| usmDHParameters | .1.3.6.1.3.101.1.1.1 | 
    
      | The public Diffie-Hellman parameters for doing a Diffie-Hellman
        key agreement for this device.  This is encoded as an ASN.1
        DHParameter per PKCS #3, section 9.  E.g.
        DHParameter ::= SEQUENCE {
        prime   INTEGER,   -- p
        base    INTEGER,   -- g
        privateValueLength  INTEGER OPTIONAL }
        Implementors are encouraged to use either the values from
        Oakley Group 1 or the values from Oakley Group 2 as specified
        in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the
        default for this object.  Other values may be used, but the
        security properties of those values MUST be well understood and
        MUST meet the requirements of PKCS #3 for the selection of
        Diffie-Hellman primes.
        In addition, any time usmDHParameters changes, all values of
        type DHKeyChange will change and new random numbers MUST be
        generated by the agent for each DHKeyChange object. | 
    
      | usmDHUserKeyEntry | .1.3.6.1.3.101.1.1.2.1 | 
    
      | A row of DHKeyChange objects which augment or replace the
        functionality of the KeyChange objects in the base table row. | 
    
      | usmDHKickstartEntry | .1.3.6.1.3.101.1.2.1.1 | 
    
      | An entry in the usmDHKickstartTable.  The agent SHOULD either
        delete this entry or mark it as inactive upon a successful SET of
        any of the KeyChange-typed objects in the usmUserEntry or upon a
        successful SET of any of the DHKeyChange-typed objects in the
        usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of
        usmUserTable or row of ushDhKeyChangeTable) equals this entry's
        usmDhKickstartSecurityName.  In other words, once you've changed
        one or more of the keys for a row in usmUserTable with a
        particular security name, the row in this table with that same
        security name is no longer useful or meaningful. | 
  
  
    
      | usmDHUserAuthKeyChange | .1.3.6.1.3.101.1.1.2.1.1 | 
    
      | The object used to change any given user's Authentication Key
        using a Diffie-Hellman key exchange.
        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserAuthProtocol, are installed as the operational
        authentication key for this row after a successful SET. | 
    
      | usmDHUserOwnAuthKeyChange | .1.3.6.1.3.101.1.1.2.1.2 | 
    
      | The object used to change the agent's own Authentication Key
        using a Diffie-Hellman key exchange.
        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserAuthProtocol, are installed as the operational
        authentication key for this row after a successful SET. | 
    
      | usmDHUserPrivKeyChange | .1.3.6.1.3.101.1.1.2.1.3 | 
    
      | The object used to change any given user's Privacy Key using
        a Diffie-Hellman key exchange.
        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserPrivProtocol, are installed as the operational privacy key
        for this row after a successful SET. | 
    
      | usmDHUserOwnPrivKeyChange | .1.3.6.1.3.101.1.1.2.1.4 | 
    
      | The object used to change the agent's own Privacy Key using a
        Diffie-Hellman key exchange.
        The right-most n bits of the shared secret 'sk', where 'n' is the
        number of bits required for the protocol defined by
        usmUserPrivProtocol, are installed as the operational privacy key
        for this row after a successful SET. | 
    
      | usmDHKickstartIndex | .1.3.6.1.3.101.1.2.1.1.1 | 
    
      | Index value for this row. | 
    
      | usmDHKickstartMyPublic | .1.3.6.1.3.101.1.2.1.1.2 | 
    
      | The agent's Diffie-Hellman public value for this row.  At
        initialization, the agent generates a random number and derives
        its public value from that number.  This public value is published
        here.  This public value 'y' equals g^r MOD p where g is the base
        from the set of Diffie-Hellman parameters, p is the prime from those
        parameters, and r is a random integer selected by the agent in the
        interval 2^(l-1) <= r < p-1 < 2^l.  If l is unspecified, then r is
        a random integer selected in the interval 0 <= r < p-1.
        The public value is expressed as an OCTET STRING 'PV' of length
        'k' which satisfies
        $y = \sum_{i=1}^{k} 2^{8(k-i)} \, PV_i$
        where PV1,...,PVk are the octets of PV from first to last, and
        where PV1 != 0.
        The following DH parameters (Oakley group #2, RFC 2409, sec 6.1,
        6.2) are used for this object:
        g = 2
        p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
        29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
        EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
        E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
        EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
        FFFFFFFF FFFFFFFF
        l=1024 | 
    
      | usmDHKickstartMgrPublic | .1.3.6.1.3.101.1.2.1.1.3 | 
    
      | The manager's Diffie-Hellman public value for this row.  Note
        that this value is not set via the SNMP agent, but may be set via
        some out of band method, such as the device's configuration file.
        The manager calculates this value in the same manner and using the
        same parameter set as the agent does.  E.g. it selects a random
        number 'r', calculates y = g^r mod p and provides 'y' as the
        public number expressed as an OCTET STRING.  See
        usmDHKickstartMyPublic for details.
        When this object is set with a valid value during initialization,
        a row is created in the usmUserTable with the following values:
        usmUserEngineID             localEngineID
        usmUserName                 [value of usmDHKickstartSecurityName]
        usmUserSecurityName         [value of usmDHKickstartSecurityName]
        usmUserCloneFrom            ZeroDotZero
        usmUserAuthProtocol         usmHMACMD5AuthProtocol
        usmUserAuthKeyChange        -- derived from set value
        usmUserOwnAuthKeyChange     -- derived from set value
        usmUserPrivProtocol         usmDESPrivProtocol
        usmUserPrivKeyChange        -- derived from set value
        usmUserOwnPrivKeyChange     -- derived from set value
        usmUserPublic               ''
        usmUserStorageType          permanent
        usmUserStatus               active
        A shared secret 'sk' is calculated at the agent as sk =
        mgrPublic^r mod p where r is the agent's random number and p is the
        DH prime from the common parameters.  The underlying privacy key
        for this row is derived from sk by applying the key derivation
        function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6,
        an iterationCount of 500, a keyLength of 16 (for
        usmDESPrivProtocol), and a prf (pseudo random function) of
        'id-hmacWithSHA1'.  The underlying authentication key for this row
        is derived from sk by applying the key derivation function PBKDF2
        with a salt of 0x98dfb5ac, an iteration count of 500, a
        keyLength of 16 (for usmHMACMD5AuthProtocol), and a prf of
        'id-hmacWithSHA1'.  Note: The salts are the first two words in the
        ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied
        Cryptography' by Bruce Schneier - they could be any relatively
        random string of bits.
        The manager can use its knowledge of its own random number and the
        agent's public value to kickstart its access to the agent in a
        secure manner.  Note that the security of this approach is
        directly related to the strength of the authorization security of
        the out of band provisioning of the manager's public value
        (e.g. the configuration file), but is not dependent at all on the
        strength of the confidentiality of the out of band provisioning
        data. | 
    
      | usmDHKickstartSecurityName | .1.3.6.1.3.101.1.2.1.1.4 | 
    
      | The usmUserName and usmUserSecurityName in the usmUserTable
        associated with this row.  This is provided in the same manner and
        at the same time as the usmDHKickstartMgrPublic value -
        e.g. possibly manually, or via the device's configuration file. |
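
The kickstart derivation described under usmDHKickstartMyPublic and usmDHKickstartMgrPublic, as an added example (not code from the MIB or its authors). It assumes sk is passed to PBKDF2 as a big-endian octet string encoded like the public value, which the text does not specify; the range check on the peer value is an added precaution, and the function names are illustrative.

```python
import hashlib
import secrets

# Oakley group 2 parameters as listed under usmDHKickstartMyPublic.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G, L = 2, 1024
PRIV_SALT = bytes.fromhex("d1310ba6")   # salt for the privacy key
AUTH_SALT = bytes.fromhex("98dfb5ac")   # salt for the authentication key
ITERATIONS, KEY_LEN = 500, 16


def to_octets(n: int) -> bytes:
    """Big-endian OCTET STRING with no leading zero octet (PV1 != 0)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def generate_keypair():
    """Pick r with 2^(l-1) <= r < p-1 and return (r, PV) where y = g^r mod p."""
    low = 1 << (L - 1)
    r = low + secrets.randbelow(P - 1 - low)
    return r, to_octets(pow(G, r, P))


def kickstart_keys(own_r: int, peer_public: bytes):
    """Return (auth_key, priv_key) derived from sk = peer^r mod p."""
    y = int.from_bytes(peer_public, "big")
    # Added precaution, not stated in the MIB text: refuse degenerate values
    # (0, 1, p-1 or anything >= p) that would force a predictable sk.
    if not 1 < y < P - 1:
        raise ValueError("peer public value out of range")
    # Assumption: sk is fed to PBKDF2 as a minimal big-endian octet string.
    sk = to_octets(pow(y, own_r, P))
    auth = hashlib.pbkdf2_hmac("sha1", sk, AUTH_SALT, ITERATIONS, KEY_LEN)
    priv = hashlib.pbkdf2_hmac("sha1", sk, PRIV_SALT, ITERATIONS, KEY_LEN)
    return auth, priv


if __name__ == "__main__":
    agent_r, agent_pub = generate_keypair()   # published in usmDHKickstartMyPublic
    mgr_r, mgr_pub = generate_keypair()       # provisioned as usmDHKickstartMgrPublic
    assert kickstart_keys(agent_r, mgr_pub) == kickstart_keys(mgr_r, agent_pub)
    print("agent and manager derived identical kickstart keys")
```

Both sides reach the same 16-octet keys without the manager's public value ever needing to be confidential, which is why only the integrity of the out-of-band provisioning channel matters.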