security may be compromised in 3374 this case. Therefore a user's password or non-localized key MUST NOT 3375 be stored on a managed device/node. Instead the localized key SHALL 3376 be stored (if at all) , so that, in case a device does get 3377 compromised, no other managed or managing devices get compromised. 3379 11.3. Conformance 3381 To be termed a "Secure SNMP implementation" based on the User-based 3382 Security Model, an SNMP implementation MUST: 3384 - implement one or more Authentication Protocol(s). The HMAC-MD5-96 3385 and HMAC-SHA-96 Authentication Protocols defined in this memo are 3386 examples of such protocols. 3388 - to the maximum extent possible, prohibit access to the secret(s) 3389 of each user about which it maintains information in a Local 3390 Configuration Datastore (LCD) under all circumstances except as 3391 required to generate and/or validate SNMP messages with respect to 3392 that user. 3394 - implement the key-localization mechanism. 3396 - implement the SNMP-USER-BASED-SM-MIB. 3398 In addition, an authoritative SNMP engine SHOULD provide initial 3399 configuration in accordance with Appendix A.1. 3401 Implementation of a Privacy Protocol (the DES Symmetric Encryption 3402 Protocol defined in this memo is one such protocol) is optional. 3404 12. References 3406 [RFC1321] Rivest, R., "Message Digest Algorithm MD5", 3407 RFC 1321, April 1992. 3409 [RFC1903] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3410 "Textual Conventions for Version 2 of the Simple Network 3411 Management Protocol (SNMPv2)", RFC 1903, January 1996. 3413 [RFC1905] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3414 "Protocol Operations for Version 2 of the Simple Network 3415 Management Protocol (SNMPv2)", RFC 1905, January 1996. 3417 [RFC1906] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3418 "Transport Mappings for Version 2 of the Simple Network Management 3419 Protocol (SNMPv2)", RFC 1906, January 1996. 3421 [RFC1907] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3422 "Management Information Base for Version 2 of the Simple Network 3423 Management Protocol (SNMPv2)", RFC 1907 January 1996. 3425 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: 3426 Keyed-Hashing for Message Authentication", RFC 2104, February 3427 1997. 3429 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3430 Requirement Levels", BCP 14, RFC 2119, March 1997. 3432 [RFC-ARCH] Harrington, D., Presuhn, R., and B. Wijnen, "An 3433 Architecture for describing SNMP Management Frameworks", draft- 3434 ietf-snmpv3-arch-01.txt, October 1998. 3436 [RFC-MPD] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, 3437 "Message Processing and Dispatching for the Simple Network 3438 Management Protocol (SNMP)", draft-ietf-snmpv3-mpc-01.txt, October 3439 1998. 3441 [Localized-Key] U. Blumenthal, N. C. Hien, B. Wijnen 3442 "Key Derivation for Network Management Applications" IEEE Network 3443 Magazine, April/May issue, 1997. 3445 [DES-NIST] Data Encryption Standard, National Institute of Standards 3446 and Technology. Federal Information Processing Standard (FIPS) 3447 Publication 46-1. Supersedes FIPS Publication 46, (January, 1977; 3448 reaffirmed January, 1988). 3450 [DES-ANSI] Data Encryption Algorithm, American National Standards 3451 Institute. ANSI X3.92-1981, (December, 1980). 3453 [DESO-NIST] DES Modes of Operation, National Institute of Standards 3454 and Technology. Federal Information Processing Standard (FIPS) 3455 Publication 81, (December, 1980). 3457 [DESO-ANSI] Data Encryption Algorithm - Modes of Operation, American 3458 National Standards Institute. ANSI X3.106-1983, (May 1983). 3460 [DESG-NIST] Guidelines for Implementing and Using the NBS Data 3461 Encryption Standard, National Institute of Standards and 3462 Technology. Federal Information Processing Standard (FIPS) 3463 Publication 74, (April, 1981). 3465 [DEST-NIST] Validating the Correctness of Hardware Implementations of 3466 the NBS Data Encryption Standard, National Institute of Standards 3467 and Technology. Special Publication 500-20. 3469 [DESM-NIST] Maintenance Testing for the Data Encryption Standard, 3470 National Institute of Standards and Technology. Special 3471 Publication 500-61, (August, 1980). 3473 [SHA-NIST] Secure Hash Algorithm. NIST FIPS 180-1, (April, 1995) 3474 http://csrc.nist.gov/fips/fip180-1.txt (ASCII) 3475 http://csrc.nist.gov/fips/fip180-1.ps (Postscript) 3477 13. Editors' Addresses 3479 Uri Blumenthal 3480 IBM T. J. Watson Research 3481 30 Saw Mill River Pkwy, 3482 Hawthorne, NY 10532 3483 USA 3485 EMail: uri@watson.ibm.com 3486 Phone: +1-914-784-7064 3488 Bert Wijnen 3489 IBM T. J. Watson Research 3490 Schagen 33 3491 3461 GL Linschoten 3492 Netherlands 3494 EMail: wijnen@vnet.ibm.com 3495 Phone: +31-348-432-794 3497 APPENDIX A - Installation 3499 A.1. SNMP engine Installation Parameters 3501 During installation, an authoritative SNMP engine SHOULD (in the 3502 meaning as defined in [RFC2119]) be configured with several initial 3503 parameters. These include: 3505 1) A security posture 3507 The choice of security posture determines if initial configuration 3508 is implemented and if so how. One of three possible choices is 3509 selected: 3511 minimum-secure, 3512 semi-secure, 3513 very-secure (i.e., no-initial-configuration) 3515 In the case of a very-secure posture, there is no initial 3516 configuration, and so the following steps are irrelevant. 3518 2) one or more secrets 3520 These are the authentication/privacy secrets for the first user to be 3521 configured. 3523 One way to accomplish this is to have the installer enter a 3524 "password" for each required secret. The password is then 3525 algorithmically converted into the required secret by: 3527 - forming a string of length 1,048,576 octets by repeating the 3528 value of the password as often as necessary, truncating 3529 accordingly, and using the resulting string as the input to the MD5 3530 algorithm [MD5]. The resulting digest, termed "digest1", is used 3531 in the next step. 3533 - a second string is formed by concatenating digest1, the SNMP 3534 engine's snmpEngineID value, and digest1. This string is used as 3535 input to the MD5 algorithm [MD5]. 3537 The resulting digest is the required secret (see Appendix A.2). 3539 With these configured parameters, the SNMP engine instantiates the 3540 following usmUserEntry in the usmUserTable: 3542 no privacy support privacy support 3543 ------------------ --------------- 3544 usmUserEngineID localEngineID localEngineID 3545 usmUserName "initial" "initial" 3546 usmUserSecurityName "initial" "initial" 3547 usmUserCloneFrom ZeroDotZero ZeroDotZero 3548 usmUserAuthProtocol usmHMACMD5AuthProtocol usmHMACMD5AuthProtocol 3549 usmUserAuthKeyChange "" "" 3550 usmUserOwnAuthKeyChange "" "" 3551 usmUserPrivProtocol none usmDESPrivProtocol 3552 usmUserPrivKeyChange "" "" 3553 usmUserOwnPrivKeyChange "" "" 3554 usmUserPublic "" "" 3555 usmUserStorageType anyValidStorageType anyValidStorageType 3556 usmUserStatus active active 3558 It is recommended to also instantiate a set of template 3559 usmUserEntries which can be used as clone-from users for newly 3560 created usmUserEntries. These are the two suggested entries: 3561 no privacy support privacy support 3562 ------------------ --------------- 3563 usmUserEngineID localEngineID localEngineID 3564 usmUserName "templateMD5" "templateMD5" 3565 usmUserSecurityName "templateMD5" "templateMD5" 3566 usmUserCloneFrom ZeroDotZero ZeroDotZero 3567 usmUserAuthProtocol usmHMACMD5AuthProtocol usmHMACMD5AuthProtocol 3568 usmUserAuthKeyChange "" "" 3569 usmUserOwnAuthKeyChange "" "" 3570 usmUserPrivProtocol none usmDESPrivProtocol 3571 usmUserPrivKeyChange "" "" 3572 usmUserOwnPrivKeyChange "" "" 3573 usmUserPublic "" "" 3574 usmUserStorageType permanent permanent 3575 usmUserStatus active active 3576 no privacy support privacy support 3577 ------------------ --------------- 3578 usmUserEngineID localEngineID localEngineID 3579 usmUserName "templateSHA" "templateSHA" 3580 usmUserSecurityName "templateSHA" "templateSHA" 3581 usmUserCloneFrom ZeroDotZero ZeroDotZero 3582 usmUserAuthProtocol usmHMACSHAAuthProtocol usmHMACSHAAuthProtocol 3583 usmUserAuthKeyChange "" "" 3584 usmUserOwnAuthKeyChange "" "" 3585 usmUserPrivProtocol none usmDESPrivProtocol 3586 usmUserPrivKeyChange "" "" 3587 usmUserOwnPrivKeyChange "" "" 3588 usmUserPublic "" "" 3589 usmUserStorageType permanent permanent 3590 usmUserStatus active active 3592 A.2. Password to Key Algorithm 3594 A sample code fragment (section A.2.1) demonstrates the password to 3595 key algorithm which can be used when mapping a password to an 3596 authentication or privacy key using MD5. The reference source code 3597 of MD5 is available in [RFC1321]. 3599 Another sample code fragment (section A.2.2) demonstrates the 3600 password to key algorithm which can be used when mapping a password 3601 to an authentication or privacy key using SHA (documented in 3602 SHA-NIST). 3604 An example of the results of a correct implementation is provided 3605 (section A.3) which an implementor can use to check if his 3606 implementation produces the same result. 3608 A.2.1. Password to Key Sample Code for MD5 3610 void password_to_key_md5( 3611 u_char *password, /* IN */ 3612 u_int passwordlen, /* IN */ 3613 u_char *engineID, /* IN - pointer to snmpEngineID */ 3614 u_int engineLength,/* IN - length of snmpEngineID */ 3615 u_char *key) /* OUT - pointer to caller 16-octet buffer */ 3616 { 3617 MD5_CTX MD; 3618 u_char *cp, password_buf[64]; 3619 u_long password_index = 0; 3620 u_long count = 0, i; 3622 MD5Init (&MD); /* initialize MD5 */ 3624 /**********************************************/ 3625 /* Use while loop until we've done 1 Megabyte */ 3626 /**********************************************/ 3627 while (count < 1048576) { 3628 cp = password_buf; 3629 for (i = 0; i < 64; i++) { 3630 /*************************************************/ 3631 /* Take the next octet of the password, wrapping */ 3632 /* to the beginning of the password as necessary.*/ 3633 /*************************************************/ 3634 *cp++ = password[password_index++ % passwordlen]; 3635 } 3636 MD5Update (&MD, password_buf, 64); 3637 count += 64; 3638 } 3639 MD5Final (key, &MD); /* tell MD5 we're done */ 3641 /*****************************************************/ 3642 /* Now localize the key with the engineID and pass */ 3643 /* through MD5 to produce final key */ 3644 /* May want to ensure that engineLength <= 32, */ 3645 /* otherwise need to use a buffer larger than 64 */ 3646 /*****************************************************/ 3647 memcpy(password_buf, key, 16); 3648 memcpy(password_buf+16, engineID, engineLength); 3649 memcpy(password_buf+16+engineLength, key, 16); 3651 MD5Init(&MD); 3652 MD5Update(&MD, password_buf, 32+engineLength); 3653 MD5Final(key, &MD); 3654 return; 3655 } 3656 A.2.2. Password to Key Sample Code for SHA 3658 void password_to_key_sha( 3659 u_char *password, /* IN */ 3660 u_int passwordlen, /* IN */ 3661 u_char *engineID, /* IN - pointer to snmpEngineID */ 3662 u_int engineLength,/* IN - length of snmpEngineID */ 3663 u_char *key) /* OUT - pointer to caller 20-octet buffer */ 3664 { 3665 SHA_CTX SH; 3666 u_char *cp, password_buf[72]; 3667 u_long password_index = 0; 3668 u_long count = 0, i; 3670 SHAInit (&SH); /* initialize SHA */ 3672 /**********************************************/ 3673 /* Use while loop until we've done 1 Megabyte */ 3674 /**********************************************/ 3675 while (count < 1048576) { 3676 cp = password_buf; 3677 for (i = 0; i < 64; i++) { 3678 /*************************************************/ 3679 /* Take the next octet of the password, wrapping */ 3680 /* to the beginning of the password as necessary.*/ 3681 /*************************************************/ 3682 *cp++ = password[password_index++ % passwordlen]; 3683 } 3684 SHAUpdate (&SH, password_buf, 64); 3685 count += 64; 3686 } 3687 SHAFinal (key, &SH); /* tell SHA we're done */ 3689 /*****************************************************/ 3690 /* Now localize the key with the engineID and pass */ 3691 /* through SHA to produce final key */ 3692 /* May want to ensure that engineLength <= 32, */ 3693 /* otherwise need to use a buffer larger than 72 */ 3694 /*****************************************************/ 3695 memcpy(password_buf, key, 20); 3696 memcpy(password_buf+20, engineID, engineLength); 3697 memcpy(password_buf+20+engineLength, key, 20); 3699 SHAInit(&SH); 3700 SHAUpdate(&SH, password_buf, 40+engineLength); 3701 SHAFinal(key, &SH); 3702 return; 3703 } 3704 A.3. Password to Key Sample Results 3706 A.3.1. Password to Key Sample Results using MD5 3708 The following shows a sample output of the password to key algorithm 3709 for a 16-octet key using MD5. 3711 With a password of "maplesyrup" the output of the password to key 3712 algorithm before the key is localized with the SNMP engine's 3713 snmpEngineID is: 3715 '9f af 32 83 88 4e 92 83 4e bc 98 47 d8 ed d9 63'H 3717 After the intermediate key (shown above) is localized with the 3718 snmpEngineID value of: 3720 '00 00 00 00 00 00 00 00 00 00 00 02'H 3722 the final output of the password to key algorithm is: 3724 '52 6f 5e ed 9f cc e2 6f 89 64 c2 93 07 87 d8 2b'H 3726 A.3.2. Password to Key Sample Results using SHA 3728 The following shows a sample output of the password to key 3729 algorithm for a 20-octet key using SHA. 3731 With a password of "maplesyrup" the output of the password to key 3732 algorithm before the key is localized with the SNMP engine's 3733 snmpEngineID is: 3735 '9f b5 cc 03 81 49 7b 37 93 52 89 39 ff 78 8d 5d 79 14 52 11'H 3737 After the intermediate key (shown above) is localized with the 3738 snmpEngineID value of: 3740 '00 00 00 00 00 00 00 00 00 00 00 02'H 3742 the final output of the password to key algorithm is: 3744 '66 95 fe bc 92 88 e3 62 82 23 5f c7 15 1f 12 84 97 b3 8f 3f'H 3746 A.4. Sample encoding of msgSecurityParameters 3748 The msgSecurityParameters in an SNMP message are represented as an 3749 OCTET STRING. This OCTET STRING should be considered opaque outside a 3750 specific Security Model. 3752 The User-based Security Model defines the contents of the OCTET 3753 STRING as a SEQUENCE (see section 2.4). 3755 Given these two properties, the following is an example of the 3756 msgSecurityParameters for the User-based Security Model, encoded as 3757 an OCTET STRING: 3759 04 3760 30 3761 04 3762 02 3763 02 3764 04 3765 04 0c 3766 04 08 3768 Here is the example once more, but now with real values (except for 3769 the digest in msgAuthenticationParameters and the salt in 3770 msgPrivacyParameters, which depend on variable data that we have not 3771 defined here): 3773 Hex Data Description 3774 -------------- ----------------------------------------------- 3775 04 39 OCTET STRING, length 57 3776 30 37 SEQUENCE, length 55 3777 04 0c 80000002 msgAuthoritativeEngineID: IBM 3778 01 IPv4 address 3779 09840301 9.132.3.1 3780 02 01 01 msgAuthoritativeEngineBoots: 1 3781 02 02 0101 msgAuthoritativeEngineTime: 257 3782 04 04 62657274 msgUserName: bert 3783 04 0c 01234567 msgAuthenticationParameters: sample value 3784 89abcdef 3785 fedcba98 3786 04 08 01234567 msgPrivacyParameters: sample value 3787 89abcdef 3789 A.5. Sample keyChange Results 3791 A.5.1. Sample keyChange Results using MD5 3793 Let us assume that a user has a current password of "maplesyrup" as 3794 in section A.3.1. and let us also assume the snmpEngineID of 12 3795 octets: 3797 '00 00 00 00 00 00 00 00 00 00 00 02'H 3799 If we now want to change the password to "newsyrup", then we first 3800 calculate the key for the new password. It is as follows: 3802 '01 ad d2 73 10 7c 4e 59 6b 4b 00 f8 2b 1d 42 a7'H 3804 If we localize it for the above snmpEngineID, then the localized new 3805 key becomes: 3807 '87 02 1d 7b d9 d1 01 ba 05 ea 6e 3b f9 d9 bd 4a'H 3809 If we then use a (not so good, but easy to test) random value of: 3811 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'H 3813 Then the value we must send for keyChange is: 3815 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3816 88 05 61 51 41 67 6c c9 19 61 74 e7 42 a3 25 51'H 3818 If this were for the privacy key, then it would be exactly the same. 3820 A.5.2. Sample keyChange Results using SHA 3822 Let us assume that a user has a current password of "maplesyrup" as 3823 in section A.3.2. and let us also assume the snmpEngineID of 12 3824 octets: 3826 '00 00 00 00 00 00 00 00 00 00 00 02'H 3828 If we now want to change the password to "newsyrup", then we first 3829 calculate the key for the new password. It is as follows: 3831 '3a 51 a6 d7 36 aa 34 7b 83 dc 4a 87 e3 e5 5e e4 d6 98 ac 71'H 3833 If we localize it for the above snmpEngineID, then the localized new 3834 key becomes: 3836 '78 e2 dc ce 79 d5 94 03 b5 8c 1b ba a5 bf f4 63 91 f1 cd 25'H 3838 If we then use a (not so good, but easy to test) random value of: 3840 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'H 3842 Then the value we must send for keyChange is: 3844 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3845 9c 10 17 f4 fd 48 3d 2d e8 d5 fa db f8 43 92 cb 06 45 70 51' 3847 For the key used for privacy, the new nonlocalized key would be: 3849 '3a 51 a6 d7 36 aa 34 7b 83 dc 4a 87 e3 e5 5e e4 d6 98 ac 71'H 3851 For the key used for privacy, the new localized key would be (note 3852 that they localized key gets truncated to 16 octets for DES): 3854 '78 e2 dc ce 79 d5 94 03 b5 8c 1b ba a5 bf f4 63'H 3856 If we then use a (not so good, but easy to test) random value of: 3858 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'H 3860 Then the value we must send for keyChange for the privacy key is: 3862 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3863 '7e f8 d8 a4 c9 cd b2 6b 47 59 1c d8 52 ff 88 b5'H 3865 B. Change Log 3867 Changes made since RFC2275: 3868 - Fixed msgUserName to allow size of zero and explain that this can 3869 be used for snmpEngineID discovery. 3870 - Clarified section 3.1 steps 4.b, 5, 6 and 8.b. 3871 - Clarified section 3.2 paragraph 2. 3872 - Clarified section 3.2 step 7.a last paragraph, step 7.b.1 second 3873 bullet and step 7.b.2 third bullet. 3874 - Clarified section 4 to indicate that discovery can use a userName 3875 of zero length in unAuthenticated messages, whereas a valid 3876 userName must be used in authenticated messages. 3877 - Added REVISION clauses to MODULE-IDENTITY 3878 - Clarified KeyChange TC by adding a note that localized keys must be 3879 used when calculating a KeyChange value. 3880 - Added clarifying text to the DESCRIPTION clause of usmUserTable. 3881 Added text describes a recommended procedure for adding a new user. 3882 - Clarified the use of usmUserCloneFrom object. 3883 - Clarified how and under which conditions the usmUserAuthProtocol 3884 and usmUserPrivProtocol can be initialized and/or changed. 3885 - Added comment on typical sizes for usmUserAuthKeyChange and 3886 usmUserPrivKeyChange. Also for usmUserOwnAuthKeyChange and 3887 usmUserOwnPrivKeyChange. 3888 - Added clarifications to the DESCRIPTION clauses of 3889 usmUserAuthKeyChange, usmUserOwnAuthKeychange, usmUserPrivKeyChange 3890 and usmUserOwnPrivKeychange. - Added clarification to DESCRIPTION 3891 clause of usmUserStorageType. - Added clarification to DESCRIPTION 3892 clause of usmUserStatus. 3893 - Clarified IV generation procedure in section 8.1.1.1 and in 3894 addition clarified section 8.3.1 step 1 and section 8.3.2. step 3. 3895 - Clarified section 11.2 and added a warning that different size 3896 passwords with repetitive strings may result in same key. 3897 - Added template users to appendix A for cloning process. 3898 - Fixed C-code examples in Appendix A. 3899 - Fixed examples of generated keys in Appendix A. 3900 - Added examples of KeyChange values to Appendix A. 3901 - Corrected various spelling errors and typos. 3902 - Fixed references to new/revised documents 3903 - Removed a stale/unused reference 3905 C. Full Copyright Statement 3906 Copyright (C) The Internet Society (1998). All Rights Reserved. 3908 This document and translations of it may be copied and furnished to 3909 others, and derivative works that comment on or otherwise explain it 3910 or assist in its implementation may be prepared, copied, published 3911 and distributed, in whole or in part, without restriction of any 3912 kind, provided that the above copyright notice and this paragraph are 3913 included on all such copies and derivative works. However, this 3914 document itself may not be modified in any way, such as by removing 3915 the copyright notice or references to the Internet Society or other 3916 Internet organizations, except as needed for the purpose of 3917 developing Internet standards in which case the procedures for 3918 copyrights defined in the Internet Standards process must be 3919 followed, or as required to translate it into languages other than 3920 English. 3922 The limited permissions granted above are perpetual and will not be 3923 revoked by the Internet Society or its successors or assigns. 3925 This document and the information contained herein is provided on an 3926 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 3927 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 3928 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 3929 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 3930 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.