New Auth draft (as promised :-)
uri@watson.ibm.com Mon, 07 August 1995 21:24 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa20813; 7 Aug 95 17:24 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa20809; 7 Aug 95 17:24 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa21433; 7 Aug 95 17:24 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa24644; 7 Aug 95 16:47 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa24631; 7 Aug 95 16:17 EDT
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: uri@watson.ibm.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from watson.ibm.com(129.34.139.4) by relay.tis.com via smap (g3.0.1) id xma020139; Mon, 7 Aug 95 16:08:41 -0400
Received: from WATSON by watson.ibm.com (IBM VM SMTP V2R3) with BSMTP id 5803; Mon, 07 Aug 95 16:16:37 EDT
Received: from YKTVMV by watson.vnet.ibm.com with "VAGENT.V1.01 on VAGENT2" id 9095; Mon, 7 Aug 1995 16:16:35 EDT
Received: from buoy.watson.ibm.com by yktvmv.watson.ibm.com (IBM VM SMTP V2Rx) with TCP; Mon, 07 Aug 95 16:16:34 EDT
Received: by buoy.watson.ibm.com (AIX 3.2/UCB 5.64/900524) id AA23661; Mon, 7 Aug 1995 16:16:15 -0400
Message-Id: <9508072016.AA23661@buoy.watson.ibm.com>
Subject: New Auth draft (as promised :-)
To: snmpv2@tis.com
Date: Mon, 07 Aug 1995 16:16:15 -0500
Cc: "Bert Wijnen (home +31-3480-12498" <wijnen@uitvm1.vnet.ibm.com>, "Nguyen C. Hien" <hien@watson.ibm.com>, Beverly Pederson <pedersn@watson.ibm.com>, Sigmund Handelman <handel@watson.ibm.com>, natale@acec.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Reply-To: uri@watson.ibm.com
X-Mailer: ELM [version 2.4 PL20]
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Content-Length: 15264
Hi,
First - sorry about the delay, but there were some last-time
updates Friday evening flying between USA and Netherlands,
and then I wake up pretty late in Mondays (:-).
Anyways, here's the proposal to authenticate community-based
messages.
Internet Draft SNMPv1a August 1995
SNMPv1a
Simple Authentication/Integrity for
Community-based SNMP messages
Wed Aug 4th, 13:23 EDT 1995
Uri Blumenthal, Nguyen C. Hien, Bert Wijnen
T.J. Watson Research Center, IBM Corp.
Yorktown Heights, NY, USA
Bob Natale
ACE*COMM
Gaithersburg, MD, USA
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as 'work in
progress'.
Expires January 1996 [Page 1]
"
Internet-Draft SNMPv1a August 1995
1. Introduction
The authors of this document are quite familiar with the various
proposals that have been made concerning the SNMPv2 security
architecture and some authors have actually implemented the various
proposals and have shown that implementation is possible in an
interoperable manner.
However, it is apparent from this experience and other sources and
forms of evidence that the SNMPv2 security architecture has not
achieved the same degree of consensus that the other parts of
SNMPv2 have achieved. Furthermore, some analyses of the proposed
SNMPv2 security architecture suggest that it might face significant
hurdles in the marketplace due to its inherent complexity and
susceptibility to rapidly changing technology alternatives.
But while the jury is still out discussing the merits of the
protocols and methods proposed, SNMP has no security at all.
This proposal will show how with almost zero implementation costs
one can plug the biggest hole in SNMPv1 - namely passwords being
sent in clear, and at the same time maintain 100% compatibility
with existing SNMPv1 implementations.
The only goal of this proposal is to prevent eavesdropping on the
password (community names in SNMPv1). But as a freebee, both message
integrity and source authentication (to the level of belonging to
the given community) are achieved. Implementation complexity and
extra code size/performance hits are negligible, which allows
quick deployment and wide usage until a more complete security
procedures are agreed upon and accepted by the market.
Expires January 1996 [Page 1]
"
Internet-Draft SNMPv1a August 1995
2. Elements of the Model
Every community which wants to utilize this approach, gets a
password assigned to it, in addition to the traditional
"community name". From this password, 16-bytes long key
is derived as in Waldbusser's Simplified Configuration
and in SCM draft (see "password2key()" routine).
The new message format is exactly the same as the old SNMPv1
message format. The only difference is, that the last nine
bytes of the community string encoded have special meaning.
This old message with slightly different community string
(but the encoding stays the same!) we will call SNMPv1a
message, and the procedure - SNMPv1a.
Community name is what community string is in SNMPv1. In
SNMPv1a community name doesn't need to be kept secret,
because it's the password, associated with it, that
needs to be secret, and it never corsses the network.
Thus, the encoded community string will look like:
TAG: OCTET STRING
LENGTH: length of the community name plus 9
DATE: <community string> 0 <eight bytes of digest>
Digest is generated using MD5 with padded prepended and appended
key, as described in Section 3.
That's all!
2.1. Community names
To grossly simplify the life of numan Network Managers and of
SNMP implementors, it's recommended to restrict the community
names in SNMPv1a to non-zero printable strings. Pending SNMPv2
WG approval, "it's recommended" will be substituted by "must".
2.2 One more recommendation
In order to deal with response replays, it would be useful to
not generate request-id from zero, but treat it as TestAndIncr
in SNMPv2 documents. I.e. initialize it with random value,then
increment it one by one and either preserve it accross reboots,
or reinitialize with random value again.
Of course, for sensitive Set operations and such, TestAndIncr
or SNMPv2t and SNMPv2 will protect against request replay as
well (i.e. having a TestAndIncr object associated with the
MIB group or MIB object one writes to).
Expires January 1996 [Page 2]
"
Internet-Draft SNMPv1a August 1995
3 Elements of Procedure
This section describes the procedures followed by an SNMPv1a entity
in processing SNMPv1a messages.
3.1 Generating a Request, a Response, or a Notification
1. Information concerning the communityName is extracted from the
LCD. The transport domain and transport address to which the
operation is to be sent is determined.
2. The operation is serialized (i.e., encoded) according to the
conventions of [10] or [11] into a PDUs value.
3. An SNMPv1a message is constructed using the ASN.1 Message
syntax with the version component set to the value 1, but
nine zero bytes are appended to the community name prior
to serialization.
4. The constructed Message value is serialized (i.e., encoded)
according to the conventions of [10] for SNMPv1, or [11]
for SNMPv1a.
5. The key, derived from the community password is prepended to
the message and padded to the length of 512 bits with one
1 bit and 383 zero bits, then appended to it (appended
key isn't padded). For reference see [12].
6. MD5 is run over the resulting octet string (as in SNMPv2, see
[4], [5] and other SNMPv2-related drafts).
7. First eight bytes of resulting MD5 digest are placed after the
first zero byte which follows community string (so that there
is one zero byte between the community string and eight bytes
of message digest). Why only eight bytes - see [13].
5. The resulting serialized Message value is transmitted to the
determined transport address.
3.2 Processing a Received Communication
Everything's exactly as in SNMPv1, except for the following:
1. If the entire community string is found in the local
database, the message is believed to be SNMPv1 and is
processed accordingly. Otherwise - proceed to (2).
2. If community string without the last nine bytes is found in
the local database, and the first byte of the last nine bytes
is zero, the last eight bytes are stored as a received digest
and their place in the message is zeroed. As a note, if an
extra restriction is applied to community names, forcing them
to be printable strings, as most of the community strings in
the real world are today - the dealing with them can be grossly
simplified.
3. If there's no key associated with this community, no further
authentication is performed and the received digest is discarded.
4. If the key is found, it's prepended-padded and appended to the
message (as in Section 3.1 and in [12], MD5 is run over it, and
the first eight bytes of the resulting digest are compared with
the received digest. If they match, the message is authentic,
otherwise it's not.
Expires January 1996 [Page 3]
"
Internet-Draft SNMPv1a August 1995
4 Security Considerations
The method described guarantees authentication (ensures the message
came from a member of given community) and message integrity. In
addition, it accomplishes the goal of this proposal - to stop
sending passwords in clear.
This method doesn't completely protect against message replays,
which was not a goal of this intermediate step, aimed at providing
temporary fix to the worst existing problem in SNMPv1 security.
Usage of MD5 in this method differs from "traditional" SNMP approach.
This is due to the latest results in cryptanalysis of keyed hash
functions used for authentication (see [12], [13], [14], [15], 16]).
5 References
[1] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, Introduction to SNMPv2, SNMP Research Inc,
Cisco Systems Inc, Dover Beach Consulting Inc, Carnegie Mellon
University, draft-kzm-snmpv2-intro-alt-00.txt, June 1995.
[2] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, SMI formation for version 2 of the Simple
Network Management Protocol (SNMPv2), SNMP Research Inc, Cisco
Systems Inc, Dover Beach Consulting Inc, Carnegie Mellon
University, draft-kzm-snmpv2-smi-alt-00.txt, June 1995.
[3] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, Textual Conventions for version 2 of the
Simple Network Management Protocol (SNMPv2), SNMP Research
Inc, Cisco Systems Inc, Dover Beach Consulting Inc, Carnegie
Mellon University, draft-kzm-snmpv2-tc-alt-00.txt, June 1995.
[4] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, Protocol Operations for version 2 of the
Simple Network Management Protocol (SNMPv2), SNMP Research
Inc, Cisco Systems Inc, Dover Beach Consulting Inc, Carnegie
Mellon University, draft-kzm-snmpv2-proto-alt-00.txt, June
1995.
[5] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, Transport Mappings for version 2 of the
Simple Network Management Protocol (SNMPv2), SNMP Research
Inc, Cisco Systems Inc, Dover Beach Consulting Inc, Carnegie
Mellon University, draft-kzm-snmpv2-tm-alt-00.txt, June 1995.
Expires January 1996 [Page 4]
"
Internet-Draft SNMPv1a August 1995
[6] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, Management Information Base for version 2
of the Simple Network Management Protocol (SNMPv2), SNMP
Research Inc, Cisco Systems Inc, Dover Beach Consulting Inc,
Carnegie Mellon University, draft-kzm-snmpv2-mib-alt-00.txt,
June 1995.
[7] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, Conformance Statements for version 2 of the
Simple Network Management Protocol (SNMPv2), SNMP Research
Inc, Cisco Systems Inc, Dover Beach Consulting Inc, Carnegie
Mellon University, draft-kzm-snmpv2-conf-alt-00.txt, June
1995.
[8] Jeffrey D. Case, Keith McCloghrie, Marshall T. Rose and Keith
Steven Waldbusser, Coexistence between version 1 and version 2
of the Internet-standard Network Management Framework, SNMP
Research Inc, Cisco Systems Inc, Dover Beach Consulting Inc,
Carnegie Mellon University, draft-kzm-snmpv2-coex-alt-00.txt,
June 1995.
[9] James M. Galvin, Keith McCloghrie, Marshall T. Rose and Glen
Waters, User Based Security Model for version 2 of the Simple
Network Management Protocol (SNMPv2), Trusted Information
Systems, Cisco Systemc Inc, Dover Beach Consulting Inc, Bell
Northern Research, draft-kzm-snmpv2-sec-alt-00.txt, June 1995.
[10] Jeffrey D. Case, Mark Fedor, Martin Lee Schoffstall and James
R. Davin, Simple Network Management Protocol (SNMP), SNMP
Research, Performance Systems International, MIT Laboratory
for Computer Science, RFC 1157, May 1990.
[11] Bert Wijnen, Uri Blumenthal, Nguyen. C. Hien, Bob Natale
SNMPv1a Simple Network Management Protocol Version 2 with
Transitional Authentication. July 1995, Internet Draft.
[12] Hugo Krawczyk, Keyed MD5 for Message Authentication,
June 1995, Internet Draft.
[13] Bart Preenel and Paul van Oorschot, MDx-MAC and Buinding Fast
MACs from Hash Functions,
to appear in Proceedings of CRYPTO-95, Springer-Verlag, LNCS,
August 1995.
[14] Paul van Oorschot, personal communications.
[15] M. Bellare, R. Canetti, and H. Krawczyk, Keing MD5 - Message
Authentication via Iterated Pseudo-randomness", manuscript.
[16] B. Kaliski and M. Robshaw, Message Authentication with MD5,
RSA Labs' CryptoBytes, Vol. 1 No. 1, Spring 1995.
Expires January 1996 [Page 5]
"
Internet-Draft SNMPv1a August 1995
6 Authors' Addresses
Uri Blumenthal
IBM T.J.Watson Research Center
P. O. Box 218
Yorktown Heights, NY 10598
USA
Phone: +1-914-945-1267
E-mail: uri@watson.ibm.com
Nguyen C. Hien
IBM T.J.Watson Research Center
P. O. Box 218
Yorktown Heights, NY 10598
USA
Phone: +1-914-945-2806
E-mail: hien@watson.ibm.com
Bob Natale
ACE*COMM
209 Perry Pkwy
Gaitherburg MD 20877
USA
Fax: +1-301-921-0434
Phone: +1-301-258-9850
E-mail: natale@acec.com
Bert Wijnen
IBM International Operations
Watsonweg 2
1423 ND Uithoorn
The Netherlands
Phone: +31-2975-53316
Fax: +31-2975-62468
E-mail: wijnen@vnet.ibm.com
Expires January 1996 [Page 6]
"
--
Regards,
Uri uri@watson.ibm.com N2RIU
-=-=-=-=-=-
<Disclamer>