rfc2786.mib
SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE,
    -- OBJECT-IDENTITY,
    experimental, Integer32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    usmUserEntry
        FROM SNMP-USER-BASED-SM-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB;

snmpUsmDHObjectsMIB MODULE-IDENTITY
    LAST-UPDATED "200003060000Z"        -- 6 March 2000, Midnight
    ORGANIZATION "Excite@Home"
    CONTACT-INFO "Author: Mike StJohns
                  Postal: Excite@Home
                          450 Broadway
                          Redwood City, CA 94063
                  Email:  stjohns@corp.home.net
                  Phone:  +1-650-556-5368"
    DESCRIPTION
        "The management information definitions for providing forward
        secrecy for key changes for the usmUserTable, and for providing
        a method for 'kickstarting' access to the agent via a
        Diffie-Hellman key agreement."
    REVISION "200003060000Z"
    DESCRIPTION
        "Initial version published as RFC 2786."
    ::= { experimental 101 }            -- IANA DHKEY-CHANGE 101

-- Administrative assignments

usmDHKeyObjects      OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
usmDHKeyConformance  OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }

-- Textual conventions

DHKeyChange ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Upon initialization, or upon creation of a row containing an
        object of this type, and after any successful SET of this value,
        a GET of this value returns 'y' where y = g^xa MOD p, and where
        g is the base from usmDHParameters, p is the prime from
        usmDHParameters, and xa is a new random integer selected by the
        agent in the interval 2^(l-1) <= xa < 2^l < p-1.  'l' is the
        optional privateValueLength from usmDHParameters in bits.  If
        'l' is omitted, then xa (and xr below) is selected in the
        interval 0 <= xa < p-1.

        y is expressed as an OCTET STRING 'PV' of length 'k' which
        satisfies

                 k
            y =  SUM 2^(8(k-i)) PV'i
                i=1

        where PV1,...,PVk are the octets of PV from first to last, and
        where PV1 <> 0.

        A successful SET consists of the value 'y' expressed as an OCTET
        STRING as above concatenated with the value 'z' (expressed as an
        OCTET STRING in the same manner as y) where z = g^xr MOD p,
        where g, p and l are as above, and where xr is a new random
        integer selected by the manager in the interval
        2^(l-1) <= xr < 2^l < p-1.  A SET to an object of this type will
        fail with the error wrongValue if the current 'y' does not match
        the 'y' portion of the value of the varbind for the object.
        (E.g. GET yout, SET concat(yin, z), yout <> yin).

        Note that the private values xa and xr are never transmitted
        from manager to device or vice versa, only the values y and z.
        Obviously, these values must be retained until a successful SET
        on the associated object.

        The shared secret 'sk' is calculated at the agent as
        sk = z^xa MOD p, and at the manager as sk = y^xr MOD p.

        Each object definition of this type MUST describe how to map
        from the shared secret 'sk' to the operational key value used by
        the protocols and operations related to the object.  In general,
        if n bits of key are required, the author suggests using the n
        right-most bits of the shared secret as the operational key
        value."
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS #3;
            RSA Laboratories, November 1993"
    SYNTAX OCTET STRING

-- Diffie-Hellman public values

usmDHPublicObjects OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 }

usmDHParameters OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The public Diffie-Hellman parameters for doing a Diffie-Hellman
        key agreement for this device.  This is encoded as an ASN.1
        DHParameter per PKCS #3, section 9.  E.g.

            DHParameter ::= SEQUENCE {
                prime               INTEGER,   -- p
                base                INTEGER,   -- g
                privateValueLength  INTEGER OPTIONAL }

        Implementors are encouraged to use either the values from Oakley
        Group 1 or the values from Oakley Group 2 as specified in
        RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the
        default for this object.  Other values may be used, but the
        security properties of those values MUST be well understood and
        MUST meet the requirements of PKCS #3 for the selection of
        Diffie-Hellman primes.

        In addition, any time usmDHParameters changes, all values of
        type DHKeyChange will change and new random numbers MUST be
        generated by the agent for each DHKeyChange object."
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS #3,
            RSA Laboratories, November 1993
         -- The Internet Key Exchange, RFC 2409, November 1998,
            Sec 6.1, 6.2"
    ::= { usmDHPublicObjects 1 }

usmDHUserKeyTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsmDHUserKeyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table augments and extends the usmUserTable and provides 4
        objects which exactly mirror the objects in that table with the
        textual convention of 'KeyChange'.  This extension allows key
        changes to be done in a manner where the knowledge of the
        current secret plus knowledge of the key change data exchanges
        (e.g. via wiretapping) will not reveal the new key."
    ::= { usmDHPublicObjects 2 }

usmDHUserKeyEntry OBJECT-TYPE
    SYNTAX      UsmDHUserKeyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row of DHKeyChange objects which augment or replace the
        functionality of the KeyChange objects in the base table row."
    AUGMENTS { usmUserEntry }
    ::= { usmDHUserKeyTable 1 }

UsmDHUserKeyEntry ::= SEQUENCE {
    usmDHUserAuthKeyChange     DHKeyChange,
    usmDHUserOwnAuthKeyChange  DHKeyChange,
    usmDHUserPrivKeyChange     DHKeyChange,
    usmDHUserOwnPrivKeyChange  DHKeyChange
}

usmDHUserAuthKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change any given user's Authentication Key
        using a Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is
        the number of bits required for the protocol defined by
        usmUserAuthProtocol, are installed as the operational
        authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 1 }

usmDHUserOwnAuthKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change the agent's own Authentication Key
        using a Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is
        the number of bits required for the protocol defined by
        usmUserAuthProtocol, are installed as the operational
        authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 2 }

usmDHUserPrivKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change any given user's Privacy Key using a
        Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is
        the number of bits required for the protocol defined by
        usmUserPrivProtocol, are installed as the operational privacy
        key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 3 }

usmDHUserOwnPrivKeyChange OBJECT-TYPE
    SYNTAX      DHKeyChange
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The object used to change the agent's own Privacy Key using a
        Diffie-Hellman key exchange.

        The right-most n bits of the shared secret 'sk', where 'n' is
        the number of bits required for the protocol defined by
        usmUserPrivProtocol, are installed as the operational privacy
        key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 4 }

usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 }

usmDHKickstartTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsmDHKickstartEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of mappings between zero or more Diffie-Hellman key
        agreement values and entries in the usmUserTable.  Entries in
        this table are created by providing the associated device with
        a Diffie-Hellman public value and a usmUserName/usmUserSecurityName
        pair during initialization.  How these values are provided is
        outside the scope of this MIB, but could be provided manually,
        or through a configuration file.

        Valid public value/name pairs result in the creation of a row in
        this table as well as the creation of an associated row (with
        keys derived as indicated) in the usmUserTable.  The actual
        access the related usmSecurityName has is dependent on the
        entries in the VACM tables.  In general, an implementor will
        specify one or more standard security names and will provide
        entries in the VACM tables granting various levels of access to
        those names.  The actual content of the VACM table is beyond
        the scope of this MIB.

        Note: This table is expected to be readable without
        authentication using the usmUserSecurityName 'dhKickstart'.
        See the conformance statements for details."
    ::= { usmDHKickstartGroup 1 }

usmDHKickstartEntry OBJECT-TYPE
    SYNTAX      UsmDHKickstartEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the usmDHKickstartTable.  The agent SHOULD either
        delete this entry or mark it as inactive upon a successful SET
        of any of the KeyChange-typed objects in the usmUserEntry or
        upon a successful SET of any of the DHKeyChange-typed objects in
        the usmDhKeyChangeEntry where the related usmSecurityName (e.g.
        row of usmUserTable or row of ushDhKeyChangeTable) equals this
        entry's usmDhKickstartSecurityName.  In other words, once you've
        changed one or more of the keys for a row in usmUserTable with a
        particular security name, the row in this table with that same
        security name is no longer useful or meaningful."
    INDEX { usmDHKickstartIndex }
    ::= { usmDHKickstartTable 1 }

UsmDHKickstartEntry ::= SEQUENCE {
    usmDHKickstartIndex      Integer32,
    usmDHKickstartMyPublic   OCTET STRING,
    usmDHKickstartMgrPublic  OCTET STRING,
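The DHKeyChange exchange described by the textual convention above, modelled end to end as an added example (not code from the MIB or its author): an agent-side object publishes y, the manager SETs concat(y, z), both sides derive sk and take its right-most n bits, and a replayed SET against the rotated y fails with wrongValue. The prime, base, privateValueLength and the 64-bit key width are constructed toy values so the script runs offline; the MIB itself directs real agents to the Oakley Group 1/2 parameters from RFC 2409.

```python
import secrets

# Constructed toy parameters (M127 is prime but far too small for real use);
# real agents carry Oakley Group 1/2 values (RFC 2409) in usmDHParameters.
P, G, L = (1 << 127) - 1, 3, 120      # prime p, base g, privateValueLength l

def encode_pv(v):
    """OCTET STRING 'PV' per the TC: big-endian, minimal length, so PV1 <> 0."""
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")

def private_value(p, l):
    """2^(l-1) <= x < 2^l when l is present, otherwise 0 <= x < p-1."""
    return secrets.randbelow(p - 1) if l is None else (1 << (l - 1)) | secrets.randbits(l - 1)

def operational_key(sk, n_bits):
    """The n right-most bits of sk, as each object's DESCRIPTION prescribes."""
    return (sk & ((1 << n_bits) - 1)).to_bytes(n_bits // 8, "big")

class DHKeyChangeObject:
    """Agent side of one DHKeyChange-typed object (e.g. usmDHUserAuthKeyChange)."""
    def __init__(self, key_bits=64):
        self.key_bits, self.key = key_bits, None
        self._rekey()

    def _rekey(self):
        # Fresh xa (never transmitted) and fresh y on init and after every good SET.
        self.xa = private_value(P, L)
        self.y = encode_pv(pow(G, self.xa, P))

    def set(self, varbind):
        # SET payload is concat(y, z); a stale or foreign y is rejected with wrongValue.
        if varbind[:len(self.y)] != self.y:
            return "wrongValue"
        z = int.from_bytes(varbind[len(self.y):], "big")
        self.key = operational_key(pow(z, self.xa, P), self.key_bits)  # sk = z^xa MOD p
        self._rekey()
        return "noError"

def manager_set(y, key_bits=64):
    """Manager side: build concat(y, z) and derive sk = y^xr MOD p locally."""
    xr = private_value(P, L)
    z = encode_pv(pow(G, xr, P))
    return y + z, operational_key(pow(int.from_bytes(y, "big"), xr, P), key_bits)

def run_exchange():
    """One key change, then a replay of the same SET against the rotated y."""
    obj = DHKeyChangeObject()
    varbind, manager_key = manager_set(obj.y)      # GET yout, SET concat(yin, z)
    first = obj.set(varbind)
    return first, obj.key == manager_key, obj.set(varbind)
```

Only y and z cross the wire, so an observer who also holds the old USM key still cannot compute sk, which is the forward-secrecy property the usmDHUserKeyTable description claims.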