Diffstat (limited to 'mibs/SNMP-USM-DH-OBJECTS-MIB.txt')
-rw-r--r-- | mibs/SNMP-USM-DH-OBJECTS-MIB.txt | 532 |
1 files changed, 532 insertions, 0 deletions
diff --git a/mibs/SNMP-USM-DH-OBJECTS-MIB.txt b/mibs/SNMP-USM-DH-OBJECTS-MIB.txt new file mode 100644 index 00000000..7377425c --- /dev/null +++ b/mibs/SNMP-USM-DH-OBJECTS-MIB.txt 
@@ -0,0 +1,532 @@ +SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + -- OBJECT-IDENTITY, + experimental, Integer32 + FROM SNMPv2-SMI + TEXTUAL-CONVENTION + FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + usmUserEntry + FROM SNMP-USER-BASED-SM-MIB + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB; + +snmpUsmDHObjectsMIB MODULE-IDENTITY + LAST-UPDATED "200003060000Z" -- 6 March 2000, Midnight + ORGANIZATION "Excite@Home" + CONTACT-INFO "Author: Mike StJohns + Postal: Excite@Home + 450 Broadway + Redwood City, CA 94063 + Email: stjohns@corp.home.net + Phone: +1-650-556-5368" + DESCRIPTION + "The management information definitions for providing forward + secrecy for key changes for the usmUserTable, and for providing a + method for 'kickstarting' access to the agent via a Diffie-Helman + key agreement." + + REVISION "200003060000Z" + DESCRIPTION + "Initial version published as RFC 2786." + ::= { experimental 101 } -- IANA DHKEY-CHANGE 101 + +-- Administrative assignments + +usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 } +usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 } + +-- Textual conventions + +DHKeyChange ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Upon initialization, or upon creation of a row containing an + object of this type, and after any successful SET of this value, a + GET of this value returns 'y' where y = g^xa MOD p, and where g is + the base from usmDHParameters, p is the prime from + usmDHParameters, and xa is a new random integer selected by the + agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the + optional privateValueLength from usmDHParameters in bits. If 'l' + is omitted, then xa (and xr below) is selected in the interval 0 + <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k' + which satisfies + + k + y = SUM 2^(8(k-i)) PV'i + i=1 + + where PV1,...,PVk are the octets of PV from first to last, and + where PV1 <> 0. 
+ + A successful SET consists of the value 'y' expressed as an OCTET + STRING as above concatenated with the value 'z'(expressed as an + OCTET STRING in the same manner as y) where z = g^xr MOD p, where + g, p and l are as above, and where xr is a new random integer + selected by the manager in the interval 2^(l-1) <= xr < 2^l < + p-1. A SET to an object of this type will fail with the error + wrongValue if the current 'y' does not match the 'y' portion of + the value of the varbind for the object. (E.g. GET yout, SET + concat(yin, z), yout <> yin). + + Note that the private values xa and xr are never transmitted from + manager to device or vice versa, only the values y and z. + Obviously, these values must be retained until a successful SET on + the associated object. + + The shared secret 'sk' is calculated at the agent as sk = z^xa MOD + p, and at the manager as sk = y^xr MOD p. + + Each object definition of this type MUST describe how to map from + the shared secret 'sk' to the operational key value used by the + protocols and operations related to the object. In general, if n + bits of key are required, the author suggests using the n + right-most bits of the shared secret as the operational key value." + REFERENCE + "-- Diffie-Hellman Key-Agreement Standard, PKCS #3; + RSA Laboratories, November 1993" + SYNTAX OCTET STRING + +-- Diffie Hellman public values + +usmDHPublicObjects OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 } + +usmDHParameters OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The public Diffie-Hellman parameters for doing a Diffie-Hellman + key agreement for this device. This is encoded as an ASN.1 + DHParameter per PKCS #3, section 9. E.g. 
+ + DHParameter ::= SEQUENCE { + prime INTEGER, -- p + base INTEGER, -- g + privateValueLength INTEGER OPTIONAL } + + Implementors are encouraged to use either the values from + Oakley Group 1 or the values of from Oakley Group 2 as specified + in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the + default for this object. Other values may be used, but the + security properties of those values MUST be well understood and + MUST meet the requirements of PKCS #3 for the selection of + Diffie-Hellman primes. + + In addition, any time usmDHParameters changes, all values of + type DHKeyChange will change and new random numbers MUST be + generated by the agent for each DHKeyChange object." + REFERENCE + "-- Diffie-Hellman Key-Agreement Standard, PKCS #3, + RSA Laboratories, November 1993 + -- The Internet Key Exchange, RFC 2409, November 1998, + Sec 6.1, 6.2" + ::= { usmDHPublicObjects 1 } + +usmDHUserKeyTable OBJECT-TYPE + SYNTAX SEQUENCE OF UsmDHUserKeyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table augments and extends the usmUserTable and provides + 4 objects which exactly mirror the objects in that table with the + textual convention of 'KeyChange'. This extension allows key + changes to be done in a manner where the knowledge of the current + secret plus knowledge of the key change data exchanges (e.g. via + wiretapping) will not reveal the new key." + ::= { usmDHPublicObjects 2 } + +usmDHUserKeyEntry OBJECT-TYPE + SYNTAX UsmDHUserKeyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A row of DHKeyChange objects which augment or replace the + functionality of the KeyChange objects in the base table row." 
+ AUGMENTS { usmUserEntry } + ::= {usmDHUserKeyTable 1 } + +UsmDHUserKeyEntry ::= SEQUENCE { + usmDHUserAuthKeyChange DHKeyChange, + usmDHUserOwnAuthKeyChange DHKeyChange, + usmDHUserPrivKeyChange DHKeyChange, + usmDHUserOwnPrivKeyChange DHKeyChange + } + +usmDHUserAuthKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change any given user's Authentication Key + using a Diffie-Hellman key exchange. + + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserAuthProtocol, are installed as the operational + authentication key for this row after a successful SET." + ::= { usmDHUserKeyEntry 1 } + +usmDHUserOwnAuthKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change the agents own Authentication Key + using a Diffie-Hellman key exchange. + + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserAuthProtocol, are installed as the operational + authentication key for this row after a successful SET." + ::= { usmDHUserKeyEntry 2 } + +usmDHUserPrivKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change any given user's Privacy Key using + a Diffie-Hellman key exchange. + + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserPrivProtocol, are installed as the operational privacy key + for this row after a successful SET." + ::= { usmDHUserKeyEntry 3 } + +usmDHUserOwnPrivKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change the agent's own Privacy Key using a + Diffie-Hellman key exchange. 
+ + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserPrivProtocol, are installed as the operational privacy key + for this row after a successful SET." + ::= { usmDHUserKeyEntry 4 } + +usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 } + +usmDHKickstartTable OBJECT-TYPE + SYNTAX SEQUENCE OF UsmDHKickstartEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of mappings between zero or more Diffie-Helman key + agreement values and entries in the usmUserTable. Entries in this + table are created by providing the associated device with a + Diffie-Helman public value and a usmUserName/usmUserSecurityName + pair during initialization. How these values are provided is + outside the scope of this MIB, but could be provided manually, or + through a configuration file. Valid public value/name pairs + result in the creation of a row in this table as well as the + creation of an associated row (with keys derived as indicated) in + the usmUserTable. The actual access the related usmSecurityName + has is dependent on the entries in the VACM tables. In general, + an implementor will specify one or more standard security names + and will provide entries in the VACM tables granting various + levels of access to those names. The actual content of the VACM + + table is beyond the scope of this MIB. + + Note: This table is expected to be readable without authentication + using the usmUserSecurityName 'dhKickstart'. See the conformance + statements for details." + ::= { usmDHKickstartGroup 1 } + +usmDHKickstartEntry OBJECT-TYPE + SYNTAX UsmDHKickstartEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in the usmDHKickstartTable. 
The agent SHOULD either + delete this entry or mark it as inactive upon a successful SET of + any of the KeyChange-typed objects in the usmUserEntry or upon a + successful SET of any of the DHKeyChange-typed objects in the + usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of + usmUserTable or row of ushDhKeyChangeTable) equals this entry's + usmDhKickstartSecurityName. In otherwords, once you've changed + one or more of the keys for a row in usmUserTable with a + particular security name, the row in this table with that same + security name is no longer useful or meaningful." + INDEX { usmDHKickstartIndex } + ::= {usmDHKickstartTable 1 } + +UsmDHKickstartEntry ::= SEQUENCE { + usmDHKickstartIndex Integer32, + usmDHKickstartMyPublic OCTET STRING, + usmDHKickstartMgrPublic OCTET STRING, + usmDHKickstartSecurityName SnmpAdminString + } + +usmDHKickstartIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Index value for this row." + ::= { usmDHKickstartEntry 1 } + +usmDHKickstartMyPublic OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The agent's Diffie-Hellman public value for this row. At + + initialization, the agent generates a random number and derives + its public value from that number. This public value is published + here. This public value 'y' equals g^r MOD p where g is the from + the set of Diffie-Hellman parameters, p is the prime from those + parameters, and r is a random integer selected by the agent in the + interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is + a random integer selected in the interval 0 <= r < p-1 + + The public value is expressed as an OCTET STRING 'PV' of length + 'k' which satisfies + + k + y = SUM 2^(8(k-i)) PV'i + i = 1 + + where PV1,...,PVk are the octets of PV from first to last, and + where PV1 != 0. 
+ + The following DH parameters (Oakley group #2, RFC 2409, sec 6.1, + 6.2) are used for this object: + + g = 2 + p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 + 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD + EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 + E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED + EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 + FFFFFFFF FFFFFFFF + l=1024 + " + REFERENCE + "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4; + RSA Laboratories, November 1993 + -- The Internet Key Exchange, RFC2409; + Harkins, D., Carrel, D.; November 1998" + ::= { usmDHKickstartEntry 2 } + +usmDHKickstartMgrPublic OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The manager's Diffie-Hellman public value for this row. Note + that this value is not set via the SNMP agent, but may be set via + some out of band method, such as the device's configuration file. + + The manager calculates this value in the same manner and using the + same parameter set as the agent does. E.g. it selects a random + number 'r', calculates y = g^r mod p and provides 'y' as the + public number expressed as an OCTET STRING. See + usmDHKickstartMyPublic for details. 
+ + When this object is set with a valid value during initialization, + a row is created in the usmUserTable with the following values: + + usmUserEngineID localEngineID + usmUserName [value of usmDHKickstartSecurityName] + usmUserSecurityName [value of usmDHKickstartSecurityName] + usmUserCloneFrom ZeroDotZero + usmUserAuthProtocol usmHMACMD5AuthProtocol + usmUserAuthKeyChange -- derived from set value + usmUserOwnAuthKeyChange -- derived from set value + usmUserPrivProtocol usmDESPrivProtocol + usmUserPrivKeyChange -- derived from set value + usmUserOwnPrivKeyChange -- derived from set value + usmUserPublic '' + usmUserStorageType permanent + usmUserStatus active + + A shared secret 'sk' is calculated at the agent as sk = + mgrPublic^r mod p where r is the agents random number and p is the + DH prime from the common parameters. The underlying privacy key + for this row is derived from sk by applying the key derivation + function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6, + and iterationCount of 500, a keyLength of 16 (for + usmDESPrivProtocol), and a prf (pseudo random function) of + 'id-hmacWithSHA1'. The underlying authentication key for this row + is derived from sk by applying the key derivation function PBKDF2 + with a salt of 0x98dfb5ac , an interation count of 500, a + keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of + 'id-hmacWithSHA1'. Note: The salts are the first two words in the + ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied + Cryptography' by Bruce Schnier - they could be any relatively + random string of bits. + + The manager can use its knowledge of its own random number and the + agent's public value to kickstart its access to the agent in a + secure manner. Note that the security of this approach is + directly related to the strength of the authorization security of + the out of band provisioning of the managers public value + (e.g. 
the configuration file), but is not dependent at all on the + strength of the confidentiality of the out of band provisioning + data." + REFERENCE + "-- Password-Based Cryptography Standard, PKCS#5v2.0; + RSA Laboratories, March 1999 + -- Applied Cryptography, 2nd Ed.; B. Schneier, + Counterpane Systems; John Wiley & Sons, 1996" + ::= { usmDHKickstartEntry 3 } + +usmDHKickstartSecurityName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The usmUserName and usmUserSecurityName in the usmUserTable + associated with this row. This is provided in the same manner and + at the same time as the usmDHKickstartMgrPublic value - + e.g. possibly manually, or via the device's configuration file." + ::= { usmDHKickstartEntry 4 } + +-- Conformance Information + +usmDHKeyMIBCompliances OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 } +usmDHKeyMIBGroups OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 } + +-- Compliance statements + +usmDHKeyMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for this module." + MODULE + GROUP usmDHKeyMIBBasicGroup + DESCRIPTION + "This group MAY be implemented by any agent which + implements the usmUserTable and which wishes to provide the + ability to change user and agent authentication and privacy + keys via Diffie-Hellman key exchanges." + + GROUP usmDHKeyParamGroup + DESCRIPTION + "This group MUST be implemented by any agent which + implements a MIB containing the DHKeyChange Textual + Convention defined in this module." + + GROUP usmDHKeyKickstartGroup + DESCRIPTION + "This group MAY be implemented by any agent which + implements the usmUserTable and which wishes the ability to + populate the USM table based on out-of-band provided DH + ignition values. 
+ + Any agent implementing this group is expected to provide + preinstalled entries in the vacm tables as follows: + + In the usmUserTable: This entry allows access to the + system and dhKickstart groups + + usmUserEngineID localEngineID + usmUserName 'dhKickstart' + usmUserSecurityName 'dhKickstart' + usmUserCloneFrom ZeroDotZero + usmUserAuthProtocol none + usmUserAuthKeyChange '' + usmUserOwnAuthKeyChange '' + usmUserPrivProtocol none + usmUserPrivKeyChange '' + usmUserOwnPrivKeyChange '' + usmUserPublic '' + usmUserStorageType permanent + usmUserStatus active + + In the vacmSecurityToGroupTable: This maps the initial + user into the accessible objects. + + vacmSecurityModel 3 (USM) + vacmSecurityName 'dhKickstart' + vacmGroupName 'dhKickstart' + vacmSecurityToGroupStorageType permanent + vacmSecurityToGroupStatus active + + In the vacmAccessTable: Group name to view name translation. + + vacmGroupName 'dhKickstart' + vacmAccessContextPrefix '' + vacmAccessSecurityModel 3 (USM) + vacmAccessSecurityLevel noAuthNoPriv + vacmAccessContextMatch exact + vacmAccessReadViewName 'dhKickRestricted' + vacmAccessWriteViewName '' + vacmAccessNotifyViewName 'dhKickRestricted' + vacmAccessStorageType permanent + vacmAccessStatus active + + In the vacmViewTreeFamilyTable: Two entries to allow the + initial entry to access the system and kickstart groups. + + vacmViewTreeFamilyViewName 'dhKickRestricted' + vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system) + vacmViewTreeFamilyMask '' + + vacmViewTreeFamilyType 1 + vacmViewTreeFamilyStorageType permanent + vacmViewTreeFamilyStatus active + + vacmViewTreeFamilyViewName 'dhKickRestricted' + vacmViewTreeFamilySubtree (usmDHKickstartTable OID) + vacmViewTreeFamilyMask '' + vacmViewTreeFamilyType 1 + vacmViewTreeFamilyStorageType permanent + vacmViewTreeFamilyStatus active + " + + OBJECT usmDHParameters + MIN-ACCESS read-only + DESCRIPTION + "It is compliant to implement this object as read-only for + any device." 
+ ::= { usmDHKeyMIBCompliances 1 } + +-- Units of Compliance + +usmDHKeyMIBBasicGroup OBJECT-GROUP + OBJECTS { + usmDHUserAuthKeyChange, + usmDHUserOwnAuthKeyChange, + usmDHUserPrivKeyChange, + usmDHUserOwnPrivKeyChange + } + STATUS current + DESCRIPTION + "" + ::= { usmDHKeyMIBGroups 1 } + +usmDHKeyParamGroup OBJECT-GROUP + OBJECTS { + usmDHParameters + } + STATUS current + DESCRIPTION + "The mandatory object for all MIBs which use the DHKeyChange + textual convention." + ::= { usmDHKeyMIBGroups 2 } + +usmDHKeyKickstartGroup OBJECT-GROUP + OBJECTS { + usmDHKickstartMyPublic, + usmDHKickstartMgrPublic, + usmDHKickstartSecurityName + } + STATUS current + DESCRIPTION + "The objects used for kickstarting one or more SNMPv3 USM + associations via a configuration file or other out of band, + non-confidential access." + ::= { usmDHKeyMIBGroups 3 } + +END |
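Review bot: the DESCRIPTION of usmDHKickstartEntry refers to tables that this module never defines, `usmDhKeyChangeEntry` and `ushDhKeyChangeTable`, where the objects actually live in `usmDHUserKeyTable` / `usmDHUserKeyEntry`; since the file is a verbatim import of RFC 2786 (its own REVISION clause says so), the fix is not to silently edit the text but to state in the commit message or a leading `--` comment that the module is copied unchanged from the RFC, known errata included. Two further points in the same hunk belong in that note: the private-value interval for usmDHKickstartMyPublic is written `2^(l-1) <= r < p-1 < 2^l`, which contradicts the `2^(l-1) <= xa < 2^l < p-1` ordering given in the DHKeyChange textual convention, and `usmDHKeyMIBBasicGroup` carries an empty `DESCRIPTION ""`, which MIB linters warn about. For anyone who later enables the kickstart group: the usmUserTable row it creates is hard-wired to `usmHMACMD5AuthProtocol` and `usmDESPrivProtocol` with 16-byte keys derived by PBKDF2 at 500 iterations, and the preinstalled `dhKickstart` user is `noAuthNoPriv`, so the `dhKickRestricted` view must stay limited to the `system` subtree and the usmDHKickstartTable exactly as the compliance text lists, and the kickstart row should be removed or deactivated once the real keys have been changed, as the entry's DESCRIPTION already requires.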