A secret value known only to the originator and recipient of the
message is prefixed to the message prior to the digest computation.
Thus, the origin of the message is known implicitly with the
verification of the digest.
Recall from [2] that a SNMP management communication is represented
by an ASN.1 value with the following syntax.
Galvin, McCloghrie, & Davin [Page 11]
RFC 1352 SNMP Security Protocols July 1992
      SnmpMgmtCom ::= [1] IMPLICIT SEQUENCE {
          dstParty
              OBJECT IDENTIFIER,
          srcParty
              OBJECT IDENTIFIER,
          pdu
              PDUs
      }
For each SnmpMgmtCom value that represents a SNMP management
communication, the following statements are true:
o Its dstParty component is called the destination and
identifies the SNMP party to which the communication
is directed.
o Its srcParty component is called the source and
identifies the SNMP party from which the
communication is originated.
o Its pdu component has the form and significance
attributed to it in [1].
Recall from [2] that a SNMP authenticated management communication is
represented by an ASN.1 value with the following syntax.
      SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE {
          authInfo
              ANY,  -- defined by authentication protocol
          authData
              SnmpMgmtCom
      }
For each SnmpAuthMsg value that represents a SNMP authenticated
management communication, the following statements are true:
o Its authInfo component is called the authentication
information and represents information required in
support of the authentication protocol used by the
SNMP party originating the message. The detailed
significance of the authentication information is specific
to the authentication protocol in use; it has no effect on
the application semantics of the communication other
than its use by the authentication protocol in
determining whether the communication is authentic or
not.
o Its authData component is called the authentication
data and represents a SNMP management
communication.
In support of the Digest Authentication Protocol, an authInfo
component is of type AuthInformation:
      AuthInformation ::= [1] IMPLICIT SEQUENCE {
          authTimestamp
              INTEGER (0..2147483647),
          authNonce
              INTEGER (0..2147483647),
          authDigest
              OCTET STRING
      }
For each AuthInformation value that represents authentication
information, the following statements are true:
o Its authTimestamp component is called the
authentication timestamp and represents the time of the
generation of the message according to the
partyAuthClock of the SNMP party that originated
it. Note that the granularity of the authentication
timestamp is 1 second.
o Its authNonce component is called the authentication
nonce and represents a non-negative integer value
evaluated according to the authTimestamp value. In
order not to limit transmission frequency of management
communications to the granularity of the authentication
timestamp, the authentication nonce is provided to
differentiate between multiple messages sent with the
same value of authTimestamp. The authentication
nonce is a monotonically increasing sequence number,
that is reset for each new authentication timestamp
value.
o Its authDigest component is called the authentication
digest and represents the digest computed over an
appropriate portion of the message, where the message is
temporarily prefixed with a secret value for the purposes
of computing the digest.
4.1 Generating a Message
This section describes the behavior of a SNMP protocol entity when it
acts as a SNMP party for which the authentication protocol is
administratively specified as the Digest Authentication Protocol.
Insofar as the behavior of a SNMP protocol entity when transmitting
protocol messages is defined generically in [2], only those aspects
of that behavior that are specific to the Digest Authentication
Protocol are described below. In particular, this section describes
the encapsulation of a SNMP management communication into a SNMP
authenticated management communication.
According to [2], a SnmpAuthMsg value is constructed during Step 3 of
generic processing. In particular, it states the authInfo component
is constructed according to the authentication protocol identified
for the SNMP party originating the message. When the relevant
authentication protocol is the Digest Authentication Protocol, the
procedure performed by a SNMP protocol entity whenever a management
communication is to be transmitted by a SNMP party is as follows.
1. The local database is consulted to determine the
authentication clock, last-timestamp, nonce, and private
authentication key (extracted, for example, according to
the conventions defined in Section 2.4.1) of the SNMP
party originating the message.
2. The authTimestamp component is set to the retrieved
authentication clock value.
3. If the last-timestamp is equal to the authentication
clock, the nonce is incremented. Otherwise the nonce is
set to zero. The authNonce component is set to the
nonce value. In the local database, the originating
SNMP party's nonce and last-timestamp are set to the
nonce value and the authentication clock, respectively.
4. The authentication digest is temporarily set to the
private authentication key. The SnmpAuthMsg value
is serialized according to the conventions of [12] and [1].
A digest is computed over the octet sequence
representing that serialized value using, for example, the
algorithm specified in Section 2.4.1. The authDigest
component is set to the computed digest value.
As set forth in [2], the SnmpAuthMsg value is then encapsulated
according to the appropriate privacy protocol into a SnmpPrivMsg
value. This latter value is then serialized and transmitted to the
receiving SNMP party.
4.2 Receiving a Message
This section describes the behavior of a SNMP protocol entity upon
receipt of a protocol message from a SNMP party for which the
authentication protocol is administratively specified as the Digest
Authentication Protocol. Insofar as the behavior of a SNMP protocol
entity when receiving protocol messages is defined generically in
[2], only those aspects of that behavior that are specific to the
Digest Authentication Protocol are described below.
According to [2], a SnmpAuthMsg value is evaluated during Step 9 of
generic processing. In particular, it states the SnmpAuthMsg value is
evaluated according to the authentication protocol identified for the
SNMP party that originated the message. When the relevant
authentication protocol is the Digest Authentication Protocol, the
procedure performed by a SNMP protocol entity whenever a management
communication is received by a SNMP party is as follows.
1. If the ASN.1 type of the authInfo component is not
AuthInformation, the message is evaluated as
unauthentic. Otherwise, the authTimestamp,
authNonce, and authDigest components are
extracted from the SnmpAuthMsg value.
2. The local database is consulted to determine the
authentication clock, last-timestamp, nonce, private
authentication key (extracted, for example, according to
the conventions defined in Section 2.4.1), and lifetime of
the SNMP party that originated the message.
3. If the authTimestamp component plus the lifetime is
less than the authentication clock, the message is
evaluated as unauthentic.
4. If the authTimestamp component is less than the
last-timestamp recorded for the originating party in the
local database, the message is evaluated as unauthentic.
5. If the authTimestamp component is equal to the
last-timestamp and if the authNonce component is less
than or equal to the nonce, the message is evaluated as
unauthentic.
6. The authDigest component is extracted and
temporarily recorded.
7. A new SnmpAuthMsg value is constructed such that
its authDigest component is set to the private
authentication key and its other components are set to
the value of the corresponding components in the
received SnmpAuthMsg value. This new
SnmpAuthMsg value is serialized according to the
conventions of [12] and [1]. A digest is computed over
the octet sequence representing that serialized value
using, for example, the algorithm specified in
Section 2.4.1.
8. If the computed digest value is not equal to the
previously recorded digest value, the message is
evaluated as unauthentic.
9. The message is evaluated as authentic.
10. The last-timestamp and nonce values locally recorded
for the originating SNMP party are set to the
authTimestamp value and the authNonce value,
respectively.
11. The authentication clock value locally recorded for the
originating SNMP party is advanced to the
authTimestamp value if this latter exceeds the
recorded value.
If the SnmpAuthMsg value is evaluated as unauthentic, an
authentication failure is noted and the received message is discarded
without further processing. Otherwise, processing of the received
message continues as specified in [2].
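The generation procedure of Section 4.1 and the receiving procedure of Section 4.2, worked through together as an added Python example that is not part of RFC 1352. It assumes MD5 as the Section 2.4.1 digest algorithm and substitutes a constructed delimiter format for the BER serialization of [12] and [1]; the per-party state fields mirror the local database entries the steps consult.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class PartyState:       # local database entries for one SNMP party (assumed layout)
    clock: int          # partyAuthClock, 1-second granularity
    last_ts: int        # last-timestamp
    nonce: int
    key: bytes          # private authentication key
    lifetime: int       # consulted only on the receiving side (step 2 of 4.2)

def serialize(ts, nonce, digest, auth_data):
    # Constructed stand-in for BER serialization of SnmpAuthMsg ([12] and [1]).
    return b"%d|%d|" % (ts, nonce) + digest + b"|" + auth_data

def compute_digest(ts, nonce, key, auth_data):
    # authDigest temporarily holds the key while the digest is computed
    # (step 4 of 4.1, step 7 of 4.2); MD5 is assumed per Section 2.4.1.
    return hashlib.md5(serialize(ts, nonce, key, auth_data)).digest()

def generate(sender, auth_data):
    ts = sender.clock                                  # step 2: authTimestamp
    sender.nonce = sender.nonce + 1 if sender.last_ts == ts else 0   # step 3
    sender.last_ts = ts
    nonce = sender.nonce
    return (ts, nonce, compute_digest(ts, nonce, sender.key, auth_data), auth_data)

def receive(receiver, msg):
    """Return True if msg is authentic; update receiver state only on success."""
    if len(msg) != 4:                                  # step 1: wrong authInfo type
        return False
    ts, nonce, digest, auth_data = msg
    if ts + receiver.lifetime < receiver.clock:        # step 3: message too old
        return False
    if ts < receiver.last_ts:                          # step 4: earlier timestamp replayed
        return False
    if ts == receiver.last_ts and nonce <= receiver.nonce:   # step 5: replay within 1 s
        return False
    expected = compute_digest(ts, nonce, receiver.key, auth_data)   # step 7
    if not hmac.compare_digest(expected, digest):      # step 8 (constant-time compare)
        return False
    receiver.last_ts, receiver.nonce = ts, nonce       # step 10
    receiver.clock = max(receiver.clock, ts)           # step 11
    return True
```

Note that the replay checks in steps 3 to 5 run before the digest is recomputed, so a replayed or stale message is rejected without spending a digest computation on it.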
5. Symmetric Privacy Protocol
This section describes the Symmetric Privacy Protocol. It provides
for protection from disclosure of a received message. An appropriate
portion of the message is encrypted according to a secret key known
only to the originator and recipient of the message.
This protocol assumes the underlying mechanism is a symmetric
encryption algorithm. In addition, the message to be encrypted must
be protected according to the conventions of the Digest
Authentication Protocol.
Recall from [2] that a SNMP private management communication is
represented by an ASN.1 value with the following syntax.
      SnmpPrivMsg ::= [1] IMPLICIT SEQUENCE {
          privDst
              OBJECT IDENTIFIER,
          privData
              [1] IMPLICIT OCTET STRING
      }