draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-04.txt   draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-05.txt 
OPSAWG J. Merkle, Ed. OPSAWG J. Merkle, Ed.
Internet-Draft Secunet Security Networks Internet-Draft Secunet Security Networks
Obsoletes: 7630 (if approved) M. Lochter Obsoletes: 7630 (if approved) M. Lochter
Intended status: Standards Track BSI Intended status: Standards Track BSI
Expires: August 15, 2016 February 12, 2016 Expires: September 19, 2016 March 18, 2016
HMAC-SHA-2 Authentication Protocols in USM for SNMPv3 HMAC-SHA-2 Authentication Protocols in USM for SNMPv3
draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-04 draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-05
Abstract Abstract
This document specifies several authentication protocols based on the This document specifies several authentication protocols based on the
SHA-2 hash functions for the User-based Security Model (USM) for SHA-2 hash functions for the User-based Security Model (USM) for
SNMPv3 defined in RFC 3414. It obsoletes RFC 7630, in which the MIB SNMPv3 defined in RFC 3414. It obsoletes RFC 7630, in which the MIB
MODULE-IDENTITY value was incorrectly specified. MODULE-IDENTITY value was incorrectly specified.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 15, 2016. This Internet-Draft will expire on September 19, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
6. Structure of the MIB Module . . . . . . . . . . . . . . . . . 6 6. Structure of the MIB Module . . . . . . . . . . . . . . . . . 6
7. Relationship to Other MIB Modules . . . . . . . . . . . . . . 7 7. Relationship to Other MIB Modules . . . . . . . . . . . . . . 7
7.1. Relationship to SNMP-USER-BASED-SM-MIB . . . . . . . . . 7 7.1. Relationship to SNMP-USER-BASED-SM-MIB . . . . . . . . . 7
7.2. Relationship to SNMP-FRAMEWORK-MIB . . . . . . . . . . . 7 7.2. Relationship to SNMP-FRAMEWORK-MIB . . . . . . . . . . . 7
7.3. MIB Modules Required for IMPORTS . . . . . . . . . . . . 7 7.3. MIB Modules Required for IMPORTS . . . . . . . . . . . . 7
8. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 7 8. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 7
9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9.1. Use of the HMAC-SHA-2 Authentication Protocols in USM . 9 9.1. Use of the HMAC-SHA-2 Authentication Protocols in USM . 9
9.2. Cryptographic Strength of the Authentication Protocols . 9 9.2. Cryptographic Strength of the Authentication Protocols . 9
9.3. Derivation of Keys from Passwords . . . . . . . . . . . 10 9.3. Derivation of Keys from Passwords . . . . . . . . . . . 10
9.4. Access to the SNMP-USM-HMAC-SHA2-MIB . . . . . . . . . . 10 9.4. Access to the SNMP-USM-HMAC-SHA2-MIB . . . . . . . . . . 11
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 12
11.2. Informative References . . . . . . . . . . . . . . . . . 12 11.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Within the Architecture for describing Simple Network Management Within the Architecture for describing Simple Network Management
Protocol (SNMP) Management Frameworks [RFC3411], the User-based Protocol (SNMP) Management Frameworks [RFC3411], the User-based
Security Model (USM) [RFC3414] for SNMPv3 is defined as a Security Security Model (USM) [RFC3414] for SNMPv3 is defined as a Security
Subsystem within an SNMP engine. In RFC 3414, two different Subsystem within an SNMP engine. In RFC 3414, two different
authentication protocols, HMAC-MD5-96 and HMAC-SHA-96, are defined authentication protocols, HMAC-MD5-96 and HMAC-SHA-96, are defined
based on the hash functions MD5 and SHA-1, respectively. based on the hash functions MD5 and SHA-1, respectively.
skipping to change at page 7, line 31 skipping to change at page 7, line 31
MIB module defines new authentication protocols in the MIB module defines new authentication protocols in the
snmpAuthProtocols subtree. snmpAuthProtocols subtree.
7.3. MIB Modules Required for IMPORTS 7.3. MIB Modules Required for IMPORTS
The following MIB module IMPORTS definitions from SNMPv2-SMI The following MIB module IMPORTS definitions from SNMPv2-SMI
[RFC2578] and SNMP-FRAMEWORK-MIB [RFC3411]. [RFC2578] and SNMP-FRAMEWORK-MIB [RFC3411].
8. Definitions 8. Definitions
SNMP-USM-HMAC-SHA2-MIB DEFINITIONS ::= BEGIN SNMP-USM-HMAC-SHA2-MIB DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, OBJECT-IDENTITY, mib-2 FROM SNMPv2-SMI IMPORTS
MODULE-IDENTITY, OBJECT-IDENTITY,
mib-2 FROM SNMPv2-SMI -- [RFC2578]
snmpAuthProtocols FROM SNMP-FRAMEWORK-MIB; -- [RFC3411]
snmpUsmHmacSha2MIB MODULE-IDENTITY LAST-UPDATED "201510210000Z" -- 21 snmpUsmHmacSha2MIB MODULE-IDENTITY
October 2015, midnight ORGANIZATION "SNMPv3 Working Group" CONTACT-INFO LAST-UPDATED "201603180000Z" -- 18 March 2016, midnight
"WG email: OPSAWG@ietf.org Subscribe: -- RFC Ed.: replace with publication date & remove this line
https://www.ietf.org/mailman/listinfo/opsawg Editor: Johannes Merkle ORGANIZATION "SNMPv3 Working Group"
secunet Security Networks Postal: Mergenthaler Allee 77 CONTACT-INFO "WG email: OPSAWG@ietf.org
D-65760 Eschborn Germany Phone: +49 20154543091 Email: Subscribe:
johannes.merkle@secunet.com https://www.ietf.org/mailman/listinfo/opsawg
Editor: Johannes Merkle
secunet Security Networks
postal: Mergenthaler Allee 77
D-65760 Eschborn
Germany
phone: +49 20154543091
email: johannes.merkle@secunet.com
Co-Editor: Manfred Lochter
Bundesamt fuer Sicherheit in der
Informationstechnik (BSI)
postal: Postfach 200363
D-53133 Bonn
Germany
phone: +49 228 9582 5643
email: manfred.lochter@bsi.bund.de"
Co-Editor: Manfred Lochter Bundesamt fuer Sicherheit in der DESCRIPTION
Informationstechnik (BSI) Postal: Postfach 200363 "Definitions of Object Identities needed for the use of
D-53133 Bonn Germany Phone: +49 228 9582 5643 Email: HMAC-SHA2 Authentication Protocols by SNMP's User-based Security
manfred.lochter@bsi.bund.de" Model.
DESCRIPTION "Definitions of Object Identities needed Copyright (c) 2014 IETF Trust and the persons identified
for the use of HMAC-SHA2 by SNMP's User-based Security Model. as authors of the code. All rights reserved.
Copyright (c) 2015 IETF Trust and the persons identified as authors of Redistribution and use in source and binary forms, with
the code. All rights reserved. or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info)."
Redistribution and use in source and binary forms, with or without REVISION "201603180000Z" -- 18 March 2016, midnight
modification, is permitted pursuant to, and subject to the license terms -- RFC Ed.: replace with publication date & remove this line
contained in, the Simplified BSD License set forth in Section 4.c of the "Version correcting the MODULE-IDENTITY value,
IETF Trust's Legal Provisions Relating to IETF Documents published as RFC TBD"
(http://trustee.ietf.org/license-info)." -- RFC Ed.: replace TBD with actual RFC number & remove this line
REVISION "201510210000Z" -- 21 October 2015, midnight DESCRIPTION REVISION "201510140000Z" -- 14 October 2015, midnight
"Version correcting the MODULE-IDENTITY value, published as RFC TBD" DESCRIPTION
REVISION "201508130000Z" -- 13 August 2015, midnight DESCRIPTION "Initial version, published as RFC 7630"
"Initial version, published as RFC 7630" ::= { mib-2 235 }
usmHMAC128SHA224AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION ::= { mib-2 235 }
"The Authentication Protocol usmHMAC128SHA224AuthProtocol uses
HMAC-SHA-224 and truncates output to 128 bits." REFERENCE "- Krawczyk,
H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message
Authentication, RFC 2104. - National Institute of Standards and
Technology, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= {
snmpAuthProtocols 4 }
usmHMAC192SHA256AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION usmHMAC128SHA224AuthProtocol OBJECT-IDENTITY
"The Authentication Protocol usmHMAC192SHA256AuthProtocol uses STATUS current
HMAC-SHA-256 and truncates output to 192 bits." REFERENCE "- Krawczyk, DESCRIPTION "The Authentication Protocol
H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message usmHMAC128SHA224AuthProtocol uses HMAC-SHA-224 and
Authentication, RFC 2104. - National Institute of Standards and truncates output to 128 bits."
Technology, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= { REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC:
snmpAuthProtocols 5 } Keyed-Hashing for Message Authentication, RFC 2104.
- National Institute of Standards and Technology,
Secure Hash Standard (SHS), FIPS PUB 180-4, 2012."
::= { snmpAuthProtocols 4 }
usmHMAC256SHA384AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION usmHMAC192SHA256AuthProtocol OBJECT-IDENTITY
"The Authentication Protocol usmHMAC256SHA384AuthProtocol uses STATUS current
HMAC-SHA-384 and truncates output to 256 bits." REFERENCE "- Krawczyk, DESCRIPTION "The Authentication Protocol
H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message usmHMAC192SHA256AuthProtocol uses HMAC-SHA-256 and
Authentication, RFC 2104. - National Institute of Standards and truncates output to 192 bits."
Technology, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= { REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC:
snmpAuthProtocols 6 } Keyed-Hashing for Message Authentication, RFC 2104.
- National Institute of Standards and Technology,
Secure Hash Standard (SHS), FIPS PUB 180-4, 2012."
::= { snmpAuthProtocols 5 }
usmHMAC384SHA512AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION usmHMAC256SHA384AuthProtocol OBJECT-IDENTITY
"The Authentication Protocol usmHMAC384SHA512AuthProtocol uses STATUS current
HMAC-SHA-512 and truncates output to 384 bits." REFERENCE "- Krawczyk, DESCRIPTION "The Authentication Protocol
H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message usmHMAC256SHA384AuthProtocol uses HMAC-SHA-384 and
Authentication, RFC 2104. - National Institute of Standards and truncates output to 256 bits."
Technology, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= { REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC:
snmpAuthProtocols 7 } Keyed-Hashing for Message Authentication, RFC 2104.
- National Institute of Standards and Technology,
Secure Hash Standard (SHS), FIPS PUB 180-4, 2012."
::= { snmpAuthProtocols 6 }
usmHMAC384SHA512AuthProtocol OBJECT-IDENTITY
STATUS current
DESCRIPTION "The Authentication Protocol
usmHMAC384SHA512AuthProtocol uses HMAC-SHA-512 and
truncates output to 384 bits."
REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC:
Keyed-Hashing for Message Authentication, RFC 2104.
- National Institute of Standards and Technology,
Secure Hash Standard (SHS), FIPS PUB 180-4, 2012."
::= { snmpAuthProtocols 7 }
END END
9. Security Considerations 9. Security Considerations
9.1. Use of the HMAC-SHA-2 Authentication Protocols in USM 9.1. Use of the HMAC-SHA-2 Authentication Protocols in USM
The security considerations of [RFC3414] also apply to the HMAC-SHA-2 The security considerations of [RFC3414] also apply to the HMAC-SHA-2
authentication protocols defined in this document. authentication protocols defined in this document.
9.2. Cryptographic Strength of the Authentication Protocols 9.2. Cryptographic Strength of the Authentication Protocols
At the time of publication of this document, all of the HMAC-SHA-2 At the time of publication of this document, all of the HMAC-SHA-2
 End of changes. 16 change blocks. 
62 lines changed or deleted 98 lines changed or added

This html diff was produced by rfcdiff 1.44. The latest version is available from http://tools.ietf.org/tools/rfcdiff/