path: root/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
Diffstat (limited to 'mibs/SNMP-USM-DH-OBJECTS-MIB.txt')
-rw-r--r--mibs/SNMP-USM-DH-OBJECTS-MIB.txt532
1 files changed, 532 insertions, 0 deletions
diff --git a/mibs/SNMP-USM-DH-OBJECTS-MIB.txt b/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
new file mode 100644
index 00000000..7377425c
--- /dev/null
+++ b/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
@@ -0,0 +1,532 @@
+SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ -- OBJECT-IDENTITY,
+ experimental, Integer32
+ FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION
+ FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP
+ FROM SNMPv2-CONF
+ usmUserEntry
+ FROM SNMP-USER-BASED-SM-MIB
+ SnmpAdminString
+ FROM SNMP-FRAMEWORK-MIB;
+
+snmpUsmDHObjectsMIB MODULE-IDENTITY
+ LAST-UPDATED "200003060000Z" -- 6 March 2000, Midnight
+ ORGANIZATION "Excite@Home"
+ CONTACT-INFO "Author: Mike StJohns
+ Postal: Excite@Home
+ 450 Broadway
+ Redwood City, CA 94063
+ Email: stjohns@corp.home.net
+ Phone: +1-650-556-5368"
+ DESCRIPTION
+ "The management information definitions for providing forward
+ secrecy for key changes for the usmUserTable, and for providing a
+ method for 'kickstarting' access to the agent via a Diffie-Helman
+ key agreement."
+
+ REVISION "200003060000Z"
+ DESCRIPTION
+ "Initial version published as RFC 2786."
+ ::= { experimental 101 } -- IANA DHKEY-CHANGE 101
+
+-- Administrative assignments
+
+usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
+usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }
+
+-- Textual conventions
+
+DHKeyChange ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "Upon initialization, or upon creation of a row containing an
+ object of this type, and after any successful SET of this value, a
+ GET of this value returns 'y' where y = g^xa MOD p, and where g is
+ the base from usmDHParameters, p is the prime from
+ usmDHParameters, and xa is a new random integer selected by the
+ agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the
+ optional privateValueLength from usmDHParameters in bits. If 'l'
+ is omitted, then xa (and xr below) is selected in the interval 0
+ <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k'
+ which satisfies
+
+ k
+ y = SUM 2^(8(k-i)) PV'i
+ i=1
+
+ where PV1,...,PVk are the octets of PV from first to last, and
+ where PV1 <> 0.
+
+ A successful SET consists of the value 'y' expressed as an OCTET
+ STRING as above concatenated with the value 'z'(expressed as an
+ OCTET STRING in the same manner as y) where z = g^xr MOD p, where
+ g, p and l are as above, and where xr is a new random integer
+ selected by the manager in the interval 2^(l-1) <= xr < 2^l <
+ p-1. A SET to an object of this type will fail with the error
+ wrongValue if the current 'y' does not match the 'y' portion of
+ the value of the varbind for the object. (E.g. GET yout, SET
+ concat(yin, z), yout <> yin).
+
+ Note that the private values xa and xr are never transmitted from
+ manager to device or vice versa, only the values y and z.
+ Obviously, these values must be retained until a successful SET on
+ the associated object.
+
+ The shared secret 'sk' is calculated at the agent as sk = z^xa MOD
+ p, and at the manager as sk = y^xr MOD p.
+
+ Each object definition of this type MUST describe how to map from
+ the shared secret 'sk' to the operational key value used by the
+ protocols and operations related to the object. In general, if n
+ bits of key are required, the author suggests using the n
+ right-most bits of the shared secret as the operational key value."
+ REFERENCE
+ "-- Diffie-Hellman Key-Agreement Standard, PKCS #3;
+ RSA Laboratories, November 1993"
+ SYNTAX OCTET STRING
+
+-- Diffie Hellman public values
+
+usmDHPublicObjects OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 }
+
+usmDHParameters OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The public Diffie-Hellman parameters for doing a Diffie-Hellman
+ key agreement for this device. This is encoded as an ASN.1
+ DHParameter per PKCS #3, section 9. E.g.
+
+ DHParameter ::= SEQUENCE {
+ prime INTEGER, -- p
+ base INTEGER, -- g
+ privateValueLength INTEGER OPTIONAL }
+
+ Implementors are encouraged to use either the values from
+ Oakley Group 1 or the values of from Oakley Group 2 as specified
+ in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the
+ default for this object. Other values may be used, but the
+ security properties of those values MUST be well understood and
+ MUST meet the requirements of PKCS #3 for the selection of
+ Diffie-Hellman primes.
+
+ In addition, any time usmDHParameters changes, all values of
+ type DHKeyChange will change and new random numbers MUST be
+ generated by the agent for each DHKeyChange object."
+ REFERENCE
+ "-- Diffie-Hellman Key-Agreement Standard, PKCS #3,
+ RSA Laboratories, November 1993
+ -- The Internet Key Exchange, RFC 2409, November 1998,
+ Sec 6.1, 6.2"
+ ::= { usmDHPublicObjects 1 }
+
+usmDHUserKeyTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF UsmDHUserKeyEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table augments and extends the usmUserTable and provides
+ 4 objects which exactly mirror the objects in that table with the
+ textual convention of 'KeyChange'. This extension allows key
+ changes to be done in a manner where the knowledge of the current
+ secret plus knowledge of the key change data exchanges (e.g. via
+ wiretapping) will not reveal the new key."
+ ::= { usmDHPublicObjects 2 }
+
+usmDHUserKeyEntry OBJECT-TYPE
+ SYNTAX UsmDHUserKeyEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A row of DHKeyChange objects which augment or replace the
+ functionality of the KeyChange objects in the base table row."
+ AUGMENTS { usmUserEntry }
+ ::= {usmDHUserKeyTable 1 }
+
+UsmDHUserKeyEntry ::= SEQUENCE {
+ usmDHUserAuthKeyChange DHKeyChange,
+ usmDHUserOwnAuthKeyChange DHKeyChange,
+ usmDHUserPrivKeyChange DHKeyChange,
+ usmDHUserOwnPrivKeyChange DHKeyChange
+ }
+
+usmDHUserAuthKeyChange OBJECT-TYPE
+ SYNTAX DHKeyChange
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The object used to change any given user's Authentication Key
+ using a Diffie-Hellman key exchange.
+
+ The right-most n bits of the shared secret 'sk', where 'n' is the
+ number of bits required for the protocol defined by
+ usmUserAuthProtocol, are installed as the operational
+ authentication key for this row after a successful SET."
+ ::= { usmDHUserKeyEntry 1 }
+
+usmDHUserOwnAuthKeyChange OBJECT-TYPE
+ SYNTAX DHKeyChange
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The object used to change the agents own Authentication Key
+ using a Diffie-Hellman key exchange.
+
+ The right-most n bits of the shared secret 'sk', where 'n' is the
+ number of bits required for the protocol defined by
+ usmUserAuthProtocol, are installed as the operational
+ authentication key for this row after a successful SET."
+ ::= { usmDHUserKeyEntry 2 }
+
+usmDHUserPrivKeyChange OBJECT-TYPE
+ SYNTAX DHKeyChange
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The object used to change any given user's Privacy Key using
+ a Diffie-Hellman key exchange.
+
+ The right-most n bits of the shared secret 'sk', where 'n' is the
+ number of bits required for the protocol defined by
+ usmUserPrivProtocol, are installed as the operational privacy key
+ for this row after a successful SET."
+ ::= { usmDHUserKeyEntry 3 }
+
+usmDHUserOwnPrivKeyChange OBJECT-TYPE
+ SYNTAX DHKeyChange
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The object used to change the agent's own Privacy Key using a
+ Diffie-Hellman key exchange.
+
+ The right-most n bits of the shared secret 'sk', where 'n' is the
+ number of bits required for the protocol defined by
+ usmUserPrivProtocol, are installed as the operational privacy key
+ for this row after a successful SET."
+ ::= { usmDHUserKeyEntry 4 }
+
+usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 }
+
+usmDHKickstartTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF UsmDHKickstartEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of mappings between zero or more Diffie-Helman key
+ agreement values and entries in the usmUserTable. Entries in this
+ table are created by providing the associated device with a
+ Diffie-Helman public value and a usmUserName/usmUserSecurityName
+ pair during initialization. How these values are provided is
+ outside the scope of this MIB, but could be provided manually, or
+ through a configuration file. Valid public value/name pairs
+ result in the creation of a row in this table as well as the
+ creation of an associated row (with keys derived as indicated) in
+ the usmUserTable. The actual access the related usmSecurityName
+ has is dependent on the entries in the VACM tables. In general,
+ an implementor will specify one or more standard security names
+ and will provide entries in the VACM tables granting various
+ levels of access to those names. The actual content of the VACM
+
+ table is beyond the scope of this MIB.
+
+ Note: This table is expected to be readable without authentication
+ using the usmUserSecurityName 'dhKickstart'. See the conformance
+ statements for details."
+ ::= { usmDHKickstartGroup 1 }
+
+usmDHKickstartEntry OBJECT-TYPE
+ SYNTAX UsmDHKickstartEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry in the usmDHKickstartTable. The agent SHOULD either
+ delete this entry or mark it as inactive upon a successful SET of
+ any of the KeyChange-typed objects in the usmUserEntry or upon a
+ successful SET of any of the DHKeyChange-typed objects in the
+ usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of
+ usmUserTable or row of ushDhKeyChangeTable) equals this entry's
+ usmDhKickstartSecurityName. In otherwords, once you've changed
+ one or more of the keys for a row in usmUserTable with a
+ particular security name, the row in this table with that same
+ security name is no longer useful or meaningful."
+ INDEX { usmDHKickstartIndex }
+ ::= {usmDHKickstartTable 1 }
+
+UsmDHKickstartEntry ::= SEQUENCE {
+ usmDHKickstartIndex Integer32,
+ usmDHKickstartMyPublic OCTET STRING,
+ usmDHKickstartMgrPublic OCTET STRING,
+ usmDHKickstartSecurityName SnmpAdminString
+ }
+
+usmDHKickstartIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Index value for this row."
+ ::= { usmDHKickstartEntry 1 }
+
+usmDHKickstartMyPublic OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The agent's Diffie-Hellman public value for this row. At
+
+ initialization, the agent generates a random number and derives
+ its public value from that number. This public value is published
+ here. This public value 'y' equals g^r MOD p where g is the from
+ the set of Diffie-Hellman parameters, p is the prime from those
+ parameters, and r is a random integer selected by the agent in the
+ interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is
+ a random integer selected in the interval 0 <= r < p-1
+
+ The public value is expressed as an OCTET STRING 'PV' of length
+ 'k' which satisfies
+
+ k
+ y = SUM 2^(8(k-i)) PV'i
+ i = 1
+
+ where PV1,...,PVk are the octets of PV from first to last, and
+ where PV1 != 0.
+
+ The following DH parameters (Oakley group #2, RFC 2409, sec 6.1,
+ 6.2) are used for this object:
+
+ g = 2
+ p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+ 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+ EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+ E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+ EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
+ FFFFFFFF FFFFFFFF
+ l=1024
+ "
+ REFERENCE
+ "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4;
+ RSA Laboratories, November 1993
+ -- The Internet Key Exchange, RFC2409;
+ Harkins, D., Carrel, D.; November 1998"
+ ::= { usmDHKickstartEntry 2 }
+
+usmDHKickstartMgrPublic OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The manager's Diffie-Hellman public value for this row. Note
+ that this value is not set via the SNMP agent, but may be set via
+ some out of band method, such as the device's configuration file.
+
+ The manager calculates this value in the same manner and using the
+ same parameter set as the agent does. E.g. it selects a random
+ number 'r', calculates y = g^r mod p and provides 'y' as the
+ public number expressed as an OCTET STRING. See
+ usmDHKickstartMyPublic for details.
+
+ When this object is set with a valid value during initialization,
+ a row is created in the usmUserTable with the following values:
+
+ usmUserEngineID localEngineID
+ usmUserName [value of usmDHKickstartSecurityName]
+ usmUserSecurityName [value of usmDHKickstartSecurityName]
+ usmUserCloneFrom ZeroDotZero
+ usmUserAuthProtocol usmHMACMD5AuthProtocol
+ usmUserAuthKeyChange -- derived from set value
+ usmUserOwnAuthKeyChange -- derived from set value
+ usmUserPrivProtocol usmDESPrivProtocol
+ usmUserPrivKeyChange -- derived from set value
+ usmUserOwnPrivKeyChange -- derived from set value
+ usmUserPublic ''
+ usmUserStorageType permanent
+ usmUserStatus active
+
+ A shared secret 'sk' is calculated at the agent as sk =
+ mgrPublic^r mod p where r is the agents random number and p is the
+ DH prime from the common parameters. The underlying privacy key
+ for this row is derived from sk by applying the key derivation
+ function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6,
+ and iterationCount of 500, a keyLength of 16 (for
+ usmDESPrivProtocol), and a prf (pseudo random function) of
+ 'id-hmacWithSHA1'. The underlying authentication key for this row
+ is derived from sk by applying the key derivation function PBKDF2
+ with a salt of 0x98dfb5ac , an interation count of 500, a
+ keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of
+ 'id-hmacWithSHA1'. Note: The salts are the first two words in the
+ ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied
+ Cryptography' by Bruce Schnier - they could be any relatively
+ random string of bits.
+
+ The manager can use its knowledge of its own random number and the
+ agent's public value to kickstart its access to the agent in a
+ secure manner. Note that the security of this approach is
+ directly related to the strength of the authorization security of
+ the out of band provisioning of the managers public value
+ (e.g. the configuration file), but is not dependent at all on the
+ strength of the confidentiality of the out of band provisioning
+ data."
+ REFERENCE
+ "-- Password-Based Cryptography Standard, PKCS#5v2.0;
+ RSA Laboratories, March 1999
+ -- Applied Cryptography, 2nd Ed.; B. Schneier,
+ Counterpane Systems; John Wiley & Sons, 1996"
+ ::= { usmDHKickstartEntry 3 }
+
+usmDHKickstartSecurityName OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The usmUserName and usmUserSecurityName in the usmUserTable
+ associated with this row. This is provided in the same manner and
+ at the same time as the usmDHKickstartMgrPublic value -
+ e.g. possibly manually, or via the device's configuration file."
+ ::= { usmDHKickstartEntry 4 }
+
+-- Conformance Information
+
+usmDHKeyMIBCompliances OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 }
+usmDHKeyMIBGroups OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 }
+
+-- Compliance statements
+
+usmDHKeyMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for this module."
+ MODULE
+ GROUP usmDHKeyMIBBasicGroup
+ DESCRIPTION
+ "This group MAY be implemented by any agent which
+ implements the usmUserTable and which wishes to provide the
+ ability to change user and agent authentication and privacy
+ keys via Diffie-Hellman key exchanges."
+
+ GROUP usmDHKeyParamGroup
+ DESCRIPTION
+ "This group MUST be implemented by any agent which
+ implements a MIB containing the DHKeyChange Textual
+ Convention defined in this module."
+
+ GROUP usmDHKeyKickstartGroup
+ DESCRIPTION
+ "This group MAY be implemented by any agent which
+ implements the usmUserTable and which wishes the ability to
+ populate the USM table based on out-of-band provided DH
+ ignition values.
+
+ Any agent implementing this group is expected to provide
+ preinstalled entries in the vacm tables as follows:
+
+ In the usmUserTable: This entry allows access to the
+ system and dhKickstart groups
+
+ usmUserEngineID localEngineID
+ usmUserName 'dhKickstart'
+ usmUserSecurityName 'dhKickstart'
+ usmUserCloneFrom ZeroDotZero
+ usmUserAuthProtocol none
+ usmUserAuthKeyChange ''
+ usmUserOwnAuthKeyChange ''
+ usmUserPrivProtocol none
+ usmUserPrivKeyChange ''
+ usmUserOwnPrivKeyChange ''
+ usmUserPublic ''
+ usmUserStorageType permanent
+ usmUserStatus active
+
+ In the vacmSecurityToGroupTable: This maps the initial
+ user into the accessible objects.
+
+ vacmSecurityModel 3 (USM)
+ vacmSecurityName 'dhKickstart'
+ vacmGroupName 'dhKickstart'
+ vacmSecurityToGroupStorageType permanent
+ vacmSecurityToGroupStatus active
+
+ In the vacmAccessTable: Group name to view name translation.
+
+ vacmGroupName 'dhKickstart'
+ vacmAccessContextPrefix ''
+ vacmAccessSecurityModel 3 (USM)
+ vacmAccessSecurityLevel noAuthNoPriv
+ vacmAccessContextMatch exact
+ vacmAccessReadViewName 'dhKickRestricted'
+ vacmAccessWriteViewName ''
+ vacmAccessNotifyViewName 'dhKickRestricted'
+ vacmAccessStorageType permanent
+ vacmAccessStatus active
+
+ In the vacmViewTreeFamilyTable: Two entries to allow the
+ initial entry to access the system and kickstart groups.
+
+ vacmViewTreeFamilyViewName 'dhKickRestricted'
+ vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system)
+ vacmViewTreeFamilyMask ''
+
+ vacmViewTreeFamilyType 1
+ vacmViewTreeFamilyStorageType permanent
+ vacmViewTreeFamilyStatus active
+
+ vacmViewTreeFamilyViewName 'dhKickRestricted'
+ vacmViewTreeFamilySubtree (usmDHKickstartTable OID)
+ vacmViewTreeFamilyMask ''
+ vacmViewTreeFamilyType 1
+ vacmViewTreeFamilyStorageType permanent
+ vacmViewTreeFamilyStatus active
+ "
+
+ OBJECT usmDHParameters
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "It is compliant to implement this object as read-only for
+ any device."
+ ::= { usmDHKeyMIBCompliances 1 }
+
+-- Units of Compliance
+
+usmDHKeyMIBBasicGroup OBJECT-GROUP
+ OBJECTS {
+ usmDHUserAuthKeyChange,
+ usmDHUserOwnAuthKeyChange,
+ usmDHUserPrivKeyChange,
+ usmDHUserOwnPrivKeyChange
+ }
+ STATUS current
+ DESCRIPTION
+ ""
+ ::= { usmDHKeyMIBGroups 1 }
+
+usmDHKeyParamGroup OBJECT-GROUP
+ OBJECTS {
+ usmDHParameters
+ }
+ STATUS current
+ DESCRIPTION
+ "The mandatory object for all MIBs which use the DHKeyChange
+ textual convention."
+ ::= { usmDHKeyMIBGroups 2 }
+
+usmDHKeyKickstartGroup OBJECT-GROUP
+ OBJECTS {
+ usmDHKickstartMyPublic,
+ usmDHKickstartMgrPublic,
+ usmDHKickstartSecurityName
+ }
+ STATUS current
+ DESCRIPTION
+ "The objects used for kickstarting one or more SNMPv3 USM
+ associations via a configuration file or other out of band,
+ non-confidential access."
+ ::= { usmDHKeyMIBGroups 3 }
+
+END
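Review bot: the private-exponent interval is stated two incompatible ways in this file, and the file's own parameters satisfy only one of them: the DHKeyChange textual convention requires "2^(l-1) <= xa < 2^l < p-1", while usmDHKickstartMyPublic requires "2^(l-1) <= r < p-1 < 2^l", and the Oakley group 2 values given under usmDHKickstartMyPublic (a 1024-bit p with l=1024) make 2^l < p-1 false, so an implementation that followed the TC literally could never pick a valid xa. Since this is the RFC 2786 module being imported verbatim, I would not edit the DESCRIPTION text, but a short comment at the top of the file saying which form the agent code actually follows (the PKCS #3 convention "2^(l-1) <= x < 2^l" is the one the l=1024 case can meet) would save the next reader the same puzzle. Related caveat for whoever implements the SET side: when l is omitted the TC allows "0 <= xa < p-1", and a peer value z of 0 or 1 yields sk = z^xa MOD p that is known to everyone, so the agent should reject those (and p-1) with wrongValue rather than installing the derived key. Two smaller documentation points: usmDHKickstartEntry refers to "usmDhKeyChangeEntry" and "ushDhKeyChangeTable", neither of which is defined here (the objects are usmDHUserKeyEntry / usmDHUserKeyTable), and usmDHKeyMIBBasicGroup ships with an empty DESCRIPTION "". Finally, note that rows created through usmDHKickstartMgrPublic are hardwired to usmHMACMD5AuthProtocol and usmDESPrivProtocol with 16-byte PBKDF2 outputs; an agent implementing usmDHKeyKickstartGroup inherits that choice, so the file's presence in mibs/ should not be read as a recommendation of those protocols for new deployments.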