Re: [Agentx] SNMP v3 Security Considerations
"Randy Presuhn" <randy_presuhn@mindspring.com> Fri, 13 June 2008 17:35 UTC
Return-Path: <agentx-bounces@ietf.org>
X-Original-To: agentx-archive@megatron.ietf.org
Delivered-To: ietfarch-agentx-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B37A93A69A9; Fri, 13 Jun 2008 10:35:20 -0700 (PDT)
X-Original-To: agentx@core3.amsl.com
Delivered-To: agentx@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4A1153A69A9 for <agentx@core3.amsl.com>; Fri, 13 Jun 2008 10:35:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.474
X-Spam-Level:
X-Spam-Status: No, score=-2.474 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8TOppQWS3dI3 for <agentx@core3.amsl.com>; Fri, 13 Jun 2008 10:35:19 -0700 (PDT)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64]) by core3.amsl.com (Postfix) with ESMTP id 5200F3A68CE for <agentx@ietf.org>; Fri, 13 Jun 2008 10:35:19 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=PaxgbchXeIRYx3VAWq8anv3mw8Iv4L4Embbm6QY4W5OUTsfllQyoMDQaMC1Bt2TH; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
Received: from [68.164.89.67] (helo=oemcomputer) by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <randy_presuhn@mindspring.com>) id 1K7DBn-0006QE-2l for agentx@ietf.org; Fri, 13 Jun 2008 13:35:51 -0400
Message-ID: <000a01c8cd7c$0bc29740$6801a8c0@oemcomputer>
From: Randy Presuhn <randy_presuhn@mindspring.com>
To: agentx@ietf.org
References: <48528A12.3020800@aa.aeonnet.ne.jp>
Date: Fri, 13 Jun 2008 10:36:42 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-ELNK-Trace: 4488c18417c9426da92b9037bc8bcf44d4c20f6b8d69d888a63b7957ab9b23b3b32461e5e5ec879708ad851ead50f695350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 68.164.89.67
Subject: Re: [Agentx] SNMP v3 Security Considerations
X-BeenThere: agentx@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SNMP Agent Extensibility <agentx.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/agentx>, <mailto:agentx-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/agentx>
List-Post: <mailto:agentx@ietf.org>
List-Help: <mailto:agentx-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/agentx>, <mailto:agentx-request@ietf.org?subject=subscribe>
Sender: agentx-bounces@ietf.org
Errors-To: agentx-bounces@ietf.org
Hi - Though slightly off-topic for this list.... > From: <wbenton@aa.aeonnet.ne.jp> > To: <agentx@ietf.org> > Sent: Friday, June 13, 2008 7:54 AM > Subject: [Agentx] SNMP v3 Security Considerations ... > In that concern, I think a WARNING should be added for the following > combinatoric usage: > > 1) If SNMP v3 AuthPriv is used in combination with AuthNoPriv > 2) If SNMP v3 AuthPriv is used in combination with NoAuthNoPriv > 3) If SNMP v3 AuthPriv is used in combination with SNMP v2c > 4) If SNMP v3 AuthPriv is used in combination with SNMP v1 > > All 4 of the above combinations include Encrypted data as well as > PlainText data. > > If any device is configured simultaneously with any one or more of the > above combinations, they will be virtually giving away their Encryption > Key because if a device is configured with any PlainText along side > Encrypted text, it will make it very easy to crack the key! It may be "very easy to crack the key" (for differing opinions of "very easy"), but having some unencrypted messages available doesn't really make the job significantly "easier." First, the queries coming from most management systems are rather predictable, except perhaps for the request-id. Furthermore, ASN.1 BER encoding is predictable enough to allow an automated brute-force attack to determine whether it has found the key. Having access to other request/response pairs which are not encrypted doesn't provide the attacker with a plaintext that is better known. Secondly, and more importantly, having a plaintext is not all that helpful in figuring out the key for CBC-DES - it just provides a way of verifying that one has found the correct key. However, BER encoding is brittle enough that if the result of decrypting with an attack key passes the parse unscathed, the key is likely to be the right one. RFC 3826 could also be used if you wanted a different value for "very easy". Randy
- [Agentx] SNMP v3 Security Considerations wbenton@aa.aeonnet.ne.jp
- Re: [Agentx] SNMP v3 Security Considerations Randy Presuhn