draft-ietf-opsawg-hmac-sha-2-usm-snmp-05.txt   draft-ietf-opsawg-hmac-sha-2-usm-snmp-06.txt 
OPSAWG J. Merkle, Ed. OPSAWG J. Merkle, Ed.
Internet-Draft Secunet Security Networks Internet-Draft Secunet Security Networks
Intended status: Standards Track M. Lochter Intended status: Standards Track M. Lochter
Expires: September 24, 2015 BSI Expires: October 22, 2015 BSI
March 23, 2015 April 20, 2015
HMAC-SHA-2 Authentication Protocols in USM for SNMP HMAC-SHA-2 Authentication Protocols in USM for SNMPv3
draft-ietf-opsawg-hmac-sha-2-usm-snmp-05 draft-ietf-opsawg-hmac-sha-2-usm-snmp-06
Abstract Abstract
This memo specifies new HMAC-SHA-2 authentication protocols for the This memo specifies new HMAC-SHA-2 authentication protocols for the
User-based Security Model (USM) for SNMPv3 defined in RFC 3414. User-based Security Model (USM) for SNMPv3 defined in RFC 3414.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 24, 2015. This Internet-Draft will expire on October 22, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
4.2. Processing . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Processing . . . . . . . . . . . . . . . . . . . . . . . 5
4.2.1. Processing an Outgoing Message . . . . . . . . . . . 5 4.2.1. Processing an Outgoing Message . . . . . . . . . . . 5
4.2.2. Processing an Incoming Message . . . . . . . . . . . 6 4.2.2. Processing an Incoming Message . . . . . . . . . . . 6
5. Key Localization and Key Change . . . . . . . . . . . . . . . 6 5. Key Localization and Key Change . . . . . . . . . . . . . . . 6
6. Structure of the MIB Module . . . . . . . . . . . . . . . . . 6 6. Structure of the MIB Module . . . . . . . . . . . . . . . . . 6
7. Relationship to Other MIB Modules . . . . . . . . . . . . . . 7 7. Relationship to Other MIB Modules . . . . . . . . . . . . . . 7
7.1. Relationship to SNMP-USER-BASED-SM-MIB . . . . . . . . . 7 7.1. Relationship to SNMP-USER-BASED-SM-MIB . . . . . . . . . 7
7.2. Relationship to SNMP-FRAMEWORK-MIB . . . . . . . . . . . 7 7.2. Relationship to SNMP-FRAMEWORK-MIB . . . . . . . . . . . 7
7.3. MIB modules required for IMPORTS . . . . . . . . . . . . 7 7.3. MIB modules required for IMPORTS . . . . . . . . . . . . 7
8. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 7 8. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 7
9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9.1. Use of the HMAC-SHA-2 authentication protocols in USM . . 10 9.1. Use of the HMAC-SHA-2 authentication protocols in USM . . 10
9.2. Cryptographic strength of the authentication protocols . 10 9.2. Cryptographic strength of the authentication protocols . 10
9.3. Derivation of keys from passwords . . . . . . . . . . . . 11 9.3. Derivation of keys from passwords . . . . . . . . . . . . 11
9.4. Access to the SNMP-USM-HMAC-SHA2-MIB . . . . . . . . . . 11 9.4. Access to the SNMP-USM-HMAC-SHA2-MIB . . . . . . . . . . 11
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
11.1. Normative References . . . . . . . . . . . . . . . . . . 12 11.1. Normative References . . . . . . . . . . . . . . . . . . 12
11.2. Informative References . . . . . . . . . . . . . . . . . 13 11.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
skipping to change at page 3, line 30 skipping to change at page 3, line 30
3. Conventions 3. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119 document are to be interpreted as described in BCP 14, RFC 2119
[RFC2119]. [RFC2119].
4. The HMAC-SHA-2 Authentication Protocols 4. The HMAC-SHA-2 Authentication Protocols
This section describes the HMAC-SHA-2 authentication protocols. They This section describes the HMAC-SHA-2 authentication protocols. They
use the SHA-2 hash functions, which are described in [SHA] and use the SHA-2 hash functions, which are described in FIPS PUB 180-4
[RFC6234], in HMAC mode described in [RFC2104] and [RFC6234], [SHA] and RFC 6234 [RFC6234], in HMAC mode described in RFC 2104
truncating the output to 128 bits for SHA-224, 192 bits for SHA-256, [RFC2104] and RFC 6234, truncating the output to 128 bits for SHA-
256 bits for SHA-384, and 384 bits for SHA-512. [RFC6234] also 224, 192 bits for SHA-256, 256 bits for SHA-384, and 384 bits for
provides source code for all the SHA-2 algorithms and HMAC (without SHA-512. RFC 6234 also provides source code for all the SHA-2
truncation). It also includes test harness and standard test vectors algorithms and HMAC (without truncation). It also includes test
for all the defined hash functions and HMAC examples. harness and standard test vectors for all the defined hash functions
and HMAC examples.
The following protocols are defined: The following protocols are defined:
usmHMAC128SHA224AuthProtocol: uses SHA-224 and truncates the usmHMAC128SHA224AuthProtocol: uses SHA-224 and truncates the
output to 128 bits (16 octets); output to 128 bits (16 octets);
usmHMAC192SHA256AuthProtocol: uses SHA-256 and truncates the usmHMAC192SHA256AuthProtocol: uses SHA-256 and truncates the
output to 192 bits (24 octets); output to 192 bits (24 octets);
usmHMAC256SHA384AuthProtocol: uses SHA-384 and truncates the usmHMAC256SHA384AuthProtocol: uses SHA-384 and truncates the
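Review bot: The reworded Section 4 paragraph sends implementers to RFC 6234 for source code and test vectors but itself says that code is "without truncation", so nothing cited here lets an implementation check its truncated 128/192/256/384-bit outputs. Consider adding one test vector per protocol, or a sentence saying how the RFC 6234 HMAC vectors map onto the truncated MACs. Also, "It also includes test harness" needs an article: "a test harness".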
skipping to change at page 4, line 19 skipping to change at page 4, line 19
OPTIONAL. OPTIONAL.
4.1. Deviations from the HMAC-SHA-96 Authentication Protocol 4.1. Deviations from the HMAC-SHA-96 Authentication Protocol
All the HMAC-SHA-2 authentication protocols are straightforward All the HMAC-SHA-2 authentication protocols are straightforward
adaptations of the HMAC-MD5-96 and HMAC-SHA-96 authentication adaptations of the HMAC-MD5-96 and HMAC-SHA-96 authentication
protocols. Precisely, they differ from the HMAC-MD5-96 and HMAC- protocols. Precisely, they differ from the HMAC-MD5-96 and HMAC-
SHA-96 authentication protocols in the following aspects: SHA-96 authentication protocols in the following aspects:
o The SHA-2 hash function is used to compute the message digest in o The SHA-2 hash function is used to compute the message digest in
the HMAC computation according to [RFC2104] and [RFC6234], as the HMAC computation according to RFC 2104 and RFC 6234, as
opposed to the MD5 hash function [RFC1321] and SHA-1 hash function opposed to the MD5 hash function [RFC1321] and SHA-1 hash function
[SHA] used in HMAC-MD5-96 and HMAC-SHA-96, respectively. [SHA] used in HMAC-MD5-96 and HMAC-SHA-96, respectively.
Consequently, the length of the message digest prior to truncation Consequently, the length of the message digest prior to truncation
is 224 bits for SHA-224 based protocol, 256 bits for SHA-256 based is 224 bits for SHA-224 based protocol, 256 bits for SHA-256 based
protocol, 384 bits for SHA-384 based protocol, and 512 bits for protocol, 384 bits for SHA-384 based protocol, and 512 bits for
SHA-512 based protocol. SHA-512 based protocol.
o The resulting message digest (output of HMAC) is truncated to o The resulting message digest (output of HMAC) is truncated to
* 16 octets for usmHMAC128SHA224AuthProtocol * 16 octets for usmHMAC128SHA224AuthProtocol
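Review bot: The first bullet of Section 4.1 now mixes two citation styles in one sentence: the new text reads "RFC 2104 and RFC 6234" with no bracketed tags, while the same sentence still cites "[RFC1321]" and "[SHA]" by tag only. Pick one form for the whole bullet. The digest-length list in the same bullet also drops its articles ("for SHA-224 based protocol"); "for the SHA-224 based protocol" reads better.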
skipping to change at page 5, line 16 skipping to change at page 5, line 16
protocol usmHMAC384SHA512AuthProtocol protocol usmHMAC384SHA512AuthProtocol
as opposed to the keys being 16 and 20 octets long in HMAC-MD5-96 as opposed to the keys being 16 and 20 octets long in HMAC-MD5-96
and HMAC-SHA-96, respectively. and HMAC-SHA-96, respectively.
4.2. Processing 4.2. Processing
This section describes the procedures for the HMAC-SHA-2 This section describes the procedures for the HMAC-SHA-2
authentication protocols. The descriptions are based on the authentication protocols. The descriptions are based on the
definition of services and data elements defined for HMAC-SHA-96 in definition of services and data elements defined for HMAC-SHA-96 in
RFC 3414 [RFC3414] with the deviations listed in Section 4.1. RFC 3414 with the deviations listed in Section 4.1.
4.2.1. Processing an Outgoing Message 4.2.1. Processing an Outgoing Message
Values of constants M (the length of the secret key in octets) and N Values of constants M (the length of the secret key in octets) and N
(the length of the MAC output in octets) used below, are: (the length of the MAC output in octets) used below, are:
usmHMAC128SHA224AuthProtocol: M=28, N=16; usmHMAC128SHA224AuthProtocol: M=28, N=16;
usmHMAC192SHA256AuthProtocol: M=32, N=24; usmHMAC192SHA256AuthProtocol: M=32, N=24;
skipping to change at page 5, line 38 skipping to change at page 5, line 38
usmHMAC384SHA512AuthProtocol: M=64, N=48. usmHMAC384SHA512AuthProtocol: M=64, N=48.
correspondingly. correspondingly.
This section describes the procedure followed by an SNMP engine This section describes the procedure followed by an SNMP engine
whenever it must authenticate an outgoing message using one of the whenever it must authenticate an outgoing message using one of the
authentication protocols defined above. authentication protocols defined above.
1. The msgAuthenticationParameters field is set to serialization, 1. The msgAuthenticationParameters field is set to serialization,
according to the rules in [RFC3417], of an OCTET STRING according to the rules in RFC 3417 [RFC3417], of an OCTET STRING
containing N zero octets. containing N zero octets.
2. From the secret authKey of M octets, calculate the HMAC-SHA-2 2. From the secret authKey of M octets, calculate the HMAC-SHA-2
digest over it according to [RFC6234]. Take the first N octets digest over it according to RFC 6234. Take the first N octets of
of the final digest - this is the Message Authentication Code the final digest - this is the Message Authentication Code (MAC).
(MAC).
3. Replace the msgAuthenticationParameters field with the MAC 3. Replace the msgAuthenticationParameters field with the MAC
obtained in the previous step. obtained in the previous step.
4. The authenticatedWholeMsg is then returned to the caller together 4. The authenticatedWholeMsg is then returned to the caller together
with statusInformation indicating success. with statusInformation indicating success.
4.2.2. Processing an Incoming Message 4.2.2. Processing an Incoming Message
Values of the constants M and N are the same as in Section 4.2.1, and Values of the constants M and N are the same as in Section 4.2.1, and
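Review bot: In step 2 of Section 4.2.1, "calculate the HMAC-SHA-2 digest over it" leaves "it" with authKey as its only antecedent, so the step reads as computing the digest over the key rather than over the message. Both revisions carry this wording. Name the input explicitly: the digest is calculated over the whole message as prepared in step 1 (msgAuthenticationParameters holding N zero octets), with authKey as the HMAC key. The dangling "correspondingly." after the M/N list can be dropped.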
skipping to change at page 6, line 44 skipping to change at page 6, line 44
7. The newly calculated MAC is compared with the MAC saved in step 7. The newly calculated MAC is compared with the MAC saved in step
2. If they do not match, then a failure and an errorIndication 2. If they do not match, then a failure and an errorIndication
(authenticationFailure) are returned to the calling module. (authenticationFailure) are returned to the calling module.
8. The authenticatedWholeMsg and statusInformation indicating 8. The authenticatedWholeMsg and statusInformation indicating
success are then returned to the caller. success are then returned to the caller.
5. Key Localization and Key Change 5. Key Localization and Key Change
For any of the protocols defined in Section 4, key localization and For any of the protocols defined in Section 4, key localization and
key change SHALL be performed according to RFC 3414 [RFC3414] using key change SHALL be performed according to RFC 3414 using the SHA-2
the SHA-2 hash function applied in the respective protocol. hash function applied in the respective protocol.
6. Structure of the MIB Module 6. Structure of the MIB Module
The MIB module specified in this memo does not define any managed The MIB module specified in this memo does not define any managed
objects, subtrees, notifications or tables, but only object objects, subtrees, notifications or tables, but only object
identities (for authentication protocols) under a subtree of an identities (for authentication protocols) under a subtree of an
existing MIB. existing MIB.
7. Relationship to Other MIB Modules 7. Relationship to Other MIB Modules
7.1. Relationship to SNMP-USER-BASED-SM-MIB 7.1. Relationship to SNMP-USER-BASED-SM-MIB
RFC 3414 [RFC3414] specifies the MIB module for the User-based RFC 3414 specifies the MIB module for the User-based Security Model
Security Model (USM) for SNMPv3 (SNMP-USER-BASED-SM-MIB), which (USM) for SNMPv3 (SNMP-USER-BASED-SM-MIB), which defines
defines authentication protocols for USM based on the hash functions authentication protocols for USM based on the hash functions MD5 and
MD5 and SHA-1, respectively. The following MIB module defines new SHA-1, respectively. The following MIB module defines new HMAC-SHA2
HMAC-SHA2 authentication protocols for USM based on the SHA-2 hash authentication protocols for USM based on the SHA-2 hash functions
functions [SHA]. The use of the HMAC-SHA2 authentication protocols [SHA]. The use of the HMAC-SHA2 authentication protocols requires
requires the usage of the objects defined in the SNMP-USER-BASED-SM- the usage of the objects defined in the SNMP-USER-BASED-SM-MIB.
MIB.
7.2. Relationship to SNMP-FRAMEWORK-MIB 7.2. Relationship to SNMP-FRAMEWORK-MIB
RFC 3411 [RFC3411] specifies the SNMP-FRAMEWORK-MIB, which defines a RFC 3411 [RFC3411] specifies the SNMP-FRAMEWORK-MIB, which defines a
subtree snmpAuthProtocols for SNMP authentication protocols. The subtree snmpAuthProtocols for SNMP authentication protocols. The
following MIB module defines new authentication protocols in the following MIB module defines new authentication protocols in the
snmpAuthProtocols subtree. snmpAuthProtocols subtree.
7.3. MIB modules required for IMPORTS 7.3. MIB modules required for IMPORTS
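Review bot: Step 7 of the incoming-message procedure says only that the newly calculated MAC "is compared" with the saved one; consider adding a note that the comparison should not stop early at the first differing octet, so that response timing does not reveal how many leading octets of a submitted MAC were correct. Separately, the rewrapped Section 7.1 paragraph still spells the protocols "HMAC-SHA2" twice, while the title and Sections 4 and 9 use "HMAC-SHA-2"; the spelling should be unified. The "respectively" after "MD5 and SHA-1" also has nothing to pair with.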
skipping to change at page 10, line 6 skipping to change at page 10, line 4
Keyed-Hashing for Message Authentication, RFC 2104. Keyed-Hashing for Message Authentication, RFC 2104.
- National Institute of Standards and Technology, - National Institute of Standards and Technology,
Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." Secure Hash Standard (SHS), FIPS PUB 180-4, 2012."
::= { snmpAuthProtocols dd } -- dd to be assigned by IANA ::= { snmpAuthProtocols dd } -- dd to be assigned by IANA
-- RFC Ed.: replace dd with actual number assigned by IANA & remove -- RFC Ed.: replace dd with actual number assigned by IANA & remove
-- this comment -- this comment
END END
9. Security Considerations 9. Security Considerations
9.1. Use of the HMAC-SHA-2 authentication protocols in USM 9.1. Use of the HMAC-SHA-2 authentication protocols in USM
The security considerations of [RFC3414] also apply to the HMAC-SHA-2 The security considerations of RFC 3414 also apply to the HMAC-SHA-2
authentication protocols defined in this document. authentication protocols defined in this document.
9.2. Cryptographic strength of the authentication protocols 9.2. Cryptographic strength of the authentication protocols
At the time of publication of this document, all of the HMAC-SHA-2 At the time of publication of this document, all of the HMAC-SHA-2
authentication protocols provide a very high level of security. The authentication protocols provide a very high level of security. The
security of each HMAC-SHA-2 authentication protocol depends on the security of each HMAC-SHA-2 authentication protocol depends on the
parameters used in the corresponding HMAC computation, which are the parameters used in the corresponding HMAC computation, which are the
length of the key (if the key has maximum entropy), the size of the length of the key (if the key has maximum entropy), the size of the
hash function's internal state, and the length of the truncated MAC. hash function's internal state, and the length of the truncated MAC.
skipping to change at page 10, line 49 skipping to change at page 10, line 46
function. function.
The role of the truncated output length is more complicated: The role of the truncated output length is more complicated:
according to [BCK], there is a trade-off in that "by outputting less according to [BCK], there is a trade-off in that "by outputting less
bits the attacker has less bits to predict in a MAC forgery but, on bits the attacker has less bits to predict in a MAC forgery but, on
the other hand, the attacker also learns less about the output of the the other hand, the attacker also learns less about the output of the
compression function from seeing the authentication tags computed by compression function from seeing the authentication tags computed by
legitimate parties"; thus, truncation weakens the HMAC against legitimate parties"; thus, truncation weakens the HMAC against
forgery by guessing, but at the same time strengthens it against forgery by guessing, but at the same time strengthens it against
chosen message attacks aiming at MAC forgery based on internal chosen message attacks aiming at MAC forgery based on internal
collisions or at key guessing. [RFC2104] and [BCK] allow truncation collisions or at key guessing. RFC 2104 and [BCK] allow truncation
to any length that is not less than half the size of the internal to any length that is not less than half the size of the internal
state. state.
Further discussion of the security of the HMAC construction is given Further discussion of the security of the HMAC construction is given
in [RFC2104]. in RFC 2104.
9.3. Derivation of keys from passwords 9.3. Derivation of keys from passwords
If secret keys to be used for HMAC-SHA-2 authentication protocols are If secret keys to be used for HMAC-SHA-2 authentication protocols are
derived from passwords, the derivation SHOULD be performed using the derived from passwords, the derivation SHOULD be performed using the
password-to-key algorithm from Appendix A.1 of RFC 3414 with MD5 password-to-key algorithm from Appendix A.1 of RFC 3414 with MD5
being replaced by the SHA-2 hash function H used in the HMAC-SHA-2 being replaced by the SHA-2 hash function H used in the HMAC-SHA-2
authentication protocol. Specifically, the password is converted authentication protocol. Specifically, the password is converted
into the required secret key by the following steps: into the required secret key by the following steps:
skipping to change at page 11, line 35 skipping to change at page 11, line 32
9.4. Access to the SNMP-USM-HMAC-SHA2-MIB 9.4. Access to the SNMP-USM-HMAC-SHA2-MIB
The SNMP-USM-HMAC-SHA2-MIB module defines OBJECT IDENTIFIER values The SNMP-USM-HMAC-SHA2-MIB module defines OBJECT IDENTIFIER values
for use in other MIB modules. It does not define any objects that for use in other MIB modules. It does not define any objects that
can be accessed. As such, the SNMP-USM-HMAC-SHA2-MIB does not, by can be accessed. As such, the SNMP-USM-HMAC-SHA2-MIB does not, by
itself, have any effect on the security of the Internet. itself, have any effect on the security of the Internet.
The values defined in this module are expected to be used with the The values defined in this module are expected to be used with the
usmUserTable defined in the SNMP-USER-BASED-SM-MIB [RFC3414]. The usmUserTable defined in the SNMP-USER-BASED-SM-MIB [RFC3414]. The
considerations in Section 11.5 of [RFC3414] should be taken into considerations in Section 11.5 of RFC 3414 should be taken into
account. account.
10. IANA Considerations 10. IANA Considerations
IANA is requested to assign an OID for IANA is requested to assign an OID for
+--------------------+-------------------------+ +--------------------+-------------------------+
| Descriptor | OBJECT IDENTIFIER value | | Descriptor | OBJECT IDENTIFIER value |
+--------------------+-------------------------+ +--------------------+-------------------------+
| snmpUsmHmacSha2MIB | { snmpModules nn } | | snmpUsmHmacSha2MIB | { snmpModules nn } |
 End of changes. 16 change blocks. 
34 lines changed or deleted 32 lines changed or added
