SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE,
    -- OBJECT-IDENTITY,
    experimental, Integer32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    usmUserEntry
        FROM SNMP-USER-BASED-SM-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB;

snmpUsmDHObjectsMIB MODULE-IDENTITY
    LAST-UPDATED "200003060000Z"          -- 6 March 2000, Midnight
    ORGANIZATION "Excite@Home"
    CONTACT-INFO "Author: Mike StJohns
                  Postal: Excite@Home
                          450 Broadway
                          Redwood City, CA 94063
                  Email:  stjohns@corp.home.net
                  Phone:  +1-650-556-5368"

    DESCRIPTION
        "The management information definitions for providing forward
        secrecy for key changes for the usmUserTable, and for providing a
        method for 'kickstarting' access to the agent via a Diffie-Hellman
        key agreement."

    REVISION "200003060000Z"
    DESCRIPTION
        "Initial version published as RFC 2786."

    ::= { experimental 101 }  -- IANA DHKEY-CHANGE 101

-- Administrative assignments

usmDHKeyObjects      OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
usmDHKeyConformance  OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }

-- Textual conventions

DHKeyChange ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Upon initialization, or upon creation of a row containing an
        object of this type, and after any successful SET of this value, a
        GET of this value returns 'y' where y = g^xa MOD p, and where g is
        the base from usmDHParameters, p is the prime from
        usmDHParameters, and xa is a new random integer selected by the
        agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the
        optional privateValueLength from usmDHParameters in bits. If 'l'
        is omitted, then xa (and xr below) is selected in the interval 0
        <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k'
        which satisfies

                          k
              y =  SUM  2^(8(k-i)) PV'i
                  i=1

        where PV1,...,PVk are the octets of PV from first to last, and
        where PV1 <> 0.

        A successful SET consists of the value 'y' expressed as an OCTET
        STRING as above concatenated with the value 'z' (expressed as an
        OCTET STRING in the same manner as y) where z = g^xr MOD p, where
        g, p and l are as above, and where xr is a new random integer
        selected by the manager in the interval 2^(l-1) <= xr < 2^l <
        p-1. A SET to an object of this type will fail with the error
        wrongValue if the current 'y' does not match the 'y' portion of
        the value of the varbind for the object. (E.g. GET yout, SET
        concat(yin, z), yout <> yin).

        Note that the private values xa and xr are never transmitted from
        manager to device or vice versa, only the values y and z.
        Obviously, these values must be retained until a successful SET on
        the associated object.

        The shared secret 'sk' is calculated at the agent as sk = z^xa MOD
        p, and at the manager as sk = y^xr MOD p.

        Each object definition of this type MUST describe how to map from
        the shared secret 'sk' to the operational key value used by the
        protocols and operations related to the object. In general, if n
        bits of key are required, the author suggests using the n
        right-most bits of the shared secret as the operational key value."
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS #3;
            RSA Laboratories, November 1993"
    SYNTAX OCTET STRING

-- Diffie Hellman public values

usmDHPublicObjects   OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 }

usmDHParameters OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The public Diffie-Hellman parameters for doing a Diffie-Hellman
        key agreement for this device. This is encoded as an ASN.1
        DHParameter per PKCS #3, section 9. E.g.

            DHParameter ::= SEQUENCE {
                prime               INTEGER, -- p
                base                INTEGER, -- g
                privateValueLength  INTEGER OPTIONAL }

        Implementors are encouraged to use either the values from
        Oakley Group 1 or the values from Oakley Group 2 as specified
        in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the
        default for this object. Other values may be used, but the
        security properties of those values MUST be well understood and
        MUST meet the requirements of PKCS #3 for the selection of
        Diffie-Hellman primes.

        In addition, any time usmDHParameters changes, all values of
        type DHKeyChange will change and new random numbers MUST be
        generated by the agent for each DHKeyChange object."
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS #3,
            RSA Laboratories, November 1993
         -- The Internet Key Exchange, RFC 2409, November 1998,
            Sec 6.1, 6.2"
    ::= { usmDHPublicObjects 1 }
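The DHParameter encoding that usmDHParameters carries, as an added Python example that is not part of RFC 2786 or the MIB module: a minimal DER encoder and a strict decoder for SEQUENCE { prime, base, privateValueLength OPTIONAL }. All function names are this example's own, and the values used for the round trip are constructed to exercise the encoder (a leading 0x00 on a high-bit INTEGER, long-form lengths); they are not parameters anyone should deploy. The decoder rejects what an agent should refuse on a SET of this object: trailing bytes, negative or non-minimal INTEGERs, and non-minimal lengths.

```python
"""Added example, not from RFC 2786 or the MIB: DER encoding and strict decoding of
the PKCS #3 DHParameter SEQUENCE that usmDHParameters carries."""


def _der_length(n):
    # Short form below 128; otherwise 0x80 | count, followed by the big-endian count.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    # DER INTEGER is minimal two's complement: a value whose top bit is set
    # needs a leading 0x00 so it is not read back as negative.
    if value < 0:
        raise ValueError("DHParameter fields are non-negative")
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_parameters(prime, base, private_value_length=None):
    """DHParameter ::= SEQUENCE { prime, base, privateValueLength OPTIONAL }."""
    content = _der_integer(prime) + _der_integer(base)
    if private_value_length is not None:
        content += _der_integer(private_value_length)
    return b"\x30" + _der_length(len(content)) + content


def _read_tlv(buf, pos, expected_tag):
    # Returns (content, position after the element); rejects wrong tags,
    # truncated data and non-minimal length encodings.
    if pos + 1 >= len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    if buf[pos] != expected_tag:
        raise ValueError("unexpected tag 0x%02x at offset %d" % (buf[pos], pos))
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        len_bytes = buf[pos:pos + count]
        if count == 0 or count > 4 or len(len_bytes) != count or len_bytes[0] == 0:
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(len_bytes, "big")
        pos += count
        if length < 0x80:
            raise ValueError("long-form length used for a short length")
    if pos + length > len(buf):
        raise ValueError("element content runs past end of data")
    return buf[pos:pos + length], pos + length


def _decode_integer(content):
    if not content:
        raise ValueError("empty INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative INTEGER not allowed in DHParameter")
    if len(content) > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big")


def decode_dh_parameters(der):
    """Returns (prime, base, private_value_length or None); ValueError if malformed."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after DHParameter")
    prime_b, pos = _read_tlv(seq, 0, 0x02)
    base_b, pos = _read_tlv(seq, pos, 0x02)
    length_b = None
    if pos < len(seq):
        length_b, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected extra field in DHParameter")
    return (_decode_integer(prime_b), _decode_integer(base_b),
            None if length_b is None else _decode_integer(length_b))


def is_valid_dh_parameters(der):
    """What an agent can run on a SET of usmDHParameters before accepting the value."""
    try:
        decode_dh_parameters(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values for the round trip only; NOT parameters to deploy.
    der = encode_dh_parameters((1 << 1023) + 3, 2, 1024)
    print(der[:8].hex(), len(der), decode_dh_parameters(der)[1:])
```

For a 1024-bit prime the INTEGER body is 129 octets (128 plus the sign octet), so both the INTEGER and the enclosing SEQUENCE use the long-form length `81 xx`; a decoder that only handles short-form lengths will reject every Oakley group 1 or 2 parameter set.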

usmDHUserKeyTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsmDHUserKeyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table augments and extends the usmUserTable and provides
        4 objects which exactly mirror the objects in that table with the
        textual convention of 'KeyChange'. This extension allows key
        changes to be done in a manner where the knowledge of the current
        secret plus knowledge of the key change data exchanges (e.g. via
        wiretapping) will not reveal the new key."
    ::= { usmDHPublicObjects 2 }

usmDHUserKeyEntry OBJECT-TYPE
    SYNTAX      UsmDHUserKeyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row of DHKeyChange objects which augment or replace the
        functionality of the KeyChange objects in the base table row."
    AUGMENTS { usmUserEntry }
    ::= { usmDHUserKeyTable 1 }

UsmDHUserKeyEntry ::= SEQUENCE {
    usmDHUserAuthKeyChange     DHKeyChange,
    usmDHUserOwnAuthKeyChange  DHKeyChange,
    usmDHUserPrivKeyChange     DHKeyChange,
    usmDHUserOwnPrivKeyChange  DHKeyChange
}

usmDHUserAuthKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change any given user's Authentication Key
        using a Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserAuthProtocol, are installed as the operational
        authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 1 }

usmDHUserOwnAuthKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change the agent's own Authentication Key
        using a Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserAuthProtocol, are installed as the operational
        authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 2 }

usmDHUserPrivKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change any given user's Privacy Key using
        a Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserPrivProtocol, are installed as the operational privacy key
        for this row after a successful SET."
    ::= { usmDHUserKeyEntry 3 }

usmDHUserOwnPrivKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change the agent's own Privacy Key using a
        Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserPrivProtocol, are installed as the operational privacy key
        for this row after a successful SET."
    ::= { usmDHUserKeyEntry 4 }

usmDHKickstartGroup  OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 }

usmDHKickstartTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsmDHKickstartEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of mappings between zero or more Diffie-Hellman key
        agreement values and entries in the usmUserTable. Entries in this
        table are created by providing the associated device with a
        Diffie-Hellman public value and a usmUserName/usmUserSecurityName
        pair during initialization. How these values are provided is
        outside the scope of this MIB, but could be provided manually, or
        through a configuration file. Valid public value/name pairs
        result in the creation of a row in this table as well as the
        creation of an associated row (with keys derived as indicated) in
        the usmUserTable. The actual access the related usmSecurityName
        has is dependent on the entries in the VACM tables. In general,
        an implementor will specify one or more standard security names
        and will provide entries in the VACM tables granting various
        levels of access to those names. The actual content of the VACM
        table is beyond the scope of this MIB.

        Note: This table is expected to be readable without authentication
        using the usmUserSecurityName 'dhKickstart'. See the conformance
        statements for details."
    ::= { usmDHKickstartGroup 1 }

usmDHKickstartEntry OBJECT-TYPE
    SYNTAX      UsmDHKickstartEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the usmDHKickstartTable. The agent SHOULD either
        delete this entry or mark it as inactive upon a successful SET of
        any of the KeyChange-typed objects in the usmUserEntry or upon a
        successful SET of any of the DHKeyChange-typed objects in the
        usmDHUserKeyEntry where the related usmSecurityName (e.g. row of
        usmUserTable or row of usmDHUserKeyTable) equals this entry's
        usmDHKickstartSecurityName. In other words, once you've changed
        one or more of the keys for a row in usmUserTable with a
        particular security name, the row in this table with that same
        security name is no longer useful or meaningful."
    INDEX { usmDHKickstartIndex }
    ::= { usmDHKickstartTable 1 }

UsmDHKickstartEntry ::= SEQUENCE {
    usmDHKickstartIndex         Integer32,
    usmDHKickstartMyPublic      OCTET STRING,
    usmDHKickstartMgrPublic     OCTET STRING,
    usmDHKickstartSecurityName  SnmpAdminString
}

usmDHKickstartIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Index value for this row."
    ::= { usmDHKickstartEntry 1 }

usmDHKickstartMyPublic OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The agent's Diffie-Hellman public value for this row. At
        initialization, the agent generates a random number and derives
        its public value from that number. This public value is published
        here. This public value 'y' equals g^r MOD p where g is the base
        from the set of Diffie-Hellman parameters, p is the prime from
        those parameters, and r is a random integer selected by the agent
        in the interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified,
        then r is a random integer selected in the interval 0 <= r < p-1.

        The public value is expressed as an OCTET STRING 'PV' of length
        'k' which satisfies

                          k
              y =  SUM  2^(8(k-i)) PV'i
                  i = 1

        where PV1,...,PVk are the octets of PV from first to last, and
        where PV1 != 0.

        The following DH parameters (Oakley group #2, RFC 2409, sec 6.1,
        6.2) are used for this object:

        g = 2
        p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
            29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
            EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
            E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
            EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
            FFFFFFFF FFFFFFFF
        l = 1024
        "
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4;
            RSA Laboratories, November 1993
         -- The Internet Key Exchange, RFC2409;
            Harkins, D., Carrel, D.; November 1998"
    ::= { usmDHKickstartEntry 2 }

usmDHKickstartMgrPublic OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The manager's Diffie-Hellman public value for this row. Note
        that this value is not set via the SNMP agent, but may be set via
        some out of band method, such as the device's configuration file.
        The manager calculates this value in the same manner and using the
        same parameter set as the agent does. E.g. it selects a random
        number 'r', calculates y = g^r mod p and provides 'y' as the
        public number expressed as an OCTET STRING. See
        usmDHKickstartMyPublic for details.

        When this object is set with a valid value during initialization,
        a row is created in the usmUserTable with the following values:

        usmUserEngineID         localEngineID
        usmUserName             [value of usmDHKickstartSecurityName]
        usmUserSecurityName     [value of usmDHKickstartSecurityName]
        usmUserCloneFrom        ZeroDotZero
        usmUserAuthProtocol     usmHMACMD5AuthProtocol
        usmUserAuthKeyChange    -- derived from set value
        usmUserOwnAuthKeyChange -- derived from set value
        usmUserPrivProtocol     usmDESPrivProtocol
        usmUserPrivKeyChange    -- derived from set value
        usmUserOwnPrivKeyChange -- derived from set value
        usmUserPublic           ''
        usmUserStorageType      permanent
        usmUserStatus           active

        A shared secret 'sk' is calculated at the agent as sk =
        mgrPublic^r mod p where r is the agent's random number and p is
        the DH prime from the common parameters. The underlying privacy
        key for this row is derived from sk by applying the key derivation
        function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6,
        an iterationCount of 500, a keyLength of 16 (for
        usmDESPrivProtocol), and a prf (pseudo random function) of
        'id-hmacWithSHA1'. The underlying authentication key for this row
        is derived from sk by applying the key derivation function PBKDF2
        with a salt of 0x98dfb5ac, an iteration count of 500, a
        keyLength of 16 (for usmHMACMD5AuthProtocol), and a prf of
        'id-hmacWithSHA1'. Note: The salts are the first two words in the
        ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied
        Cryptography' by Bruce Schneier - they could be any relatively
        random string of bits.

        The manager can use its knowledge of its own random number and the
        agent's public value to kickstart its access to the agent in a
        secure manner. Note that the security of this approach is
        directly related to the strength of the authorization security of
        the out of band provisioning of the manager's public value
        (e.g. the configuration file), but is not dependent at all on the
        strength of the confidentiality of the out of band provisioning
        data."
    REFERENCE
        "-- Password-Based Cryptography Standard, PKCS#5v2.0;
            RSA Laboratories, March 1999
         -- Applied Cryptography, 2nd Ed.; B. Schneier,
            Counterpane Systems; John Wiley & Sons, 1996"
    ::= { usmDHKickstartEntry 3 }
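Both the DHKeyChange exchange defined in the textual convention above (GET y, SET y||z, wrongValue on a stale y, sk = z^xa MOD p, right-most n bits as the operational key) and the usmDHKickstartMgrPublic derivation (sk = mgrPublic^r mod p, then PBKDF2 with the two salts) share the same arithmetic, so one added Python example covers both. It is not code from RFC 2786 or from any SNMP implementation; the class and function names are its own. It uses the Oakley group 2 parameters quoted in usmDHKickstartMyPublic. Three points are assumptions rather than statements of the page: private values are drawn from 2^(l-1) <= x < p-1 (the usmDHKickstartMyPublic form, since the TC's 2^(l-1) <= xa < 2^l < p-1 cannot hold for a 1024-bit p with l = 1024); sk is fed to PBKDF2 in the same minimal big-endian octet form the page defines for public values; and the agent rejects a received z outside 1 < z < p-1, a sanity check the TC does not require.

```python
"""Added example (not part of RFC 2786 or the MIB): the DHKeyChange exchange and
the usmDHKickstart key derivation with the Oakley group 2 parameters on the page."""
import hashlib
import secrets

# Oakley group 2 prime (RFC 2409 sec 6.2) as quoted in usmDHKickstartMyPublic; g = 2, l = 1024.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
L = 1024


def private_value(l=L, p=P):
    # Assumption: 2^(l-1) <= x < p-1, the usmDHKickstartMyPublic reading of the interval.
    lo = 1 << (l - 1)
    return lo + secrets.randbelow(p - 1 - lo)


def to_pv(y):
    # OCTET STRING 'PV' with y = SUM 2^(8(k-i)) PV_i and PV_1 != 0: minimal big-endian octets.
    return y.to_bytes((y.bit_length() + 7) // 8, "big")


def from_pv(pv):
    if not pv or pv[0] == 0:
        raise ValueError("PV1 must be non-zero")
    return int.from_bytes(pv, "big")


def rightmost_bits(sk, n):
    # The TC's suggested mapping from sk to an n-bit operational key.
    return (sk & ((1 << n) - 1)).to_bytes(n // 8, "big")


class DHKeyChangeObject:
    """Agent-side state for one DHKeyChange object (e.g. usmDHUserAuthKeyChange)."""

    def __init__(self, key_bits, p=P, g=G, l=L):
        self.p, self.g, self.l, self.key_bits = p, g, l, key_bits
        self.operational_key = None
        self._new_private_value()

    def _new_private_value(self):
        # Fresh xa (hence a fresh y) at initialization and after every successful SET.
        self.xa = private_value(self.l, self.p)
        self.y = pow(self.g, self.xa, self.p)

    def get(self):
        return to_pv(self.y)

    def set(self, value):
        # value is y || z.  The 'y' portion must equal the current y, else wrongValue.
        y_pv = to_pv(self.y)
        if value[:len(y_pv)] != y_pv:
            return "wrongValue"
        try:
            z = from_pv(value[len(y_pv):])
        except ValueError:
            return "wrongValue"
        if not 1 < z < self.p - 1:
            return "wrongValue"          # assumption: reject degenerate public values
        sk = pow(z, self.xa, self.p)     # sk = z^xa MOD p
        self.operational_key = rightmost_bits(sk, self.key_bits)
        self._new_private_value()        # y changes after every successful SET
        return "noError"


def manager_key_change(obj, key_bits, p=P, g=G, l=L):
    """Manager side: GET y, choose xr, SET y||z, then derive the same key from y^xr MOD p."""
    y_pv = obj.get()
    xr = private_value(l, p)
    z = pow(g, xr, p)
    status = obj.set(y_pv + to_pv(z))
    sk = pow(from_pv(y_pv), xr, p)
    return status, rightmost_bits(sk, key_bits)


def kickstart_keys(peer_public_pv, own_private, p=P):
    """usmDHKickstartMgrPublic derivation: sk = peerPublic^r mod p, then PBKDF2
    (PKCS#5 v2.0, HMAC-SHA1, 500 iterations, 16-octet keys, the salts on the page).
    Assumption: sk enters PBKDF2 in the same minimal octet form as the public values."""
    sk_bytes = to_pv(pow(from_pv(peer_public_pv), own_private, p))
    priv_key = hashlib.pbkdf2_hmac("sha1", sk_bytes, bytes.fromhex("d1310ba6"), 500, 16)
    auth_key = hashlib.pbkdf2_hmac("sha1", sk_bytes, bytes.fromhex("98dfb5ac"), 500, 16)
    return auth_key, priv_key
```

The forward secrecy the module title refers to comes from `_new_private_value()` running after every successful SET: a recorded y||z exchange plus knowledge of the old key does not yield sk, and a manager that replays a stale y gets wrongValue. For kickstart, `kickstart_keys(mgrPublic, r_agent)` on the agent and `kickstart_keys(myPublic, r_manager)` on the manager produce the same authentication and privacy keys, which is exactly why the provisioning channel only needs integrity, not confidentiality.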

usmDHKickstartSecurityName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The usmUserName and usmUserSecurityName in the usmUserTable
        associated with this row. This is provided in the same manner and
        at the same time as the usmDHKickstartMgrPublic value -
        e.g. possibly manually, or via the device's configuration file."
    ::= { usmDHKickstartEntry 4 }

-- Conformance Information

usmDHKeyMIBCompliances  OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 }
usmDHKeyMIBGroups       OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 }

-- Compliance statements

usmDHKeyMIBCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for this module."
    MODULE
        GROUP usmDHKeyMIBBasicGroup
        DESCRIPTION
            "This group MAY be implemented by any agent which
            implements the usmUserTable and which wishes to provide the
            ability to change user and agent authentication and privacy
            keys via Diffie-Hellman key exchanges."

        GROUP usmDHKeyParamGroup
        DESCRIPTION
            "This group MUST be implemented by any agent which
            implements a MIB containing the DHKeyChange Textual
            Convention defined in this module."

        GROUP usmDHKeyKickstartGroup
        DESCRIPTION
            "This group MAY be implemented by any agent which
            implements the usmUserTable and which wishes the ability to
            populate the USM table based on out-of-band provided DH
            ignition values.
            Any agent implementing this group is expected to provide
            preinstalled entries in the vacm tables as follows:

            In the usmUserTable: This entry allows access to the
            system and dhKickstart groups

            usmUserEngineID         localEngineID
            usmUserName             'dhKickstart'
            usmUserSecurityName     'dhKickstart'
            usmUserCloneFrom        ZeroDotZero
            usmUserAuthProtocol     none
            usmUserAuthKeyChange    ''
            usmUserOwnAuthKeyChange ''
            usmUserPrivProtocol     none
            usmUserPrivKeyChange    ''
            usmUserOwnPrivKeyChange ''
            usmUserPublic           ''
            usmUserStorageType      permanent
            usmUserStatus           active

            In the vacmSecurityToGroupTable: This maps the initial
            user into the accessible objects.

            vacmSecurityModel               3 (USM)
            vacmSecurityName                'dhKickstart'
            vacmGroupName                   'dhKickstart'
            vacmSecurityToGroupStorageType  permanent
            vacmSecurityToGroupStatus       active

            In the vacmAccessTable: Group name to view name translation.

            vacmGroupName               'dhKickstart'
            vacmAccessContextPrefix     ''
            vacmAccessSecurityModel     3 (USM)
            vacmAccessSecurityLevel     noAuthNoPriv
            vacmAccessContextMatch      exact
            vacmAccessReadViewName      'dhKickRestricted'
            vacmAccessWriteViewName     ''
            vacmAccessNotifyViewName    'dhKickRestricted'
            vacmAccessStorageType       permanent
            vacmAccessStatus            active

            In the vacmViewTreeFamilyTable: Two entries to allow the
            initial entry to access the system and kickstart groups.

            vacmViewTreeFamilyViewName      'dhKickRestricted'
            vacmViewTreeFamilySubtree       1.3.6.1.2.1.1 (system)
            vacmViewTreeFamilyMask          ''
            vacmViewTreeFamilyType          1
            vacmViewTreeFamilyStorageType   permanent
            vacmViewTreeFamilyStatus        active

            vacmViewTreeFamilyViewName      'dhKickRestricted'
            vacmViewTreeFamilySubtree       (usmDHKickstartTable OID)
            vacmViewTreeFamilyMask          ''
            vacmViewTreeFamilyType          1
            vacmViewTreeFamilyStorageType   permanent
            vacmViewTreeFamilyStatus        active
            "

        OBJECT usmDHParameters
        MIN-ACCESS read-only
        DESCRIPTION
            "It is compliant to implement this object as read-only for
            any device."

    ::= { usmDHKeyMIBCompliances 1 }

-- Units of Compliance

usmDHKeyMIBBasicGroup OBJECT-GROUP
    OBJECTS {
        usmDHUserAuthKeyChange,
        usmDHUserOwnAuthKeyChange,
        usmDHUserPrivKeyChange,
        usmDHUserOwnPrivKeyChange
    }
    STATUS current
    DESCRIPTION
        "The objects used to change user and agent authentication and
        privacy keys via Diffie-Hellman key exchanges."
    ::= { usmDHKeyMIBGroups 1 }

usmDHKeyParamGroup OBJECT-GROUP
    OBJECTS {
        usmDHParameters
    }
    STATUS current
    DESCRIPTION
        "The mandatory object for all MIBs which use the DHKeyChange
        textual convention."
    ::= { usmDHKeyMIBGroups 2 }

usmDHKeyKickstartGroup OBJECT-GROUP
    OBJECTS {
        usmDHKickstartMyPublic,
        usmDHKickstartMgrPublic,
        usmDHKickstartSecurityName
    }
    STATUS current
    DESCRIPTION
        "The objects used for kickstarting one or more SNMPv3 USM
        associations via a configuration file or other out of band,
        non-confidential access."
    ::= { usmDHKeyMIBGroups 3 }

END