Network Operations and Control Wiki

Background: Know: privacy, authentication, timeliness, Initialization Vector, MAC Recognize:




User Security Model (USM)

The User Security Model protects against the following threats:

Modification of Information: Data is altered in transit by an unauthorized entity, leading to unauthorized management operations. In other words, data integrity is lost.

Masquerading: An unauthorized entity takes on the identity of an authorized user, leading to mismanagement. USM counters this by providing data origin authentication.

Disclosure (Data Confidentiality): The messages exchanged between agent and manager are overheard by an unauthorized entity. USM restores data confidentiality by encrypting the messages.

Message Stream Modification (Message Timeliness): Messages are re-ordered, delayed or even replayed, resulting in undesirable management operations. USM ensures message timeliness, which makes effective network management possible.

The SNMPv3 framework introduces some new concepts that the USM relies on: snmpEngineID, snmpEngineBoots, snmpEngineTime, the security level, and the notion of an authoritative SNMP engine.

Privacy

The USM specifies the Data Encryption Standard in Cipher Block Chaining mode (CBC-DES) for encrypting and decrypting SNMPv3 packets.

Authentication

The HMAC construction, keyed with either Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), is used to authenticate SNMPv3 packets.

HMAC-MD5 provides better performance for secure communications, while HMAC-SHA-1 provides stronger cryptographic security. Both algorithms produce a unique, fixed-size message digest (sometimes loosely called a digital signature or fingerprint) from a variable-length message.

MD5 creates a digest of 128 bits (16 bytes) and SHA-1 creates a digest of 160 bits (20 bytes). HMAC's cryptographic strength depends on the message digest used and on the secret key being exchanged securely. The communicating parties are not required to hold public and private key pairs; a shared secret is sufficient.

Timeliness

snmpEngineTime should be incremented every second so that the value stays very close to the master value maintained by the authoritative agent. The timeliness checks performed by an agent are considered part of the authentication process, and they should be carried out immediately after the received packet has been authenticated.
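The authentication and timeliness steps above, carried through in code as an added example (not code from this wiki or from any SNMP implementation): the RFC 3414 password-to-key stretching, localization of the key to one snmpEngineID, the 12-byte truncated HMAC that fills msgAuthenticationParameters, and the authoritative-side boots/time window check. The message bytes are a constructed stand-in, not a real BER-encoded SNMPv3 packet; the password and engine ID are the RFC 3414 Appendix A.3.1 test values.

```python
import hashlib
import hmac

HMAC96_LEN = 12        # USM keeps only the first 96 bits of the HMAC (RFC 3414)
TIME_WINDOW = 150      # seconds of clock drift the authoritative engine tolerates
MAX_BOOTS = 2147483647 # engine must be reconfigured once snmpEngineBoots hits this


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: repeat the password to 1 MiB and hash it -> user key Ku
    (16 bytes for md5, 20 bytes for sha1)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). A key captured from one
    agent is only valid for that agent, so one user password can serve many agents."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg_zeroed: bytes, hash_name: str) -> bytes:
    """HMAC over the entire message, computed with the 12-byte
    msgAuthenticationParameters field set to zeros, then truncated."""
    return hmac.new(kul, whole_msg_zeroed, hash_name).digest()[:HMAC96_LEN]


def verify_auth(kul: bytes, whole_msg_zeroed: bytes, received: bytes, hash_name: str) -> bool:
    """Receiver recomputes the truncated HMAC and compares in constant time."""
    return hmac.compare_digest(auth_params(kul, whole_msg_zeroed, hash_name), received)


def timely(engine_boots: int, engine_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative-side timeliness check (RFC 3414 3.2.7). Run only after
    verify_auth succeeded: the boots/time fields are covered by the HMAC, so an
    unauthenticated packet cannot be trusted to carry honest values."""
    if engine_boots == MAX_BOOTS or msg_boots != engine_boots:
        return False
    return abs(engine_time - msg_time) <= TIME_WINDOW


# Constructed sample: RFC 3414 A.3.1 password and snmpEngineID, MD5 variant.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KU = password_to_key(b"maplesyrup", "md5")
KUL = localize_key(KU, ENGINE_ID, "md5")


def sign_and_check(tamper: bool = False) -> bool:
    """Sender fills the zeroed field; receiver zeroes it again and verifies.
    Returns True when the packet authenticates (False if it was tampered with)."""
    msg_zeroed = b"constructed-snmpv3-header|" + bytes(HMAC96_LEN) + b"|get-request"
    params = auth_params(KUL, msg_zeroed, "md5")
    body = msg_zeroed.replace(b"get-request", b"set-request") if tamper else msg_zeroed
    return verify_auth(KUL, body, params, "md5")
```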
