idnits 2.17.1 draft-ietf-snmpv3-usm-v2-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 86 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 87 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([RFC-ARCH]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 3453 has weird spacing: '...Hashing for M...' == Line 3586 has weird spacing: '...ageType any...' == Line 3644 has weird spacing: '... u_int pass...' == Line 3646 has weird spacing: '... u_int engi...' == Line 3692 has weird spacing: '... u_int pass...' == (1 more instance...) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (10 February 1999) is 9200 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC-USM' is mentioned on line 161, but not defined == Missing Reference: 'MD5' is mentioned on line 3566, but not defined == Missing Reference: 'Localized-key' is mentioned on line 3376, but not defined == Missing Reference: 'RFC-VACM' is mentioned on line 3429, but not defined -- Looks like a reference, but probably isn't: '64' on line 3650 -- Looks like a reference, but probably isn't: '72' on line 3698 == Unused Reference: 'SNMP-VACM' is defined on line 3468, but no explicit reference was found in the text == Unused Reference: 'Localized-Key' is defined on line 3472, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 1321 ** Obsolete normative reference: RFC 1903 (Obsoleted by RFC 2579) ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416) ** Obsolete normative reference: RFC 1906 (Obsoleted by RFC 3417) ** Obsolete normative reference: RFC 1907 (Obsoleted by RFC 3418) ** Downref: Normative reference to an Informational RFC: RFC 2104 -- Possible downref: Non-RFC (?) normative reference: ref. 'SNMP-VACM' -- Possible downref: Non-RFC (?) normative reference: ref. 'Localized-Key' -- Possible downref: Non-RFC (?) normative reference: ref. 'DES-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DES-ANSI' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESO-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESO-ANSI' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESG-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DEST-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESM-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'SHA-NIST' Summary: 12 errors (**), 0 flaws (~~), 17 warnings (==), 15 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 SNMPv3 Working Group U. Blumenthal 2 Internet-Draft IBM T. J. Watson Research 3 Will Obsolete: RFC2274 B. Wijnen 4 IBM T. J. Watson Research 5 10 February 1999 7 User-based Security Model (USM) for version 3 of the 8 Simple Network Management Protocol (SNMPv3) 10 12 Status of this Memo 14 This document is an Internet-Draft and is in full conformance with 15 all provisions of Section 10 of RFC2026. Internet-Drafts are working 16 documents of the Internet Engineering Task Force (IETF), its areas, 17 and its working groups. Note that other groups may also distribute 18 working documents as Internet-Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as "work in progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html 31 Copyright Notice 33 Copyright (C) The Internet Society (1999). All Rights Reserved. 35 Abstract 37 This document describes the User-based Security Model (USM) for SNMP 38 version 3 for use in the SNMP architecture [RFC-ARCH]. It defines 39 the Elements of Procedure for providing SNMP message level security. 40 This document also includes a MIB for remotely monitoring/managing 41 the configuration parameters for this Security Model. 43 Table of Contents 45 1. Introduction 4 46 1.1. Threats 4 47 1.2. Goals and Constraints 6 48 1.3. Security Services 6 49 1.4. Module Organization 7 50 1.4.1. Timeliness Module 8 51 1.4.2. Authentication Protocol 8 52 1.4.3. Privacy Protocol 8 53 1.5. Protection against Message Replay, Delay and Redirection 9 54 1.5.1. Authoritative SNMP engine 9 55 1.5.2. Mechanisms 9 56 1.6. Abstract Service Interfaces. 11 57 1.6.1. User-based Security Model Primitives for Authentication 11 58 1.6.2. User-based Security Model Primitives for Privacy 11 59 2. Elements of the Model 12 60 2.1. User-based Security Model Users 12 61 2.2. Replay Protection 13 62 2.2.1. msgAuthoritativeEngineID 14 63 2.2.2. msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 14 64 2.2.3. Time Window 15 65 2.3. Time Synchronization 15 66 2.4. SNMP Messages Using this Security Model 16 67 2.5. Services provided by the User-based Security Model 17 68 2.5.1. Services for Generating an Outgoing SNMP Message 17 69 2.5.2. Services for Processing an Incoming SNMP Message 19 70 2.6. Key Localization Algorithm. 21 71 3. Elements of Procedure 22 72 3.1. Generating an Outgoing SNMP Message 22 73 3.2. Processing an Incoming SNMP Message 25 74 4. Discovery 30 75 5. Definitions 31 76 6. HMAC-MD5-96 Authentication Protocol 50 77 6.1. Mechanisms 50 78 6.1.1. Digest Authentication Mechanism 50 79 6.2. Elements of the Digest Authentication Protocol 51 80 6.2.1. Users 51 81 6.2.2. msgAuthoritativeEngineID 51 82 6.2.3. SNMP Messages Using this Authentication Protocol 51 83 6.2.4. Services provided by the HMAC-MD5-96 Authentication Module 52 84 6.2.4.1. Services for Generating an Outgoing SNMP Message 52 85 6.2.4.2. Services for Processing an Incoming SNMP Message 53 86 6.3. Elements of Procedure 53 87 6.3.1. Processing an Outgoing Message 53 88 6.3.2. Processing an Incoming Message 54 89 7. HMAC-SHA-96 Authentication Protocol 56 90 7.1. Mechanisms 56 91 7.1.1. Digest Authentication Mechanism 56 92 7.2. Elements of the HMAC-SHA-96 Authentication Protocol 57 93 7.2.1. Users 57 94 7.2.2. msgAuthoritativeEngineID 57 95 7.2.3. SNMP Messages Using this Authentication Protocol 57 96 7.2.4. Services provided by the HMAC-SHA-96 Authentication Module 58 97 7.2.4.1. Services for Generating an Outgoing SNMP Message 58 98 7.2.4.2. Services for Processing an Incoming SNMP Message 59 99 7.3. Elements of Procedure 59 100 7.3.1. Processing an Outgoing Message 59 101 7.3.2. Processing an Incoming Message 60 102 8. CBC-DES Symmetric Encryption Protocol 62 103 8.1. Mechanisms 62 104 8.1.1. Symmetric Encryption Protocol 62 105 8.1.1.1. DES key and Initialization Vector. 63 106 8.1.1.2. Data Encryption. 63 107 8.1.1.3. Data Decryption 64 108 8.2. Elements of the DES Privacy Protocol 64 109 8.2.1. Users 64 110 8.2.2. msgAuthoritativeEngineID 65 111 8.2.3. SNMP Messages Using this Privacy Protocol 65 112 8.2.4. Services provided by the DES Privacy Module 65 113 8.2.4.1. Services for Encrypting Outgoing Data 65 114 8.2.4.2. Services for Decrypting Incoming Data 66 115 8.3. Elements of Procedure. 67 116 8.3.1. Processing an Outgoing Message 68 117 8.3.2. Processing an Incoming Message 68 118 9. Intellectual Property 68 119 10. Acknowledgements 68 120 11. Security Considerations 70 121 11.1. Recommended Practices 70 122 11.2. Defining Users 71 123 11.3. Conformance 72 124 11.4. Use of Reports 73 125 11.5. Access to the SNMP-USER-BASED-SM-MIB 73 126 12. References 74 127 13. Editors' Addresses 76 128 A.1. SNMP engine Installation Parameters 77 129 A.2. Password to Key Algorithm 79 130 A.2.1. Password to Key Sample Code for MD5 80 131 A.2.2. Password to Key Sample Code for SHA 81 132 A.3. Password to Key Sample Results 82 133 A.3.1. Password to Key Sample Results using MD5 82 134 A.3.2. Password to Key Sample Results using SHA 82 135 A.4. Sample encoding of msgSecurityParameters 83 136 A.5. Sample keyChange Results 84 137 A.5.1. Sample keyChange Results using MD5 84 138 A.5.2. Sample keyChange Results using SHA 85 139 B. Change Log 86 140 C. Full Copyright Statement 87 142 1. Introduction 144 The Architecture for describing Internet Management Frameworks [RFC- 145 ARCH] describes that an SNMP engine is composed of: 147 1) a Dispatcher 148 2) a Message Processing Subsystem, 149 3) a Security Subsystem, and 150 4) an Access Control Subsystem. 152 Applications make use of the services of these subsystems. 154 It is important to understand the SNMP architecture and the 155 terminology of the architecture to understand where the Security 156 Model described in this document fits into the architecture and 157 interacts with other subsystems within the architecture. The reader 158 is expected to have read and understood the description of the SNMP 159 architecture, as defined in [RFC-ARCH]. 161 This memo [RFC-USM] describes the User-based Security Model as it is 162 used within the SNMP Architecture. The main idea is that we use the 163 traditional concept of a user (identified by a userName) with which 164 to associate security information. 166 This memo describes the use of HMAC-MD5-96 and HMAC-SHA-96 as the 167 authentication protocols and the use of CBC-DES as the privacy 168 protocol. The User-based Security Model however allows for other such 169 protocols to be used instead of or concurrent with these protocols. 170 Therefore, the description of HMAC-MD5-96, HMAC-SHA-96 and CBC-DES 171 are in separate sections to reflect their self-contained nature and 172 to indicate that they can be replaced or supplemented in the future. 174 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 175 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 176 document are to be interpreted as described in [RFC2119]. 178 1.1. Threats 180 Several of the classical threats to network protocols are applicable 181 to the network management problem and therefore would be applicable 182 to any SNMP Security Model. Other threats are not applicable to the 183 network management problem. This section discusses principal 184 threats, secondary threats, and threats which are of lesser 185 importance. 187 The principal threats against which this SNMP Security Model should 188 provide protection are: 190 - Modification of Information 191 The modification threat is the danger that some unauthorized entity 192 may alter in-transit SNMP messages generated on behalf of an 193 authorized principal in such a way as to effect unauthorized 194 management operations, including falsifying the value of an object. 196 - Masquerade 197 The masquerade threat is the danger that management operations not 198 authorized for some user may be attempted by assuming the identity 199 of another user that has the appropriate authorizations. 201 Two secondary threats are also identified. The Security Model 202 defined in this memo provides limited protection against: 204 - Disclosure 205 The disclosure threat is the danger of eavesdropping on the 206 exchanges between managed agents and a management station. 207 Protecting against this threat may be required as a matter of local 208 policy. 210 - Message Stream Modification 211 The SNMP protocol is typically based upon a connection-less 212 transport service which may operate over any sub-network service. 213 The re-ordering, delay or replay of messages can and does occur 214 through the natural operation of many such sub-network services. 215 The message stream modification threat is the danger that messages 216 may be maliciously re-ordered, delayed or replayed to an extent 217 which is greater than can occur through the natural operation of a 218 sub-network service, in order to effect unauthorized management 219 operations. 221 There are at least two threats that an SNMP Security Model need not 222 protect against. The security protocols defined in this memo do not 223 provide protection against: 225 - Denial of Service 226 This SNMP Security Model does not attempt to address the broad 227 range of attacks by which service on behalf of authorized users is 228 denied. Indeed, such denial-of-service attacks are in many cases 229 indistinguishable from the type of network failures with which any 230 viable network management protocol must cope as a matter of course. 231 - Traffic Analysis 232 This SNMP Security Model does not attempt to address traffic 233 analysis attacks. Indeed, many traffic patterns are predictable - 234 devices may be managed on a regular basis by a relatively small 235 number of management applications - and therefore there is no 236 significant advantage afforded by protecting against traffic 237 analysis. 239 1.2. Goals and Constraints 241 Based on the foregoing account of threats in the SNMP network 242 management environment, the goals of this SNMP Security Model are as 243 follows. 245 1) Provide for verification that each received SNMP message has 246 not been modified during its transmission through the network. 248 2) Provide for verification of the identity of the user on whose 249 behalf a received SNMP message claims to have been generated. 251 3) Provide for detection of received SNMP messages, which request 252 or contain management information, whose time of generation was 253 not recent. 255 4) Provide, when necessary, that the contents of each received 256 SNMP message are protected from disclosure. 258 In addition to the principal goal of supporting secure network 259 management, the design of this SNMP Security Model is also influenced 260 by the following constraints: 262 1) When the requirements of effective management in times of 263 network stress are inconsistent with those of security, the design 264 should prefer the former. 266 2) Neither the security protocol nor its underlying security 267 mechanisms should depend upon the ready availability of other 268 network services (e.g., Network Time Protocol (NTP) or key 269 management protocols). 271 3) A security mechanism should entail no changes to the basic 272 SNMP network management philosophy. 274 1.3. Security Services 276 The security services necessary to support the goals of this SNMP 277 Security Model are as follows: 279 - Data Integrity 280 is the provision of the property that data has not been altered or 281 destroyed in an unauthorized manner, nor have data sequences been 282 altered to an extent greater than can occur non-maliciously. 284 - Data Origin Authentication 285 is the provision of the property that the claimed identity of the 286 user on whose behalf received data was originated is corroborated. 288 - Data Confidentiality 289 is the provision of the property that information is not made 290 available or disclosed to unauthorized individuals, entities, or 291 processes. 293 - Message timeliness and limited replay protection 294 is the provision of the property that a message whose generation 295 time is outside of a specified time window is not accepted. Note 296 that message reordering is not dealt with and can occur in normal 297 conditions too. 299 For the protocols specified in this memo, it is not possible to 300 assure the specific originator of a received SNMP message; rather, it 301 is the user on whose behalf the message was originated that is 302 authenticated. 304 For these protocols, it not possible to obtain data integrity without 305 data origin authentication, nor is it possible to obtain data origin 306 authentication without data integrity. Further, there is no 307 provision for data confidentiality without both data integrity and 308 data origin authentication. 310 The security protocols used in this memo are considered acceptably 311 secure at the time of writing. However, the procedures allow for new 312 authentication and privacy methods to be specified at a future time 313 if the need arises. 315 1.4. Module Organization 317 The security protocols defined in this memo are split in three 318 different modules and each has its specific responsibilities such 319 that together they realize the goals and security services described 320 above: 322 - The authentication module MUST provide for: 324 - Data Integrity, 326 - Data Origin Authentication 328 - The timeliness module MUST provide for: 330 - Protection against message delay or replay (to an extent 331 greater than can occur through normal operation) 333 - The privacy module MUST provide for 335 - Protection against disclosure of the message payload. 337 The timeliness module is fixed for the User-based Security Model 338 while there is provision for multiple authentication and/or privacy 339 modules, each of which implements a specific authentication or 340 privacy protocol respectively. 342 1.4.1. Timeliness Module 344 Section 3 (Elements of Procedure) uses the timeliness values in an 345 SNMP message to do timeliness checking. The timeliness check is only 346 performed if authentication is applied to the message. Since the 347 complete message is checked for integrity, we can assume that the 348 timeliness values in a message that passes the authentication module 349 are trustworthy. 351 1.4.2. Authentication Protocol 353 Section 6 describes the HMAC-MD5-96 authentication protocol which is 354 the first authentication protocol that MUST be supported with the 355 User-based Security Model. Section 7 describes the HMAC-SHA-96 356 authentication protocol which is another authentication protocol that 357 SHOULD be supported with the User-based Security Model. In the 358 future additional or replacement authentication protocols may be 359 defined as new needs arise. 361 The User-based Security Model prescribes that, if authentication is 362 used, then the complete message is checked for integrity in the 363 authentication module. 365 For a message to be authenticated, it needs to pass authentication 366 check by the authentication module and the timeliness check which is 367 a fixed part of this User-based Security model. 369 1.4.3. Privacy Protocol 371 Section 8 describes the CBC-DES Symmetric Encryption Protocol which 372 is the first privacy protocol to be used with the User-based Security 373 Model. In the future additional or replacement privacy protocols may 374 be defined as new needs arise. 376 The User-based Security Model prescribes that the scopedPDU is 377 protected from disclosure when a message is sent with privacy. 379 The User-based Security Model also prescribes that a message needs to 380 be authenticated if privacy is in use. 382 1.5. Protection against Message Replay, Delay and Redirection 384 1.5.1. Authoritative SNMP engine 386 In order to protect against message replay, delay and redirection, 387 one of the SNMP engines involved in each communication is designated 388 to be the authoritative SNMP engine. When an SNMP message contains a 389 payload which expects a response (those messages that contain a 390 Confirmed Class PDU [RFC-ARCH]), then the receiver of such messages 391 is authoritative. When an SNMP message contains a payload which does 392 not expect a response (those messages that contain an Unconfirmed 393 Class PDU [RFC-ARCH]), then the sender of such a message is 394 authoritative. 396 1.5.2. Mechanisms 398 The following mechanisms are used: 400 1) To protect against the threat of message delay or replay (to an 401 extent greater than can occur through normal operation), a set of 402 timeliness indicators (for the authoritative SNMP engine) are 403 included in each message generated. An SNMP engine evaluates the 404 timeliness indicators to determine if a received message is 405 recent. An SNMP engine may evaluate the timeliness indicators to 406 ensure that a received message is at least as recent as the last 407 message it received from the same source. A non-authoritative 408 SNMP engine uses received authentic messages to advance its notion 409 of the timeliness indicators at the remote authoritative source. 411 An SNMP engine MUST also use a mechanism to match incoming 412 Responses to outstanding Requests and it MUST drop any Responses 413 that do not match an outstanding request. For example, a msgID can 414 be inserted in every message to cater for this functionality. 416 These mechanisms provide for the detection of authenticated 417 messages whose time of generation was not recent. 419 This protection against the threat of message delay or replay does 420 not imply nor provide any protection against unauthorized deletion 421 or suppression of messages. Also, an SNMP engine may not be able 422 to detect message reordering if all the messages involved are sent 423 within the Time Window interval. Other mechanisms defined 424 independently of the security protocol can also be used to detect 425 the re-ordering replay, deletion, or suppression of messages 426 containing Set operations (e.g., the MIB variable snmpSetSerialNo 427 [RFC1907]). 429 2) Verification that a message sent to/from one authoritative SNMP 430 engine cannot be replayed to/as-if-from another authoritative SNMP 431 engine. 433 Included in each message is an identifier unique to the 434 authoritative SNMP engine associated with the sender or intended 435 recipient of the message. 437 A message containing an Unconfirmed Class PDU sent by an 438 authoritative SNMP engine to one non-authoritative SNMP engine can 439 potentially be replayed to another non-authoritative SNMP engine. 440 The latter non-authoritative SNMP engine might (if it knows about 441 the same userName with the same secrets at the authoritative SNMP 442 engine) as a result update its notion of timeliness indicators of 443 the authoritative SNMP engine, but that is not considered a 444 threat. In this case, A Report or Response message will be 445 discarded by the Message Processing Model, because there should 446 not be an outstanding Request message. A Trap will possibly be 447 accepted. Again, that is not considered a threat, because the 448 communication was authenticated and timely. It is as if the 449 authoritative SNMP engine was configured to start sending Traps to 450 the second SNMP engine, which theoretically can happen without the 451 knowledge of the second SNMP engine anyway. Anyway, the second 452 SNMP engine may not expect to receive this Trap, but is allowed to 453 see the management information contained in it. 455 3) Detection of messages which were not recently generated. 457 A set of time indicators are included in the message, indicating 458 the time of generation. Messages without recent time indicators 459 are not considered authentic. In addition, an SNMP engine MUST 460 drop any Responses that do not match an outstanding request. This 461 however is the responsibility of the Message Processing Model. 463 This memo allows the same user to be defined on multiple SNMP 464 engines. Each SNMP engine maintains a value, snmpEngineID, which 465 uniquely identifies the SNMP engine. This value is included in each 466 message sent to/from the SNMP engine that is authoritative (see 467 section 1.5.1). On receipt of a message, an authoritative SNMP 468 engine checks the value to ensure that it is the intended recipient, 469 and a non-authoritative SNMP engine uses the value to ensure that the 470 message is processed using the correct state information. 472 Each SNMP engine maintains two values, snmpEngineBoots and 473 snmpEngineTime, which taken together provide an indication of time at 474 that SNMP engine. Both of these values are included in an 475 authenticated message sent to/received from that SNMP engine. On 476 receipt, the values are checked to ensure that the indicated 477 timeliness value is within a Time Window of the current time. The 478 Time Window represents an administrative upper bound on acceptable 479 delivery delay for protocol messages. 481 For an SNMP engine to generate a message which an authoritative SNMP 482 engine will accept as authentic, and to verify that a message 483 received from that authoritative SNMP engine is authentic, such an 484 SNMP engine must first achieve timeliness synchronization with the 485 authoritative SNMP engine. See section 2.3. 487 1.6. Abstract Service Interfaces. 489 Abstract service interfaces have been defined to describe the 490 conceptual interfaces between the various subsystems within an SNMP 491 entity. Similarly a set of abstract service interfaces have been 492 defined within the User-based Security Model (USM) to describe the 493 conceptual interfaces between the generic USM services and the self- 494 contained authentication and privacy services. 496 These abstract service interfaces are defined by a set of primitives 497 that define the services provided and the abstract data elements that 498 must be passed when the services are invoked. This section lists the 499 primitives that have been defined for the User-based Security Model. 501 1.6.1. User-based Security Model Primitives for Authentication 503 The User-based Security Model provides the following internal 504 primitives to pass data back and forth between the Security Model 505 itself and the authentication service: 507 statusInformation = 508 authenticateOutgoingMsg( 509 IN authKey -- secret key for authentication 510 IN wholeMsg -- unauthenticated complete message 511 OUT authenticatedWholeMsg -- complete authenticated message 512 ) 514 statusInformation = 515 authenticateIncomingMsg( 516 IN authKey -- secret key for authentication 517 IN authParameters -- as received on the wire 518 IN wholeMsg -- as received on the wire 519 OUT authenticatedWholeMsg -- complete authenticated message 520 ) 522 1.6.2. User-based Security Model Primitives for Privacy 524 The User-based Security Model provides the following internal 525 primitives to pass data back and forth between the Security Model 526 itself and the privacy service: 528 statusInformation = 529 encryptData( 530 IN encryptKey -- secret key for encryption 531 IN dataToEncrypt -- data to encrypt (scopedPDU) 532 OUT encryptedData -- encrypted data (encryptedPDU) 533 OUT privParameters -- filled in by service provider 534 ) 536 statusInformation = 537 decryptData( 538 IN decryptKey -- secret key for decrypting 539 IN privParameters -- as received on the wire 540 IN encryptedData -- encrypted data (encryptedPDU) 541 OUT decryptedData -- decrypted data (scopedPDU) 542 ) 544 2. Elements of the Model 546 This section contains definitions required to realize the security 547 model defined by this memo. 549 2.1. User-based Security Model Users 551 Management operations using this Security Model make use of a defined 552 set of user identities. For any user on whose behalf management 553 operations are authorized at a particular SNMP engine, that SNMP 554 engine must have knowledge of that user. An SNMP engine that wishes 555 to communicate with another SNMP engine must also have knowledge of a 556 user known to that engine, including knowledge of the applicable 557 attributes of that user. 559 A user and its attributes are defined as follows: 561 userName 562 A string representing the name of the user. 564 securityName 565 A human-readable string representing the user in a format that is 566 Security Model independent. 568 authProtocol 569 An indication of whether messages sent on behalf of this user can 570 be authenticated, and if so, the type of authentication protocol 571 which is used. Two such protocols are defined in this memo: 572 - the HMAC-MD5-96 authentication protocol. 573 - the HMAC-SHA-96 authentication protocol. 575 authKey 576 If messages sent on behalf of this user can be authenticated, 577 the (private) authentication key for use with the authentication 578 protocol. Note that a user's authentication key will normally 579 be different at different authoritative SNMP engines. The authKey 580 is not accessible via SNMP. The length requirements of the authKey 581 are defined by the authProtocol in use. 583 authKeyChange and authOwnKeyChange 584 The only way to remotely update the authentication key. Does 585 that in a secure manner, so that the update can be completed 586 without the need to employ privacy protection. 588 privProtocol 589 An indication of whether messages sent on behalf of this user 590 can be protected from disclosure, and if so, the type of privacy 591 protocol which is used. One such protocol is defined in this 592 memo: the CBC-DES Symmetric Encryption Protocol. 594 privKey 595 If messages sent on behalf of this user can be en/decrypted, 596 the (private) privacy key for use with the privacy protocol. 597 Note that a user's privacy key will normally be different at 598 different authoritative SNMP engines. The privKey is not 599 accessible via SNMP. The length requirements of the privKey are 600 defined by the privProtocol in use. 602 privKeyChange and privOwnKeyChange 603 The only way to remotely update the encryption key. Does that 604 in a secure manner, so that the update can be completed without 605 the need to employ privacy protection. 607 2.2. Replay Protection 609 Each SNMP engine maintains three objects: 611 - snmpEngineID, which (at least within an administrative domain) 612 uniquely and unambiguously identifies an SNMP engine. 614 - snmpEngineBoots, which is a count of the number of times the 615 SNMP engine has re-booted/re-initialized since snmpEngineID 616 was last configured; and, 618 - snmpEngineTime, which is the number of seconds since the 619 snmpEngineBoots counter was last incremented. 621 Each SNMP engine is always authoritative with respect to these 622 objects in its own SNMP entity. It is the responsibility of a 623 non-authoritative SNMP engine to synchronize with the 624 authoritative SNMP engine, as appropriate. 626 An authoritative SNMP engine is required to maintain the values of 627 its snmpEngineID and snmpEngineBoots in non-volatile storage. 629 2.2.1. msgAuthoritativeEngineID 631 The msgAuthoritativeEngineID value contained in an authenticated 632 message is used to defeat attacks in which messages from one SNMP 633 engine to another SNMP engine are replayed to a different SNMP 634 engine. It represents the snmpEngineID at the authoritative SNMP 635 engine involved in the exchange of the message. 637 When an authoritative SNMP engine is first installed, it sets its 638 local value of snmpEngineID according to a enterprise-specific 639 algorithm (see the definition of the Textual Convention for 640 SnmpEngineID in the SNMP Architecture document [RFC-ARCH]). 642 2.2.2. msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 644 The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 645 values contained in an authenticated message are used to defeat 646 attacks in which messages are replayed when they are no longer 647 valid. They represent the snmpEngineBoots and snmpEngineTime 648 values at the authoritative SNMP engine involved in the exchange 649 of the message. 651 Through use of snmpEngineBoots and snmpEngineTime, there is no 652 requirement for an SNMP engine to have a non-volatile clock which 653 ticks (i.e., increases with the passage of time) even when the 654 SNMP engine is powered off. Rather, each time an SNMP engine 655 re-boots, it retrieves, increments, and then stores snmpEngineBoots 656 in non-volatile storage, and resets snmpEngineTime to zero. 658 When an SNMP engine is first installed, it sets its local values 659 of snmpEngineBoots and snmpEngineTime to zero. If snmpEngineTime 660 ever reaches its maximum value (2147483647), then snmpEngineBoots 661 is incremented as if the SNMP engine has re-booted and 662 snmpEngineTime is reset to zero and starts incrementing again. 664 Each time an authoritative SNMP engine re-boots, any SNMP engines 665 holding that authoritative SNMP engine's values of snmpEngineBoots 666 and snmpEngineTime need to re-synchronize prior to sending 667 correctly authenticated messages to that authoritative SNMP engine 668 (see Section 2.3 for (re-)synchronization procedures). Note, 669 however, that the procedures do provide for a notification to be 670 accepted as authentic by a receiving SNMP engine, when sent by an 671 authoritative SNMP engine which has re-booted since the receiving 672 SNMP engine last (re-)synchronized. 674 If an authoritative SNMP engine is ever unable to determine its 675 latest snmpEngineBoots value, then it must set its snmpEngineBoots 676 value to 2147483647. 678 Whenever the local value of snmpEngineBoots has the value 2147483647 679 it latches at that value and an authenticated message always causes 680 an notInTimeWindow authentication failure. 682 In order to reset an SNMP engine whose snmpEngineBoots value has 683 reached the value 2147483647, manual intervention is required. 684 The engine must be physically visited and re-configured, either 685 with a new snmpEngineID value, or with new secret values for the 686 authentication and privacy protocols of all users known to that 687 SNMP engine. Note that even if an SNMP engine re-boots once a second 688 that it would still take approximately 68 years before the max value 689 of 2147483647 would be reached. 691 2.2.3. Time Window 693 The Time Window is a value that specifies the window of time in 694 which a message generated on behalf of any user is valid. This 695 memo specifies that the same value of the Time Window, 150 seconds, 696 is used for all users. 698 2.3. Time Synchronization 700 Time synchronization, required by a non-authoritative SNMP engine 701 in order to proceed with authentic communications, has occurred 702 when the non-authoritative SNMP engine has obtained a local notion 703 of the authoritative SNMP engine's values of snmpEngineBoots and 704 snmpEngineTime from the authoritative SNMP engine. These values 705 must be (and remain) within the authoritative SNMP engine's Time 706 Window. So the local notion of the authoritative SNMP engine's 707 values must be kept loosely synchronized with the values stored 708 at the authoritative SNMP engine. In addition to keeping a local 709 copy of snmpEngineBoots and snmpEngineTime from the authoritative 710 SNMP engine, a non-authoritative SNMP engine must also keep one 711 local variable, latestReceivedEngineTime. This value records the 712 highest value of snmpEngineTime that was received by the 713 non-authoritative SNMP engine from the authoritative SNMP engine 714 and is used to eliminate the possibility of replaying messages 715 that would prevent the non-authoritative SNMP engine's notion of 716 the snmpEngineTime from advancing. 718 A non-authoritative SNMP engine must keep local notions of these 719 values 720 (snmpEngineBoots, snmpEngineTime and latestReceivedEngineTime) 721 for each authoritative SNMP engine with which it wishes to 722 communicate. Since each authoritative SNMP engine is uniquely 723 and unambiguously identified by its value of snmpEngineID, the 724 non-authoritative SNMP engine may use this value as a key in 725 order to cache its local notions of these values. 727 Time synchronization occurs as part of the procedures of receiving 728 an SNMP message (Section 3.2, step 7b). As such, no explicit time 729 synchronization procedure is required by a non-authoritative SNMP 730 engine. Note, that whenever the local value of snmpEngineID is 731 changed (e.g., through discovery) or when secure communications 732 are first established with an authoritative SNMP engine, the local 733 values of snmpEngineBoots and latestReceivedEngineTime should be 734 set to zero. This will cause the time synchronization to occur 735 when the next authentic message is received. 737 2.4. SNMP Messages Using this Security Model 739 The syntax of an SNMP message using this Security Model adheres 740 to the message format defined in the version-specific Message 741 Processing Model document (for example [RFC-MPD]). 743 The field msgSecurityParameters in SNMPv3 messages has a data type 744 of OCTET STRING. Its value is the BER serialization of the 745 following ASN.1 sequence: 747 USMSecurityParametersSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN 749 UsmSecurityParameters ::= 750 SEQUENCE { 751 -- global User-based security parameters 752 msgAuthoritativeEngineID OCTET STRING, 753 msgAuthoritativeEngineBoots INTEGER (0..2147483647), 754 msgAuthoritativeEngineTime INTEGER (0..2147483647), 755 msgUserName OCTET STRING (SIZE(0..32)), 756 -- authentication protocol specific parameters 757 msgAuthenticationParameters OCTET STRING, 758 -- privacy protocol specific parameters 759 msgPrivacyParameters OCTET STRING 760 } 761 END 763 The fields of this sequence are: 765 - The msgAuthoritativeEngineID specifies the snmpEngineID of the 766 authoritative SNMP engine involved in the exchange of the message. 768 - The msgAuthoritativeEngineBoots specifies the snmpEngineBoots value 769 at the authoritative SNMP engine involved in the exchange of the 770 message. 772 - The msgAuthoritativeEngineTime specifies the snmpEngineTime value 773 at the authoritative SNMP engine involved in the exchange of the 774 message. 776 - The msgUserName specifies the user (principal) on whose behalf the 777 message is being exchanged. Note that a zero-length userName will 778 not match any user, but it can be used for snmpEngineID discovery. 780 - The msgAuthenticationParameters are defined by the authentication 781 protocol in use for the message, as defined by the 782 usmUserAuthProtocol column in the user's entry in the usmUserTable. 784 - The msgPrivacyParameters are defined by the privacy protocol in use 785 for the message, as defined by the usmUserPrivProtocol column in 786 the user's entry in the usmUserTable). 788 See appendix A.4 for an example of the BER encoding of field 789 msgSecurityParameters. 791 2.5. Services provided by the User-based Security Model 793 This section describes the services provided by the User-based 794 Security Model with their inputs and outputs. 796 The services are described as primitives of an abstract service 797 interface and the inputs and outputs are described as abstract data 798 elements as they are passed in these abstract service primitives. 800 2.5.1. Services for Generating an Outgoing SNMP Message 802 When the Message Processing (MP) Subsystem invokes the User-based 803 Security module to secure an outgoing SNMP message, it must use the 804 appropriate service as provided by the Security module. These two 805 services are provided: 807 1) A service to generate a Request message. The abstract service 808 primitive is: 810 statusInformation = -- success or errorIndication 811 generateRequestMsg( 812 IN messageProcessingModel -- typically, SNMP version 813 IN globalData -- message header, admin data 814 IN maxMessageSize -- of the sending SNMP entity 815 IN securityModel -- for the outgoing message 816 IN securityEngineID -- authoritative SNMP entity 817 IN securityName -- on behalf of this principal 818 IN securityLevel -- Level of Security requested 819 IN scopedPDU -- message (plaintext) payload 820 OUT securityParameters -- filled in by Security Module 821 OUT wholeMsg -- complete generated message 822 OUT wholeMsgLength -- length of generated message 823 ) 825 2) A service to generate a Response message. The abstract service 826 primitive is: 828 statusInformation = -- success or errorIndication 829 generateResponseMsg( 830 IN messageProcessingModel -- typically, SNMP version 831 IN globalData -- message header, admin data 832 IN maxMessageSize -- of the sending SNMP entity 833 IN securityModel -- for the outgoing message 834 IN securityEngineID -- authoritative SNMP entity 835 IN securityName -- on behalf of this principal 836 IN securityLevel -- Level of Security requested 837 IN scopedPDU -- message (plaintext) payload 838 IN securityStateReference -- reference to security state 839 -- information from original 840 -- request 841 OUT securityParameters -- filled in by Security Module 842 OUT wholeMsg -- complete generated message 843 OUT wholeMsgLength -- length of generated message 844 ) 846 The abstract data elements passed as parameters in the abstract 847 service primitives are as follows: 849 statusInformation 850 An indication of whether the encoding and securing of the message 851 was successful. If not it is an indication of the problem. 852 messageProcessingModel 853 The SNMP version number for the message to be generated. This 854 data is not used by the User-based Security module. 855 globalData 856 The message header (i.e., its administrative information). This 857 data is not used by the User-based Security module. 858 maxMessageSize 859 The maximum message size as included in the message. This data is 860 not used by the User-based Security module. 861 securityParameters 862 These are the security parameters. They will be filled in by the 863 User-based Security module. 865 securityModel 866 The securityModel in use. Should be User-based Security Model. 867 This data is not used by the User-based Security module. 868 securityName 869 Together with the snmpEngineID it identifies a row in the 870 usmUserTable that is to be used for securing the message. The 871 securityName has a format that is independent of the Security 872 Model. In case of a response this parameter is ignored and the 873 value from the cache is used. 874 securityLevel 875 The Level of Security from which the User-based Security module 876 determines if the message needs to be protected from disclosure 877 and if the message needs to be authenticated. 878 securityEngineID 879 The snmpEngineID of the authoritative SNMP engine to which a 880 Request message is to be sent. In case of a response it is implied 881 to be the processing SNMP engine's snmpEngineID and so if it is 882 specified, then it is ignored. 883 scopedPDU 884 The message payload. The data is opaque as far as the User-based 885 Security Model is concerned. 886 securityStateReference 887 A handle/reference to cachedSecurityData to be used when securing 888 an outgoing Response message. This is the exact same 889 handle/reference as it was generated by the User-based Security 890 module when processing the incoming Request message to which this 891 is the Response message. 892 wholeMsg 893 The fully encoded and secured message ready for sending on the 894 wire. 895 wholeMsgLength 896 The length of the encoded and secured message (wholeMsg). 898 Upon completion of the process, the User-based Security module 899 returns statusInformation. If the process was successful, the 900 completed message with privacy and authentication applied if such was 901 requested by the specified securityLevel is returned. If the process 902 was not successful, then an errorIndication is returned. 904 2.5.2. Services for Processing an Incoming SNMP Message 906 When the Message Processing (MP) Subsystem invokes the User-based 907 Security module to verify proper security of an incoming message, it 908 must use the service provided for an incoming message. The abstract 909 service primitive is: 911 statusInformation = -- errorIndication or success 912 -- error counter OID/value if error 913 processIncomingMsg( 914 IN messageProcessingModel -- typically, SNMP version 915 IN maxMessageSize -- of the sending SNMP entity 916 IN securityParameters -- for the received message 917 IN securityModel -- for the received message 918 IN securityLevel -- Level of Security 919 IN wholeMsg -- as received on the wire 920 IN wholeMsgLength -- length as received on the wire 921 OUT securityEngineID -- authoritative SNMP entity 922 OUT securityName -- identification of the principal 923 OUT scopedPDU, -- message (plaintext) payload 924 OUT maxSizeResponseScopedPDU -- maximum size of the Response PDU 925 OUT securityStateReference -- reference to security state 926 ) -- information, needed for response 928 The abstract data elements passed as parameters in the abstract 929 service primitives are as follows: 931 statusInformation 932 An indication of whether the process was successful or not. If 933 not, then the statusInformation includes the OID and the value of 934 the error counter that was incremented. 935 messageProcessingModel 936 The SNMP version number as received in the message. This data is 937 not used by the User-based Security module. 938 maxMessageSize 939 The maximum message size as included in the message. The User- 940 based Security module uses this value to calculate the 941 maxSizeResponseScopedPDU. 942 securityParameters 943 These are the security parameters as received in the message. 944 securityModel 945 The securityModel in use. Should be the User-based Security 946 Model. This data is not used by the User-based Security module. 947 securityLevel 948 The Level of Security from which the User-based Security module 949 determines if the message needs to be protected from disclosure 950 and if the message needs to be authenticated. 951 wholeMsg 952 The whole message as it was received. 953 wholeMsgLength 954 The length of the message as it was received (wholeMsg). 955 securityEngineID 956 The snmpEngineID that was extracted from the field 957 msgAuthoritativeEngineID and that was used to lookup the secrets 958 in the usmUserTable. 960 securityName 961 The security name representing the user on whose behalf the 962 message was received. The securityName has a format that is 963 independent of the Security Model. 964 scopedPDU 965 The message payload. The data is opaque as far as the User-based 966 Security Model is concerned. 967 maxSizeResponseScopedPDU 968 The maximum size of a scopedPDU to be included in a possible 969 Response message. The User-based Security module calculates this 970 size based on the msgMaxSize (as received in the message) and the 971 space required for the message header (including the 972 securityParameters) for such a Response message. 973 securityStateReference 974 A handle/reference to cachedSecurityData to be used when securing 975 an outgoing Response message. When the Message Processing 976 Subsystem calls the User-based Security module to generate a 977 response to this incoming message it must pass this 978 handle/reference. 980 Upon completion of the process, the User-based Security module 981 returns statusInformation and, if the process was successful, the 982 additional data elements for further processing of the message. If 983 the process was not successful, then an errorIndication, possibly 984 with a OID and value pair of an error counter that was incremented. 986 2.6. Key Localization Algorithm. 988 A localized key is a secret key shared between a user U and one 989 authoritative SNMP engine E. Even though a user may have only one 990 password and therefore one key for the whole network, the actual 991 secrets shared between the user and each authoritative SNMP engine 992 will be different. This is achieved by key localization [Localized- 993 key]. 995 First, if a user uses a password, then the user's password is 996 converted into a key Ku using one of the two algorithms described in 997 Appendices A.2.1 and A.2.2. 999 To convert key Ku into a localized key Kul of user U at the 1000 authoritative SNMP engine E, one appends the snmpEngineID of the 1001 authoritative SNMP engine to the key Ku and then appends the key Ku 1002 to the result, thus enveloping the snmpEngineID within the two copies 1003 of user's key Ku. Then one runs a secure hash function (which one 1004 depends on the authentication protocol defined for this user U at 1005 authoritative SNMP engine E; this document defines two authentication 1006 protocols with their associated algorithms based on MD5 and SHA). The 1007 output of the hash-function is the localized key Kul for user U at 1008 the authoritative SNMP engine E. 1010 3. Elements of Procedure 1012 This section describes the security related procedures followed by an 1013 SNMP engine when processing SNMP messages according to the User-based 1014 Security Model. 1016 3.1. Generating an Outgoing SNMP Message 1018 This section describes the procedure followed by an SNMP engine 1019 whenever it generates a message containing a management operation 1020 (like a request, a response, a notification, or a report) on behalf 1021 of a user, with a particular securityLevel. 1023 1) a) If any securityStateReference is passed (Response or Report 1024 message), then information concerning the user is extracted 1025 from the cachedSecurityData. The cachedSecurityData can now 1026 be discarded. The securityEngineID is set to the local 1027 snmpEngineID. The securityLevel is set to the value specified 1028 by the calling module. 1030 Otherwise, 1032 b) based on the securityName, information concerning the user at 1033 the destination snmpEngineID, specified by the 1034 securityEngineID, is extracted from the Local Configuration 1035 Datastore (LCD, usmUserTable). If information about the user 1036 is absent from the LCD, then an error indication 1037 (unknownSecurityName) is returned to the calling module. 1039 2) If the securityLevel specifies that the message is to be 1040 protected from disclosure, but the user does not support both an 1041 authentication and a privacy protocol then the message cannot be 1042 sent. An error indication (unsupportedSecurityLevel) is returned 1043 to the calling module. 1045 3) If the securityLevel specifies that the message is to be 1046 authenticated, but the user does not support an authentication 1047 protocol, then the message cannot be sent. An error indication 1048 (unsupportedSecurityLevel) is returned to the calling module. 1050 4) a) If the securityLevel specifies that the message is to be 1051 protected from disclosure, then the octet sequence 1052 representing the serialized scopedPDU is encrypted according 1053 to the user's privacy protocol. To do so a call is made to the 1054 privacy module that implements the user's privacy protocol 1055 according to the abstract primitive: 1057 statusInformation = -- success or failure 1058 encryptData( 1059 IN encryptKey -- user's localized privKey 1060 IN dataToEncrypt -- serialized scopedPDU 1061 OUT encryptedData -- serialized encryptedPDU 1062 OUT privParameters -- serialized privacy parameters 1063 ) 1065 statusInformation 1066 indicates if the encryption process was successful or not. 1067 encryptKey 1068 the user's localized private privKey is the secret key that 1069 can be used by the encryption algorithm. 1070 dataToEncrypt 1071 the serialized scopedPDU is the data to be encrypted. 1072 encryptedData 1073 the encryptedPDU represents the encrypted scopedPDU, 1074 encoded as an OCTET STRING. 1075 privParameters 1076 the privacy parameters, encoded as an OCTET STRING. 1078 If the privacy module returns failure, then the message cannot 1079 be sent and an error indication (encryptionError) is returned 1080 to the calling module. 1082 If the privacy module returns success, then the returned 1083 privParameters are put into the msgPrivacyParameters field of 1084 the securityParameters and the encryptedPDU serves as the 1085 payload of the message being prepared. 1087 Otherwise, 1089 b) If the securityLevel specifies that the message is not to be 1090 be protected from disclosure, then a zero-length OCTET STRING 1091 is encoded into the msgPrivacyParameters field of the 1092 securityParameters and the plaintext scopedPDU serves as the 1093 payload of the message being prepared. 1095 5) The securityEngineID is encoded as an OCTET STRING into the 1096 msgAuthoritativeEngineID field of the securityParameters. Note 1097 that an empty (zero length) securityEngineID is OK for a Request 1098 message, because that will cause the remote (authoritative) SNMP 1099 engine to return a Report PDU with the proper securityEngineID 1100 included in the msgAuthoritativeEngineID in the 1101 securityParameters of that returned Report PDU. 1103 6) a) If the securityLevel specifies that the message is to be 1104 authenticated, then the current values of snmpEngineBoots and 1105 snmpEngineTime corresponding to the securityEngineID from the 1106 LCD are used. 1108 Otherwise, 1110 b) If this is a Response or Report message, then the current 1111 value of snmpEngineBoots and snmpEngineTime corresponding to 1112 the local snmpEngineID from the LCD are used. 1114 Otherwise, 1116 c) If this is a Request message, then a zero value is used for 1117 both snmpEngineBoots and snmpEngineTime. This zero value gets 1118 used if snmpEngineID is empty. 1120 The values are encoded as INTEGER respectively into the 1121 msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields 1122 of the securityParameters. 1124 7) The userName is encoded as an OCTET STRING into the msgUserName 1125 field of the securityParameters. 1127 8) a) If the securityLevel specifies that the message is to be 1128 authenticated, the message is authenticated according to the 1129 user's authentication protocol. To do so a call is made to the 1130 authentication module that implements the user's 1131 authentication protocol according to the abstract service 1132 primitive: 1134 statusInformation = 1135 authenticateOutgoingMsg( 1136 IN authKey -- the user's localized authKey 1137 IN wholeMsg -- unauthenticated message 1138 OUT authenticatedWholeMsg -- authenticated complete message 1139 ) 1141 statusInformation 1142 indicates if authentication was successful or not. 1143 authKey 1144 the user's localized private authKey is the secret key that 1145 can be used by the authentication algorithm. 1146 wholeMsg 1147 the complete serialized message to be authenticated. 1148 authenticatedWholeMsg 1149 the same as the input given to the authenticateOutgoingMsg 1150 service, but with msgAuthenticationParameters properly 1151 filled in. 1153 If the authentication module returns failure, then the message 1154 cannot be sent and an error indication (authenticationFailure) 1155 is returned to the calling module. 1157 If the authentication module returns success, then the 1158 msgAuthenticationParameters field is put into the 1159 securityParameters and the authenticatedWholeMsg represents 1160 the serialization of the authenticated message being prepared. 1162 Otherwise, 1164 b) If the securityLevel specifies that the message is not to be 1165 authenticated then a zero-length OCTET STRING is encoded into 1166 the msgAuthenticationParameters field of the 1167 securityParameters. The wholeMsg is now serialized and then 1168 represents the unauthenticated message being prepared. 1170 9) The completed message with its length is returned to the calling 1171 module with the statusInformation set to success. 1173 3.2. Processing an Incoming SNMP Message 1175 This section describes the procedure followed by an SNMP engine 1176 whenever it receives a message containing a management operation on 1177 behalf of a user, with a particular securityLevel. 1179 To simplify the elements of procedure, the release of state 1180 information is not always explicitly specified. As a general rule, if 1181 state information is available when a message gets discarded, the 1182 state information should also be released. Also, an error indication 1183 can return an OID and value for an incremented counter and optionally 1184 a value for securityLevel, and values for contextEngineID or 1185 contextName for the counter. In addition, the securityStateReference 1186 data is returned if any such information is available at the point 1187 where the error is detected. 1189 1) If the received securityParameters is not the serialization 1190 (according to the conventions of [RFC1906]) of an OCTET STRING 1191 formatted according to the UsmSecurityParameters defined in 1192 section 2.4, then the snmpInASNParseErrs counter [RFC1907] is 1193 incremented, and an error indication (parseError) is returned to 1194 the calling module. Note that we return without the OID and 1195 value of the incremented counter, because in this case there is 1196 not enough information to generate a Report PDU. 1198 2) The values of the security parameter fields are extracted from 1199 the securityParameters. The securityEngineID to be returned to 1200 the caller is the value of the msgAuthoritativeEngineID field. 1202 The cachedSecurityData is prepared and a securityStateReference 1203 is prepared to reference this data. Values to be cached are: 1205 msgUserName 1207 3) If the value of the msgAuthoritativeEngineID field in the 1208 securityParameters is unknown then: 1210 a) a non-authoritative SNMP engine that performs discovery may 1211 optionally create a new entry in its Local Configuration 1212 Datastore (LCD) and continue processing; 1214 or 1216 b) the usmStatsUnknownEngineIDs counter is incremented, and 1217 an error indication (unknownEngineID) together with the 1218 OID and value of the incremented counter is returned to 1219 the calling module. 1221 Note in the event that a zero-length, or other illegally 1222 sized msgAuthoritativeEngineID is received, b) should be 1223 chosen to facilitate engineID discovery. 1224 Otherwise the choice between a) and b) is an implementation 1225 issue. 1227 4) Information about the value of the msgUserName and 1228 msgAuthoritativeEngineID fields is extracted from the Local 1229 Configuration Datastore (LCD, usmUserTable). If no information 1230 is available for the user, then the usmStatsUnknownUserNames 1231 counter is incremented and an error indication 1232 (unknownSecurityName) together with the OID and value of the 1233 incremented counter is returned to the calling module. 1235 5) If the information about the user indicates that it does not 1236 support the securityLevel requested by the caller, then the 1237 usmStatsUnsupportedSecLevels counter is incremented and an 1238 error indication (unsupportedSecurityLevel) together with the 1239 OID and value of the incremented counter is returned to the 1240 calling module. 1242 6) If the securityLevel specifies that the message is to be 1243 authenticated, then the message is authenticated according to 1244 the user's authentication protocol. To do so a call is made 1245 to the authentication module that implements the user's 1246 authentication protocol according to the abstract service 1247 primitive: 1249 statusInformation = -- success or failure 1250 authenticateIncomingMsg( 1251 IN authKey -- the user's localized authKey 1252 IN authParameters -- as received on the wire 1253 IN wholeMsg -- as received on the wire 1254 OUT authenticatedWholeMsg -- checked for authentication 1255 ) 1257 statusInformation 1258 indicates if authentication was successful or not. 1259 authKey 1260 the user's localized private authKey is the secret key that 1261 can be used by the authentication algorithm. 1262 wholeMsg 1263 the complete serialized message to be authenticated. 1264 authenticatedWholeMsg 1265 the same as the input given to the authenticateIncomingMsg 1266 service, but after authentication has been checked. 1268 If the authentication module returns failure, then the message 1269 cannot be trusted, so the usmStatsWrongDigests counter is 1270 incremented and an error indication (authenticationFailure) 1271 together with the OID and value of the incremented counter is 1272 returned to the calling module. 1274 If the authentication module returns success, then the message 1275 is authentic and can be trusted so processing continues. 1277 7) If the securityLevel indicates an authenticated message, then 1278 the local values of snmpEngineBoots, snmpEngineTime 1279 and latestReceivedEngineTime 1280 corresponding to the value of the msgAuthoritativeEngineID 1281 field are extracted from the Local Configuration Datastore. 1283 a) If the extracted value of msgAuthoritativeEngineID is the 1284 same as the value of snmpEngineID of the processing SNMP 1285 engine (meaning this is the authoritative SNMP engine), 1286 then if any of the following conditions is true, then the 1287 message is considered to be outside of the Time Window: 1289 - the local value of snmpEngineBoots is 2147483647; 1291 - the value of the msgAuthoritativeEngineBoots field differs 1292 from the local value of snmpEngineBoots; or, 1294 - the value of the msgAuthoritativeEngineTime field differs 1295 from the local notion of snmpEngineTime by more than 1296 +/- 150 seconds. 1298 If the message is considered to be outside of the Time Window 1299 then the usmStatsNotInTimeWindows counter is incremented and 1300 an error indication (notInTimeWindow) together with the OID, 1301 the value of the incremented counter, and an indication that 1302 the error must be reported with a securityLevel of authNoPriv, 1303 is returned to the calling module. 1305 b) If the extracted value of msgAuthoritativeEngineID is not the 1306 same as the value snmpEngineID of the processing SNMP engine 1307 (meaning this is not the authoritative SNMP engine), then: 1309 1) if at least one of the following conditions is true: 1311 - the extracted value of the msgAuthoritativeEngineBoots 1312 field is greater than the local notion of the value of 1313 snmpEngineBoots; or, 1315 - the extracted value of the msgAuthoritativeEngineBoots 1316 field is equal to the local notion of the value of 1317 snmpEngineBoots, and the extracted value of 1318 msgAuthoritativeEngineTime field is greater than the 1319 value of latestReceivedEngineTime, 1321 then the LCD entry corresponding to the extracted value 1322 of the msgAuthoritativeEngineID field is updated, by 1323 setting: 1325 - the local notion of the value of snmpEngineBoots to 1326 the value of the msgAuthoritativeEngineBoots field, 1327 - the local notion of the value of snmpEngineTime to 1328 the value of the msgAuthoritativeEngineTime field, 1329 and 1330 - the latestReceivedEngineTime to the value of the 1331 value of the msgAuthoritativeEngineTime field. 1333 2) if any of the following conditions is true, then the 1334 message is considered to be outside of the Time Window: 1336 - the local notion of the value of snmpEngineBoots is 1337 2147483647; 1339 - the value of the msgAuthoritativeEngineBoots field is 1340 less than the local notion of the value of 1341 snmpEngineBoots; or, 1343 - the value of the msgAuthoritativeEngineBoots field is 1344 equal to the local notion of the value of 1345 snmpEngineBoots and the value of the 1346 msgAuthoritativeEngineTime field is more than 150 1347 seconds less than the local notion of the value of 1348 snmpEngineTime. 1350 If the message is considered to be outside of the Time 1351 Window then an error indication (notInTimeWindow) is 1352 returned to the calling module. 1354 Note that this means that a too old (possibly replayed) 1355 message has been detected and is deemed unauthentic. 1357 Note that this procedure allows for the value of 1358 msgAuthoritativeEngineBoots in the message to be greater 1359 than the local notion of the value of snmpEngineBoots to 1360 allow for received messages to be accepted as authentic 1361 when received from an authoritative SNMP engine that has 1362 re-booted since the receiving SNMP engine last 1363 (re-)synchronized. 1365 8) a) If the securityLevel indicates that the message was protected 1366 from disclosure, then the OCTET STRING representing the 1367 encryptedPDU is decrypted according to the user's privacy 1368 protocol to obtain an unencrypted serialized scopedPDU value. 1369 To do so a call is made to the privacy module that implements 1370 the user's privacy protocol according to the abstract 1371 primitive: 1373 statusInformation = -- success or failure 1374 decryptData( 1375 IN decryptKey -- the user's localized privKey 1376 IN privParameters -- as received on the wire 1377 IN encryptedData -- encryptedPDU as received 1378 OUT decryptedData -- serialized decrypted scopedPDU 1379 ) 1381 statusInformation 1382 indicates if the decryption process was successful or not. 1383 decryptKey 1384 the user's localized private privKey is the secret key that 1385 can be used by the decryption algorithm. 1386 privParameters 1387 the msgPrivacyParameters, encoded as an OCTET STRING. 1388 encryptedData 1389 the encryptedPDU represents the encrypted scopedPDU, encoded 1390 as an OCTET STRING. 1391 decryptedData 1392 the serialized scopedPDU if decryption is successful. 1394 If the privacy module returns failure, then the message can 1395 not be processed, so the usmStatsDecryptionErrors counter is 1396 incremented and an error indication (decryptionError) together 1397 with the OID and value of the incremented counter is returned 1398 to the calling module. 1400 If the privacy module returns success, then the decrypted 1401 scopedPDU is the message payload to be returned to the calling 1402 module. 1404 Otherwise, 1406 b) The scopedPDU component is assumed to be in plain text 1407 and is the message payload to be returned to the calling 1408 module. 1410 9) The maxSizeResponseScopedPDU is calculated. This is the 1411 maximum size allowed for a scopedPDU for a possible Response 1412 message. Provision is made for a message header that allows the 1413 same securityLevel as the received Request. 1415 10) The securityName for the user is retrieved from the 1416 usmUserTable. 1418 11) The security data is cached as cachedSecurityData, so that a 1419 possible response to this message can and will use the same 1420 authentication and privacy secrets. Information to be 1421 saved/cached is as follows: 1423 msgUserName, 1424 usmUserAuthProtocol, usmUserAuthKey 1425 usmUserPrivProtocol, usmUserPrivKey 1427 12) The statusInformation is set to success and a return is made to 1428 the calling module passing back the OUT parameters as specified 1429 in the processIncomingMsg primitive. 1431 4. Discovery 1433 The User-based Security Model requires that a discovery process 1434 obtains sufficient information about other SNMP engines in order to 1435 communicate with them. Discovery requires an non-authoritative SNMP 1436 engine to learn the authoritative SNMP engine's snmpEngineID value 1437 before communication may proceed. This may be accomplished by 1438 generating a Request message with a securityLevel of noAuthNoPriv, a 1439 msgUserName of zero-length, a msgAuthoritativeEngineID value of zero 1440 length, and the varBindList left empty. The response to this message 1441 will be a Report message containing the snmpEngineID of the 1442 authoritative SNMP engine as the value of the 1443 msgAuthoritativeEngineID field within the msgSecurityParameters 1444 field. It contains a Report PDU with the usmStatsUnknownEngineIDs 1445 counter in the varBindList. 1447 If authenticated communication is required, then the discovery 1448 process should also establish time synchronization with the 1449 authoritative SNMP engine. This may be accomplished by sending an 1450 authenticated Request message with the value of 1451 msgAuthoritativeEngineID set to the newly learned snmpEngineID and 1452 with the values of msgAuthoritativeEngineBoots and 1453 msgAuthoritativeEngineTime set to zero. For an authenticated Request 1454 message, a valid userName must be used in the msgUserName field. The 1455 response to this authenticated message will be a Report message 1456 containing the up to date values of the authoritative SNMP engine's 1457 snmpEngineBoots and snmpEngineTime as the value of the 1458 msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields 1459 respectively. It also contains the usmStatsNotInTimeWindows counter 1460 in the varBindList of the Report PDU. The time synchronization then 1461 happens automatically as part of the procedures in section 3.2 step 1462 7b. See also section 2.3. 1464 5. Definitions 1466 SNMP-USER-BASED-SM-MIB DEFINITIONS ::= BEGIN 1468 IMPORTS 1469 MODULE-IDENTITY, OBJECT-TYPE, 1470 OBJECT-IDENTITY, 1471 snmpModules, Counter32 FROM SNMPv2-SMI 1472 TEXTUAL-CONVENTION, TestAndIncr, 1473 RowStatus, RowPointer, 1474 StorageType, AutonomousType FROM SNMPv2-TC 1475 MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF 1476 SnmpAdminString, SnmpEngineID, 1477 snmpAuthProtocols, snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB; 1479 snmpUsmMIB MODULE-IDENTITY 1480 LAST-UPDATED "9901200000Z" -- 20 Jan 1999, midnight 1481 ORGANIZATION "SNMPv3 Working Group" 1482 CONTACT-INFO "WG-email: snmpv3@tis.com 1483 Subscribe: majordomo@tis.com 1484 In msg body: subscribe snmpv3 1486 Chair: Russ Mundy 1487 Trusted Information Systems 1488 postal: 3060 Washington Rd 1489 Glenwood MD 21738 1490 USA 1491 email: mundy@tis.com 1492 phone: +1-301-854-6889 1494 Co-editor Uri Blumenthal 1495 IBM T. J. Watson Research 1496 postal: 30 Saw Mill River Pkwy, 1497 Hawthorne, NY 10532 1498 USA 1499 email: uri@watson.ibm.com 1500 phone: +1-914-784-7964 1502 Co-editor: Bert Wijnen 1503 IBM T. J. Watson Research 1504 postal: Schagen 33 1505 3461 GL Linschoten 1506 Netherlands 1507 email: wijnen@vnet.ibm.com 1508 phone: +31-348-432-794 1509 " 1510 DESCRIPTION "The management information definitions for the 1511 SNMP User-based Security Model. 1512 " 1513 -- Revision history 1514 REVISION "9901200000Z" -- 20 Jan 1999, midnight 1515 -- RFC-Editor assigns RFCxxxx 1516 DESCRIPTION "Clarifications, published as RFCxxxx" 1518 REVISION "9711200000Z" -- 20 Nov 1997, midnight 1519 DESCRIPTION "Initial version, published as RFC2274" 1521 ::= { snmpModules 15 } 1523 -- Administrative assignments **************************************** 1525 usmMIBObjects OBJECT IDENTIFIER ::= { snmpUsmMIB 1 } 1526 usmMIBConformance OBJECT IDENTIFIER ::= { snmpUsmMIB 2 } 1528 -- Identification of Authentication and Privacy Protocols ************ 1530 usmNoAuthProtocol OBJECT-IDENTITY 1531 STATUS current 1532 DESCRIPTION "No Authentication Protocol." 1533 ::= { snmpAuthProtocols 1 } 1535 usmHMACMD5AuthProtocol OBJECT-IDENTITY 1536 STATUS current 1537 DESCRIPTION "The HMAC-MD5-96 Digest Authentication Protocol." 1538 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti HMAC: 1539 Keyed-Hashing for Message Authentication, 1540 RFC2104, Feb 1997. 1541 - Rivest, R., Message Digest Algorithm MD5, RFC1321. 1542 " 1543 ::= { snmpAuthProtocols 2 } 1545 usmHMACSHAAuthProtocol OBJECT-IDENTITY 1546 STATUS current 1547 DESCRIPTION "The HMAC-SHA-96 Digest Authentication Protocol." 1548 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti, HMAC: 1549 Keyed-Hashing for Message Authentication, 1550 RFC2104, Feb 1997. 1551 - Secure Hash Algorithm. NIST FIPS 180-1. 1552 " 1553 ::= { snmpAuthProtocols 3 } 1555 usmNoPrivProtocol OBJECT-IDENTITY 1556 STATUS current 1557 DESCRIPTION "No Privacy Protocol." 1558 ::= { snmpPrivProtocols 1 } 1560 usmDESPrivProtocol OBJECT-IDENTITY 1561 STATUS current 1562 DESCRIPTION "The CBC-DES Symmetric Encryption Protocol." 1563 REFERENCE "- Data Encryption Standard, National Institute of 1564 Standards and Technology. Federal Information 1565 Processing Standard (FIPS) Publication 46-1. 1566 Supersedes FIPS Publication 46, 1567 (January, 1977; reaffirmed January, 1988). 1569 - Data Encryption Algorithm, American National 1570 Standards Institute. ANSI X3.92-1981, 1571 (December, 1980). 1573 - DES Modes of Operation, National Institute of 1574 Standards and Technology. Federal Information 1575 Processing Standard (FIPS) Publication 81, 1576 (December, 1980). 1578 - Data Encryption Algorithm - Modes of Operation, 1579 American National Standards Institute. 1580 ANSI X3.106-1983, (May 1983). 1581 " 1582 ::= { snmpPrivProtocols 2 } 1584 -- Textual Conventions *********************************************** 1585 KeyChange ::= TEXTUAL-CONVENTION 1586 STATUS current 1587 DESCRIPTION 1588 "Every definition of an object with this syntax must identify 1589 a protocol P, a secret key K, and a hash algorithm H 1590 that produces output of L octets. 1592 The object's value is a manager-generated, partially-random 1593 value which, when modified, causes the value of the secret 1594 key K, to be modified via a one-way function. 1596 The value of an instance of this object is the concatenation 1597 of two components: first a 'random' component and then a 1598 'delta' component. 1600 The lengths of the random and delta components 1601 are given by the corresponding value of the protocol P; 1602 if P requires K to be a fixed length, the length of both the 1603 random and delta components is that fixed length; if P 1604 allows the length of K to be variable up to a particular 1605 maximum length, the length of the random component is that 1606 maximum length and the length of the delta component is any 1607 length less than or equal to that maximum length. 1608 For example, usmHMACMD5AuthProtocol requires K to be a fixed 1609 length of 16 octets and L - of 16 octets. 1610 usmHMACSHAAuthProtocol requires K to be a fixed length of 1611 20 octets and L - of 20 octets. Other protocols may define 1612 other sizes, as deemed appropriate. 1614 When a requester wants to change the old key K to a new 1615 key keyNew on a remote entity, the 'random' component is 1616 obtained from either a true random generator, or from a 1617 pseudorandom generator, and the 'delta' component is 1618 computed as follows: 1620 - a temporary variable is initialized to the existing value 1621 of K; 1622 - if the length of the keyNew is greater than L octets, 1623 then: 1624 - the random component is appended to the value of the 1625 temporary variable, and the result is input to the 1626 the hash algorithm H to produce a digest value, and 1627 the temporary variable is set to this digest value; 1628 - the value of the temporary variable is XOR-ed with 1629 the first (next) L-octets (16 octets in case of MD5) 1630 of the keyNew to produce the first (next) L-octets 1631 (16 octets in case of MD5) of the 'delta' component. 1632 - the above two steps are repeated until the unused 1633 portion of the keyNew component is L octets or less, 1634 - the random component is appended to the value of the 1635 temporary variable, and the result is input to the 1636 hash algorithm H to produce a digest value; 1637 - this digest value, truncated if necessary to be the same 1638 length as the unused portion of the keyNew, is XOR-ed 1639 with the unused portion of the keyNew to produce the 1640 (final portion of the) 'delta' component. 1642 For example, using MD5 as the hash algorithm H: 1644 iterations = (lenOfDelta - 1)/16; /* integer division */ 1645 temp = keyOld; 1646 for (i = 0; i < iterations; i++) { 1647 temp = MD5 (temp || random); 1648 delta[i*16 .. (i*16)+15] = 1649 temp XOR keyNew[i*16 .. (i*16)+15]; 1650 } 1651 temp = MD5 (temp || random); 1652 delta[i*16 .. lenOfDelta-1] = 1653 temp XOR keyNew[i*16 .. lenOfDelta-1]; 1655 The 'random' and 'delta' components are then concatenated as 1656 described above, and the resulting octet string is sent to 1657 the recipient as the new value of an instance of this object. 1659 At the receiver side, when an instance of this object is set 1660 to a new value, then a new value of K is computed as follows: 1662 - a temporary variable is initialized to the existing value 1663 of K; 1664 - if the length of the delta component is greater than L 1665 octets, then: 1666 - the random component is appended to the value of the 1667 temporary variable, and the result is input to the 1668 hash algorithm H to produce a digest value, and the 1669 temporary variable is set to this digest value; 1670 - the value of the temporary variable is XOR-ed with 1671 the first (next) L-octets (16 octets in case of MD5) 1672 of the delta component to produce the first (next) 1673 L-octets (16 octets in case of MD5) of the new value 1674 of K. 1675 - the above two steps are repeated until the unused 1676 portion of the delta component is L octets or less, 1677 - the random component is appended to the value of the 1678 temporary variable, and the result is input to the 1679 hash algorithm H to produce a digest value; 1680 - this digest value, truncated if necessary to be the same 1681 length as the unused portion of the delta component, is 1682 XOR-ed with the unused portion of the delta component to 1683 produce the (final portion of the) new value of K. 1685 For example, using MD5 as the hash algorithm H: 1687 iterations = (lenOfDelta - 1)/16; /* integer division */ 1688 temp = keyOld; 1689 for (i = 0; i < iterations; i++) { 1690 temp = MD5 (temp || random); 1691 keyNew[i*16 .. (i*16)+15] = 1692 temp XOR delta[i*16 .. (i*16)+15]; 1693 } 1694 temp = MD5 (temp || random); 1695 keyNew[i*16 .. lenOfDelta-1] = 1696 temp XOR delta[i*16 .. lenOfDelta-1]; 1698 The value of an object with this syntax, whenever it is 1699 retrieved by the management protocol, is always the zero 1700 length string. 1702 Note that the keyOld and keyNew are the localized keys. 1704 Note that it is probably wise that when an SNMP entity sends 1705 a SetRequest to change a key, that it keeps a copy of the old 1706 key until it has confirmed that the key change actually 1707 succeeded. 1708 " 1709 SYNTAX OCTET STRING 1711 -- Statistics for the User-based Security Model ********************** 1713 usmStats OBJECT IDENTIFIER ::= { usmMIBObjects 1 } 1715 usmStatsUnsupportedSecLevels OBJECT-TYPE 1716 SYNTAX Counter32 1717 MAX-ACCESS read-only 1718 STATUS current 1719 DESCRIPTION "The total number of packets received by the SNMP 1720 engine which were dropped because they requested a 1721 securityLevel that was unknown to the SNMP engine 1722 or otherwise unavailable. 1723 " 1725 ::= { usmStats 1 } 1727 usmStatsNotInTimeWindows OBJECT-TYPE 1728 SYNTAX Counter32 1729 MAX-ACCESS read-only 1730 STATUS current 1731 DESCRIPTION "The total number of packets received by the SNMP 1732 engine which were dropped because they appeared 1733 outside of the authoritative SNMP engine's window. 1734 " 1735 ::= { usmStats 2 } 1737 usmStatsUnknownUserNames OBJECT-TYPE 1738 SYNTAX Counter32 1739 MAX-ACCESS read-only 1740 STATUS current 1741 DESCRIPTION "The total number of packets received by the SNMP 1742 engine which were dropped because they referenced a 1743 user that was not known to the SNMP engine. 1744 " 1745 ::= { usmStats 3 } 1747 usmStatsUnknownEngineIDs OBJECT-TYPE 1748 SYNTAX Counter32 1749 MAX-ACCESS read-only 1750 STATUS current 1751 DESCRIPTION "The total number of packets received by the SNMP 1752 engine which were dropped because they referenced an 1753 snmpEngineID that was not known to the SNMP engine. 1754 " 1755 ::= { usmStats 4 } 1757 usmStatsWrongDigests OBJECT-TYPE 1758 SYNTAX Counter32 1759 MAX-ACCESS read-only 1760 STATUS current 1761 DESCRIPTION "The total number of packets received by the SNMP 1762 engine which were dropped because they didn't 1763 contain the expected digest value. 1764 " 1765 ::= { usmStats 5 } 1767 usmStatsDecryptionErrors OBJECT-TYPE 1768 SYNTAX Counter32 1769 MAX-ACCESS read-only 1770 STATUS current 1771 DESCRIPTION "The total number of packets received by the SNMP 1772 engine which were dropped because they could not be 1773 decrypted. 1774 " 1775 ::= { usmStats 6 } 1777 -- The usmUser Group ************************************************ 1779 usmUser OBJECT IDENTIFIER ::= { usmMIBObjects 2 } 1781 usmUserSpinLock OBJECT-TYPE 1782 SYNTAX TestAndIncr 1783 MAX-ACCESS read-write 1784 STATUS current 1785 DESCRIPTION "An advisory lock used to allow several cooperating 1786 Command Generator Applications to coordinate their 1787 use of facilities to alter secrets in the 1788 usmUserTable. 1789 " 1790 ::= { usmUser 1 } 1792 -- The table of valid users for the User-based Security Model ******** 1794 usmUserTable OBJECT-TYPE 1795 SYNTAX SEQUENCE OF UsmUserEntry 1796 MAX-ACCESS not-accessible 1797 STATUS current 1798 DESCRIPTION "The table of users configured in the SNMP engine's 1799 Local Configuration Datastore (LCD). 1801 To create a new user (i.e., to instantiate a new 1802 conceptual row in this table), it is recommended to 1803 follow this procedure: 1805 1) GET(usmUserSpinLock.0) and save in sValue. 1806 2) SET(usmUserSpinLock.0=sValue, 1807 usmUserCloneFrom=templateUser, 1808 usmUserStatus=createAndWait) 1809 You should use a template user to clone from 1810 which has the proper auth/priv protocol defined. 1812 If the new user is to use privacy: 1814 3) generate the keyChange value based on the secret 1815 privKey of the clone-from user and the secret key 1816 to be used for the new user. Let us call this 1817 pkcValue. 1818 4) GET(usmUserSpinLock.0) and save in sValue. 1819 5) SET(usmUserSpinLock.0=sValue, 1820 usmUserPrivKeyChange=pkcValue 1821 usmUserPublic=randomValue1) 1822 6) GET(usmUserPulic) and check it has randomValue1. 1823 If not, repeat steps 4-6. 1825 If the new user will never use privacy: 1827 7) SET(usmUserPrivProtocol=usmNoPrivProtocol) 1829 If the new user is to use authentication: 1831 8) generate the keyChange value based on the secret 1832 authKey of the clone-from user and the secret key 1833 to be used for the new user. Let us call this 1834 akcValue. 1835 9) GET(usmUserSpinLock.0) and save in sValue. 1836 10) SET(usmUserSpinLock.0=sValue, 1837 usmUserAuthKeyChange=akcValue 1838 usmUserPublic=randomValue2) 1839 11) GET(usmUserPulic) and check it has randomValue2. 1840 If not, repeat steps 9-11. 1842 If the new user will never use authentication: 1844 12) SET(usmUserAuthProtocol=usmNoAuthProtocol) 1846 Finally, activate the new user: 1848 13) SET(usmUserStatus=active) 1850 The new user should now be available and ready to be 1851 used for SNMPv3 communication. Note however that access 1852 to MIB data must be provided via configuration of the 1853 SNMP-VIEW-BASED-ACM-MIB. 1855 The use of usmUserSpinlock is to avoid conflicts with 1856 another SNMP command responder application which may 1857 also be acting on the usmUserTable. 1858 " 1859 ::= { usmUser 2 } 1861 usmUserEntry OBJECT-TYPE 1862 SYNTAX UsmUserEntry 1863 MAX-ACCESS not-accessible 1864 STATUS current 1865 DESCRIPTION "A user configured in the SNMP engine's Local 1866 Configuration Datastore (LCD) for the User-based 1867 Security Model. 1868 " 1870 INDEX { usmUserEngineID, 1871 usmUserName 1872 } 1873 ::= { usmUserTable 1 } 1875 UsmUserEntry ::= SEQUENCE 1876 { 1877 usmUserEngineID SnmpEngineID, 1878 usmUserName SnmpAdminString, 1879 usmUserSecurityName SnmpAdminString, 1880 usmUserCloneFrom RowPointer, 1881 usmUserAuthProtocol AutonomousType, 1882 usmUserAuthKeyChange KeyChange, 1883 usmUserOwnAuthKeyChange KeyChange, 1884 usmUserPrivProtocol AutonomousType, 1885 usmUserPrivKeyChange KeyChange, 1886 usmUserOwnPrivKeyChange KeyChange, 1887 usmUserPublic OCTET STRING, 1888 usmUserStorageType StorageType, 1889 usmUserStatus RowStatus 1890 } 1892 usmUserEngineID OBJECT-TYPE 1893 SYNTAX SnmpEngineID 1894 MAX-ACCESS not-accessible 1895 STATUS current 1896 DESCRIPTION "An SNMP engine's administratively-unique identifier. 1898 In a simple agent, this value is always that agent's 1899 own snmpEngineID value. 1901 The value can also take the value of the snmpEngineID 1902 of a remote SNMP engine with which this user can 1903 communicate. 1904 " 1905 ::= { usmUserEntry 1 } 1907 usmUserName OBJECT-TYPE 1908 SYNTAX SnmpAdminString (SIZE(1..32)) 1909 MAX-ACCESS not-accessible 1910 STATUS current 1911 DESCRIPTION "A human readable string representing the name of 1912 the user. 1914 This is the (User-based Security) Model dependent 1915 security ID. 1916 " 1917 ::= { usmUserEntry 2 } 1919 usmUserSecurityName OBJECT-TYPE 1920 SYNTAX SnmpAdminString 1921 MAX-ACCESS read-only 1922 STATUS current 1923 DESCRIPTION "A human readable string representing the user in 1924 Security Model independent format. 1926 The default transformation of the User-based Security 1927 Model dependent security ID to the securityName and 1928 vice versa is the identity function so that the 1929 securityName is the same as the userName. 1930 " 1931 ::= { usmUserEntry 3 } 1933 usmUserCloneFrom OBJECT-TYPE 1934 SYNTAX RowPointer 1935 MAX-ACCESS read-create 1936 STATUS current 1937 DESCRIPTION "A pointer to another conceptual row in this 1938 usmUserTable. The user in this other conceptual 1939 row is called the clone-from user. 1941 When a new user is created (i.e., a new conceptual 1942 row is instantiated in this table), the privacy and 1943 authentication parameters of the new user must be 1944 cloned from its clone-from user. These parameters are: 1945 - authentication protocol (usmUserAuthProtocol) 1946 - privacy protocol (usmUserPrivProtocol) 1947 They will be copied regardless of what the current 1948 value is. 1950 Cloning also causes the initial values of the secret 1951 authentication key (authKey) and the secret encryption 1952 key (privKey) of the new user to be set to the same 1953 value as the corresponding secret of the clone-from 1954 user. 1956 The first time an instance of this object is set by 1957 a management operation (either at or after its 1958 instantiation), the cloning process is invoked. 1959 Subsequent writes are successful but invoke no 1960 action to be taken by the receiver. 1961 The cloning process fails with an 'inconsistentName' 1962 error if the conceptual row representing the 1963 clone-from user does not exist or is not in an active 1964 state when the cloning process is invoked. 1966 When this object is read, the ZeroDotZero OID 1967 is returned. 1968 " 1969 ::= { usmUserEntry 4 } 1971 usmUserAuthProtocol OBJECT-TYPE 1972 SYNTAX AutonomousType 1973 MAX-ACCESS read-create 1974 STATUS current 1975 DESCRIPTION "An indication of whether messages sent on behalf of 1976 this user to/from the SNMP engine identified by 1977 usmUserEngineID, can be authenticated, and if so, 1978 the type of authentication protocol which is used. 1980 An instance of this object is created concurrently 1981 with the creation of any other object instance for 1982 the same user (i.e., as part of the processing of 1983 the set operation which creates the first object 1984 instance in the same conceptual row). 1986 If an initial set operation (i.e. at row creation time) 1987 tries to set a value for an unknown or unsupported 1988 protocol, then a 'wrongValue' error must be returned. 1990 The value will be overwritten/set when a set operation 1991 is performed on the corresponding instance of 1992 usmUserCloneFrom. 1994 Once instantiated, the value of such an instance of 1995 this object can only be changed via a set operation to 1996 the value of the usmNoAuthProtocol. 1998 If a set operation tries to change the value of an 1999 existing instance of this object to any value other 2000 than usmNoAuthProtocol, then an 'inconsistentValue' 2001 error must be returned. 2003 If a set operation tries to set the value to the 2004 usmNoAuthProtocol while the usmUserPrivProtocol value 2005 in the same row is not equal to usmNoPrivProtocol, 2006 then an 'inconsistentValue' error must be returned. 2007 That means that an SNMP command generator application 2008 must first ensure that the usmUserPrivProtocol is set 2009 to the usmNoPrivProtocol value before it can set 2010 the usmUserAuthProtocol value to usmNoAuthProtocol. 2011 " 2012 DEFVAL { usmNoAuthProtocol } 2013 ::= { usmUserEntry 5 } 2015 usmUserAuthKeyChange OBJECT-TYPE 2016 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5 2017 -- typically (SIZE (0 | 40)) for HMACSHA 2018 MAX-ACCESS read-create 2019 STATUS current 2020 DESCRIPTION "An object, which when modified, causes the secret 2021 authentication key used for messages sent on behalf 2022 of this user to/from the SNMP engine identified by 2023 usmUserEngineID, to be modified via a one-way 2024 function. 2026 The associated protocol is the usmUserAuthProtocol. 2027 The associated secret key is the user's secret 2028 authentication key (authKey). The associated hash 2029 algorithm is the algorithm used by the user's 2030 usmUserAuthProtocol. 2032 When creating a new user, it is an 'inconsistentName' 2033 error for a set operation to refer to this object 2034 unless it is previously or concurrently initialized 2035 through a set operation on the corresponding instance 2036 of usmUserCloneFrom. 2038 When the value of the corresponding usmUserAuthProtocol 2039 is usmNoAuthProtocol, then a set is successful, but 2040 effectively is a no-op. 2042 When this object is read, the zero-length (empty) 2043 string is returned. 2045 The recommended way to do a key change is as follows: 2047 1) GET(usmUserSpinLock.0) and save in sValue. 2048 2) generate the keyChange value based on the old 2049 (existing) secret key and the new secret key, 2050 let us call this kcValue. 2052 If you do the key change on behalf of another user: 2054 3) SET(usmUserSpinLock.0=sValue, 2055 usmUserAuthKeyChange=kcValue 2056 usmUserPublic=randomValue) 2058 If you do the key change for yourself: 2060 4) SET(usmUserSpinLock.0=sValue, 2061 usmUserOwnAuthKeyChange=kcValue 2062 usmUserPublic=randomValue) 2064 If you get a response with error-status of noError, 2065 then the SET succeeded and the new key is active. 2066 If you do not get a response, then you can issue a 2067 GET(usmUserPublic) and check if the value is equal 2068 to the randomValue you did send in the SET. If so, then 2069 the key change succeeded and the new key is active 2070 (probably the response got lost). If not, then the SET 2071 request probably never reached the target and so you 2072 can start over with the procedure above. 2073 " 2074 DEFVAL { ''H } -- the empty string 2075 ::= { usmUserEntry 6 } 2077 usmUserOwnAuthKeyChange OBJECT-TYPE 2078 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5 2079 -- typically (SIZE (0 | 40)) for HMACSHA 2080 MAX-ACCESS read-create 2081 STATUS current 2082 DESCRIPTION "Behaves exactly as usmUserAuthKeyChange, with one 2083 notable difference: in order for the set operation 2084 to succeed, the usmUserName of the operation 2085 requester must match the usmUserName that 2086 indexes the row which is targeted by this 2087 operation. 2088 In addition, the USM security model must be 2089 used for this operation. 2091 The idea here is that access to this column can be 2092 public, since it will only allow a user to change 2093 his own secret authentication key (authKey). 2094 Note that this can only be done once the row is active. 2096 When a set is received and the usmUserName of the 2097 requester is not the same as the umsUserName that 2098 indexes the row which is targeted by this operation, 2099 then a 'noAccess' error must be returned. 2101 When a set is received and the security model in use 2102 is not USM, then a 'noAccess' error must be returned. 2103 " 2104 DEFVAL { ''H } -- the empty string 2105 ::= { usmUserEntry 7 } 2107 usmUserPrivProtocol OBJECT-TYPE 2108 SYNTAX AutonomousType 2109 MAX-ACCESS read-create 2110 STATUS current 2111 DESCRIPTION "An indication of whether messages sent on behalf of 2112 this user to/from the SNMP engine identified by 2113 usmUserEngineID, can be protected from disclosure, 2114 and if so, the type of privacy protocol which is used. 2116 An instance of this object is created concurrently 2117 with the creation of any other object instance for 2118 the same user (i.e., as part of the processing of 2119 the set operation which creates the first object 2120 instance in the same conceptual row). 2122 If an initial set operation (i.e. at row creation time) 2123 tries to set a value for an unknown or unsupported 2124 protocol, then a 'wrongValue' error must be returned. 2126 The value will be overwritten/set when a set operation 2127 is performed on the corresponding instance of 2128 usmUserCloneFrom. 2130 Once instantiated, the value of such an instance of 2131 this object can only be changed via a set operation to 2132 the value of the usmNoPrivProtocol. 2134 If a set operation tries to change the value of an 2135 existing instance of this object to any value other 2136 than usmNoPrivProtocol, then an 'inconsistentValue' 2137 error must be returned. 2139 Note that if any privacy protocol is used, then you 2140 must also use an authentication protocol. In other 2141 words, if usmUserPrivProtocol is set to anything else 2142 than usmNoPrivProtocol, then the corresponding instance 2143 of usmUserAuthProtocol cannot have a value of 2144 usmNoAuthProtocol. If it does, then an 2145 'inconsistentValue' error must be returned. 2146 " 2147 DEFVAL { usmNoPrivProtocol } 2148 ::= { usmUserEntry 8 } 2150 usmUserPrivKeyChange OBJECT-TYPE 2151 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES 2152 MAX-ACCESS read-create 2153 STATUS current 2154 DESCRIPTION "An object, which when modified, causes the secret 2155 encryption key used for messages sent on behalf 2156 of this user to/from the SNMP engine identified by 2157 usmUserEngineID, to be modified via a one-way 2158 function. 2160 The associated protocol is the usmUserPrivProtocol. 2161 The associated secret key is the user's secret 2162 privacy key (privKey). The associated hash 2163 algorithm is the algorithm used by the user's 2164 usmUserAuthProtocol. 2166 When creating a new user, it is an 'inconsistentName' 2167 error for a set operation to refer to this object 2168 unless it is previously or concurrently initialized 2169 through a set operation on the corresponding instance 2170 of usmUserCloneFrom. 2172 When the value of the corresponding usmUserPrivProtocol 2173 is usmNoPrivProtocol, then a set is successful, but 2174 effectively is a no-op. 2176 When this object is read, the zero-length (empty) 2177 string is returned. 2178 See the description clause of usmUserAuthKeyChange for 2179 a recommended procedure to do a key change. 2180 " 2181 DEFVAL { ''H } -- the empty string 2182 ::= { usmUserEntry 9 } 2184 usmUserOwnPrivKeyChange OBJECT-TYPE 2185 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES 2186 MAX-ACCESS read-create 2187 STATUS current 2188 DESCRIPTION "Behaves exactly as usmUserPrivKeyChange, with one 2189 notable difference: in order for the Set operation 2190 to succeed, the usmUserName of the operation 2191 requester must match the usmUserName that indexes 2192 the row which is targeted by this operation. 2193 In addition, the USM security model must be 2194 used for this operation. 2196 The idea here is that access to this column can be 2197 public, since it will only allow a user to change 2198 his own secret privacy key (privKey). 2199 Note that this can only be done once the row is active. 2201 When a set is received and the usmUserName of the 2202 requester is not the same as the umsUserName that 2203 indexes the row which is targeted by this operation, 2204 then a 'noAccess' error must be returned. 2206 When a set is received and the security model in use 2207 is not USM, then a 'noAccess' error must be returned. 2208 " 2209 DEFVAL { ''H } -- the empty string 2210 ::= { usmUserEntry 10 } 2212 usmUserPublic OBJECT-TYPE 2213 SYNTAX OCTET STRING (SIZE(0..32)) 2214 MAX-ACCESS read-create 2215 STATUS current 2216 DESCRIPTION "A publicly-readable value which can be written as part 2217 of the procedure for changing a user's secret 2218 authentication and/or privacy key, and later read to 2219 determine whether the change of the secret was 2220 effected. 2221 " 2222 DEFVAL { ''H } -- the empty string 2223 ::= { usmUserEntry 11 } 2225 usmUserStorageType OBJECT-TYPE 2226 SYNTAX StorageType 2227 MAX-ACCESS read-create 2228 STATUS current 2229 DESCRIPTION "The storage type for this conceptual row. 2231 Conceptual rows having the value 'permanent' must 2232 allow write-access at a minimum to: 2234 - usmUserAuthKeyChange, usmUserOwnAuthKeyChange 2235 and usmUserPublic for a user who employs 2236 authentication, and 2237 - usmUserPrivKeyChange, usmUserOwnPrivKeyChange 2238 and usmUserPublic for a user who employs 2239 privacy. 2241 Note that any user who employs authentication or 2242 privacy must allow its secret(s) to be updated and 2243 thus cannot be 'readOnly'. 2245 If an initial set operation tries to set the value to 2246 'readOnly' for a user who employs authentication or 2247 privacy, then an 'inconsistentValue' error must be 2248 returned. Note that if the value has been previously 2249 set (implicit or explicit) to any value, then the rules 2250 as defined in the StorageType Textual Convention apply. 2252 It is an implementation issue to decide if a SET for 2253 a readOnly or permanent row is accepted at all. In some 2254 contexts this may make sense, in others it may not. If 2255 a SET for a readOnly or permanent row is not accepted 2256 at all, then a 'wrongValue' error must be returned. 2257 " 2258 DEFVAL { nonVolatile } 2259 ::= { usmUserEntry 12 } 2261 usmUserStatus OBJECT-TYPE 2262 SYNTAX RowStatus 2263 MAX-ACCESS read-create 2264 STATUS current 2265 DESCRIPTION "The status of this conceptual row. 2267 Until instances of all corresponding columns are 2268 appropriately configured, the value of the 2269 corresponding instance of the usmUserStatus column 2270 is 'notReady'. 2272 In particular, a newly created row for a user who 2273 employs authentication, cannot be made active until the 2274 corresponding usmUserCloneFrom and usmUserAuthKeyChange 2275 have been set. 2277 Further, a newly created row for a user who also 2278 employs privacy, cannot be made active until the 2279 usmUserPrivKeyChange has been set. 2281 The RowStatus TC [RFC1903] requires that this 2282 DESCRIPTION clause states under which circumstances 2283 other objects in this row can be modified: 2285 The value of this object has no effect on whether 2286 other objects in this conceptual row can be modified, 2287 except for usmUserOwnAuthKeyChange and 2288 usmUserOwnPrivKeyChange. For these 2 objects, the 2289 value of usmUserStatus MUST be active. 2290 " 2291 ::= { usmUserEntry 13 } 2293 -- Conformance Information ******************************************* 2295 usmMIBCompliances OBJECT IDENTIFIER ::= { usmMIBConformance 1 } 2296 usmMIBGroups OBJECT IDENTIFIER ::= { usmMIBConformance 2 } 2298 -- Compliance statements 2300 usmMIBCompliance MODULE-COMPLIANCE 2301 STATUS current 2302 DESCRIPTION "The compliance statement for SNMP engines which 2303 implement the SNMP-USER-BASED-SM-MIB. 2304 " 2306 MODULE -- this module 2307 MANDATORY-GROUPS { usmMIBBasicGroup } 2309 OBJECT usmUserAuthProtocol 2310 MIN-ACCESS read-only 2311 DESCRIPTION "Write access is not required." 2313 OBJECT usmUserPrivProtocol 2314 MIN-ACCESS read-only 2315 DESCRIPTION "Write access is not required." 2317 ::= { usmMIBCompliances 1 } 2319 -- Units of compliance 2320 usmMIBBasicGroup OBJECT-GROUP 2321 OBJECTS { 2322 usmStatsUnsupportedSecLevels, 2323 usmStatsNotInTimeWindows, 2324 usmStatsUnknownUserNames, 2325 usmStatsUnknownEngineIDs, 2326 usmStatsWrongDigests, 2327 usmStatsDecryptionErrors, 2328 usmUserSpinLock, 2329 usmUserSecurityName, 2330 usmUserCloneFrom, 2331 usmUserAuthProtocol, 2332 usmUserAuthKeyChange, 2333 usmUserOwnAuthKeyChange, 2334 usmUserPrivProtocol, 2335 usmUserPrivKeyChange, 2336 usmUserOwnPrivKeyChange, 2337 usmUserPublic, 2338 usmUserStorageType, 2339 usmUserStatus 2340 } 2341 STATUS current 2342 DESCRIPTION "A collection of objects providing for configuration 2343 of an SNMP engine which implements the SNMP 2344 User-based Security Model. 2345 " 2346 ::= { usmMIBGroups 1 } 2348 END 2349 6. HMAC-MD5-96 Authentication Protocol 2351 This section describes the HMAC-MD5-96 authentication protocol. This 2352 authentication protocol is the first defined for the User-based 2353 Security Model. It uses MD5 hash-function which is described in 2354 [MD5], in HMAC mode described in [RFC2104], truncating the output to 2355 96 bits. 2357 This protocol is identified by usmHMACMD5AuthProtocol. 2359 Over time, other authentication protocols may be defined either as a 2360 replacement of this protocol or in addition to this protocol. 2362 6.1. Mechanisms 2364 - In support of data integrity, a message digest algorithm is 2365 required. A digest is calculated over an appropriate portion of an 2366 SNMP message and included as part of the message sent to the 2367 recipient. 2369 - In support of data origin authentication and data integrity, 2370 a secret value is prepended to SNMP message prior to computing the 2371 digest; the calculated digest is partially inserted into the SNMP 2372 message prior to transmission, and the prepended value is not 2373 transmitted. The secret value is shared by all SNMP engines 2374 authorized to originate messages on behalf of the appropriate user. 2376 6.1.1. Digest Authentication Mechanism 2378 The Digest Authentication Mechanism defined in this memo provides 2379 for: 2381 - verification of the integrity of a received message, i.e., the 2382 message received is the message sent. 2384 The integrity of the message is protected by computing a digest 2385 over an appropriate portion of the message. The digest is computed 2386 by the originator of the message, transmitted with the message, and 2387 verified by the recipient of the message. 2389 - verification of the user on whose behalf the message was generated. 2391 A secret value known only to SNMP engines authorized to generate 2392 messages on behalf of a user is used in HMAC mode (see [RFC2104]). 2393 It also recommends the hash-function output used as Message 2394 Authentication Code, to be truncated. 2396 This protocol uses the MD5 [MD5] message digest algorithm. A 128-bit 2397 MD5 digest is calculated in a special (HMAC) way over the designated 2398 portion of an SNMP message and the first 96 bits of this digest is 2399 included as part of the message sent to the recipient. The size of 2400 the digest carried in a message is 12 octets. The size of the private 2401 authentication key (the secret) is 16 octets. For the details see 2402 section 6.3. 2404 6.2. Elements of the Digest Authentication Protocol 2406 This section contains definitions required to realize the 2407 authentication module defined in this section of this memo. 2409 6.2.1. Users 2411 Authentication using this authentication protocol makes use of a 2412 defined set of userNames. For any user on whose behalf a message must 2413 be authenticated at a particular SNMP engine, that SNMP engine must 2414 have knowledge of that user. An SNMP engine that wishes to 2415 communicate with another SNMP engine must also have knowledge of a 2416 user known to that engine, including knowledge of the applicable 2417 attributes of that user. 2419 A user and its attributes are defined as follows: 2421 2422 A string representing the name of the user. 2423 2424 A user's secret key to be used when calculating a digest. 2425 It MUST be 16 octets long for MD5. 2427 6.2.2. msgAuthoritativeEngineID 2429 The msgAuthoritativeEngineID value contained in an authenticated 2430 message specifies the authoritative SNMP engine for that particular 2431 message (see the definition of SnmpEngineID in the SNMP Architecture 2432 document [RFC-ARCH]). 2434 The user's (private) authentication key is normally different at each 2435 authoritative SNMP engine and so the snmpEngineID is used to select 2436 the proper key for the authentication process. 2438 6.2.3. SNMP Messages Using this Authentication Protocol 2440 Messages using this authentication protocol carry a 2441 msgAuthenticationParameters field as part of the 2442 msgSecurityParameters. For this protocol, the 2443 msgAuthenticationParameters field is the serialized OCTET STRING 2444 representing the first 12 octets of the HMAC-MD5-96 output done over 2445 the wholeMsg. 2447 The digest is calculated over the wholeMsg so if a message is 2448 authenticated, that also means that all the fields in the message are 2449 intact and have not been tampered with. 2451 6.2.4. Services provided by the HMAC-MD5-96 Authentication Module 2453 This section describes the inputs and outputs that the HMAC-MD5-96 2454 Authentication module expects and produces when the User-based 2455 Security module calls the HMAC-MD5-96 Authentication module for 2456 services. 2458 6.2.4.1. Services for Generating an Outgoing SNMP Message 2460 The HMAC-MD5-96 authentication protocol assumes that the selection of 2461 the authKey is done by the caller and that the caller passes the 2462 secret key to be used. 2464 Upon completion the authentication module returns statusInformation 2465 and, if the message digest was correctly calculated, the wholeMsg 2466 with the digest inserted at the proper place. The abstract service 2467 primitive is: 2469 statusInformation = -- success or failure 2470 authenticateOutgoingMsg( 2471 IN authKey -- secret key for authentication 2472 IN wholeMsg -- unauthenticated complete message 2473 OUT authenticatedWholeMsg -- complete authenticated message 2474 ) 2476 The abstract data elements are: 2478 statusInformation 2479 An indication of whether the authentication process was 2480 successful. If not it is an indication of the problem. 2481 authKey 2482 The secret key to be used by the authentication algorithm. 2483 The length of this key MUST be 16 octets. 2484 wholeMsg 2485 The message to be authenticated. 2486 authenticatedWholeMsg 2487 The authenticated message (including inserted digest) on output. 2489 Note, that authParameters field is filled by the authentication 2490 module and this field should be already present in the wholeMsg 2491 before the Message Authentication Code (MAC) is generated. 2493 6.2.4.2. Services for Processing an Incoming SNMP Message 2495 The HMAC-MD5-96 authentication protocol assumes that the selection of 2496 the authKey is done by the caller and that the caller passes the 2497 secret key to be used. 2499 Upon completion the authentication module returns statusInformation 2500 and, if the message digest was correctly calculated, the wholeMsg as 2501 it was processed. The abstract service primitive is: 2503 statusInformation = -- success or failure 2504 authenticateIncomingMsg( 2505 IN authKey -- secret key for authentication 2506 IN authParameters -- as received on the wire 2507 IN wholeMsg -- as received on the wire 2508 OUT authenticatedWholeMsg -- complete authenticated message 2509 ) 2511 The abstract data elements are: 2513 statusInformation 2514 An indication of whether the authentication process was 2515 successful. If not it is an indication of the problem. 2516 authKey 2517 The secret key to be used by the authentication algorithm. 2518 The length of this key MUST be 16 octets. 2519 authParameters 2520 The authParameters from the incoming message. 2521 wholeMsg 2522 The message to be authenticated on input and the authenticated 2523 message on output. 2524 authenticatedWholeMsg 2525 The whole message after the authentication check is complete. 2527 6.3. Elements of Procedure 2529 This section describes the procedures for the HMAC-MD5-96 2530 authentication protocol. 2532 6.3.1. Processing an Outgoing Message 2534 This section describes the procedure followed by an SNMP engine 2535 whenever it must authenticate an outgoing message using the 2536 usmHMACMD5AuthProtocol. 2538 1) The msgAuthenticationParameters field is set to the serialization, 2539 according to the rules in [RFC1906], of an OCTET STRING containing 2540 12 zero octets. 2542 2) From the secret authKey, two keys K1 and K2 are derived: 2544 a) extend the authKey to 64 octets by appending 48 zero 2545 octets; save it as extendedAuthKey 2546 b) obtain IPAD by replicating the octet 0x36 64 times; 2547 c) obtain K1 by XORing extendedAuthKey with IPAD; 2548 d) obtain OPAD by replicating the octet 0x5C 64 times; 2549 e) obtain K2 by XORing extendedAuthKey with OPAD. 2551 3) Prepend K1 to the wholeMsg and calculate MD5 digest over it 2552 according to [MD5]. 2554 4) Prepend K2 to the result of the step 4 and calculate MD5 digest 2555 over it according to [MD5]. Take the first 12 octets of the final 2556 digest - this is Message Authentication Code (MAC). 2558 5) Replace the msgAuthenticationParameters field with MAC obtained 2559 in the step 4. 2561 6) The authenticatedWholeMsg is then returned to the caller 2562 together with statusInformation indicating success. 2564 6.3.2. Processing an Incoming Message 2566 This section describes the procedure followed by an SNMP engine 2567 whenever it must authenticate an incoming message using the 2568 usmHMACMD5AuthProtocol. 2570 1) If the digest received in the msgAuthenticationParameters field 2571 is not 12 octets long, then an failure and an errorIndication 2572 (authenticationError) is returned to the calling module. 2574 2) The MAC received in the msgAuthenticationParameters field 2575 is saved. 2577 3) The digest in the msgAuthenticationParameters field is replaced 2578 by the 12 zero octets. 2580 4) From the secret authKey, two keys K1 and K2 are derived: 2582 a) extend the authKey to 64 octets by appending 48 zero 2583 octets; save it as extendedAuthKey 2584 b) obtain IPAD by replicating the octet 0x36 64 times; 2585 c) obtain K1 by XORing extendedAuthKey with IPAD; 2586 d) obtain OPAD by replicating the octet 0x5C 64 times; 2587 e) obtain K2 by XORing extendedAuthKey with OPAD. 2589 5) The MAC is calculated over the wholeMsg: 2591 a) prepend K1 to the wholeMsg and calculate the MD5 digest 2592 over it; 2593 b) prepend K2 to the result of step 5.a and calculate the 2594 MD5 digest over it; 2595 c) first 12 octets of the result of step 5.b is the MAC. 2597 The msgAuthenticationParameters field is replaced with the MAC 2598 value that was saved in step 2. 2600 6) Then the newly calculated MAC is compared with the MAC 2601 saved in step 2. If they do not match, then an failure and an 2602 errorIndication (authenticationFailure) is returned to the 2603 calling module. 2605 7) The authenticatedWholeMsg and statusInformation indicating 2606 success are then returned to the caller. 2608 7. HMAC-SHA-96 Authentication Protocol 2610 This section describes the HMAC-SHA-96 authentication protocol. This 2611 protocol uses the SHA hash-function which is described in [SHA-NIST], 2612 in HMAC mode described in [RFC2104], truncating the output to 96 2613 bits. 2615 This protocol is identified by usmHMACSHAAuthProtocol. 2617 Over time, other authentication protocols may be defined either as a 2618 replacement of this protocol or in addition to this protocol. 2620 7.1. Mechanisms 2622 - In support of data integrity, a message digest algorithm is 2623 required. A digest is calculated over an appropriate portion of an 2624 SNMP message and included as part of the message sent to the 2625 recipient. 2627 - In support of data origin authentication and data integrity, 2628 a secret value is prepended to the SNMP message prior to computing 2629 the digest; the calculated digest is then partially inserted into 2630 the message prior to transmission. The prepended secret is not 2631 transmitted. The secret value is shared by all SNMP engines 2632 authorized to originate messages on behalf of the appropriate user. 2634 7.1.1. Digest Authentication Mechanism 2636 The Digest Authentication Mechanism defined in this memo provides 2637 for: 2639 - verification of the integrity of a received message, i.e., the 2640 the message received is the message sent. 2642 The integrity of the message is protected by computing a digest 2643 over an appropriate portion of the message. The digest is computed 2644 by the originator of the message, transmitted with the message, and 2645 verified by the recipient of the message. 2647 - verification of the user on whose behalf the message was generated. 2649 A secret value known only to SNMP engines authorized to generate 2650 messages on behalf of a user is used in HMAC mode (see [RFC2104]). 2651 It also recommends the hash-function output used as Message 2652 Authentication Code, to be truncated. 2654 This mechanism uses the SHA [SHA-NIST] message digest algorithm. A 2655 160-bit SHA digest is calculated in a special (HMAC) way over the 2656 designated portion of an SNMP message and the first 96 bits of this 2657 digest is included as part of the message sent to the recipient. The 2658 size of the digest carried in a message is 12 octets. The size of the 2659 private authentication key (the secret) is 20 octets. For the details 2660 see section 7.3. 2662 7.2. Elements of the HMAC-SHA-96 Authentication Protocol 2664 This section contains definitions required to realize the 2665 authentication module defined in this section of this memo. 2667 7.2.1. Users 2669 Authentication using this authentication protocol makes use of a 2670 defined set of userNames. For any user on whose behalf a message 2671 must be authenticated at a particular SNMP engine, that SNMP engine 2672 must have knowledge of that user. An SNMP engine that wishes to 2673 communicate with another SNMP engine must also have knowledge of a 2674 user known to that engine, including knowledge of the applicable 2675 attributes of that user. 2677 A user and its attributes are defined as follows: 2679 2680 A string representing the name of the user. 2681 2682 A user's secret key to be used when calculating a digest. 2683 It MUST be 20 octets long for SHA. 2685 7.2.2. msgAuthoritativeEngineID 2687 The msgAuthoritativeEngineID value contained in an authenticated 2688 message specifies the authoritative SNMP engine for that particular 2689 message (see the definition of SnmpEngineID in the SNMP Architecture 2690 document [RFC-ARCH]). 2692 The user's (private) authentication key is normally different at each 2693 authoritative SNMP engine and so the snmpEngineID is used to select 2694 the proper key for the authentication process. 2696 7.2.3. SNMP Messages Using this Authentication Protocol 2698 Messages using this authentication protocol carry a 2699 msgAuthenticationParameters field as part of the 2700 msgSecurityParameters. For this protocol, the 2701 msgAuthenticationParameters field is the serialized OCTET STRING 2702 representing the first 12 octets of HMAC-SHA-96 output done over the 2703 wholeMsg. 2705 The digest is calculated over the wholeMsg so if a message is 2706 authenticated, that also means that all the fields in the message are 2707 intact and have not been tampered with. 2709 7.2.4. Services provided by the HMAC-SHA-96 Authentication Module 2711 This section describes the inputs and outputs that the HMAC-SHA-96 2712 Authentication module expects and produces when the User-based 2713 Security module calls the HMAC-SHA-96 Authentication module for 2714 services. 2716 7.2.4.1. Services for Generating an Outgoing SNMP Message 2718 HMAC-SHA-96 authentication protocol assumes that the selection of the 2719 authKey is done by the caller and that the caller passes the secret 2720 key to be used. 2722 Upon completion the authentication module returns statusInformation 2723 and, if the message digest was correctly calculated, the wholeMsg 2724 with the digest inserted at the proper place. The abstract service 2725 primitive is: 2727 statusInformation = -- success or failure 2728 authenticateOutgoingMsg( 2729 IN authKey -- secret key for authentication 2730 IN wholeMsg -- unauthenticated complete message 2731 OUT authenticatedWholeMsg -- complete authenticated message 2732 ) 2734 The abstract data elements are: 2736 statusInformation 2737 An indication of whether the authentication process was 2738 successful. If not it is an indication of the problem. 2739 authKey 2740 The secret key to be used by the authentication algorithm. 2741 The length of this key MUST be 20 octets. 2742 wholeMsg 2743 The message to be authenticated. 2744 authenticatedWholeMsg 2745 The authenticated message (including inserted digest) on output. 2747 Note, that authParameters field is filled by the authentication 2748 module and this field should be already present in the wholeMsg 2749 before the Message Authentication Code (MAC) is generated. 2751 7.2.4.2. Services for Processing an Incoming SNMP Message 2753 HMAC-SHA-96 authentication protocol assumes that the selection of the 2754 authKey is done by the caller and that the caller passes the secret 2755 key to be used. 2757 Upon completion the authentication module returns statusInformation 2758 and, if the message digest was correctly calculated, the wholeMsg as 2759 it was processed. The abstract service primitive is: 2761 statusInformation = -- success or failure 2762 authenticateIncomingMsg( 2763 IN authKey -- secret key for authentication 2764 IN authParameters -- as received on the wire 2765 IN wholeMsg -- as received on the wire 2766 OUT authenticatedWholeMsg -- complete authenticated message 2767 ) 2769 The abstract data elements are: 2771 statusInformation 2772 An indication of whether the authentication process was 2773 successful. If not it is an indication of the problem. 2774 authKey 2775 The secret key to be used by the authentication algorithm. 2776 The length of this key MUST be 20 octets. 2777 authParameters 2778 The authParameters from the incoming message. 2779 wholeMsg 2780 The message to be authenticated on input and the authenticated 2781 message on output. 2782 authenticatedWholeMsg 2783 The whole message after the authentication check is complete. 2785 7.3. Elements of Procedure 2787 This section describes the procedures for the HMAC-SHA-96 2788 authentication protocol. 2790 7.3.1. Processing an Outgoing Message 2792 This section describes the procedure followed by an SNMP engine 2793 whenever it must authenticate an outgoing message using the 2794 usmHMACSHAAuthProtocol. 2796 1) The msgAuthenticationParameters field is set to the 2797 serialization, according to the rules in [RFC1906], of an OCTET 2798 STRING containing 12 zero octets. 2800 2) From the secret authKey, two keys K1 and K2 are derived: 2802 a) extend the authKey to 64 octets by appending 44 zero 2803 octets; save it as extendedAuthKey 2804 b) obtain IPAD by replicating the octet 0x36 64 times; 2805 c) obtain K1 by XORing extendedAuthKey with IPAD; 2806 d) obtain OPAD by replicating the octet 0x5C 64 times; 2807 e) obtain K2 by XORing extendedAuthKey with OPAD. 2809 3) Prepend K1 to the wholeMsg and calculate the SHA digest over it 2810 according to [SHA-NIST]. 2812 4) Prepend K2 to the result of the step 4 and calculate SHA digest 2813 over it according to [SHA-NIST]. Take the first 12 octets of the 2814 final digest - this is Message Authentication Code (MAC). 2816 5) Replace the msgAuthenticationParameters field with MAC obtained 2817 in the step 5. 2819 6) The authenticatedWholeMsg is then returned to the caller 2820 together with statusInformation indicating success. 2822 7.3.2. Processing an Incoming Message 2824 This section describes the procedure followed by an SNMP engine 2825 whenever it must authenticate an incoming message using the 2826 usmHMACSHAAuthProtocol. 2828 1) If the digest received in the msgAuthenticationParameters field 2829 is not 12 octets long, then an failure and an errorIndication 2830 (authenticationError) is returned to the calling module. 2832 2) The MAC received in the msgAuthenticationParameters field 2833 is saved. 2835 3) The digest in the msgAuthenticationParameters field is 2836 replaced by the 12 zero octets. 2838 4) From the secret authKey, two keys K1 and K2 are derived: 2840 a) extend the authKey to 64 octets by appending 44 zero 2841 octets; save it as extendedAuthKey 2842 b) obtain IPAD by replicating the octet 0x36 64 times; 2843 c) obtain K1 by XORing extendedAuthKey with IPAD; 2844 d) obtain OPAD by replicating the octet 0x5C 64 times; 2845 e) obtain K2 by XORing extendedAuthKey with OPAD. 2847 5) The MAC is calculated over the wholeMsg: 2849 a) prepend K1 to the wholeMsg and calculate the SHA digest 2850 over it; 2851 b) prepend K2 to the result of step 5.a and calculate the 2852 SHA digest over it; 2853 c) first 12 octets of the result of step 5.b is the MAC. 2855 The msgAuthenticationParameters field is replaced with the MAC 2856 value that was saved in step 2. 2858 6) The the newly calculated MAC is compared with the MAC saved in 2859 step 2. If they do not match, then a failure and an 2860 errorIndication (authenticationFailure) are returned to the 2861 calling module. 2863 7) The authenticatedWholeMsg and statusInformation indicating 2864 success are then returned to the caller. 2866 8. CBC-DES Symmetric Encryption Protocol 2868 This section describes the CBC-DES Symmetric Encryption Protocol. 2869 This protocol is the first privacy protocol defined for the User- 2870 based Security Model. 2872 This protocol is identified by usmDESPrivProtocol. 2874 Over time, other privacy protocols may be defined either as a 2875 replacement of this protocol or in addition to this protocol. 2877 8.1. Mechanisms 2879 - In support of data confidentiality, an encryption algorithm is 2880 required. An appropriate portion of the message is encrypted prior 2881 to being transmitted. The User-based Security Model specifies that 2882 the scopedPDU is the portion of the message that needs to be 2883 encrypted. 2885 - A secret value in combination with a timeliness value is used 2886 to create the en/decryption key and the initialization vector. The 2887 secret value is shared by all SNMP engines authorized to originate 2888 messages on behalf of the appropriate user. 2890 8.1.1. Symmetric Encryption Protocol 2892 The Symmetric Encryption Protocol defined in this memo provides 2893 support for data confidentiality. The designated portion of an SNMP 2894 message is encrypted and included as part of the message sent to the 2895 recipient. 2897 Two organizations have published specifications defining the DES: 2898 the National Institute of Standards and Technology (NIST) [DES-NIST] 2899 and the American National Standards Institute [DES-ANSI]. There is a 2900 companion Modes of Operation specification for each definition 2901 ([DESO-NIST] and [DESO-ANSI], respectively). 2903 The NIST has published three additional documents that implementors 2904 may find useful. 2906 - There is a document with guidelines for implementing and using 2907 the DES, including functional specifications for the DES and its 2908 modes of operation [DESG-NIST]. 2910 - There is a specification of a validation test suite for the DES 2911 [DEST-NIST]. The suite is designed to test all aspects of the DES 2912 and is useful for pinpointing specific problems. 2914 - There is a specification of a maintenance test for the DES 2915 [DESM-NIST]. The test utilizes a minimal amount of data and 2916 processing to test all components of the DES. It provides a simple 2917 yes-or-no indication of correct operation and is useful to run as 2918 part of an initialization step, e.g., when a computer re-boots. 2920 8.1.1.1. DES key and Initialization Vector. 2922 The first 8 octets of the 16-octet secret (private privacy key) are 2923 used as a DES key. Since DES uses only 56 bits, the Least 2924 Significant Bit in each octet is disregarded. 2926 The Initialization Vector for encryption is obtained using the 2927 following procedure. 2929 The last 8 octets of the 16-octet secret (private privacy key) are 2930 used as pre-IV. 2932 In order to ensure that the IV for two different packets encrypted by 2933 the same key, are not the same (i.e., the IV does not repeat) we need 2934 to "salt" the pre-IV with something unique per packet. An 8-octet 2935 string is used as the "salt". The concatenation of the generating 2936 SNMP engine's 32-bit snmpEngineBoots and a local 32-bit integer, that 2937 the encryption engine maintains, is input to the "salt". The 32-bit 2938 integer is initialized to an arbitrary value at boot time. 2940 The 32-bit snmpEngineBoots is converted to the first 4 octets (Most 2941 Significant Byte first) of our "salt". The 32-bit integer is then 2942 converted to the last 4 octet (Most Significant Byte first) of our 2943 "salt". The resulting "salt" is then XOR-ed with the pre-IV to obtain 2944 the IV. The 8-octet "salt" is then put into the privParameters field 2945 encoded as an OCTET STRING. The "salt" integer is then modified. We 2946 recommend that it be incremented by one and wrap when it reaches the 2947 maximum value. 2949 How exactly the value of the "salt" (and thus of the IV) varies, is 2950 an implementation issue, as long as the measures are taken to avoid 2951 producing a duplicate IV. 2953 The "salt" must be placed in the privParameters field to enable the 2954 receiving entity to compute the correct IV and to decrypt the 2955 message. 2957 8.1.1.2. Data Encryption. 2959 The data to be encrypted is treated as sequence of octets. Its length 2960 should be an integral multiple of 8 - and if it is not, the data is 2961 padded at the end as necessary. The actual pad value is irrelevant. 2963 The data is encrypted in Cipher Block Chaining mode. 2965 The plaintext is divided into 64-bit blocks. 2967 The plaintext for each block is XOR-ed with the ciphertext of the 2968 previous block, the result is encrypted and the output of the 2969 encryption is the ciphertext for the block. This procedure is 2970 repeated until there are no more plaintext blocks. 2972 For the very first block, the Initialization Vector is used instead 2973 of the ciphertext of the previous block. 2975 8.1.1.3. Data Decryption 2977 Before decryption, the encrypted data length is verified. If the 2978 length of the OCTET STRING to be decrypted is not an integral 2979 multiple of 8 octets, the decryption process is halted and an 2980 appropriate exception noted. When decrypting, the padding is 2981 ignored. 2983 The first ciphertext block is decrypted, the decryption output is 2984 XOR-ed with the Initialization Vector, and the result is the first 2985 plaintext block. 2987 For each subsequent block, the ciphertext block is decrypted, the 2988 decryption output is XOR-ed with the previous ciphertext block and 2989 the result is the plaintext block. 2991 8.2. Elements of the DES Privacy Protocol 2993 This section contains definitions required to realize the privacy 2994 module defined by this memo. 2996 8.2.1. Users 2998 Data en/decryption using this Symmetric Encryption Protocol makes use 2999 of a defined set of userNames. For any user on whose behalf a 3000 message must be en/decrypted at a particular SNMP engine, that SNMP 3001 engine must have knowledge of that user. An SNMP engine that wishes 3002 to communicate with another SNMP engine must also have knowledge of a 3003 user known to that SNMP engine, including knowledge of the applicable 3004 attributes of that user. 3006 A user and its attributes are defined as follows: 3008 3009 An octet string representing the name of the user. 3011 3012 A user's secret key to be used as input for the DES key and IV. 3013 The length of this key MUST be 16 octets. 3015 8.2.2. msgAuthoritativeEngineID 3017 The msgAuthoritativeEngineID value contained in an authenticated 3018 message specifies the authoritative SNMP engine for that particular 3019 message (see the definition of SnmpEngineID in the SNMP Architecture 3020 document [RFC-ARCH]). 3022 The user's (private) privacy key is normally different at each 3023 authoritative SNMP engine and so the snmpEngineID is used to select 3024 the proper key for the en/decryption process. 3026 8.2.3. SNMP Messages Using this Privacy Protocol 3028 Messages using this privacy protocol carry a msgPrivacyParameters 3029 field as part of the msgSecurityParameters. For this protocol, the 3030 msgPrivacyParameters field is the serialized OCTET STRING 3031 representing the "salt" that was used to create the IV. 3033 8.2.4. Services provided by the DES Privacy Module 3035 This section describes the inputs and outputs that the DES Privacy 3036 module expects and produces when the User-based Security module 3037 invokes the DES Privacy module for services. 3039 8.2.4.1. Services for Encrypting Outgoing Data 3041 This DES privacy protocol assumes that the selection of the privKey 3042 is done by the caller and that the caller passes the secret key to be 3043 used. 3045 Upon completion the privacy module returns statusInformation and, if 3046 the encryption process was successful, the encryptedPDU and the 3047 msgPrivacyParameters encoded as an OCTET STRING. The abstract 3048 service primitive is: 3050 statusInformation = -- success of failure 3051 encryptData( 3052 IN encryptKey -- secret key for encryption 3053 IN dataToEncrypt -- data to encrypt (scopedPDU) 3054 OUT encryptedData -- encrypted data (encryptedPDU) 3055 OUT privParameters -- filled in by service provider 3056 ) 3058 The abstract data elements are: 3060 statusInformation 3061 An indication of the success or failure of the encryption 3062 process. In case of failure, it is an indication of the error. 3063 encryptKey 3064 The secret key to be used by the encryption algorithm. 3065 The length of this key MUST be 16 octets. 3066 dataToEncrypt 3067 The data that must be encrypted. 3068 encryptedData 3069 The encrypted data upon successful completion. 3070 privParameters 3071 The privParameters encoded as an OCTET STRING. 3073 8.2.4.2. Services for Decrypting Incoming Data 3075 This DES privacy protocol assumes that the selection of the privKey 3076 is done by the caller and that the caller passes the secret key to be 3077 used. 3079 Upon completion the privacy module returns statusInformation and, if 3080 the decryption process was successful, the scopedPDU in plain text. 3081 The abstract service primitive is: 3083 statusInformation = 3084 decryptData( 3085 IN decryptKey -- secret key for decryption 3086 IN privParameters -- as received on the wire 3087 IN encryptedData -- encrypted data (encryptedPDU) 3088 OUT decryptedData -- decrypted data (scopedPDU) 3089 ) 3091 The abstract data elements are: 3093 statusInformation 3094 An indication whether the data was successfully decrypted 3095 and if not an indication of the error. 3096 decryptKey 3097 The secret key to be used by the decryption algorithm. 3098 The length of this key MUST be 16 octets. 3099 privParameters 3100 The "salt" to be used to calculate the IV. 3101 encryptedData 3102 The data to be decrypted. 3103 decryptedData 3104 The decrypted data. 3106 8.3. Elements of Procedure. 3108 This section describes the procedures for the DES privacy protocol. 3110 8.3.1. Processing an Outgoing Message 3112 This section describes the procedure followed by an SNMP engine 3113 whenever it must encrypt part of an outgoing message using the 3114 usmDESPrivProtocol. 3116 1) The secret cryptKey is used to construct the DES encryption key, 3117 the "salt" and the DES pre-IV (from which the IV is computed as 3118 described in section 8.1.1.1). 3120 2) The privParameters field is set to the serialization according 3121 to the rules in [RFC1906] of an OCTET STRING representing the the 3122 "salt" string. 3124 3) The scopedPDU is encrypted (as described in section 8.1.1.2) 3125 and the encrypted data is serialized according to the rules in 3126 [RFC1906] as an OCTET STRING. 3128 4) The serialized OCTET STRING representing the encrypted 3129 scopedPDU together with the privParameters and statusInformation 3130 indicating success is returned to the calling module. 3132 8.3.2. Processing an Incoming Message 3134 This section describes the procedure followed by an SNMP engine 3135 whenever it must decrypt part of an incoming message using the 3136 usmDESPrivProtocol. 3138 1) If the privParameters field is not an 8-octet OCTET STRING, 3139 then an error indication (decryptionError) is returned to the 3140 calling module. 3142 2) The "salt" is extracted from the privParameters field. 3144 3) The secret cryptKey and the "salt" are then used to construct the 3145 DES decryption key and pre-IV (from which the IV is computed as 3146 described in section 8.1.1.1). 3148 4) The encryptedPDU is then decrypted (as described in 3149 section 8.1.1.3). 3151 5) If the encryptedPDU cannot be decrypted, then an error 3152 indication (decryptionError) is returned to the calling module. 3154 6) The decrypted scopedPDU and statusInformation indicating 3155 success are returned to the calling module. 3157 9. Intellectual Property 3159 The IETF takes no position regarding the validity or scope of any 3160 intellectual property or other rights that might be claimed to 3161 pertain to the implementation or use of the technology described in 3162 this document or the extent to which any license under such rights 3163 might or might not be available; neither does it represent that it 3164 has made any effort to identify any such rights. Information on the 3165 IETF's procedures with respect to rights in standards-track and 3166 standards-related documentation can be found in BCP-11. Copies of 3167 claims of rights made available for publication and any assurances of 3168 licenses to be made available, or the result of an attempt made to 3169 obtain a general license or permission for the use of such 3170 proprietary rights by implementors or users of this specification can 3171 be obtained from the IETF Secretariat. 3173 The IETF invites any interested party to bring to its attention any 3174 copyrights, patents or patent applications, or other proprietary 3175 rights which may cover technology that may be required to practice 3176 this standard. Please address the information to the IETF Executive 3177 Director. 3179 10. Acknowledgements 3181 This document is the result of the efforts of the SNMPv3 Working 3182 Group. Some special thanks are in order to the following SNMPv3 WG 3183 members: 3185 Harald Tveit Alvestrand (Maxware) 3186 Dave Battle (SNMP Research, Inc.) 3187 Alan Beard (Disney Worldwide Services) 3188 Paul Berrevoets (SWI Systemware/Halcyon Inc.) 3189 Martin Bjorklund (Ericsson) 3190 Uri Blumenthal (IBM T.J. Watson Research Center) 3191 Jeff Case (SNMP Research, Inc.) 3192 John Curran (BBN) 3193 Mike Daniele (Compaq Computer Corporation)) 3194 T. Max Devlin (Eltrax Systems) 3195 John Flick (Hewlett Packard) 3196 Rob Frye (MCI) 3197 Wes Hardaker (U.C.Davis, Information Technology - D.C.A.S.) 3198 David Harrington (Cabletron Systems Inc.) 3199 Lauren Heintz (BMC Software, Inc.) 3200 N.C. Hien (IBM T.J. Watson Research Center) 3201 Michael Kirkham (InterWorking Labs, Inc.) 3202 Dave Levi (SNMP Research, Inc.) 3203 Louis A Mamakos (UUNET Technologies Inc.) 3204 Joe Marzot (Nortel Networks) 3205 Paul Meyer (Secure Computing Corporation) 3206 Keith McCloghrie (Cisco Systems) 3207 Bob Moore (IBM) 3208 Russ Mundy (TIS Labs at Network Associates) 3209 Bob Natale (ACE*COMM Corporation) 3210 Mike O'Dell (UUNET Technologies Inc.) 3211 Dave Perkins (DeskTalk) 3212 Peter Polkinghorne (Brunel University) 3213 Randy Presuhn (BMC Software, Inc.) 3214 David Reeder (TIS Labs at Network Associates) 3215 David Reid (SNMP Research, Inc.) 3216 Aleksey Romanov (Quality Quorum) 3217 Shawn Routhier (Epilogue) 3218 Juergen Schoenwaelder (TU Braunschweig) 3219 Bob Stewart (Cisco Systems) 3220 Mike Thatcher (Independent Consultant) 3221 Bert Wijnen (IBM T.J. Watson Research Center) 3223 The document is based on recommendations of the IETF Security and 3224 Administrative Framework Evolution for SNMP Advisory Team. Members 3225 of that Advisory Team were: 3227 David Harrington (Cabletron Systems Inc.) 3228 Jeff Johnson (Cisco Systems) 3229 David Levi (SNMP Research Inc.) 3230 John Linn (Openvision) 3231 Russ Mundy (Trusted Information Systems) chair 3232 Shawn Routhier (Epilogue) 3233 Glenn Waters (Nortel) 3234 Bert Wijnen (IBM T. J. Watson Research Center) 3236 As recommended by the Advisory Team and the SNMPv3 Working Group 3237 Charter, the design incorporates as much as practical from previous 3238 RFCs and drafts. As a result, special thanks are due to the authors 3239 of previous designs known as SNMPv2u and SNMPv2*: 3241 Jeff Case (SNMP Research, Inc.) 3242 David Harrington (Cabletron Systems Inc.) 3243 David Levi (SNMP Research, Inc.) 3244 Keith McCloghrie (Cisco Systems) 3245 Brian O'Keefe (Hewlett Packard) 3246 Marshall T. Rose (Dover Beach Consulting) 3247 Jon Saperia (BGS Systems Inc.) 3248 Steve Waldbusser (International Network Services) 3249 Glenn W. Waters (Bell-Northern Research Ltd.) 3251 11. Security Considerations 3253 11.1. Recommended Practices 3255 This section describes practices that contribute to the secure, 3256 effective operation of the mechanisms defined in this memo. 3258 - An SNMP engine must discard SNMP Response messages that do not 3259 correspond to any currently outstanding Request message. It is the 3260 responsibility of the Message Processing module to take care of 3261 this. For example it can use a msgID for that. 3263 An SNMP Command Generator Application must discard any Response 3264 Class PDU for which there is no currently outstanding Confirmed 3265 Class PDU; for example for SNMPv2 [RFC1905] PDUs, the request-id 3266 component in the PDU can be used to correlate Responses to 3267 outstanding Requests. 3269 Although it would be typical for an SNMP engine and an SNMP Command 3270 Generator Application to do this as a matter of course, when using 3271 these security protocols it is significant due to the possibility 3272 of message duplication (malicious or otherwise). 3274 - If an SNMP engine uses a msgID for correlating Response messages 3275 to outstanding Request messages, then it MUST use different msgIDs 3276 in all such Request messages that it sends out during a Time Window 3277 (150 seconds) period. 3279 A Command Generator or Notification Originator Application MUST use 3280 different request-ids in all Request PDUs that it sends out during 3281 a TimeWindow (150 seconds) period. 3283 This must be done to protect against the possibility of message 3284 duplication (malicious or otherwise). 3286 For example, starting operations with a msgID and/or request-id 3287 value of zero is not a good idea. Initializing them with an 3288 unpredictable number (so they do not start out the same after each 3289 reboot) and then incrementing by one would be acceptable. 3291 - An SNMP engine should perform time synchronization using 3292 authenticated messages in order to protect against the possibility 3293 of message duplication (malicious or otherwise). 3295 - When sending state altering messages to a managed authoritative 3296 SNMP engine, a Command Generator Application should delay sending 3297 successive messages to that managed SNMP engine until a positive 3298 acknowledgement is received for the previous message or until the 3299 previous message expires. 3301 No message ordering is imposed by the SNMP. Messages may be 3302 received in any order relative to their time of generation and each 3303 will be processed in the ordered received. Note that when an 3304 authenticated message is sent to a managed SNMP engine, it will be 3305 valid for a period of time of approximately 150 seconds under 3306 normal circumstances, and is subject to replay during this period. 3307 Indeed, an SNMP engine and SNMP Command Generator Applications must 3308 cope with the loss and re-ordering of messages resulting from 3309 anomalies in the network as a matter of course. 3311 However, a managed object, snmpSetSerialNo [RFC1907], is 3312 specifically defined for use with SNMP Set operations in order to 3313 provide a mechanism to ensure that the processing of SNMP messages 3314 occurs in a specific order. 3316 - The frequency with which the secrets of a User-based Security 3317 Model user should be changed is indirectly related to the frequency 3318 of their use. 3320 Protecting the secrets from disclosure is critical to the overall 3321 security of the protocols. Frequent use of a secret provides a 3322 continued source of data that may be useful to a cryptanalyst in 3323 exploiting known or perceived weaknesses in an algorithm. Frequent 3324 changes to the secret avoid this vulnerability. 3326 Changing a secret after each use is generally regarded as the most 3327 secure practice, but a significant amount of overhead may be 3328 associated with that approach. 3330 Note, too, in a local environment the threat of disclosure may be 3331 less significant, and as such the changing of secrets may be less 3332 frequent. However, when public data networks are used as the 3333 communication paths, more caution is prudent. 3335 11.2 Defining Users 3337 The mechanisms defined in this document employ the notion of users on 3338 whose behalf messages are sent. How "users" are defined is subject 3339 to the security policy of the network administration. For example, 3340 users could be individuals (e.g., "joe" or "jane"), or a particular 3341 role (e.g., "operator" or "administrator"), or a combination (e.g., 3342 "joe-operator", "jane-operator" or "joe-admin"). Furthermore, a user 3343 may be a logical entity, such as an SNMP Application or a set of SNMP 3344 Applications, acting on behalf of an individual or role, or set of 3345 individuals, or set of roles, including combinations. 3347 Appendix A describes an algorithm for mapping a user "password" to a 3348 16/20 octet value for use as either a user's authentication key or 3349 privacy key (or both). Note however, that using the same password 3350 (and therefore the same key) for both authentication and privacy is 3351 very poor security practice and should be strongly discouraged. 3352 Passwords are often generated, remembered, and input by a human. 3353 Human-generated passwords may be less than the 16/20 octets required 3354 by the authentication and privacy protocols, and brute force attacks 3355 can be quite easy on a relatively short ASCII character set. 3356 Therefore, the algorithm is Appendix A performs a transformation on 3357 the password. If the Appendix A algorithm is used, SNMP 3358 implementations (and SNMP configuration applications) must ensure 3359 that passwords are at least 8 characters in length. Please note that 3360 longer passwords with repetitive strings may result in exactly the 3361 same key. For example, a password 'bertbert' will result in exactly 3362 the same key as password 'bertbertbert'. 3364 Because the Appendix A algorithm uses such passwords (nearly) 3365 directly, it is very important that they not be easily guessed. It 3366 is suggested that they be composed of mixed-case alphanumeric and 3367 punctuation characters that don't form words or phrases that might be 3368 found in a dictionary. Longer passwords improve the security of the 3369 system. Users may wish to input multiword phrases to make their 3370 password string longer while ensuring that it is memorable. 3372 Since it is infeasible for human users to maintain different 3373 passwords for every SNMP engine, but security requirements strongly 3374 discourage having the same key for more than one SNMP engine, the 3375 User-based Security Model employs a compromise proposed in 3376 [Localized-key]. It derives the user keys for the SNMP engines from 3377 user's password in such a way that it is practically impossible to 3378 either determine the user's password, or user's key for another SNMP 3379 engine from any combination of user's keys on SNMP engines. 3381 Note however, that if user's password is disclosed, then key 3382 localization will not help and network security may be compromised in 3383 this case. Therefore a user's password or non-localized key MUST NOT 3384 be stored on a managed device/node. Instead the localized key SHALL 3385 be stored (if at all) , so that, in case a device does get 3386 compromised, no other managed or managing devices get compromised. 3388 11.3. Conformance 3390 To be termed a "Secure SNMP implementation" based on the User-based 3391 Security Model, an SNMP implementation MUST: 3393 - implement one or more Authentication Protocol(s). The HMAC-MD5-96 3394 and HMAC-SHA-96 Authentication Protocols defined in this memo are 3395 examples of such protocols. 3397 - to the maximum extent possible, prohibit access to the secret(s) 3398 of each user about which it maintains information in a Local 3399 Configuration Datastore (LCD) under all circumstances except as 3400 required to generate and/or validate SNMP messages with respect to 3401 that user. 3403 - implement the key-localization mechanism. 3405 - implement the SNMP-USER-BASED-SM-MIB. 3407 In addition, an authoritative SNMP engine SHOULD provide initial 3408 configuration in accordance with Appendix A.1. 3410 Implementation of a Privacy Protocol (the DES Symmetric Encryption 3411 Protocol defined in this memo is one such protocol) is optional. 3413 11.4. Use of Reports 3415 The use of unsecure reports (i.e. sending them with a securityLevel 3416 of noAuthNoPriv) potentially exposes a non-authoritative SNMP engine 3417 to some form of attacks. Some people consider these denial of 3418 service attacks, others don't. An installation should evaluate the 3419 risk involved before deploying unsecure Report PDUs. 3421 11.5. Access to the SNMP-USER-BASED-SM-MIB 3423 The objects in this MIB may be considered sensitive in many 3424 environments. Specifically the objects in the usmUserTable contain 3425 information about users and their authentication and privacy 3426 protocols. It is important to closely control (both read and write) 3427 access to these MIB objects by using appropriately configured Access 3428 Control models (for example the View-based Access Control Model as 3429 specified in [RFC-VACM]). 3431 12. References 3433 [RFC1321] Rivest, R., "Message Digest Algorithm MD5", 3434 RFC 1321, April 1992. 3436 [RFC1903] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3437 "Textual Conventions for Version 2 of the Simple Network 3438 Management Protocol (SNMPv2)", RFC 1903, January 1996. 3440 [RFC1905] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3441 "Protocol Operations for Version 2 of the Simple Network 3442 Management Protocol (SNMPv2)", RFC 1905, January 1996. 3444 [RFC1906] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3445 "Transport Mappings for Version 2 of the Simple Network Management 3446 Protocol (SNMPv2)", RFC 1906, January 1996. 3448 [RFC1907] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3449 "Management Information Base for Version 2 of the Simple Network 3450 Management Protocol (SNMPv2)", RFC 1907 January 1996. 3452 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: 3453 Keyed-Hashing for Message Authentication", RFC 2104, February 3454 1997. 3456 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3457 Requirement Levels", BCP 14, RFC 2119, March 1997. 3459 [RFC-ARCH] Harrington, D., Presuhn, R. and B. Wijnen, "An 3460 Architecture for describing SNMP Management Frameworks", draft- 3461 ietf-snmpv3-arch-05.txt, February 1999. 3463 [RFC-MPD] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, 3464 "Message Processing and Dispatching for the Simple Network 3465 Management Protocol (SNMP)", draft-ietf-snmpv3-mpc-05.txt, 3466 February 1999. 3468 [SNMP-VACM] Wijnen, B., Presuhn, R. and K. McCloghrie, 3469 "View-based Access Control Model for the Simple Network Management 3470 Protocol (SNMP)", , February 1999. 3472 [Localized-Key] U. Blumenthal, N. C. Hien, B. Wijnen 3473 "Key Derivation for Network Management Applications" IEEE Network 3474 Magazine, April/May issue, 1997. 3476 [DES-NIST] Data Encryption Standard, National Institute of Standards 3477 and Technology. Federal Information Processing Standard (FIPS) 3478 Publication 46-1. Supersedes FIPS Publication 46, (January, 1977; 3479 reaffirmed January, 1988). 3481 [DES-ANSI] Data Encryption Algorithm, American National Standards 3482 Institute. ANSI X3.92-1981, (December, 1980). 3484 [DESO-NIST] DES Modes of Operation, National Institute of Standards 3485 and Technology. Federal Information Processing Standard (FIPS) 3486 Publication 81, (December, 1980). 3488 [DESO-ANSI] Data Encryption Algorithm - Modes of Operation, American 3489 National Standards Institute. ANSI X3.106-1983, (May 1983). 3491 [DESG-NIST] Guidelines for Implementing and Using the NBS Data 3492 Encryption Standard, National Institute of Standards and 3493 Technology. Federal Information Processing Standard (FIPS) 3494 Publication 74, (April, 1981). 3496 [DEST-NIST] Validating the Correctness of Hardware Implementations of 3497 the NBS Data Encryption Standard, National Institute of Standards 3498 and Technology. Special Publication 500-20. 3500 [DESM-NIST] Maintenance Testing for the Data Encryption Standard, 3501 National Institute of Standards and Technology. Special 3502 Publication 500-61, (August, 1980). 3504 [SHA-NIST] Secure Hash Algorithm. NIST FIPS 180-1, (April, 1995) 3505 http://csrc.nist.gov/fips/fip180-1.txt (ASCII) 3506 http://csrc.nist.gov/fips/fip180-1.ps (Postscript) 3508 13. Editors' Addresses 3510 Uri Blumenthal 3511 IBM T. J. Watson Research 3512 30 Saw Mill River Pkwy, 3513 Hawthorne, NY 10532 3514 USA 3516 EMail: uri@watson.ibm.com 3517 Phone: +1-914-784-7064 3519 Bert Wijnen 3520 IBM T. J. Watson Research 3521 Schagen 33 3522 3461 GL Linschoten 3523 Netherlands 3525 EMail: wijnen@vnet.ibm.com 3526 Phone: +31-348-432-794 3528 APPENDIX A - Installation 3530 A.1. SNMP engine Installation Parameters 3532 During installation, an authoritative SNMP engine SHOULD (in the 3533 meaning as defined in [RFC2119]) be configured with several initial 3534 parameters. These include: 3536 1) A security posture 3538 The choice of security posture determines if initial configuration 3539 is implemented and if so how. One of three possible choices is 3540 selected: 3542 minimum-secure, 3543 semi-secure, 3544 very-secure (i.e., no-initial-configuration) 3546 In the case of a very-secure posture, there is no initial 3547 configuration, and so the following steps are irrelevant. 3549 2) one or more secrets 3551 These are the authentication/privacy secrets for the first user to be 3552 configured. 3554 One way to accomplish this is to have the installer enter a 3555 "password" for each required secret. The password is then 3556 algorithmically converted into the required secret by: 3558 - forming a string of length 1,048,576 octets by repeating the 3559 value of the password as often as necessary, truncating 3560 accordingly, and using the resulting string as the input to the MD5 3561 algorithm [MD5]. The resulting digest, termed "digest1", is used 3562 in the next step. 3564 - a second string is formed by concatenating digest1, the SNMP 3565 engine's snmpEngineID value, and digest1. This string is used as 3566 input to the MD5 algorithm [MD5]. 3568 The resulting digest is the required secret (see Appendix A.2). 3570 With these configured parameters, the SNMP engine instantiates the 3571 following usmUserEntry in the usmUserTable: 3573 no privacy support privacy support 3574 ------------------ --------------- 3575 usmUserEngineID localEngineID localEngineID 3576 usmUserName "initial" "initial" 3577 usmUserSecurityName "initial" "initial" 3578 usmUserCloneFrom ZeroDotZero ZeroDotZero 3579 usmUserAuthProtocol usmHMACMD5AuthProtocol usmHMACMD5AuthProtocol 3580 usmUserAuthKeyChange "" "" 3581 usmUserOwnAuthKeyChange "" "" 3582 usmUserPrivProtocol none usmDESPrivProtocol 3583 usmUserPrivKeyChange "" "" 3584 usmUserOwnPrivKeyChange "" "" 3585 usmUserPublic "" "" 3586 usmUserStorageType anyValidStorageType anyValidStorageType 3587 usmUserStatus active active 3589 It is recommended to also instantiate a set of template 3590 usmUserEntries which can be used as clone-from users for newly 3591 created usmUserEntries. These are the two suggested entries: 3593 no privacy support privacy support 3594 ------------------ --------------- 3595 usmUserEngineID localEngineID localEngineID 3596 usmUserName "templateMD5" "templateMD5" 3597 usmUserSecurityName "templateMD5" "templateMD5" 3598 usmUserCloneFrom ZeroDotZero ZeroDotZero 3599 usmUserAuthProtocol usmHMACMD5AuthProtocol usmHMACMD5AuthProtocol 3600 usmUserAuthKeyChange "" "" 3601 usmUserOwnAuthKeyChange "" "" 3602 usmUserPrivProtocol none usmDESPrivProtocol 3603 usmUserPrivKeyChange "" "" 3604 usmUserOwnPrivKeyChange "" "" 3605 usmUserPublic "" "" 3606 usmUserStorageType permanent permanent 3607 usmUserStatus active active 3608 no privacy support privacy support 3609 ------------------ --------------- 3610 usmUserEngineID localEngineID localEngineID 3611 usmUserName "templateSHA" "templateSHA" 3612 usmUserSecurityName "templateSHA" "templateSHA" 3613 usmUserCloneFrom ZeroDotZero ZeroDotZero 3614 usmUserAuthProtocol usmHMACSHAAuthProtocol usmHMACSHAAuthProtocol 3615 usmUserAuthKeyChange "" "" 3616 usmUserOwnAuthKeyChange "" "" 3617 usmUserPrivProtocol none usmDESPrivProtocol 3618 usmUserPrivKeyChange "" "" 3619 usmUserOwnPrivKeyChange "" "" 3620 usmUserPublic "" "" 3621 usmUserStorageType permanent permanent 3622 usmUserStatus active active 3624 A.2. Password to Key Algorithm 3626 A sample code fragment (section A.2.1) demonstrates the password to 3627 key algorithm which can be used when mapping a password to an 3628 authentication or privacy key using MD5. The reference source code 3629 of MD5 is available in [RFC1321]. 3631 Another sample code fragment (section A.2.2) demonstrates the 3632 password to key algorithm which can be used when mapping a password 3633 to an authentication or privacy key using SHA (documented in 3634 SHA-NIST). 3636 An example of the results of a correct implementation is provided 3637 (section A.3) which an implementor can use to check if his 3638 implementation produces the same result. 3640 A.2.1. Password to Key Sample Code for MD5 3642 void password_to_key_md5( 3643 u_char *password, /* IN */ 3644 u_int passwordlen, /* IN */ 3645 u_char *engineID, /* IN - pointer to snmpEngineID */ 3646 u_int engineLength,/* IN - length of snmpEngineID */ 3647 u_char *key) /* OUT - pointer to caller 16-octet buffer */ 3648 { 3649 MD5_CTX MD; 3650 u_char *cp, password_buf[64]; 3651 u_long password_index = 0; 3652 u_long count = 0, i; 3654 MD5Init (&MD); /* initialize MD5 */ 3656 /**********************************************/ 3657 /* Use while loop until we've done 1 Megabyte */ 3658 /**********************************************/ 3659 while (count < 1048576) { 3660 cp = password_buf; 3661 for (i = 0; i < 64; i++) { 3662 /*************************************************/ 3663 /* Take the next octet of the password, wrapping */ 3664 /* to the beginning of the password as necessary.*/ 3665 /*************************************************/ 3666 *cp++ = password[password_index++ % passwordlen]; 3667 } 3668 MD5Update (&MD, password_buf, 64); 3669 count += 64; 3670 } 3671 MD5Final (key, &MD); /* tell MD5 we're done */ 3673 /*****************************************************/ 3674 /* Now localize the key with the engineID and pass */ 3675 /* through MD5 to produce final key */ 3676 /* May want to ensure that engineLength <= 32, */ 3677 /* otherwise need to use a buffer larger than 64 */ 3678 /*****************************************************/ 3679 memcpy(password_buf, key, 16); 3680 memcpy(password_buf+16, engineID, engineLength); 3681 memcpy(password_buf+16+engineLength, key, 16); 3683 MD5Init(&MD); 3684 MD5Update(&MD, password_buf, 32+engineLength); 3685 MD5Final(key, &MD); 3686 return; 3687 } 3688 A.2.2. Password to Key Sample Code for SHA 3690 void password_to_key_sha( 3691 u_char *password, /* IN */ 3692 u_int passwordlen, /* IN */ 3693 u_char *engineID, /* IN - pointer to snmpEngineID */ 3694 u_int engineLength,/* IN - length of snmpEngineID */ 3695 u_char *key) /* OUT - pointer to caller 20-octet buffer */ 3696 { 3697 SHA_CTX SH; 3698 u_char *cp, password_buf[72]; 3699 u_long password_index = 0; 3700 u_long count = 0, i; 3702 SHAInit (&SH); /* initialize SHA */ 3704 /**********************************************/ 3705 /* Use while loop until we've done 1 Megabyte */ 3706 /**********************************************/ 3707 while (count < 1048576) { 3708 cp = password_buf; 3709 for (i = 0; i < 64; i++) { 3710 /*************************************************/ 3711 /* Take the next octet of the password, wrapping */ 3712 /* to the beginning of the password as necessary.*/ 3713 /*************************************************/ 3714 *cp++ = password[password_index++ % passwordlen]; 3715 } 3716 SHAUpdate (&SH, password_buf, 64); 3717 count += 64; 3718 } 3719 SHAFinal (key, &SH); /* tell SHA we're done */ 3721 /*****************************************************/ 3722 /* Now localize the key with the engineID and pass */ 3723 /* through SHA to produce final key */ 3724 /* May want to ensure that engineLength <= 32, */ 3725 /* otherwise need to use a buffer larger than 72 */ 3726 /*****************************************************/ 3727 memcpy(password_buf, key, 20); 3728 memcpy(password_buf+20, engineID, engineLength); 3729 memcpy(password_buf+20+engineLength, key, 20); 3731 SHAInit(&SH); 3732 SHAUpdate(&SH, password_buf, 40+engineLength); 3733 SHAFinal(key, &SH); 3734 return; 3735 } 3736 A.3. Password to Key Sample Results 3738 A.3.1. Password to Key Sample Results using MD5 3740 The following shows a sample output of the password to key algorithm 3741 for a 16-octet key using MD5. 3743 With a password of "maplesyrup" the output of the password to key 3744 algorithm before the key is localized with the SNMP engine's 3745 snmpEngineID is: 3747 '9f af 32 83 88 4e 92 83 4e bc 98 47 d8 ed d9 63'H 3749 After the intermediate key (shown above) is localized with the 3750 snmpEngineID value of: 3752 '00 00 00 00 00 00 00 00 00 00 00 02'H 3754 the final output of the password to key algorithm is: 3756 '52 6f 5e ed 9f cc e2 6f 89 64 c2 93 07 87 d8 2b'H 3758 A.3.2. Password to Key Sample Results using SHA 3760 The following shows a sample output of the password to key 3761 algorithm for a 20-octet key using SHA. 3763 With a password of "maplesyrup" the output of the password to key 3764 algorithm before the key is localized with the SNMP engine's 3765 snmpEngineID is: 3767 '9f b5 cc 03 81 49 7b 37 93 52 89 39 ff 78 8d 5d 79 14 52 11'H 3769 After the intermediate key (shown above) is localized with the 3770 snmpEngineID value of: 3772 '00 00 00 00 00 00 00 00 00 00 00 02'H 3774 the final output of the password to key algorithm is: 3776 '66 95 fe bc 92 88 e3 62 82 23 5f c7 15 1f 12 84 97 b3 8f 3f'H 3778 A.4. Sample encoding of msgSecurityParameters 3780 The msgSecurityParameters in an SNMP message are represented as an 3781 OCTET STRING. This OCTET STRING should be considered opaque outside a 3782 specific Security Model. 3784 The User-based Security Model defines the contents of the OCTET 3785 STRING as a SEQUENCE (see section 2.4). 3787 Given these two properties, the following is an example of the 3788 msgSecurityParameters for the User-based Security Model, encoded as 3789 an OCTET STRING: 3791 04 3792 30 3793 04 3794 02 3795 02 3796 04 3797 04 0c 3798 04 08 3800 Here is the example once more, but now with real values (except for 3801 the digest in msgAuthenticationParameters and the salt in 3802 msgPrivacyParameters, which depend on variable data that we have not 3803 defined here): 3805 Hex Data Description 3806 -------------- ----------------------------------------------- 3807 04 39 OCTET STRING, length 57 3808 30 37 SEQUENCE, length 55 3809 04 0c 80000002 msgAuthoritativeEngineID: IBM 3810 01 IPv4 address 3811 09840301 9.132.3.1 3812 02 01 01 msgAuthoritativeEngineBoots: 1 3813 02 02 0101 msgAuthoritativeEngineTime: 257 3814 04 04 62657274 msgUserName: bert 3815 04 0c 01234567 msgAuthenticationParameters: sample value 3816 89abcdef 3817 fedcba98 3818 04 08 01234567 msgPrivacyParameters: sample value 3819 89abcdef 3821 A.5. Sample keyChange Results 3823 A.5.1. Sample keyChange Results using MD5 3825 Let us assume that a user has a current password of "maplesyrup" as 3826 in section A.3.1. and let us also assume the snmpEngineID of 12 3827 octets: 3829 '00 00 00 00 00 00 00 00 00 00 00 02'H 3831 If we now want to change the password to "newsyrup", then we first 3832 calculate the key for the new password. It is as follows: 3834 '01 ad d2 73 10 7c 4e 59 6b 4b 00 f8 2b 1d 42 a7'H 3836 If we localize it for the above snmpEngineID, then the localized new 3837 key becomes: 3839 '87 02 1d 7b d9 d1 01 ba 05 ea 6e 3b f9 d9 bd 4a'H 3841 If we then use a (not so good, but easy to test) random value of: 3843 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'H 3845 Then the value we must send for keyChange is: 3847 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3848 88 05 61 51 41 67 6c c9 19 61 74 e7 42 a3 25 51'H 3850 If this were for the privacy key, then it would be exactly the same. 3852 A.5.2. Sample keyChange Results using SHA 3854 Let us assume that a user has a current password of "maplesyrup" as 3855 in section A.3.2. and let us also assume the snmpEngineID of 12 3856 octets: 3858 '00 00 00 00 00 00 00 00 00 00 00 02'H 3860 If we now want to change the password to "newsyrup", then we first 3861 calculate the key for the new password. It is as follows: 3863 '3a 51 a6 d7 36 aa 34 7b 83 dc 4a 87 e3 e5 5e e4 d6 98 ac 71'H 3865 If we localize it for the above snmpEngineID, then the localized new 3866 key becomes: 3868 '78 e2 dc ce 79 d5 94 03 b5 8c 1b ba a5 bf f4 63 91 f1 cd 25'H 3870 If we then use a (not so good, but easy to test) random value of: 3872 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'H 3874 Then the value we must send for keyChange is: 3876 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3877 9c 10 17 f4 fd 48 3d 2d e8 d5 fa db f8 43 92 cb 06 45 70 51' 3879 For the key used for privacy, the new nonlocalized key would be: 3881 '3a 51 a6 d7 36 aa 34 7b 83 dc 4a 87 e3 e5 5e e4 d6 98 ac 71'H 3883 For the key used for privacy, the new localized key would be (note 3884 that they localized key gets truncated to 16 octets for DES): 3886 '78 e2 dc ce 79 d5 94 03 b5 8c 1b ba a5 bf f4 63'H 3888 If we then use a (not so good, but easy to test) random value of: 3890 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'H 3892 Then the value we must send for keyChange for the privacy key is: 3894 '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3895 '7e f8 d8 a4 c9 cd b2 6b 47 59 1c d8 52 ff 88 b5'H 3897 B. Change Log 3899 Changes made since RFC2274: 3900 - Fixed msgUserName to allow size of zero and explain that this can 3901 be used for snmpEngineID discovery. 3902 - Clarified section 3.1 steps 4.b, 5, 6 and 8.b. 3903 - Clarified section 3.2 paragraph 2. 3904 - Clarified section 3.2 step 7.a last paragraph, step 7.b.1 second 3905 bullet and step 7.b.2 third bullet. 3906 - Clarified section 4 to indicate that discovery can use a userName 3907 of zero length in unAuthenticated messages, whereas a valid 3908 userName must be used in authenticated messages. 3909 - Added REVISION clauses to MODULE-IDENTITY 3910 - Clarified KeyChange TC by adding a note that localized keys must be 3911 used when calculating a KeyChange value. 3912 - Added clarifying text to the DESCRIPTION clause of usmUserTable. 3913 Added text describes a recommended procedure for adding a new user. 3914 - Clarified the use of usmUserCloneFrom object. 3915 - Clarified how and under which conditions the usmUserAuthProtocol 3916 and usmUserPrivProtocol can be initialized and/or changed. 3917 - Added comment on typical sizes for usmUserAuthKeyChange and 3918 usmUserPrivKeyChange. Also for usmUserOwnAuthKeyChange and 3919 usmUserOwnPrivKeyChange. 3920 - Added clarifications to the DESCRIPTION clauses of 3921 usmUserAuthKeyChange, usmUserOwnAuthKeychange, usmUserPrivKeyChange 3922 and usmUserOwnPrivKeychange. - Added clarification to DESCRIPTION 3923 clause of usmUserStorageType. - Added clarification to DESCRIPTION 3924 clause of usmUserStatus. 3925 - Clarified IV generation procedure in section 8.1.1.1 and in 3926 addition clarified section 8.3.1 step 1 and section 8.3.2. step 3. 3927 - Clarified section 11.2 and added a warning that different size 3928 passwords with repetitive strings may result in same key. 3929 - Added template users to appendix A for cloning process. 3930 - Fixed C-code examples in Appendix A. 3931 - Fixed examples of generated keys in Appendix A. 3932 - Added examples of KeyChange values to Appendix A. 3933 - Used PDU Classes instead of RFC1905 PDU types. 3934 - Added text in the security section about Reports and Access Control 3935 to the MIB 3936 - Removed a incorrect note at the end of section 3.2 step 7. 3937 - Added a note in section 3.2 step 3. 3938 - Corrected various spelling errors and typos. 3939 - Corrected procedure for 3.2 step 2.a) 3940 - various clarifications. 3941 - Fixed references to new/revised documents 3942 - Change to no longer cache data that is not used 3944 C. Full Copyright Statement 3945 Copyright (C) The Internet Society (1999). All Rights Reserved. 3947 This document and translations of it may be copied and furnished to 3948 others, and derivative works that comment on or otherwise explain it 3949 or assist in its implementation may be prepared, copied, published 3950 and distributed, in whole or in part, without restriction of any 3951 kind, provided that the above copyright notice and this paragraph are 3952 included on all such copies and derivative works. However, this 3953 document itself may not be modified in any way, such as by removing 3954 the copyright notice or references to the Internet Society or other 3955 Internet organizations, except as needed for the purpose of 3956 developing Internet standards in which case the procedures for 3957 copyrights defined in the Internet Standards process must be 3958 followed, or as required to translate it into languages other than 3959 English. 3961 The limited permissions granted above are perpetual and will not be 3962 revoked by the Internet Society or its successors or assigns. 3964 This document and the information contained herein is provided on an 3965 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 3966 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 3967 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 3968 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 3969 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.