Diffstat (limited to 'data/mibs/SNMP-USM-DH-OBJECTS-MIB.txt')
-rw-r--r-- | data/mibs/SNMP-USM-DH-OBJECTS-MIB.txt | 532 |
1 files changed, 0 insertions, 532 deletions
diff --git a/data/mibs/SNMP-USM-DH-OBJECTS-MIB.txt b/data/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
deleted file mode 100644
index 7377425c0..000000000
--- a/data/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
+++ /dev/null
@@ -1,532 +0,0 @@ -SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN - -IMPORTS - MODULE-IDENTITY, OBJECT-TYPE, - -- OBJECT-IDENTITY, - experimental, Integer32 - FROM SNMPv2-SMI - TEXTUAL-CONVENTION - FROM SNMPv2-TC - MODULE-COMPLIANCE, OBJECT-GROUP - FROM SNMPv2-CONF - usmUserEntry - FROM SNMP-USER-BASED-SM-MIB - SnmpAdminString - FROM SNMP-FRAMEWORK-MIB; - -snmpUsmDHObjectsMIB MODULE-IDENTITY - LAST-UPDATED "200003060000Z" -- 6 March 2000, Midnight - ORGANIZATION "Excite@Home" - CONTACT-INFO "Author: Mike StJohns - Postal: Excite@Home - 450 Broadway - Redwood City, CA 94063 - Email: stjohns@corp.home.net - Phone: +1-650-556-5368" - DESCRIPTION - "The management information definitions for providing forward - secrecy for key changes for the usmUserTable, and for providing a - method for 'kickstarting' access to the agent via a Diffie-Helman - key agreement." - - REVISION "200003060000Z" - DESCRIPTION - "Initial version published as RFC 2786." - ::= { experimental 101 } -- IANA DHKEY-CHANGE 101 - --- Administrative assignments - -usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 } -usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 } - --- Textual conventions - -DHKeyChange ::= TEXTUAL-CONVENTION - STATUS current - DESCRIPTION - "Upon initialization, or upon creation of a row containing an - object of this type, and after any successful SET of this value, a - GET of this value returns 'y' where y = g^xa MOD p, and where g is - the base from usmDHParameters, p is the prime from - usmDHParameters, and xa is a new random integer selected by the - agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the - optional privateValueLength from usmDHParameters in bits. If 'l' - is omitted, then xa (and xr below) is selected in the interval 0 - <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k' - which satisfies - - k - y = SUM 2^(8(k-i)) PV'i - i=1 - - where PV1,...,PVk are the octets of PV from first to last, and - where PV1 <> 0. 
- - A successful SET consists of the value 'y' expressed as an OCTET - STRING as above concatenated with the value 'z'(expressed as an - OCTET STRING in the same manner as y) where z = g^xr MOD p, where - g, p and l are as above, and where xr is a new random integer - selected by the manager in the interval 2^(l-1) <= xr < 2^l < - p-1. A SET to an object of this type will fail with the error - wrongValue if the current 'y' does not match the 'y' portion of - the value of the varbind for the object. (E.g. GET yout, SET - concat(yin, z), yout <> yin). - - Note that the private values xa and xr are never transmitted from - manager to device or vice versa, only the values y and z. - Obviously, these values must be retained until a successful SET on - the associated object. - - The shared secret 'sk' is calculated at the agent as sk = z^xa MOD - p, and at the manager as sk = y^xr MOD p. - - Each object definition of this type MUST describe how to map from - the shared secret 'sk' to the operational key value used by the - protocols and operations related to the object. In general, if n - bits of key are required, the author suggests using the n - right-most bits of the shared secret as the operational key value." - REFERENCE - "-- Diffie-Hellman Key-Agreement Standard, PKCS #3; - RSA Laboratories, November 1993" - SYNTAX OCTET STRING - --- Diffie Hellman public values - -usmDHPublicObjects OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 } - -usmDHParameters OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "The public Diffie-Hellman parameters for doing a Diffie-Hellman - key agreement for this device. This is encoded as an ASN.1 - DHParameter per PKCS #3, section 9. E.g. 
- - DHParameter ::= SEQUENCE { - prime INTEGER, -- p - base INTEGER, -- g - privateValueLength INTEGER OPTIONAL } - - Implementors are encouraged to use either the values from - Oakley Group 1 or the values of from Oakley Group 2 as specified - in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the - default for this object. Other values may be used, but the - security properties of those values MUST be well understood and - MUST meet the requirements of PKCS #3 for the selection of - Diffie-Hellman primes. - - In addition, any time usmDHParameters changes, all values of - type DHKeyChange will change and new random numbers MUST be - generated by the agent for each DHKeyChange object." - REFERENCE - "-- Diffie-Hellman Key-Agreement Standard, PKCS #3, - RSA Laboratories, November 1993 - -- The Internet Key Exchange, RFC 2409, November 1998, - Sec 6.1, 6.2" - ::= { usmDHPublicObjects 1 } - -usmDHUserKeyTable OBJECT-TYPE - SYNTAX SEQUENCE OF UsmDHUserKeyEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - "This table augments and extends the usmUserTable and provides - 4 objects which exactly mirror the objects in that table with the - textual convention of 'KeyChange'. This extension allows key - changes to be done in a manner where the knowledge of the current - secret plus knowledge of the key change data exchanges (e.g. via - wiretapping) will not reveal the new key." - ::= { usmDHPublicObjects 2 } - -usmDHUserKeyEntry OBJECT-TYPE - SYNTAX UsmDHUserKeyEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - "A row of DHKeyChange objects which augment or replace the - functionality of the KeyChange objects in the base table row." 
- AUGMENTS { usmUserEntry } - ::= {usmDHUserKeyTable 1 } - -UsmDHUserKeyEntry ::= SEQUENCE { - usmDHUserAuthKeyChange DHKeyChange, - usmDHUserOwnAuthKeyChange DHKeyChange, - usmDHUserPrivKeyChange DHKeyChange, - usmDHUserOwnPrivKeyChange DHKeyChange - } - -usmDHUserAuthKeyChange OBJECT-TYPE - SYNTAX DHKeyChange - MAX-ACCESS read-create - STATUS current - DESCRIPTION - "The object used to change any given user's Authentication Key - using a Diffie-Hellman key exchange. - - The right-most n bits of the shared secret 'sk', where 'n' is the - number of bits required for the protocol defined by - usmUserAuthProtocol, are installed as the operational - authentication key for this row after a successful SET." - ::= { usmDHUserKeyEntry 1 } - -usmDHUserOwnAuthKeyChange OBJECT-TYPE - SYNTAX DHKeyChange - MAX-ACCESS read-create - STATUS current - DESCRIPTION - "The object used to change the agents own Authentication Key - using a Diffie-Hellman key exchange. - - The right-most n bits of the shared secret 'sk', where 'n' is the - number of bits required for the protocol defined by - usmUserAuthProtocol, are installed as the operational - authentication key for this row after a successful SET." - ::= { usmDHUserKeyEntry 2 } - -usmDHUserPrivKeyChange OBJECT-TYPE - SYNTAX DHKeyChange - MAX-ACCESS read-create - STATUS current - DESCRIPTION - "The object used to change any given user's Privacy Key using - a Diffie-Hellman key exchange. - - The right-most n bits of the shared secret 'sk', where 'n' is the - number of bits required for the protocol defined by - usmUserPrivProtocol, are installed as the operational privacy key - for this row after a successful SET." - ::= { usmDHUserKeyEntry 3 } - -usmDHUserOwnPrivKeyChange OBJECT-TYPE - SYNTAX DHKeyChange - MAX-ACCESS read-create - STATUS current - DESCRIPTION - "The object used to change the agent's own Privacy Key using a - Diffie-Hellman key exchange. 
- - The right-most n bits of the shared secret 'sk', where 'n' is the - number of bits required for the protocol defined by - usmUserPrivProtocol, are installed as the operational privacy key - for this row after a successful SET." - ::= { usmDHUserKeyEntry 4 } - -usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 } - -usmDHKickstartTable OBJECT-TYPE - SYNTAX SEQUENCE OF UsmDHKickstartEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - "A table of mappings between zero or more Diffie-Helman key - agreement values and entries in the usmUserTable. Entries in this - table are created by providing the associated device with a - Diffie-Helman public value and a usmUserName/usmUserSecurityName - pair during initialization. How these values are provided is - outside the scope of this MIB, but could be provided manually, or - through a configuration file. Valid public value/name pairs - result in the creation of a row in this table as well as the - creation of an associated row (with keys derived as indicated) in - the usmUserTable. The actual access the related usmSecurityName - has is dependent on the entries in the VACM tables. In general, - an implementor will specify one or more standard security names - and will provide entries in the VACM tables granting various - levels of access to those names. The actual content of the VACM - - table is beyond the scope of this MIB. - - Note: This table is expected to be readable without authentication - using the usmUserSecurityName 'dhKickstart'. See the conformance - statements for details." - ::= { usmDHKickstartGroup 1 } - -usmDHKickstartEntry OBJECT-TYPE - SYNTAX UsmDHKickstartEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - "An entry in the usmDHKickstartTable. 
The agent SHOULD either - delete this entry or mark it as inactive upon a successful SET of - any of the KeyChange-typed objects in the usmUserEntry or upon a - successful SET of any of the DHKeyChange-typed objects in the - usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of - usmUserTable or row of ushDhKeyChangeTable) equals this entry's - usmDhKickstartSecurityName. In otherwords, once you've changed - one or more of the keys for a row in usmUserTable with a - particular security name, the row in this table with that same - security name is no longer useful or meaningful." - INDEX { usmDHKickstartIndex } - ::= {usmDHKickstartTable 1 } - -UsmDHKickstartEntry ::= SEQUENCE { - usmDHKickstartIndex Integer32, - usmDHKickstartMyPublic OCTET STRING, - usmDHKickstartMgrPublic OCTET STRING, - usmDHKickstartSecurityName SnmpAdminString - } - -usmDHKickstartIndex OBJECT-TYPE - SYNTAX Integer32 (1..2147483647) - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - "Index value for this row." - ::= { usmDHKickstartEntry 1 } - -usmDHKickstartMyPublic OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "The agent's Diffie-Hellman public value for this row. At - - initialization, the agent generates a random number and derives - its public value from that number. This public value is published - here. This public value 'y' equals g^r MOD p where g is the from - the set of Diffie-Hellman parameters, p is the prime from those - parameters, and r is a random integer selected by the agent in the - interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is - a random integer selected in the interval 0 <= r < p-1 - - The public value is expressed as an OCTET STRING 'PV' of length - 'k' which satisfies - - k - y = SUM 2^(8(k-i)) PV'i - i = 1 - - where PV1,...,PVk are the octets of PV from first to last, and - where PV1 != 0. 
- - The following DH parameters (Oakley group #2, RFC 2409, sec 6.1, - 6.2) are used for this object: - - g = 2 - p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 - FFFFFFFF FFFFFFFF - l=1024 - " - REFERENCE - "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4; - RSA Laboratories, November 1993 - -- The Internet Key Exchange, RFC2409; - Harkins, D., Carrel, D.; November 1998" - ::= { usmDHKickstartEntry 2 } - -usmDHKickstartMgrPublic OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "The manager's Diffie-Hellman public value for this row. Note - that this value is not set via the SNMP agent, but may be set via - some out of band method, such as the device's configuration file. - - The manager calculates this value in the same manner and using the - same parameter set as the agent does. E.g. it selects a random - number 'r', calculates y = g^r mod p and provides 'y' as the - public number expressed as an OCTET STRING. See - usmDHKickstartMyPublic for details. 
- - When this object is set with a valid value during initialization, - a row is created in the usmUserTable with the following values: - - usmUserEngineID localEngineID - usmUserName [value of usmDHKickstartSecurityName] - usmUserSecurityName [value of usmDHKickstartSecurityName] - usmUserCloneFrom ZeroDotZero - usmUserAuthProtocol usmHMACMD5AuthProtocol - usmUserAuthKeyChange -- derived from set value - usmUserOwnAuthKeyChange -- derived from set value - usmUserPrivProtocol usmDESPrivProtocol - usmUserPrivKeyChange -- derived from set value - usmUserOwnPrivKeyChange -- derived from set value - usmUserPublic '' - usmUserStorageType permanent - usmUserStatus active - - A shared secret 'sk' is calculated at the agent as sk = - mgrPublic^r mod p where r is the agents random number and p is the - DH prime from the common parameters. The underlying privacy key - for this row is derived from sk by applying the key derivation - function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6, - and iterationCount of 500, a keyLength of 16 (for - usmDESPrivProtocol), and a prf (pseudo random function) of - 'id-hmacWithSHA1'. The underlying authentication key for this row - is derived from sk by applying the key derivation function PBKDF2 - with a salt of 0x98dfb5ac , an interation count of 500, a - keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of - 'id-hmacWithSHA1'. Note: The salts are the first two words in the - ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied - Cryptography' by Bruce Schnier - they could be any relatively - random string of bits. - - The manager can use its knowledge of its own random number and the - agent's public value to kickstart its access to the agent in a - secure manner. Note that the security of this approach is - directly related to the strength of the authorization security of - the out of band provisioning of the managers public value - (e.g. 
the configuration file), but is not dependent at all on the - strength of the confidentiality of the out of band provisioning - data." - REFERENCE - "-- Password-Based Cryptography Standard, PKCS#5v2.0; - RSA Laboratories, March 1999 - -- Applied Cryptography, 2nd Ed.; B. Schneier, - Counterpane Systems; John Wiley & Sons, 1996" - ::= { usmDHKickstartEntry 3 } - -usmDHKickstartSecurityName OBJECT-TYPE - SYNTAX SnmpAdminString - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "The usmUserName and usmUserSecurityName in the usmUserTable - associated with this row. This is provided in the same manner and - at the same time as the usmDHKickstartMgrPublic value - - e.g. possibly manually, or via the device's configuration file." - ::= { usmDHKickstartEntry 4 } - --- Conformance Information - -usmDHKeyMIBCompliances OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 } -usmDHKeyMIBGroups OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 } - --- Compliance statements - -usmDHKeyMIBCompliance MODULE-COMPLIANCE - STATUS current - DESCRIPTION - "The compliance statement for this module." - MODULE - GROUP usmDHKeyMIBBasicGroup - DESCRIPTION - "This group MAY be implemented by any agent which - implements the usmUserTable and which wishes to provide the - ability to change user and agent authentication and privacy - keys via Diffie-Hellman key exchanges." - - GROUP usmDHKeyParamGroup - DESCRIPTION - "This group MUST be implemented by any agent which - implements a MIB containing the DHKeyChange Textual - Convention defined in this module." - - GROUP usmDHKeyKickstartGroup - DESCRIPTION - "This group MAY be implemented by any agent which - implements the usmUserTable and which wishes the ability to - populate the USM table based on out-of-band provided DH - ignition values. 
- - Any agent implementing this group is expected to provide - preinstalled entries in the vacm tables as follows: - - In the usmUserTable: This entry allows access to the - system and dhKickstart groups - - usmUserEngineID localEngineID - usmUserName 'dhKickstart' - usmUserSecurityName 'dhKickstart' - usmUserCloneFrom ZeroDotZero - usmUserAuthProtocol none - usmUserAuthKeyChange '' - usmUserOwnAuthKeyChange '' - usmUserPrivProtocol none - usmUserPrivKeyChange '' - usmUserOwnPrivKeyChange '' - usmUserPublic '' - usmUserStorageType permanent - usmUserStatus active - - In the vacmSecurityToGroupTable: This maps the initial - user into the accessible objects. - - vacmSecurityModel 3 (USM) - vacmSecurityName 'dhKickstart' - vacmGroupName 'dhKickstart' - vacmSecurityToGroupStorageType permanent - vacmSecurityToGroupStatus active - - In the vacmAccessTable: Group name to view name translation. - - vacmGroupName 'dhKickstart' - vacmAccessContextPrefix '' - vacmAccessSecurityModel 3 (USM) - vacmAccessSecurityLevel noAuthNoPriv - vacmAccessContextMatch exact - vacmAccessReadViewName 'dhKickRestricted' - vacmAccessWriteViewName '' - vacmAccessNotifyViewName 'dhKickRestricted' - vacmAccessStorageType permanent - vacmAccessStatus active - - In the vacmViewTreeFamilyTable: Two entries to allow the - initial entry to access the system and kickstart groups. - - vacmViewTreeFamilyViewName 'dhKickRestricted' - vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system) - vacmViewTreeFamilyMask '' - - vacmViewTreeFamilyType 1 - vacmViewTreeFamilyStorageType permanent - vacmViewTreeFamilyStatus active - - vacmViewTreeFamilyViewName 'dhKickRestricted' - vacmViewTreeFamilySubtree (usmDHKickstartTable OID) - vacmViewTreeFamilyMask '' - vacmViewTreeFamilyType 1 - vacmViewTreeFamilyStorageType permanent - vacmViewTreeFamilyStatus active - " - - OBJECT usmDHParameters - MIN-ACCESS read-only - DESCRIPTION - "It is compliant to implement this object as read-only for - any device." 
- ::= { usmDHKeyMIBCompliances 1 } - --- Units of Compliance - -usmDHKeyMIBBasicGroup OBJECT-GROUP - OBJECTS { - usmDHUserAuthKeyChange, - usmDHUserOwnAuthKeyChange, - usmDHUserPrivKeyChange, - usmDHUserOwnPrivKeyChange - } - STATUS current - DESCRIPTION - "" - ::= { usmDHKeyMIBGroups 1 } - -usmDHKeyParamGroup OBJECT-GROUP - OBJECTS { - usmDHParameters - } - STATUS current - DESCRIPTION - "The mandatory object for all MIBs which use the DHKeyChange - textual convention." - ::= { usmDHKeyMIBGroups 2 } - -usmDHKeyKickstartGroup OBJECT-GROUP - OBJECTS { - usmDHKickstartMyPublic, - usmDHKickstartMgrPublic, - usmDHKickstartSecurityName - } - STATUS current - DESCRIPTION - "The objects used for kickstarting one or more SNMPv3 USM - associations via a configuration file or other out of band, - non-confidential access." - ::= { usmDHKeyMIBGroups 3 } - -END |