This is a summary of information regarding objects below the snmpUsmDHObjectsMIB MIB object, which is defined within the SNMP-USM-DH-OBJECTS-MIB MIB document as .1.3.6.1.3.101.
| Name | Type | Access | OID | Description |
|---|---|---|---|---|
|
1
usmDHParameters | OCTETSTR | ReadWrite | .1.3.6.1.3.101.1.1.1 |
The public Diffie-Hellman parameters for doing a Diffie-Hellman
key agreement for this device. This is encoded as an ASN.1
DHParameter per PKCS #3, section 9. E.g.
DHParameter ::= SEQUENCE {
prime INTEGER, -- p
base INTEGER, -- g
privateValueLength INTEGER OPTIONAL }
Implementors are encouraged to use either the values from
Oakley Group 1 or the values of from Oakley Group 2 as specified
in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the
default for this object. Other values may be used, but the
security properties of those values MUST be well understood and
MUST meet the requirements of PKCS #3 for the selection of
Diffie-Hellman primes.
In addition, any time usmDHParameters changes, all values of
type DHKeyChange will change and new random numbers MUST be
generated by the agent for each DHKeyChange object.
Also see Reference: -- Diffie-Hellman Key-Agreement Standard, PKCS #3,
RSA Laboratories, November 1993
-- The Internet Key Exchange, RFC 2409, November 1998,
Sec 6.1, 6.2
|
| Table Name | usmDHUserKeyTable |
| In MIB | SNMP-USM-DH-OBJECTS-MIB |
| Registered at OID | .1.3.6.1.3.101.1.1.2 |
| Table Description |
This table augments and extends the usmUserTable and provides 4 objects which exactly mirror the objects in that table with the textual convention of 'KeyChange'. This extension allows key changes to be done in a manner where the knowledge of the current secret plus knowledge of the key change data exchanges (e.g. via wiretapping) will not reveal the new key. |
| Row Description |
A row of DHKeyChange objects which augment or replace the functionality of the KeyChange objects in the base table row. |
| Name | Type | Access | Description |
|---|---|---|---|
|
1
usmUserEngineID |
OCTETSTR
Legal Lengths: 5 .. 32 SnmpEngineID | NoAccess |
Note: this object is based on the SnmpEngineID TEXTUAL-CONVENTION. An SNMP engine's administratively-unique identifier.
In a simple agent, this value is always that agent's
own snmpEngineID value.
The value can also take the value of the snmpEngineID
of a remote SNMP engine with which this user can
communicate.
|
|
2
usmUserName |
OCTETSTR
Legal Lengths: 1 .. 32 SnmpAdminString | NoAccess |
Note: this object is based on the SnmpAdminString TEXTUAL-CONVENTION. A human readable string representing the name of
the user.
This is the (User-based Security) Model dependent
security ID.
|
| Name | Type | Access | Description |
|---|---|---|---|
|
1
usmDHUserAuthKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change any given user's Authentication Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserAuthProtocol, are installed as the operational authentication key for this row after a successful SET. |
|
2
usmDHUserOwnAuthKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change the agents own Authentication Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserAuthProtocol, are installed as the operational authentication key for this row after a successful SET. |
|
3
usmDHUserPrivKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change any given user's Privacy Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserPrivProtocol, are installed as the operational privacy key for this row after a successful SET. |
|
4
usmDHUserOwnPrivKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change the agent's own Privacy Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserPrivProtocol, are installed as the operational privacy key for this row after a successful SET. |
| Table Name | usmDHKickstartTable |
| In MIB | SNMP-USM-DH-OBJECTS-MIB |
| Registered at OID | .1.3.6.1.3.101.1.2.1 |
| Table Description |
A table of mappings between zero or more Diffie-Helman key agreement values and entries in the usmUserTable. Entries in this table are created by providing the associated device with a Diffie-Helman public value and a usmUserName/usmUserSecurityName pair during initialization. How these values are provided is outside the scope of this MIB, but could be provided manually, or through a configuration file. Valid public value/name pairs result in the creation of a row in this table as well as the creation of an associated row (with keys derived as indicated) in the usmUserTable. The actual access the related usmSecurityName has is dependent on the entries in the VACM tables. In general, an implementor will specify one or more standard security names and will provide entries in the VACM tables granting various levels of access to those names. The actual content of the VACM table is beyond the scope of this MIB. Note: This table is expected to be readable without authentication using the usmUserSecurityName 'dhKickstart'. See the conformance statements for details. |
| Row Description |
An entry in the usmDHKickstartTable. The agent SHOULD either delete this entry or mark it as inactive upon a successful SET of any of the KeyChange-typed objects in the usmUserEntry or upon a successful SET of any of the DHKeyChange-typed objects in the usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of usmUserTable or row of ushDhKeyChangeTable) equals this entry's usmDhKickstartSecurityName. In otherwords, once you've changed one or more of the keys for a row in usmUserTable with a particular security name, the row in this table with that same security name is no longer useful or meaningful. |
| Name | Type | Access | Description |
|---|---|---|---|
|
1
usmDHKickstartIndex |
INTEGER32
Legal values: 1 .. 2147483647 | NoAccess |
Index value for this row. |
| Name | Type | Access | Description |
|---|---|---|---|
|
2
usmDHKickstartMyPublic | OCTETSTR | ReadOnly |
The agent's Diffie-Hellman public value for this row. At
initialization, the agent generates a random number and derives
its public value from that number. This public value is published
here. This public value 'y' equals g^r MOD p where g is the from
the set of Diffie-Hellman parameters, p is the prime from those
parameters, and r is a random integer selected by the agent in the
interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is
a random integer selected in the interval 0 <= r < p-1
The public value is expressed as an OCTET STRING 'PV' of length
'k' which satisfies
k
y = SUM 2^(8(k-i)) PV'i
i = 1
where PV1,...,PVk are the octets of PV from first to last, and
where PV1 != 0.
The following DH parameters (Oakley group #2, RFC 2409, sec 6.1,
6.2) are used for this object:
g = 2
p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF
l=1024
Also see Reference: -- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4;
RSA Laboratories, November 1993
-- The Internet Key Exchange, RFC2409;
Harkins, D., Carrel, D.; November 1998
|
|
3
usmDHKickstartMgrPublic | OCTETSTR | ReadOnly |
The manager's Diffie-Hellman public value for this row. Note that this value is not set via the SNMP agent, but may be set via some out of band method, such as the device's configuration file. The manager calculates this value in the same manner and using the same parameter set as the agent does. E.g. it selects a random number 'r', calculates y = g^r mod p and provides 'y' as the public number expressed as an OCTET STRING. See usmDHKickstartMyPublic for details. When this object is set with a valid value during initialization, a row is created in the usmUserTable with the following values: usmUserEngineID localEngineID usmUserName [value of usmDHKickstartSecurityName] usmUserSecurityName [value of usmDHKickstartSecurityName] usmUserCloneFrom ZeroDotZero usmUserAuthProtocol usmHMACMD5AuthProtocol usmUserAuthKeyChange -- derived from set value usmUserOwnAuthKeyChange -- derived from set value usmUserPrivProtocol usmDESPrivProtocol usmUserPrivKeyChange -- derived from set value usmUserOwnPrivKeyChange -- derived from set value usmUserPublic '' usmUserStorageType permanent usmUserStatus active A shared secret 'sk' is calculated at the agent as sk = mgrPublic^r mod p where r is the agents random number and p is the DH prime from the common parameters. The underlying privacy key for this row is derived from sk by applying the key derivation function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6, and iterationCount of 500, a keyLength of 16 (for usmDESPrivProtocol), and a prf (pseudo random function) of 'id-hmacWithSHA1'. The underlying authentication key for this row is derived from sk by applying the key derivation function PBKDF2 with a salt of 0x98dfb5ac , an interation count of 500, a keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of 'id-hmacWithSHA1'. Note: The salts are the first two words in the ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied Cryptography' by Bruce Schnier - they could be any relatively random string of bits. The manager can use its knowledge of its own random number and the agent's public value to kickstart its access to the agent in a secure manner. Note that the security of this approach is directly related to the strength of the authorization security of the out of band provisioning of the managers public value (e.g. the configuration file), but is not dependent at all on the strength of the confidentiality of the out of band provisioning data. Also see Reference: -- Password-Based Cryptography Standard, PKCS#5v2.0;
RSA Laboratories, March 1999
-- Applied Cryptography, 2nd Ed.; B. Schneier,
Counterpane Systems; John Wiley & Sons, 1996
|
|
4
usmDHKickstartSecurityName |
OCTETSTR
Legal Lengths: 0 .. 255 SnmpAdminString | ReadOnly |
Note: this object is based on the SnmpAdminString TEXTUAL-CONVENTION. The usmUserName and usmUserSecurityName in the usmUserTable associated with this row. This is provided in the same manner and at the same time as the usmDHKickstartMgrPublic value - e.g. possibly manually, or via the device's configuration file. |
SCALAR OBJECTS
TABLE OBJECTS |
These TEXTUAL-CONVENTIONS are used in other parts of the document above. They are SNMP's way of defining a datatype that is used repeatedly by other MIB objects. Any implementation implementing objects that use one of these definitions must follow its DESCRIPTION clause as well as the DESCRIPTION clause of the object itself.
| Name | Type | Description |
|---|---|---|
| DHKeyChange | OCTETSTR | Upon initialization, or upon creation of a row containing an
object of this type, and after any successful SET of this value, a
GET of this value returns 'y' where y = g^xa MOD p, and where g is
the base from usmDHParameters, p is the prime from
usmDHParameters, and xa is a new random integer selected by the
agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the
optional privateValueLength from usmDHParameters in bits. If 'l'
is omitted, then xa (and xr below) is selected in the interval 0
<= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k'
which satisfies
k
y = SUM 2^(8(k-i)) PV'i
i=1
where PV1,...,PVk are the octets of PV from first to last, and
where PV1 <> 0.
A successful SET consists of the value 'y' expressed as an OCTET
STRING as above concatenated with the value 'z'(expressed as an
OCTET STRING in the same manner as y) where z = g^xr MOD p, where
g, p and l are as above, and where xr is a new random integer
selected by the manager in the interval 2^(l-1) <= xr < 2^l <
p-1. A SET to an object of this type will fail with the error
wrongValue if the current 'y' does not match the 'y' portion of
the value of the varbind for the object. (E.g. GET yout, SET
concat(yin, z), yout <> yin).
Note that the private values xa and xr are never transmitted from
manager to device or vice versa, only the values y and z.
Obviously, these values must be retained until a successful SET on
the associated object.
The shared secret 'sk' is calculated at the agent as sk = z^xa MOD
p, and at the manager as sk = y^xr MOD p.
Each object definition of this type MUST describe how to map from
the shared secret 'sk' to the operational key value used by the
protocols and operations related to the object. In general, if n
bits of key are required, the author suggests using the n
right-most bits of the shared secret as the operational key value. |
| SnmpEngineID | OCTETSTR | An SNMP engine's administratively-unique identifier.
Objects of this type are for identification, not for
addressing, even though it is possible that an
address may have been used in the generation of
a specific value.
The value for this object may not be all zeros or
all 'ff'H or the empty (zero length) string.
The initial value for this object may be configured
via an operator console entry or via an algorithmic
function. In the latter case, the following
example algorithm is recommended.
In cases where there are multiple engines on the
same system, the use of this algorithm is NOT
appropriate, as it would result in all of those
engines ending up with the same ID value.
1) The very first bit is used to indicate how the
rest of the data is composed.
0 - as defined by enterprise using former methods
that existed before SNMPv3. See item 2 below.
1 - as defined by this architecture, see item 3
below.
Note that this allows existing uses of the
engineID (also known as AgentID [RFC1910]) to
co-exist with any new uses.
2) The snmpEngineID has a length of 12 octets.
The first four octets are set to the binary
equivalent of the agent's SNMP management
private enterprise number as assigned by the
Internet Assigned Numbers Authority (IANA).
For example, if Acme Networks has been assigned
{ enterprises 696 }, the first four octets would
be assigned '000002b8'H.
The remaining eight octets are determined via
one or more enterprise-specific methods. Such
methods must be designed so as to maximize the
possibility that the value of this object will
be unique in the agent's administrative domain.
For example, it may be the IP address of the SNMP
entity, or the MAC address of one of the
interfaces, with each address suitably padded
with random octets. If multiple methods are
defined, then it is recommended that the first
octet indicate the method being used and the
remaining octets be a function of the method.
3) The length of the octet string varies.
The first four octets are set to the binary
equivalent of the agent's SNMP management
private enterprise number as assigned by the
Internet Assigned Numbers Authority (IANA).
For example, if Acme Networks has been assigned
{ enterprises 696 }, the first four octets would
be assigned '000002b8'H.
The very first bit is set to 1. For example, the
above value for Acme Networks now changes to be
'800002b8'H.
The fifth octet indicates how the rest (6th and
following octets) are formatted. The values for
the fifth octet are:
0 - reserved, unused.
1 - IPv4 address (4 octets)
lowest non-special IP address
2 - IPv6 address (16 octets)
lowest non-special IP address
3 - MAC address (6 octets)
lowest IEEE MAC address, canonical
order
4 - Text, administratively a |
| SnmpAdminString | OCTETSTR | An octet string containing administrative
information, preferably in human-readable form.
To facilitate internationalization, this
information is represented using the ISO/IEC
IS 10646-1 character set, encoded as an octet
string using the UTF-8 transformation format
described in [RFC2279].
Since additional code points are added by
amendments to the 10646 standard from time
to time, implementations must be prepared to
encounter any code point from 0x00000000 to
0x7fffffff. Byte sequences that do not
correspond to the valid UTF-8 encoding of a
code point or are outside this range are
prohibited.
The use of control codes should be avoided.
When it is necessary to represent a newline,
the control code sequence CR LF should be used.
The use of leading or trailing white space should
be avoided.
For code points not directly supported by user
interface hardware or software, an alternative
means of entry and display, such as hexadecimal,
may be provided.
For information encoded in 7-bit US-ASCII,
the UTF-8 encoding is identical to the
US-ASCII encoding.
UTF-8 may require multiple bytes to represent a
single character / code point; thus the length
of this object in octets may be different from
the number of characters encoded. Similarly,
size constraints refer to the number of encoded
octets, not the number of characters represented
by an encoding.
Note that when this TC is used for an object that
is used or envisioned to be used as an index, then
a SIZE restriction MUST be specified so that the
number of sub-identifiers for any object instance
does not exceed the limit of 128, as defined by
[RFC3416].
Note that the size of an SnmpAdminString object is
measured in octets, not characters.
|
Tree view generated by running: snmptranslate -Tp SNMP-USM-DH-OBJECTS-MIB::snmpUsmDHObjectsMIB
+--snmpUsmDHObjectsMIB(101) | +--usmDHKeyObjects(1) | | | +--usmDHPublicObjects(1) | | | | | +-- -RW- String usmDHParameters(1) | | | | | +--usmDHUserKeyTable(2) | | | | | +--usmDHUserKeyEntry(1) | | | | | +-- CR-- String usmDHUserAuthKeyChange(1) | | | Textual Convention: DHKeyChange | | +-- CR-- String usmDHUserOwnAuthKeyChange(2) | | | Textual Convention: DHKeyChange | | +-- CR-- String usmDHUserPrivKeyChange(3) | | | Textual Convention: DHKeyChange | | +-- CR-- String usmDHUserOwnPrivKeyChange(4) | | Textual Convention: DHKeyChange | | | +--usmDHKickstartGroup(2) | | | +--usmDHKickstartTable(1) | | | +--usmDHKickstartEntry(1) | | Index: usmDHKickstartIndex | | | +-- ---- Integer32 usmDHKickstartIndex(1) | | Range: 1..2147483647 | +-- -R-- String usmDHKickstartMyPublic(2) | +-- -R-- String usmDHKickstartMgrPublic(3) | +-- -R-- String usmDHKickstartSecurityName(4) | Textual Convention: SnmpAdminString | Size: 0..255 | +--usmDHKeyConformance(2) | +--usmDHKeyMIBCompliances(1) | | | +--usmDHKeyMIBCompliance(1) | +--usmDHKeyMIBGroups(2) | +--usmDHKeyMIBBasicGroup(1) +--usmDHKeyParamGroup(2) +--usmDHKeyKickstartGroup(3)
Last modified: Wednesday, 01-Aug-2018 04:41:28 UTC
For questions regarding web content and site functionality, please write to the net-snmp-users mail list.