rfc2786.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 1,124 行 · 第 1/3 页
TXT
1,124 行
Network Working Group M. St. Johns
Request for Comments: 2786 Excite@Home
Category: Experimental March 2000
Diffie-Helman USM Key
Management Information Base and Textual Convention
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
IESG Note
This document specifies an experimental MIB. Readers, implementers
and users of this MIB should be aware that in the future the IETF may
charter an IETF Working Group to develop a standards track MIB to
address the same problem space that this MIB addresses. It is quite
possible that an incompatible standards track MIB may result from
that effort.
Abstract
This memo defines an experimental portion of the Management
Information Base (MIB) for use with network management protocols in
the Internet community. In particular, it defines a textual
convention for doing Diffie-Helman key agreement key exchanges and a
set of objects which extend the usmUserTable to permit the use of a
DH key exchange in addition to the key change method described in
[12]. In otherwords, this MIB adds the possibility of forward secrecy
to the USM model. It also defines a set of objects that can be used
to kick start security on an SNMPv3 agent when the out of band path
is authenticated, but not necessarily private or confidential.
The KeyChange textual convention described in [12] permits secure key
changes, but has the property that if a third-party has knowledge of
the original key (e.g. if the agent was manufactured with a standard
default key) and could capture all SNMP exchanges, the third-party
would know the new key. The Diffie-Helman key change described here
St. Johns Experimental [Page 1]
RFC 2786 Diffie-Helman USM Key March 2000
limits knowledge of the new key to the agent and the manager making
the change. In otherwords, this process adds forward secrecy to the
key change process.
The recommendation in [12] is that the usmUserTable be populated out
of band - e.g. not via SNMP. If the number of agents to be
configured is small, this can be done via a console port and
manually. If the number of agents is large, as is the case for a
cable modem system, the manual approach doesn't scale well. The
combination of the two mechanisms specified here - the DH key change
mechanism, and the DH key ignition mechanism - allows managable use
of SNMPv3 USM in a system of millions of devices.
This memo specifies a MIB module in a manner that is compliant to the
SNMP SMIv2[5][6][7]. The set of objects is consistent with the SNMP
framework and existing SNMP standards and is intended for use with
the SNMPv3 User Security Model MIB and other security related MIBs.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [16].
This memo is a private submission by the author, but is applicable to
the SNMPv3 working group within the Internet Engineering Task Force.
Comments are solicited and should be addressed to the the author.
Table of Contents
1 The SNMP Management Framework ................................. 2
1.1 Structure of the MIB ........................................ 3
2 Theory of Operation ........................................... 4
2.1 Diffie-Helman Key Changes ................................... 4
2.2 Diffie-Helman Key Ignition .................................. 4
3 Definitions ................................................... 6
4 References .................................................... 17
5 Security Considerations ....................................... 18
6 Intellectual Property ......................................... 19
7 Author's Address .............................................. 19
8 Full Copyright Statement ...................................... 20
1. The SNMP Management Framework The SNMP Management Framework
presently consists of five major components:
o An overall architecture, described in RFC 2271 [1].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in STD
St. Johns Experimental [Page 2]
RFC 2786 Diffie-Helman USM Key March 2000
16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The
second version, called SMIv2, is described in STD 58, RFC 2578
[5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in STD 15, RFC 1157 [8]. A second version of the SNMP
message protocol, which is not an Internet standards track
protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC
1906 [10]. The third version of the message protocol is called
SNMPv3 and described in RFC 1906 [10], RFC 2272 [11] and RFC 2274
[12].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in STD 15, RFC 1157 [8]. A second set of protocol
operations and associated PDU formats is described in RFC 1905
[13].
o A set of fundamental applications described in RFC 2273 [14] and
the view-based access control mechanism described in RFC 2275
[15].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.
1.1. Structure of the MIB
This MIB is structured into three groups and a single textual
convention:
o The DHKeyChange textual convention defines the process for
changing a secret key value via a Diffie-Helman key exchange.
o The usmDHPublicObjects group contains a single object which
describes the public Diffie-Helman parameters required by any
instance of a DHKeyChange typed object.
St. Johns Experimental [Page 3]
RFC 2786 Diffie-Helman USM Key March 2000
o The usmDHUserKeyTable augments and extends the usmUserTable
defined in the SNMPv3 User-based Security Model MIB [12] by
providing objects which permit the updating of the Authentication
and Privacy keys for a row in this table through the use of a
Diffie-Helman key exchange.
o The usmDHKickstartTable provides a mechanism for a management
station to be able to agree upon a set of authentication and
confidentiality keys and their associated row in the
usmUserTable.
2. Theory of Operation
2.1. Diffie-Helman Key Changes
Upon row creation (in the usmUserTable), or object change (either of
the object in the usmDHUserKeyTable or its associated value in the
usmUserTable), the agent generates a random number. From this random
number, the agent uses the DH parameters and transforms to derive a
DH public value which is then published to the associated MIB object.
The management station reads one or more of the objects in the
usmDHUserKeyTable to get the agent's DH public values.
The management station generates a random number, derives a DH public
value from that random number (as described in the DHKeyChange
Textual Convention), and does an SNMP SET against the object in the
usmDHUserKeyTable. The set consists of the concatenation of the
agent's derived DH public value and the manager's derived DH public
value (to ensure the DHKeyChange object hasn't otherwise changed in
the meantime).
Upon successful completion of the set, the underlying key
(authentication or confidentiality) for the associated object in the
usmUserTable is changed to a key derived from the DH shared secret.
Both the agent and the management station are able to calculate this
value based on their knowledge of their own random number and the
other's DH public number.
2.2. Diffie-Helman Key Ignition
[12] recommends that the usmUserTable be populated out of band, for
example - manually. This works reasonably well if there are a small
number of agents, or if all the agents are using the same key
material, and if the device is physically accessible for that action.
It does not scale very well to the case of possibly millions of
devices located in thousands of locations in hundreds of markets in
St. Johns Experimental [Page 4]
RFC 2786 Diffie-Helman USM Key March 2000
multiple countries. In other words, it doesn't work well with a
cable modem system, and may not work all that well with other large-
scale consumer broadband IP offerings.
The methods described in the objects under the usmDHKickstartGroup
can be used to populate the usmUserTable in the circumstances where
you may be able to provide at least limited integrity for the
provisioning process, but you can't guarantee confidentiality. In
addition, as a side effect of using the DH exchange, the operational
USM keys for each agent will differ from the operational USM keys for
every other device in the system, ensuring that compromise of one
device does not compromise the system as a whole.
The vendor who implements these objects is expected to provide one or
more usmSecurityNames which map to a set of accesses defined in the
VACM [15] tables. For example, the vendor may provide a 'root' user
who has access to the entire device for read-write, and 'operator'
user who has access to the network specific monitoring objects and
can also reset the device, and a 'customer' user who has access to a
subset of the monitoring objects which can be used to help the
customer debug the device in conjunction with customer service
questions.
To use, the system manager (the organization or individual who own
the group of devices) generates one or more random numbers - R. The
manager derives the DH Public Numbers R' from these random numbers,
associates the public numbers with a security name, and configures
the agent with this association. The configuration would be done
either manually (in the case of a small number of devices), or via
some sort of distributed configuration file. The actual mechanism is
outside the scope of this document. The agent in turn generates a
random number for each name/number pair, and publishes the DH Public
Number derived from its random number in the usmDHKickstartTable
along with the manager's public number and provided security name.
Once the agent is initialized, an SNMP Manager can read the contents
of the usmDHKickstartTable using the security name of 'dhKickstart'
with no authentication. The manager looks for one or more entries in
this table where it knows the random number used to derive the
usmDHKickstartMgrPublic number. Given the manager's knowledge of the
private random number, and the usmDHKickstartMyPublic number, the
manager can calculate the DH shared secret. From that shared secret,
it can derive the operational authentication and confidentiality keys
for the usmUserTable row which has the matching security name. Given
the keys and the security name, the manager can then use normal USM
mechanisms to access the remainder of the agent's MIB space.
St. Johns Experimental [Page 5]
RFC 2786 Diffie-Helman USM Key March 2000
3. Definitions
SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE,
-- OBJECT-IDENTITY,
experimental, Integer32
FROM SNMPv2-SMI
TEXTUAL-CONVENTION
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
usmUserEntry
FROM SNMP-USER-BASED-SM-MIB
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB;
snmpUsmDHObjectsMIB MODULE-IDENTITY
LAST-UPDATED "200003060000Z" -- 6 March 2000, Midnight
ORGANIZATION "Excite@Home"
CONTACT-INFO "Author: Mike StJohns
Postal: Excite@Home
450 Broadway
Redwood City, CA 94063
Email: stjohns@corp.home.net
Phone: +1-650-556-5368"
DESCRIPTION
"The management information definitions for providing forward
secrecy for key changes for the usmUserTable, and for providing a
method for 'kickstarting' access to the agent via a Diffie-Helman
key agreement."
REVISION "200003060000Z"
DESCRIPTION
"Initial version published as RFC 2786."
::= { experimental 101 } -- IANA DHKEY-CHANGE 101
-- Administrative assignments
usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }
-- Textual conventions
St. Johns Experimental [Page 6]
RFC 2786 Diffie-Helman USM Key March 2000
DHKeyChange ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Upon initialization, or upon creation of a row containing an
object of this type, and after any successful SET of this value, a
GET of this value returns 'y' where y = g^xa MOD p, and where g is
the base from usmDHParameters, p is the prime from
usmDHParameters, and xa is a new random integer selected by the
agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the
optional privateValueLength from usmDHParameters in bits. If 'l'
is omitted, then xa (and xr below) is selected in the interval 0
<= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k'
which satisfies
k
y = SUM 2^(8(k-i)) PV'i
i=1
where PV1,...,PVk are the octets of PV from first to last, and
where PV1 <> 0.
A successful SET consists of the value 'y' expressed as an OCTET
STRING as above concatenated with the value 'z'(expressed as an
OCTET STRING in the same manner as y) where z = g^xr MOD p, where
g, p and l are as above, and where xr is a new random integer
selected by the manager in the interval 2^(l-1) <= xr < 2^l <
p-1. A SET to an object of this type will fail with the error
wrongValue if the current 'y' does not match the 'y' portion of
the value of the varbind for the object. (E.g. GET yout, SET
concat(yin, z), yout <> yin).
Note that the private values xa and xr are never transmitted from
manager to device or vice versa, only the values y and z.
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?