| draft-ietf-opsawg-hmac-sha-2-usm-snmp-00.txt | draft-ietf-opsawg-hmac-sha-2-usm-snmp-01.txt | |||
|---|---|---|---|---|
| OPSAWG J. Merkle, Ed. | OPSAWG J. Merkle, Ed. | |||
| Internet-Draft Secunet Security Networks | Internet-Draft Secunet Security Networks | |||
| Intended status: Informational M. Lochter | Intended status: Informational M. Lochter | |||
| Expires: June 15, 2015 BSI | Expires: July 23, 2015 BSI | |||
| December 12, 2014 | January 19, 2015 | |||
| HMAC-SHA-2 Authentication Protocols in USM for SNMP | HMAC-SHA-2 Authentication Protocols in USM for SNMP | |||
| draft-ietf-opsawg-hmac-sha-2-usm-snmp-00 | draft-ietf-opsawg-hmac-sha-2-usm-snmp-01 | |||
| Abstract | Abstract | |||
| This memo specifies new HMAC-SHA-2 authentication protocols for the | This memo specifies new HMAC-SHA-2 authentication protocols for the | |||
| User-based Security Model (USM) for SNMPv3 defined in RFC 3414. | User-based Security Model (USM) for SNMPv3 defined in RFC 3414. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 32 | skipping to change at page 1, line 32 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 15, 2015. | This Internet-Draft will expire on July 23, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 4, line 29 | skipping to change at page 4, line 29 | |||
| the HMAC computation according to [RFC2104], as opposed to the MD5 | the HMAC computation according to [RFC2104], as opposed to the MD5 | |||
| hash function [RFC1321] and SHA-1 hash function [SHA] used in | hash function [RFC1321] and SHA-1 hash function [SHA] used in | |||
| HMAC-MD5-96 and HMAC-SHA-96, respectively. Consequently, the | HMAC-MD5-96 and HMAC-SHA-96, respectively. Consequently, the | |||
| length of the message digest prior to truncation is 224 bits for | length of the message digest prior to truncation is 224 bits for | |||
| SHA-224 based protocol, 256 bits for SHA-256 based protocol, 384 | SHA-224 based protocol, 256 bits for SHA-256 based protocol, 384 | |||
| bits for SHA-384 based protocol, and 512 bits for SHA-512 based | bits for SHA-384 based protocol, and 512 bits for SHA-512 based | |||
| protocol. | protocol. | |||
| o The resulting message digest (output of HMAC) is truncated to | o The resulting message digest (output of HMAC) is truncated to | |||
| * 16 octets for usm128HMACSHA224AuthProtocol | * 16 octets for usmHMAC128SHA224AuthProtocol | |||
| * 24 octets for usm192HMACSHA256AuthProtocol | * 24 octets for usmHMAC192SHA256AuthProtocol | |||
| * 32 octets for usm256HMACSHA384AuthProtocol | * 32 octets for usmHMAC256SHA384AuthProtocol | |||
| * 48 octets for usm384HMACSHA512AuthProtocol | * 48 octets for usmHMAC384SHA512AuthProtocol | |||
| as opposed to the truncation to 12 octets in HMAC-MD5-96 and HMAC- | as opposed to the truncation to 12 octets in HMAC-MD5-96 and HMAC- | |||
| SHA-96. | SHA-96. | |||
| o The user's secret key to be used when calculating a digest MUST | o The user's secret key to be used when calculating a digest MUST | |||
| be: | be: | |||
| * 28 octets long and derived with SHA-224 for the SHA-224 based | * 28 octets long and derived with SHA-224 for the SHA-224 based | |||
| protocol usmHMAC128SHA224AuthProtocol | protocol usmHMAC128SHA224AuthProtocol | |||
| skipping to change at page 7, line 40 | skipping to change at page 7, line 40 | |||
| 8. Definitions | 8. Definitions | |||
| SNMP-USM-HMAC-SHA2-MIB DEFINITIONS ::= BEGIN | SNMP-USM-HMAC-SHA2-MIB DEFINITIONS ::= BEGIN | |||
| IMPORTS | IMPORTS | |||
| MODULE-IDENTITY, OBJECT-IDENTITY, | MODULE-IDENTITY, OBJECT-IDENTITY, | |||
| snmpModules FROM SNMPv2-SMI -- [RFC2578] | snmpModules FROM SNMPv2-SMI -- [RFC2578] | |||
| snmpAuthProtocols FROM SNMP-FRAMEWORK-MIB; -- [RFC3411] | snmpAuthProtocols FROM SNMP-FRAMEWORK-MIB; -- [RFC3411] | |||
| snmpUsmHmacSha2MIB MODULE-IDENTITY | snmpUsmHmacSha2MIB MODULE-IDENTITY | |||
| LAST-UPDATED "201408280000Z" -- 28 August 2014, midnight | LAST-UPDATED "201501150000Z" -- 25 January 2015, midnight | |||
| ORGANIZATION "SNMPv3 Working Group" | ORGANIZATION "SNMPv3 Working Group" | |||
| CONTACT-INFO "WG email: OPSAWG@ietf.org | CONTACT-INFO "WG email: OPSAWG@ietf.org | |||
| Subscribe: https://www.ietf.org/mailman/listinfo/opsawg | Subscribe: https://www.ietf.org/mailman/listinfo/opsawg | |||
| Editor: Johannes Merkle | Editor: Johannes Merkle | |||
| secunet Security Networks | secunet Security Networks | |||
| postal: Mergenthaler Allee 77 | postal: Mergenthaler Allee 77 | |||
| D-65760 Eschborn | D-65760 Eschborn | |||
| Germany | Germany | |||
| phone: +49 20154543091 | phone: +49 20154543091 | |||
| email: johannes.merkle@secunet.com | email: johannes.merkle@secunet.com | |||
| skipping to change at page 8, line 25 | skipping to change at page 8, line 25 | |||
| Security Model. | Security Model. | |||
| Copyright (C) The Internet Society (2004). | Copyright (C) The Internet Society (2004). | |||
| This version of this MIB module is part of RFC TBD; | This version of this MIB module is part of RFC TBD; | |||
| see the RFC itself for full legal notices. | see the RFC itself for full legal notices. | |||
| Supplementary information may be available on | Supplementary information may be available on | |||
| http://www.ietf.org/copyrights/ianamib.html." | http://www.ietf.org/copyrights/ianamib.html." | |||
| -- RFC Ed.: replace TBD with actual RFC number & remove this line | -- RFC Ed.: replace TBD with actual RFC number & remove this line | |||
| REVISION "201403060000Z" | REVISION "201501150000Z" | |||
| DESCRIPTION "Initial version, published as RFC TBD" | DESCRIPTION "Initial version, published as RFC TBD" | |||
| -- RFC Ed.: replace TBD with actual RFC number & remove this line | -- RFC Ed.: replace TBD with actual RFC number & remove this line | |||
| ::= { snmpModules nn } -- nn to be assigned by IANA | ::= { snmpModules nn } -- nn to be assigned by IANA | |||
| -- RFC Ed.: replace nn with actual number assigned by IANA & remove this line | -- RFC Ed.: replace nn with actual number assigned by IANA & remove this line | |||
| usmHmac128Sha224Protocol OBJECT-IDENTITY | usmHMAC128SHA224Protocol OBJECT-IDENTITY | |||
| STATUS current | STATUS current | |||
| DESCRIPTION "The HMAC-SHA-224-128 Authentication Protocol. | DESCRIPTION "The Authentication Protocol usmHMAC128SHA224AuthProtocol. | |||
| Uses HMAC-SHA-224 and truncates output to 128 bits." | Uses HMAC-SHA-224 and truncates output to 128 bits." | |||
| REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | |||
| Keyed-Hashing for Message Authentication, RFC 2104. | Keyed-Hashing for Message Authentication, RFC 2104. | |||
| - National Institute of Standards and Technology, | - National Institute of Standards and Technology, | |||
| Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | |||
| ::= { snmpAuthProtocols aa } -- aa to be assigned by IANA | ::= { snmpAuthProtocols aa } -- aa to be assigned by IANA | |||
| -- RFC Ed.: replace aa with actual number assigned by IANA & remove this line | -- RFC Ed.: replace aa with actual number assigned by IANA & remove this line | |||
| usmHmac192Sha256Protocol OBJECT-IDENTITY | usmHMAC192SHA256Protocol OBJECT-IDENTITY | |||
| STATUS current | STATUS current | |||
| DESCRIPTION "The HMAC-SHA-256-192 Authentication Protocol. | DESCRIPTION "The Authentication Protocol usmHMAC192SHA256AuthProtocol. | |||
| Uses HMAC-SHA-256 and truncates output to 192 bits." | Uses HMAC-SHA-256 and truncates output to 192 bits." | |||
| REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | |||
| Keyed-Hashing for Message Authentication, RFC 2104. | Keyed-Hashing for Message Authentication, RFC 2104. | |||
| - National Institute of Standards and Technology, | - National Institute of Standards and Technology, | |||
| Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | |||
| ::= { snmpAuthProtocols bb } -- bb to be assigned by IANA | ::= { snmpAuthProtocols bb } -- bb to be assigned by IANA | |||
| -- RFC Ed.: replace cc with actual number assigned by IANA & remove this line | -- RFC Ed.: replace cc with actual number assigned by IANA & remove this line | |||
| usmHmac256Sha384Protocol OBJECT-IDENTITY | usmHMAC256SHA384Protocol OBJECT-IDENTITY | |||
| STATUS current | STATUS current | |||
| DESCRIPTION "The HMAC-SHA-384-256 Authentication Protocol. | DESCRIPTION "The Authentication Protocol usmHMAC256SHA384AuthProtocol. | |||
| Uses HMAC-SHA-384 and truncates output to 256 bits." | Uses HMAC-SHA-384 and truncates output to 256 bits." | |||
| REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | |||
| Keyed-Hashing for Message Authentication, RFC 2104. | Keyed-Hashing for Message Authentication, RFC 2104. | |||
| - National Institute of Standards and Technology, | - National Institute of Standards and Technology, | |||
| Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | |||
| ::= { snmpAuthProtocols cc } -- cc to be assigned by IANA | ::= { snmpAuthProtocols cc } -- cc to be assigned by IANA | |||
| -- RFC Ed.: replace dd with actual number assigned by IANA & remove this line | -- RFC Ed.: replace dd with actual number assigned by IANA & remove this line | |||
| usmHmac384Sha512Protocol OBJECT-IDENTITY | usmHMAC384SHA12Protocol OBJECT-IDENTITY | |||
| STATUS current | STATUS current | |||
| DESCRIPTION "The HMAC-SHA-512-384 Authentication Protocol. | DESCRIPTION "The Authentication Protocol usmHMAC384SHA512AuthProtocol. | |||
| Uses HMAC-SHA-512 and truncates output to 384 bits." | Uses HMAC-SHA-512 and truncates output to 384 bits." | |||
| REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: | |||
| Keyed-Hashing for Message Authentication, RFC 2104. | Keyed-Hashing for Message Authentication, RFC 2104. | |||
| - National Institute of Standards and Technology, | - National Institute of Standards and Technology, | |||
| Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." | |||
| ::= { snmpAuthProtocols dd } -- dd to be assigned by IANA | ::= { snmpAuthProtocols dd } -- dd to be assigned by IANA | |||
| -- RFC Ed.: replace ff with actual number assigned by IANA & remove this line | -- RFC Ed.: replace ff with actual number assigned by IANA & remove this line | |||
| END | END | |||
| End of changes. 18 change blocks. | ||||
| 19 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||