SNMP V3 question - SNMP


  1. SNMP V3 question

    Hi,

    From USM MIB rfc, the algorithms to convert passwords to keys using SHA
    (16 octets) and MD5 (20 octets) are provided. For authKey, either of
    them will be used depending on the usmUserAuthProtocol.

    How about for privKey which requires 16 octet key ? Which algorithm is
    selected to do password to privkey generation ? Does it depend on
    usmUserAuthProtocol ?

    Thanks in advance
    -Priya



  2. Re: SNMP V3 question


    "Priya Mollyn" wrote in message
    news:3FB16C1E.5D8919AE@cisco.com...
    > Hi,
    >
    > From USM MIB rfc, the algorithms to convert passwords to keys using SHA
    > (16 octets) and MD5 (20 octets) are provided. For authKey, either of
    > them will be used depending on the usmUserAuthProtocol.
    >


    It is the other way around--MD5 is 16 octets, and SHA is 20.

    > How about for privKey which requires 16 octet key ? Which algorithm is
    > selected to do password to privkey generation ?


    CBC-DES for one. See Section 8 of RFC 3414

    > Does it depend on
    > usmUserAuthProtocol ?
    >


    No, it depends on usmUserPrivProtocol


    HTH,

    --
    Shripathi Kamath
    NETAPHOR SOFTWARE INC.
    http://www.netaphor.com



  3. Re: SNMP V3 question


    "Shripathi Kamath"
    wrote in message news:vr2tgso6tndp79@corp.supernews.com...
    >
    > "Priya Mollyn" wrote in message
    > news:3FB16C1E.5D8919AE@cisco.com...
    > > Hi,
    > >
    > > From USM MIB rfc, the algorithms to convert passwords to keys using SHA
    > > (16 octets) and MD5 (20 octets) are provided. For authKey, either of
    > > them will be used depending on the usmUserAuthProtocol.
    > >

    >
    > It is the other way around--MD5 is 16 octets, and SHA is 20.


    yes, this is the right one.
    >
    > > How about for privKey which requires 16 octet key ? Which algorithm is
    > > selected to do password to privkey generation ?

    >
    > CBC-DES for one. See Section 8 of RFC 3414


    But it does not mention about the algorithm used to generate the privacyKey.
    Also in Appendix A.2, it says, both these algorithms can be used to generate
    authentication and privacy keys.

    A.2. Password to Key Algorithm

    A sample code fragment (section A.2.1) demonstrates the password to
    key algorithm which can be used when mapping a password to an
    authentication or privacy key using MD5. The reference source code
    of MD5 is available in [RFC1321].

    Another sample code fragment (section A.2.2) demonstrates the
    password to key algorithm which can be used when mapping a password
    to an authentication or privacy key using SHA (documented in SHA-
    NIST).

    Thx.
    -Priya
    >
    > > Does it depend on
    > > usmUserAuthProtocol ?
    > >

    >
    > No, it depends on usmUserPrivProtocol
    >
    >
    > HTH,
    >
    > --
    > Shripathi Kamath
    > NETAPHOR SOFTWARE INC.
    > http://www.netaphor.com
    >
    >




  4. Re: SNMP V3 question


    "Priya Mollyn" wrote in message
    news:1068596084.730604@sj-nntpcache-3...
    >
    > "Shripathi Kamath"
    > wrote in message news:vr2tgso6tndp79@corp.supernews.com...
    > >
    > > "Priya Mollyn" wrote in message
    > > news:3FB16C1E.5D8919AE@cisco.com...
    > > > Hi,
    > > >
    > > > From USM MIB rfc, the algorithms to convert passwords to keys using SHA
    > > > (16 octets) and MD5 (20 octets) are provided. For authKey, either of
    > > > them will be used depending on the usmUserAuthProtocol.
    > > >

    > >
    > > It is the other way around--MD5 is 16 octets, and SHA is 20.

    >
    > yes, this is the right one.
    > >
    > > > How about for privKey which requires 16 octet key ? Which algorithm is
    > > > selected to do password to privkey generation ?

    > >
    > > CBC-DES for one. See Section 8 of RFC 3414

    >
    > But it does not mention about the algorithm used to generate the privacyKey.
    > Also in Appendix A.2, it says, both these algorithms can be used to generate
    > authentication and privacy keys.
    >


    Which is correct. You can use MD5 or SHA for authentication. If you use
    MD5, use MD5 for producing the privacy key, and if you use SHA, use SHA for
    producing the privacy key.

    The first sixteen octets of the privacy key are used in either case.

    So when using MD5, the privacy password to key produces 16 octets
    and when using SHA, the privacy password to key produces 20 octets

    In the second case, use the first 16 octets.

    See Page 85 of the RFC:

    +++
    For the key used for privacy, the new localized key would be (note that they
    localized key gets truncated to 16 octets for DES):
    +++


    HTH,

    --
    Shripathi Kamath
    NETAPHOR SOFTWARE INC.
    http://www.netaphor.com



  5. Re: SNMP V3 question

    HI,

    see inline questions below...

    On Tue, 11 Nov 2003, it was written:

    >
    > "Priya Mollyn" wrote in message
    > news:3FB16C1E.5D8919AE@cisco.com...
    > > Hi,
    > >
    > > From USM MIB rfc, the algorithms to convert passwords to keys using SHA
    > > (16 octets) and MD5 (20 octets) are provided. For authKey, either of
    > > them will be used depending on the usmUserAuthProtocol.
    > >

    >
    > It is the other way around--MD5 is 16 octets, and SHA is 20.
    >
    > > How about for privKey which requires 16 octet key ? Which algorithm is
    > > selected to do password to privkey generation ?

    >
    > CBC-DES for one. See Section 8 of RFC 3414

    Would you be more specific. I read section A.2 to say that the
    same key that is generated is used for BOTH the auth and priv
    key. And, I would assume if this is correct that only first
    16 bytes of the 20 byte output from SHA is used.
    Can you, or others, verify.

    >
    > > Does it depend on
    > > usmUserAuthProtocol ?
    > >

    >
    > No, it depends on usmUserPrivProtocol

    Again, it appears that section A.2 says differently. Please
    verify.

    >
    >
    > HTH,
    >
    > --
    > Shripathi Kamath
    > NETAPHOR SOFTWARE INC.
    > http://www.netaphor.com

    Regards,
    /david t. perkins


  6. Re: SNMP V3 question


    wrote in message
    news:Pine.BSF.4.44.0311120527060.74293-100000@snmpinfo.com...
    > HI,
    >
    > see inline questions below...
    >
    > On Tue, 11 Nov 2003, it was written:
    >
    > >
    > > "Priya Mollyn" wrote in message
    > > news:3FB16C1E.5D8919AE@cisco.com...
    > > > Hi,
    > > >
    > > > From USM MIB rfc, the algorithms to convert passwords to keys using SHA
    > > > (16 octets) and MD5 (20 octets) are provided. For authKey, either of
    > > > them will be used depending on the usmUserAuthProtocol.
    > > >

    > >
    > > It is the other way around--MD5 is 16 octets, and SHA is 20.
    > >
    > > > How about for privKey which requires 16 octet key ? Which algorithm is
    > > > selected to do password to privkey generation ?

    > >
    > > CBC-DES for one. See Section 8 of RFC 3414

    > Would you be more specific. I read section A.2 to say that the
    > same key that is generated is used for BOTH the auth and priv
    > key. And, I would assume if this is correct that only first
    > 16 bytes of the 20 byte output from SHA is used.
    > Can you, or others, verify.
    >


    That is correct. See Section 8, and the example on Page 86 (not 85 as I
    incorrectly mentioned in my other reply).

    What Section A.2 provides is a means of localizing a password to a key.

    Given an authentication password, it can be used to produce an
    authentication key.

    Given a privacy password, it can be used to produce a privacy key.

    You can make both the passwords to be the same, in which case they'll
    produce the same key. When using SHA, and using CBC-DES for privacy, the
    first 16 octets of the localized privacy key are used. (Page 85 shows an
    example of truncation when using SHA)

    > >
    > > > Does it depend on
    > > > usmUserAuthProtocol ?
    > > >

    > >
    > > No, it depends on usmUserPrivProtocol

    > Again, it appears that section A.2 says differently. Please
    > verify.
    >


    The algorithm used for privacy is as indicated by the usmUserPrivProtocol.
    Currently only CBC-DES is mentioned in the RFC although people have
    implemented AES and IDEA among some other protocols.

    --
    Shripathi Kamath
    NETAPHOR SOFTWARE INC.
    http://www.netaphor.com
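
The derivation described in the replies above, as an added example that is not part of the original thread: the password-to-key and localization steps of RFC 3414 A.2, using the hash that matches the authentication protocol for both keys, then truncating the privacy key to 16 octets for CBC-DES. The function names are illustrative; the password and engine ID are the sample values from RFC 3414 Appendix A.3.

```python
import hashlib

# usmUserAuthProtocol -> hash used for BOTH password-to-key derivations,
# following the reading given in the thread.
AUTH_HASH = {
    "usmHMACMD5AuthProtocol": "md5",   # 16-octet digest
    "usmHMACSHAAuthProtocol": "sha1",  # 20-octet digest
}


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 octets of the repeated password (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_protocol, auth_password, priv_password, engine_id):
    """Return (authKey, privKey) for a user whose privacy protocol is CBC-DES."""
    h = AUTH_HASH[auth_protocol]
    auth_key = localize(password_to_key(auth_password, h), engine_id, h)
    priv_key = localize(password_to_key(priv_password, h), engine_id, h)
    # MD5 already yields 16 octets; SHA yields 20 and is cut to the first 16.
    return auth_key, priv_key[:16]


# Sample input from RFC 3414 Appendix A.3.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for proto in AUTH_HASH:
        auth_key, priv_key = usm_keys(proto, PASSWORD, PASSWORD, ENGINE_ID)
        print(proto)
        print("  authKey:", auth_key.hex(), f"({len(auth_key)} octets)")
        print("  privKey:", priv_key.hex(), f"({len(priv_key)} octets)")
```

With the same password for authentication and privacy, the privacy key is simply the first 16 octets of the authentication key, which is the truncation the RFC example refers to.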





  7. Re: SNMP V3 question

    Thanks for more details.
    -Priya

    "Shripathi Kamath"
    wrote in message news:vr2vpg8rvpmr6c@corp.supernews.com...
    >
    > "Priya Mollyn" wrote in message
    > news:1068596084.730604@sj-nntpcache-3...
    > >
    > > "Shripathi Kamath"
    > > wrote in message news:vr2tgso6tndp79@corp.supernews.com...
    > > >
    > > > "Priya Mollyn" wrote in message
    > > > news:3FB16C1E.5D8919AE@cisco.com...
    > > > > Hi,
    > > > >
    > > > > From USM MIB rfc, the algorithms to convert passwords to keys using SHA
    > > > > (16 octets) and MD5 (20 octets) are provided. For authKey, either of
    > > > > them will be used depending on the usmUserAuthProtocol.
    > > > >
    > > >
    > > > It is the other way around--MD5 is 16 octets, and SHA is 20.

    > >
    > > yes, this is the right one.
    > > >
    > > > > How about for privKey which requires 16 octet key ? Which algorithm is
    > > > > selected to do password to privkey generation ?
    > > >
    > > > CBC-DES for one. See Section 8 of RFC 3414

    > >
    > > But it does not mention about the algorithm used to generate the privacyKey.
    > > Also in Appendix A.2, it says, both these algorithms can be used to generate
    > > authentication and privacy keys.
    > >

    >
    > Which is correct. You can use MD5 or SHA for authentication. If you use
    > MD5, use MD5 for producing the privacy key, and if you use SHA, use SHA for
    > producing the privacy key.
    >
    > The first sixteen octets of the privacy key are used in either case.
    >
    > So when using MD5, the privacy password to key produces 16 octets
    > and when using SHA, the privacy password to key produces 20 octets
    >
    > In the second case, use the first 16 octets.
    >
    > See Page 85 of the RFC:
    >
    > +++
    > For the key used for privacy, the new localized key would be (note that they
    > localized key gets truncated to 16 octets for DES):
    > +++
    >
    >
    > HTH,
    >
    > --
    > Shripathi Kamath
    > NETAPHOR SOFTWARE INC.
    > http://www.netaphor.com
    >
    >