SNMP-USM-DH-OBJECTS-MIB.txt
Uploaded by: wxp200602
Upload date: 2007-10-30
Package size: 4028k
File size: 21k
Source category: SNMP programming
Development platform: Unix_Linux
SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       -- OBJECT-IDENTITY,
       experimental, Integer32
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION
           FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF
       usmUserEntry
           FROM SNMP-USER-BASED-SM-MIB
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB;

   snmpUsmDHObjectsMIB MODULE-IDENTITY
       LAST-UPDATED "200003060000Z"    -- 6 March 2000, Midnight
       ORGANIZATION "Excite@Home"
       CONTACT-INFO "Author: Mike StJohns
                     Postal: Excite@Home
                             450 Broadway
                             Redwood City, CA 94063
                     Email:  stjohns@corp.home.net
                     Phone:  +1-650-556-5368"
       DESCRIPTION
           "The management information definitions for providing forward
           secrecy for key changes for the usmUserTable, and for providing a
           method for 'kickstarting' access to the agent via a Diffie-Hellman
           key agreement."
       REVISION "200003060000Z"
       DESCRIPTION
           "Initial version published as RFC 2786."
       ::= { experimental 101 }    -- IANA DHKEY-CHANGE 101

   -- Administrative assignments

   usmDHKeyObjects      OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
   usmDHKeyConformance  OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }

   -- Textual conventions

   DHKeyChange ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
           "Upon initialization, or upon creation of a row containing an
           object of this type, and after any successful SET of this value, a
           GET of this value returns 'y' where y = g^xa MOD p, and where g is
           the base from usmDHParameters, p is the prime from
           usmDHParameters, and xa is a new random integer selected by the
           agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the
           optional privateValueLength from usmDHParameters in bits. If 'l'
           is omitted, then xa (and xr below) is selected in the interval
           0 <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k'
           which satisfies

                                 k
                      y =       SUM  2^(8(k-i)) PV'i
                                i=1

           where PV1,...,PVk are the octets of PV from first to last, and
           where PV1 <> 0.

           A successful SET consists of the value 'y' expressed as an OCTET
           STRING as above concatenated with the value 'z' (expressed as an
           OCTET STRING in the same manner as y) where z = g^xr MOD p, where
           g, p and l are as above, and where xr is a new random integer
           selected by the manager in the interval 2^(l-1) <= xr < 2^l <
           p-1. A SET to an object of this type will fail with the error
           wrongValue if the current 'y' does not match the 'y' portion of
           the value of the varbind for the object. (E.g. a GET returns yout,
           and a SET of concat(yin, z) fails when yout <> yin.)

           Note that the private values xa and xr are never transmitted from
           manager to device or vice versa, only the values y and z.
           Obviously, these values must be retained until a successful SET on
           the associated object.

           The shared secret 'sk' is calculated at the agent as sk = z^xa MOD
           p, and at the manager as sk = y^xr MOD p.

           Each object definition of this type MUST describe how to map from
           the shared secret 'sk' to the operational key value used by the
           protocols and operations related to the object. In general, if n
           bits of key are required, the author suggests using the n
           right-most bits of the shared secret as the operational key value."
       REFERENCE
           "-- Diffie-Hellman Key-Agreement Standard, PKCS #3;
           RSA Laboratories, November 1993"
       SYNTAX OCTET STRING

   -- Diffie-Hellman public values

   usmDHPublicObjects OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 }

   usmDHParameters OBJECT-TYPE
       SYNTAX OCTET STRING
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "The public Diffie-Hellman parameters for doing a Diffie-Hellman
           key agreement for this device. This is encoded as an ASN.1
           DHParameter per PKCS #3, section 9. E.g.

               DHParameter ::= SEQUENCE {
                   prime INTEGER, -- p
                   base INTEGER, -- g
                   privateValueLength INTEGER OPTIONAL }

           Implementors are encouraged to use either the values from
           Oakley Group 1 or the values from Oakley Group 2 as specified
           in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the
           default for this object. Other values may be used, but the
           security properties of those values MUST be well understood and
           MUST meet the requirements of PKCS #3 for the selection of
           Diffie-Hellman primes.

           In addition, any time usmDHParameters changes, all values of
           type DHKeyChange will change and new random numbers MUST be
           generated by the agent for each DHKeyChange object."
       REFERENCE
           "-- Diffie-Hellman Key-Agreement Standard, PKCS #3,
           RSA Laboratories, November 1993
           -- The Internet Key Exchange, RFC 2409, November 1998,
           Sec 6.1, 6.2"
       ::= { usmDHPublicObjects 1 }

   usmDHUserKeyTable OBJECT-TYPE
       SYNTAX SEQUENCE OF UsmDHUserKeyEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "This table augments and extends the usmUserTable and provides
           4 objects which exactly mirror the objects in that table with the
           textual convention of 'KeyChange'. This extension allows key
           changes to be done in a manner where the knowledge of the current
           secret plus knowledge of the key change data exchanges (e.g. via
           wiretapping) will not reveal the new key."
       ::= { usmDHPublicObjects 2 }

   usmDHUserKeyEntry OBJECT-TYPE
       SYNTAX UsmDHUserKeyEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A row of DHKeyChange objects which augment or replace the
           functionality of the KeyChange objects in the base table row."
       AUGMENTS { usmUserEntry }
       ::= { usmDHUserKeyTable 1 }

   UsmDHUserKeyEntry ::= SEQUENCE {
       usmDHUserAuthKeyChange     DHKeyChange,
       usmDHUserOwnAuthKeyChange  DHKeyChange,
       usmDHUserPrivKeyChange     DHKeyChange,
       usmDHUserOwnPrivKeyChange  DHKeyChange
   }

   usmDHUserAuthKeyChange OBJECT-TYPE
       SYNTAX DHKeyChange
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The object used to change any given user's Authentication Key
           using a Diffie-Hellman key exchange.

           The right-most n bits of the shared secret 'sk', where 'n' is the
           number of bits required for the protocol defined by
           usmUserAuthProtocol, are installed as the operational
           authentication key for this row after a successful SET."
       ::= { usmDHUserKeyEntry 1 }

   usmDHUserOwnAuthKeyChange OBJECT-TYPE
       SYNTAX DHKeyChange
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The object used to change the agent's own Authentication Key
           using a Diffie-Hellman key exchange.

           The right-most n bits of the shared secret 'sk', where 'n' is the
           number of bits required for the protocol defined by
           usmUserAuthProtocol, are installed as the operational
           authentication key for this row after a successful SET."
       ::= { usmDHUserKeyEntry 2 }

   usmDHUserPrivKeyChange OBJECT-TYPE
       SYNTAX DHKeyChange
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The object used to change any given user's Privacy Key using
           a Diffie-Hellman key exchange.

           The right-most n bits of the shared secret 'sk', where 'n' is the
           number of bits required for the protocol defined by
           usmUserPrivProtocol, are installed as the operational privacy key
           for this row after a successful SET."
       ::= { usmDHUserKeyEntry 3 }

   usmDHUserOwnPrivKeyChange OBJECT-TYPE
       SYNTAX DHKeyChange
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The object used to change the agent's own Privacy Key using a
           Diffie-Hellman key exchange.

           The right-most n bits of the shared secret 'sk', where 'n' is the
           number of bits required for the protocol defined by
           usmUserPrivProtocol, are installed as the operational privacy key
           for this row after a successful SET."
       ::= { usmDHUserKeyEntry 4 }
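The DHKeyChange textual convention and the four usmDHUser*KeyChange objects above describe one protocol: the agent publishes y = g^xa mod p, the manager answers with SET concat(y, z), both sides compute sk, and the n right-most bits of sk become the operational key. The following Python is an added worked example, not code from the MIB, RFC 2786 or any agent implementation. It uses the Oakley Group 2 prime and generator listed later on this page, assumes n = 128 bits for usmHMACMD5AuthProtocol and usmDESPrivProtocol (the 16-octet keys of those protocols), and the class and function names are the example's own. It also shows the two checks an agent must get right: the PV encoding with PV1 != 0, and the wrongValue rejection of a SET whose 'y' portion is stale.

```python
import secrets

# Oakley Group 2 prime and generator (RFC 2409 section 6.2), copied from the
# usmDHKickstartMyPublic description on this page; l = 1024 as used there.
P_HEX = (
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
    " 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
    " EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
    " E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    " EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381"
    " FFFFFFFF FFFFFFFF"
)
P = int(P_HEX.replace(" ", ""), 16)
G = 2
L = 1024


class WrongValue(Exception):
    """Stands in for the SNMP wrongValue error status (example-only class)."""


def encode_pv(value: int) -> bytes:
    """OCTET STRING 'PV' of the textual convention: big-endian so that
    y = SUM 2^(8(k-i)) PV_i, in shortest form so that PV1 != 0."""
    if value <= 0:
        raise ValueError("PV encodes positive integers only")
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def decode_pv(pv: bytes) -> int:
    """Inverse of encode_pv; a leading zero octet violates PV1 != 0."""
    if not pv or pv[0] == 0:
        raise ValueError("PV1 must be non-zero")
    return int.from_bytes(pv, "big")


def random_private(bits: int = L, p: int = P) -> int:
    """Random private value with 2^(l-1) <= x < 2^l, also kept below p-1.
    With l = 1024 and this p, p-1 < 2^l, so p-1 is the tighter bound."""
    lo = 1 << (bits - 1)
    hi = min(1 << bits, p - 1)
    return lo + secrets.randbelow(hi - lo)


def operational_key(sk: int, n_bits: int) -> bytes:
    """The n right-most bits of the shared secret, as the usmDHUser*KeyChange
    objects specify (assumed n = 128 for the MD5 and DES protocols)."""
    return (sk & ((1 << n_bits) - 1)).to_bytes(n_bits // 8, "big")


class DHKeyChangeObject:
    """Agent side of one DHKeyChange object (hypothetical class)."""

    def __init__(self) -> None:
        self._new_private()

    def _new_private(self) -> None:
        # A fresh xa after initialization and after every successful SET.
        self.xa = random_private()
        self.y = pow(G, self.xa, P)

    def get(self) -> bytes:
        return encode_pv(self.y)

    def set(self, varbind: bytes, n_bits: int) -> bytes:
        """Process SET concat(y, z); returns the new operational key."""
        y_octets = encode_pv(self.y)
        if varbind[:len(y_octets)] != y_octets:
            raise WrongValue("'y' portion does not match the current y")
        z = decode_pv(varbind[len(y_octets):])
        sk = pow(z, self.xa, P)
        key = operational_key(sk, n_bits)
        self._new_private()  # y changes, so a replay of this varbind fails
        return key


def manager_key_change(y_octets: bytes, n_bits: int) -> tuple:
    """Manager side: from the agent's current y (a GET), build the SET value
    concat(y, z) and compute the same operational key locally."""
    xr = random_private()
    z = pow(G, xr, P)
    sk = pow(decode_pv(y_octets), xr, P)
    return y_octets + encode_pv(z), operational_key(sk, n_bits)


if __name__ == "__main__":
    agent = DHKeyChangeObject()
    varbind, manager_key = manager_key_change(agent.get(), 128)
    print("keys agree:", agent.set(varbind, 128) == manager_key)
```

The agent splits the SET value by the length of its own current y, which is why a manager must GET y immediately before each SET: any intervening successful SET (its own or another manager's) changes y and the stale varbind is rejected with wrongValue rather than silently installing a key derived from the wrong xa.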
   usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 }

   usmDHKickstartTable OBJECT-TYPE
       SYNTAX SEQUENCE OF UsmDHKickstartEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A table of mappings between zero or more Diffie-Hellman key
           agreement values and entries in the usmUserTable. Entries in this
           table are created by providing the associated device with a
           Diffie-Hellman public value and a usmUserName/usmUserSecurityName
           pair during initialization. How these values are provided is
           outside the scope of this MIB, but could be provided manually, or
           through a configuration file. Valid public value/name pairs
           result in the creation of a row in this table as well as the
           creation of an associated row (with keys derived as indicated) in
           the usmUserTable. The actual access the related usmSecurityName
           has is dependent on the entries in the VACM tables. In general,
           an implementor will specify one or more standard security names
           and will provide entries in the VACM tables granting various
           levels of access to those names. The actual content of the VACM
           table is beyond the scope of this MIB.

           Note: This table is expected to be readable without authentication
           using the usmUserSecurityName 'dhKickstart'. See the conformance
           statements for details."
       ::= { usmDHKickstartGroup 1 }

   usmDHKickstartEntry OBJECT-TYPE
       SYNTAX UsmDHKickstartEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry in the usmDHKickstartTable. The agent SHOULD either
           delete this entry or mark it as inactive upon a successful SET of
           any of the KeyChange-typed objects in the usmUserEntry or upon a
           successful SET of any of the DHKeyChange-typed objects in the
           usmDHUserKeyEntry where the related usmSecurityName (e.g. row of
           usmUserTable or row of usmDHUserKeyTable) equals this entry's
           usmDHKickstartSecurityName. In other words, once you've changed
           one or more of the keys for a row in usmUserTable with a
           particular security name, the row in this table with that same
           security name is no longer useful or meaningful."
       INDEX { usmDHKickstartIndex }
       ::= { usmDHKickstartTable 1 }

   UsmDHKickstartEntry ::= SEQUENCE {
       usmDHKickstartIndex         Integer32,
       usmDHKickstartMyPublic      OCTET STRING,
       usmDHKickstartMgrPublic     OCTET STRING,
       usmDHKickstartSecurityName  SnmpAdminString
   }

   usmDHKickstartIndex OBJECT-TYPE
       SYNTAX Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Index value for this row."
       ::= { usmDHKickstartEntry 1 }

   usmDHKickstartMyPublic OBJECT-TYPE
       SYNTAX OCTET STRING
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The agent's Diffie-Hellman public value for this row. At
           initialization, the agent generates a random number and derives
           its public value from that number. This public value is published
           here. This public value 'y' equals g^r MOD p where g is the base
           from the set of Diffie-Hellman parameters, p is the prime from
           those parameters, and r is a random integer selected by the agent
           in the interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified,
           then r is a random integer selected in the interval 0 <= r < p-1.

           The public value is expressed as an OCTET STRING 'PV' of length
           'k' which satisfies

                                 k
                      y =       SUM  2^(8(k-i)) PV'i
                                i=1

           where PV1,...,PVk are the octets of PV from first to last, and
           where PV1 != 0.

           The following DH parameters (Oakley group #2, RFC 2409, sec 6.1,
           6.2) are used for this object:

           g = 2
           p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
               29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
               EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
               E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
               EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
               FFFFFFFF FFFFFFFF
           l = 1024
           "
       REFERENCE
           "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4;
           RSA Laboratories, November 1993
           -- The Internet Key Exchange, RFC2409;
           Harkins, D., Carrel, D.; November 1998"
       ::= { usmDHKickstartEntry 2 }

   usmDHKickstartMgrPublic OBJECT-TYPE
       SYNTAX OCTET STRING
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The manager's Diffie-Hellman public value for this row. Note
           that this value is not set via the SNMP agent, but may be set via
           some out of band method, such as the device's configuration file.
           The manager calculates this value in the same manner and using the
           same parameter set as the agent does. E.g. it selects a random
           number 'r', calculates y = g^r mod p and provides 'y' as the
           public number expressed as an OCTET STRING. See
           usmDHKickstartMyPublic for details.

           When this object is set with a valid value during initialization,
           a row is created in the usmUserTable with the following values:

               usmUserEngineID         localEngineID
               usmUserName             [value of usmDHKickstartSecurityName]
               usmUserSecurityName     [value of usmDHKickstartSecurityName]
               usmUserCloneFrom        ZeroDotZero
               usmUserAuthProtocol     usmHMACMD5AuthProtocol
               usmUserAuthKeyChange    -- derived from set value
               usmUserOwnAuthKeyChange -- derived from set value
               usmUserPrivProtocol     usmDESPrivProtocol
               usmUserPrivKeyChange    -- derived from set value
               usmUserOwnPrivKeyChange -- derived from set value
               usmUserPublic           ''
               usmUserStorageType      permanent
               usmUserStatus           active

           A shared secret 'sk' is calculated at the agent as sk =
           mgrPublic^r mod p where r is the agent's random number and p is
           the DH prime from the common parameters. The underlying privacy
           key for this row is derived from sk by applying the key derivation
           function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6,
           an iterationCount of 500, a keyLength of 16 (for
           usmDESPrivProtocol), and a prf (pseudo random function) of
           'id-hmacWithSHA1'. The underlying authentication key for this row
           is derived from sk by applying the key derivation function PBKDF2
           with a salt of 0x98dfb5ac, an iteration count of 500, a
           keyLength of 16 (for usmHMACMD5AuthProtocol), and a prf of
           'id-hmacWithSHA1'. Note: The salts are the first two words in the
           ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied
           Cryptography' by Bruce Schneier - they could be any relatively
           random string of bits.

           The manager can use its knowledge of its own random number and the
           agent's public value to kickstart its access to the agent in a
           secure manner. Note that the security of this approach is
           directly related to the strength of the authorization security of
           the out of band provisioning of the manager's public value
           (e.g. the configuration file), but is not dependent at all on the
           strength of the confidentiality of the out of band provisioning
           data."
       REFERENCE
           "-- Password-Based Cryptography Standard, PKCS#5v2.0;
           RSA Laboratories, March 1999
           -- Applied Cryptography, 2nd Ed.; B. Schneier,
           Counterpane Systems; John Wiley & Sons, 1996"
       ::= { usmDHKickstartEntry 3 }
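The usmDHKickstartMyPublic and usmDHKickstartMgrPublic descriptions together specify the kickstart derivation: the manager's public value arrives out of band, the agent picks r and publishes g^r mod p, and both sides run sk through PBKDF2 (HMAC-SHA1, 500 iterations, 16-octet output) with the salt 0xd1310ba6 for the privacy key and 0x98dfb5ac for the authentication key. The Python below is an added example of that derivation, not code from the MIB, RFC 2786 or any agent; it uses the page's Oakley Group 2 parameters and Python's `hashlib.pbkdf2_hmac`. One assumption is labelled in the code: the MIB does not say how sk is turned into the octets PBKDF2 consumes, so the example uses the same shortest big-endian encoding the page defines for the public values. The function names and the security name 'netops' are the example's own.

```python
import hashlib
import secrets

# Oakley Group 2 parameters (RFC 2409 section 6.2) as listed on this page.
P_HEX = (
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
    " 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
    " EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
    " E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    " EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381"
    " FFFFFFFF FFFFFFFF"
)
P = int(P_HEX.replace(" ", ""), 16)
G = 2
L = 1024

# PBKDF2 parameters stated in the usmDHKickstartMgrPublic description.
SALT_PRIV = bytes.fromhex("d1310ba6")   # privacy key, usmDESPrivProtocol
SALT_AUTH = bytes.fromhex("98dfb5ac")   # authentication key, usmHMACMD5AuthProtocol
ITERATIONS = 500
KEY_LENGTH = 16


def encode_pv(value: int) -> bytes:
    """Shortest big-endian OCTET STRING (PV1 != 0), as the page defines."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def random_private() -> int:
    """r with 2^(l-1) <= r < p-1 (p-1 < 2^l holds for this p and l)."""
    lo = 1 << (L - 1)
    return lo + secrets.randbelow(min(1 << L, P - 1) - lo)


def kickstart_keys(sk: int) -> dict:
    """Derive the usmUserTable row's keys from the shared secret.
    Assumption: sk is fed to PBKDF2 in the same octet encoding as the
    public values; the MIB does not state this."""
    secret = encode_pv(sk)
    return {
        "auth": hashlib.pbkdf2_hmac("sha1", secret, SALT_AUTH, ITERATIONS, KEY_LENGTH),
        "priv": hashlib.pbkdf2_hmac("sha1", secret, SALT_PRIV, ITERATIONS, KEY_LENGTH),
    }


def manager_provision() -> tuple:
    """Manager, before the device boots: choose r', put g^r' mod p in the
    configuration file, keep r' private. Returns (r', mgrPublic)."""
    r = random_private()
    return r, encode_pv(pow(G, r, P))


def agent_kickstart(mgr_public: bytes, security_name: str) -> tuple:
    """Agent at initialization: create the usmDHKickstartTable row and the
    keys of the associated usmUserTable row from sk = mgrPublic^r mod p."""
    r = random_private()
    my_public = encode_pv(pow(G, r, P))
    sk = pow(int.from_bytes(mgr_public, "big"), r, P)
    row = {
        "usmDHKickstartMyPublic": my_public,
        "usmDHKickstartMgrPublic": mgr_public,
        "usmDHKickstartSecurityName": security_name,
    }
    return row, kickstart_keys(sk)


def manager_finish(mgr_private: int, my_public: bytes) -> dict:
    """Manager, after reading usmDHKickstartMyPublic as 'dhKickstart'
    (noAuthNoPriv): sk = myPublic^r' mod p yields the same keys."""
    sk = pow(int.from_bytes(my_public, "big"), mgr_private, P)
    return kickstart_keys(sk)


if __name__ == "__main__":
    r_mgr, mgr_pub = manager_provision()
    row, agent_keys = agent_kickstart(mgr_pub, "netops")
    mgr_keys = manager_finish(r_mgr, row["usmDHKickstartMyPublic"])
    print("kickstart keys agree:", agent_keys == mgr_keys)
```

Only public values ever sit in the configuration file or cross the wire, which is why the description ties the scheme's security to the integrity of the provisioning path rather than its confidentiality: whoever can substitute mgrPublic decides which manager ends up holding the derived keys, so the configuration file's write access deserves the same protection as a password store even though reading it reveals nothing useful.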
   usmDHKickstartSecurityName OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The usmUserName and usmUserSecurityName in the usmUserTable
           associated with this row. This is provided in the same manner and
           at the same time as the usmDHKickstartMgrPublic value -
           e.g. possibly manually, or via the device's configuration file."
       ::= { usmDHKickstartEntry 4 }

   -- Conformance Information

   usmDHKeyMIBCompliances OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 }
   usmDHKeyMIBGroups      OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 }

   -- Compliance statements

   usmDHKeyMIBCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
           "The compliance statement for this module."
       MODULE
           GROUP usmDHKeyMIBBasicGroup
           DESCRIPTION
               "This group MAY be implemented by any agent which
               implements the usmUserTable and which wishes to provide the
               ability to change user and agent authentication and privacy
               keys via Diffie-Hellman key exchanges."
           GROUP usmDHKeyParamGroup
           DESCRIPTION
               "This group MUST be implemented by any agent which
               implements a MIB containing the DHKeyChange Textual
               Convention defined in this module."
           GROUP usmDHKeyKickstartGroup
           DESCRIPTION
               "This group MAY be implemented by any agent which
               implements the usmUserTable and which wishes the ability to
               populate the USM table based on out-of-band provided DH
               ignition values.

               Any agent implementing this group is expected to provide
               preinstalled entries in the USM and VACM tables as follows:

               In the usmUserTable: This entry allows access to the
               system and dhKickstart groups

                   usmUserEngineID         localEngineID
                   usmUserName             'dhKickstart'
                   usmUserSecurityName     'dhKickstart'
                   usmUserCloneFrom        ZeroDotZero
                   usmUserAuthProtocol     none
                   usmUserAuthKeyChange    ''
                   usmUserOwnAuthKeyChange ''
                   usmUserPrivProtocol     none
                   usmUserPrivKeyChange    ''
                   usmUserOwnPrivKeyChange ''
                   usmUserPublic           ''
                   usmUserStorageType      permanent
                   usmUserStatus           active

               In the vacmSecurityToGroupTable: This maps the initial
               user into the accessible objects.

                   vacmSecurityModel               3 (USM)
                   vacmSecurityName                'dhKickstart'
                   vacmGroupName                   'dhKickstart'
                   vacmSecurityToGroupStorageType  permanent
                   vacmSecurityToGroupStatus       active

               In the vacmAccessTable: Group name to view name translation.

                   vacmGroupName               'dhKickstart'
                   vacmAccessContextPrefix     ''
                   vacmAccessSecurityModel     3 (USM)
                   vacmAccessSecurityLevel     noAuthNoPriv
                   vacmAccessContextMatch      exact
                   vacmAccessReadViewName      'dhKickRestricted'
                   vacmAccessWriteViewName     ''
                   vacmAccessNotifyViewName    'dhKickRestricted'
                   vacmAccessStorageType       permanent
                   vacmAccessStatus            active

               In the vacmViewTreeFamilyTable: Two entries to allow the
               initial entry to access the system and kickstart groups.

                   vacmViewTreeFamilyViewName     'dhKickRestricted'
                   vacmViewTreeFamilySubtree      1.3.6.1.2.1.1 (system)
                   vacmViewTreeFamilyMask         ''
                   vacmViewTreeFamilyType         1
                   vacmViewTreeFamilyStorageType  permanent
                   vacmViewTreeFamilyStatus       active

                   vacmViewTreeFamilyViewName     'dhKickRestricted'
                   vacmViewTreeFamilySubtree      (usmDHKickstartTable OID)
                   vacmViewTreeFamilyMask         ''
                   vacmViewTreeFamilyType         1
                   vacmViewTreeFamilyStorageType  permanent
                   vacmViewTreeFamilyStatus       active
               "
           OBJECT usmDHParameters
           MIN-ACCESS read-only
           DESCRIPTION
               "It is compliant to implement this object as read-only for
               any device."
       ::= { usmDHKeyMIBCompliances 1 }
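The preinstalled USM and VACM rows in the compliance statement above are what confine the unauthenticated 'dhKickstart' user to the system group and the usmDHKickstartTable. The Python below is an added example, not code from the MIB or RFC 2786, that models those rows as data and applies the view-tree matching and access-decision rules of the VACM (RFC 3415): mask semantics, longest-subtree precedence, and the empty write view. The usmDHKickstartTable OID is derived from the module's own assignments (experimental 101, usmDHKeyObjects 1, usmDHKickstartGroup 2, usmDHKickstartTable 1) under the standard experimental arc 1.3.6.1.3; the dictionary keys and function names are the example's own, and the 'admin' user is a constructed non-existent user.

```python
EXPERIMENTAL = (1, 3, 6, 1, 3)                       # standard 'experimental' arc
SNMP_USM_DH_OBJECTS_MIB = EXPERIMENTAL + (101,)      # { experimental 101 }
USM_DH_PARAMETERS = SNMP_USM_DH_OBJECTS_MIB + (1, 1, 1)      # keyObjects.publicObjects.parameters
USM_DH_KICKSTART_TABLE = SNMP_USM_DH_OBJECTS_MIB + (1, 2, 1)  # keyObjects.kickstartGroup.table
SYSTEM = (1, 3, 6, 1, 2, 1, 1)

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# usmUserTable, reduced to what the decision needs: the preinstalled user
# has no authentication or privacy protocol.
USM_USERS = {"dhKickstart": {"authProtocol": None, "privProtocol": None}}

# vacmSecurityToGroupTable, keyed by (securityModel, securityName).
SECURITY_TO_GROUP = {(3, "dhKickstart"): "dhKickstart"}

# vacmAccessTable rows as listed in the compliance statement.
ACCESS = [
    {"group": "dhKickstart", "contextPrefix": "", "contextMatch": "exact",
     "securityModel": 3, "securityLevel": "noAuthNoPriv",
     "read": "dhKickRestricted", "write": "", "notify": "dhKickRestricted"},
]

# vacmViewTreeFamilyTable rows: (viewName, subtree, mask, type); type 1 is included.
VIEW_TREES = [
    ("dhKickRestricted", SYSTEM, b"", "included"),
    ("dhKickRestricted", USM_DH_KICKSTART_TABLE, b"", "included"),
]


def mask_bit(mask: bytes, i: int) -> bool:
    """Bit i (0-based, MSB first) of vacmViewTreeFamilyMask; bits beyond the
    end of the mask are taken as 1, so the empty mask means exact match."""
    if i // 8 >= len(mask):
        return True
    return bool(mask[i // 8] & (0x80 >> (i % 8)))


def family_matches(subtree: tuple, mask: bytes, oid: tuple) -> bool:
    if len(oid) < len(subtree):
        return False
    return all(not mask_bit(mask, i) or subtree[i] == oid[i] for i in range(len(subtree)))


def oid_in_view(view_name: str, oid: tuple) -> bool:
    """Among matching families the longest subtree wins (ties: the
    lexicographically greatest), and that family's type decides."""
    best = None
    for name, subtree, mask, ftype in VIEW_TREES:
        if name == view_name and family_matches(subtree, mask, oid):
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, ftype)
    return best is not None and best[1] == "included"


def is_access_allowed(security_model: int, security_name: str, security_level: str,
                      view_type: str, oid: tuple, context: str = "") -> bool:
    """view_type is 'read', 'write' or 'notify'. The USM step rejects a level
    the user's protocols cannot provide; the VACM step maps user -> group ->
    access row -> view and checks the OID against the view."""
    user = USM_USERS.get(security_name) if security_model == 3 else None
    if user is None:
        return False
    if LEVELS[security_level] >= LEVELS["authNoPriv"] and user["authProtocol"] is None:
        return False
    if security_level == "authPriv" and user["privProtocol"] is None:
        return False
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return False
    for row in ACCESS:
        context_ok = (context == row["contextPrefix"] if row["contextMatch"] == "exact"
                      else context.startswith(row["contextPrefix"]))
        if (row["group"] == group and row["securityModel"] == security_model
                and context_ok and LEVELS[security_level] >= LEVELS[row["securityLevel"]]):
            view = row[view_type]
            return bool(view) and oid_in_view(view, oid)
    return False


if __name__ == "__main__":
    print("sysName.0 readable:", is_access_allowed(3, "dhKickstart", "noAuthNoPriv", "read", SYSTEM + (5, 0)))
    print("sysName.0 writable:", is_access_allowed(3, "dhKickstart", "noAuthNoPriv", "write", SYSTEM + (5, 0)))
```

The two things worth checking on a real agent are the same ones the model makes explicit: that the kickstart user's write view is really empty (usmDHParameters, and the usmUserTable itself, must not be reachable from an unauthenticated session), and that the read view covers only the system group and the kickstart table rather than the whole module subtree.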
   -- Units of Compliance

   usmDHKeyMIBBasicGroup OBJECT-GROUP
       OBJECTS {
           usmDHUserAuthKeyChange,
           usmDHUserOwnAuthKeyChange,
           usmDHUserPrivKeyChange,
           usmDHUserOwnPrivKeyChange
       }
       STATUS current
       DESCRIPTION
           "The objects used to change user and agent authentication and
           privacy keys via Diffie-Hellman key exchanges."
       ::= { usmDHKeyMIBGroups 1 }

   usmDHKeyParamGroup OBJECT-GROUP
       OBJECTS {
           usmDHParameters
       }
       STATUS current
       DESCRIPTION
           "The mandatory object for all MIBs which use the DHKeyChange
           textual convention."
       ::= { usmDHKeyMIBGroups 2 }

   usmDHKeyKickstartGroup OBJECT-GROUP
       OBJECTS {
           usmDHKickstartMyPublic,
           usmDHKickstartMgrPublic,
           usmDHKickstartSecurityName
       }
       STATUS current
       DESCRIPTION
           "The objects used for kickstarting one or more SNMPv3 USM
           associations via a configuration file or other out of band,
           non-confidential access."
       ::= { usmDHKeyMIBGroups 3 }

END