SCALAR OBJECTS

Name	Type	Access	OID	Description
1 usmDHParameters	OCTETSTR	ReadWrite	.1.3.6.1.3.101.1.1.1	The public Diffie-Hellman parameters for doing a Diffie-Hellman key agreement for this device. This is encoded as an ASN.1 DHParameter per PKCS #3, section 9. E.g. DHParameter ::= SEQUENCE { prime INTEGER, -- p base INTEGER, -- g privateValueLength INTEGER OPTIONAL } Implementors are encouraged to use either the values from Oakley Group 1 or the values of from Oakley Group 2 as specified in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the default for this object. Other values may be used, but the security properties of those values MUST be well understood and MUST meet the requirements of PKCS #3 for the selection of Diffie-Hellman primes. In addition, any time usmDHParameters changes, all values of type DHKeyChange will change and new random numbers MUST be generated by the agent for each DHKeyChange object. Also see Reference: -- Diffie-Hellman Key-Agreement Standard, PKCS #3, RSA Laboratories, November 1993 -- The Internet Key Exchange, RFC 2409, November 1998, Sec 6.1, 6.2

TABLE OBJECTS

Table usmDHUserKeyTable

Table Name	usmDHUserKeyTable
In MIB	SNMP-USM-DH-OBJECTS-MIB
Registered at OID	.1.3.6.1.3.101.1.1.2
Table Description	This table augments and extends the usmUserTable and provides 4 objects which exactly mirror the objects in that table with the textual convention of 'KeyChange'. This extension allows key changes to be done in a manner where the knowledge of the current secret plus knowledge of the key change data exchanges (e.g. via wiretapping) will not reveal the new key.
Row Description	A row of DHKeyChange objects which augment or replace the functionality of the KeyChange objects in the base table row.

usmDHUserKeyTable Indexes:

Name	Type	Access	Description
1 usmUserEngineID	OCTETSTR Legal Lengths: 5 .. 32 SnmpEngineID	NoAccess	Note: this object is based on the SnmpEngineID TEXTUAL-CONVENTION. An SNMP engine's administratively-unique identifier. In a simple agent, this value is always that agent's own snmpEngineID value. The value can also take the value of the snmpEngineID of a remote SNMP engine with which this user can communicate.
2 usmUserName	OCTETSTR Legal Lengths: 1 .. 32 SnmpAdminString	NoAccess	Note: this object is based on the SnmpAdminString TEXTUAL-CONVENTION. A human readable string representing the name of the user. This is the (User-based Security) Model dependent security ID.

Other usmDHUserKeyTable Columns:

Name	Type	Access	Description
1 usmDHUserAuthKeyChange	OCTETSTR DHKeyChange	Create	Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change any given user's Authentication Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserAuthProtocol, are installed as the operational authentication key for this row after a successful SET.
2 usmDHUserOwnAuthKeyChange	OCTETSTR DHKeyChange	Create	Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change the agents own Authentication Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserAuthProtocol, are installed as the operational authentication key for this row after a successful SET.
3 usmDHUserPrivKeyChange	OCTETSTR DHKeyChange	Create	Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change any given user's Privacy Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserPrivProtocol, are installed as the operational privacy key for this row after a successful SET.
4 usmDHUserOwnPrivKeyChange	OCTETSTR DHKeyChange	Create	Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change the agent's own Privacy Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserPrivProtocol, are installed as the operational privacy key for this row after a successful SET.

Table usmDHKickstartTable

Table Name	usmDHKickstartTable
In MIB	SNMP-USM-DH-OBJECTS-MIB
Registered at OID	.1.3.6.1.3.101.1.2.1
Table Description	A table of mappings between zero or more Diffie-Helman key agreement values and entries in the usmUserTable. Entries in this table are created by providing the associated device with a Diffie-Helman public value and a usmUserName/usmUserSecurityName pair during initialization. How these values are provided is outside the scope of this MIB, but could be provided manually, or through a configuration file. Valid public value/name pairs result in the creation of a row in this table as well as the creation of an associated row (with keys derived as indicated) in the usmUserTable. The actual access the related usmSecurityName has is dependent on the entries in the VACM tables. In general, an implementor will specify one or more standard security names and will provide entries in the VACM tables granting various levels of access to those names. The actual content of the VACM table is beyond the scope of this MIB. Note: This table is expected to be readable without authentication using the usmUserSecurityName 'dhKickstart'. See the conformance statements for details.
Row Description	An entry in the usmDHKickstartTable. The agent SHOULD either delete this entry or mark it as inactive upon a successful SET of any of the KeyChange-typed objects in the usmUserEntry or upon a successful SET of any of the DHKeyChange-typed objects in the usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of usmUserTable or row of ushDhKeyChangeTable) equals this entry's usmDhKickstartSecurityName. In otherwords, once you've changed one or more of the keys for a row in usmUserTable with a particular security name, the row in this table with that same security name is no longer useful or meaningful.

usmDHKickstartTable Indexes:

Name	Type	Access	Description
1 usmDHKickstartIndex	INTEGER32 Legal values: 1 .. 2147483647	NoAccess	Index value for this row.

Other usmDHKickstartTable Columns:

Name	Type	Access	Description
2 usmDHKickstartMyPublic	OCTETSTR	ReadOnly	The agent's Diffie-Hellman public value for this row. At initialization, the agent generates a random number and derives its public value from that number. This public value is published here. This public value 'y' equals g^r MOD p where g is the from the set of Diffie-Hellman parameters, p is the prime from those parameters, and r is a random integer selected by the agent in the interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is a random integer selected in the interval 0 <= r < p-1 The public value is expressed as an OCTET STRING 'PV' of length 'k' which satisfies k y = SUM 2^(8(k-i)) PV'i i = 1 where PV1,...,PVk are the octets of PV from first to last, and where PV1 != 0. The following DH parameters (Oakley group #2, RFC 2409, sec 6.1, 6.2) are used for this object: g = 2 p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF l=1024 Also see Reference: -- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4; RSA Laboratories, November 1993 -- The Internet Key Exchange, RFC2409; Harkins, D., Carrel, D.; November 1998
3 usmDHKickstartMgrPublic	OCTETSTR	ReadOnly	The manager's Diffie-Hellman public value for this row. Note that this value is not set via the SNMP agent, but may be set via some out of band method, such as the device's configuration file. The manager calculates this value in the same manner and using the same parameter set as the agent does. E.g. it selects a random number 'r', calculates y = g^r mod p and provides 'y' as the public number expressed as an OCTET STRING. See usmDHKickstartMyPublic for details. When this object is set with a valid value during initialization, a row is created in the usmUserTable with the following values: usmUserEngineID localEngineID usmUserName [value of usmDHKickstartSecurityName] usmUserSecurityName [value of usmDHKickstartSecurityName] usmUserCloneFrom ZeroDotZero usmUserAuthProtocol usmHMACMD5AuthProtocol usmUserAuthKeyChange -- derived from set value usmUserOwnAuthKeyChange -- derived from set value usmUserPrivProtocol usmDESPrivProtocol usmUserPrivKeyChange -- derived from set value usmUserOwnPrivKeyChange -- derived from set value usmUserPublic '' usmUserStorageType permanent usmUserStatus active A shared secret 'sk' is calculated at the agent as sk = mgrPublic^r mod p where r is the agents random number and p is the DH prime from the common parameters. The underlying privacy key for this row is derived from sk by applying the key derivation function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6, and iterationCount of 500, a keyLength of 16 (for usmDESPrivProtocol), and a prf (pseudo random function) of 'id-hmacWithSHA1'. The underlying authentication key for this row is derived from sk by applying the key derivation function PBKDF2 with a salt of 0x98dfb5ac , an interation count of 500, a keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of 'id-hmacWithSHA1'. Note: The salts are the first two words in the ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied Cryptography' by Bruce Schnier - they could be any relatively random string of bits. The manager can use its knowledge of its own random number and the agent's public value to kickstart its access to the agent in a secure manner. Note that the security of this approach is directly related to the strength of the authorization security of the out of band provisioning of the managers public value (e.g. the configuration file), but is not dependent at all on the strength of the confidentiality of the out of band provisioning data. Also see Reference: -- Password-Based Cryptography Standard, PKCS#5v2.0; RSA Laboratories, March 1999 -- Applied Cryptography, 2nd Ed.; B. Schneier, Counterpane Systems; John Wiley & Sons, 1996
4 usmDHKickstartSecurityName	OCTETSTR Legal Lengths: 0 .. 255 SnmpAdminString	ReadOnly	Note: this object is based on the SnmpAdminString TEXTUAL-CONVENTION. The usmUserName and usmUserSecurityName in the usmUserTable associated with this row. This is provided in the same manner and at the same time as the usmDHKickstartMgrPublic value - e.g. possibly manually, or via the device's configuration file.

DEPRECATED OR OBSOLETE OR HISTORIC OBJECTS

NOTIFICATIONS

TEXTUAL CONVENTIONS

These TEXTUAL-CONVENTIONS are used in other parts of the document above. They are SNMP's way of defining a datatype that is used repeatedly by other MIB objects. Any implementation implementing objects that use one of these definitions must follow its DESCRIPTION clause as well as the DESCRIPTION clause of the object itself.

Name	Type	Description
DHKeyChange	OCTETSTR	Upon initialization, or upon creation of a row containing an object of this type, and after any successful SET of this value, a GET of this value returns 'y' where y = g^xa MOD p, and where g is the base from usmDHParameters, p is the prime from usmDHParameters, and xa is a new random integer selected by the agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the optional privateValueLength from usmDHParameters in bits. If 'l' is omitted, then xa (and xr below) is selected in the interval 0 <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k' which satisfies k y = SUM 2^(8(k-i)) PV'i i=1 where PV1,...,PVk are the octets of PV from first to last, and where PV1 <> 0. A successful SET consists of the value 'y' expressed as an OCTET STRING as above concatenated with the value 'z'(expressed as an OCTET STRING in the same manner as y) where z = g^xr MOD p, where g, p and l are as above, and where xr is a new random integer selected by the manager in the interval 2^(l-1) <= xr < 2^l < p-1. A SET to an object of this type will fail with the error wrongValue if the current 'y' does not match the 'y' portion of the value of the varbind for the object. (E.g. GET yout, SET concat(yin, z), yout <> yin). Note that the private values xa and xr are never transmitted from manager to device or vice versa, only the values y and z. Obviously, these values must be retained until a successful SET on the associated object. The shared secret 'sk' is calculated at the agent as sk = z^xa MOD p, and at the manager as sk = y^xr MOD p. Each object definition of this type MUST describe how to map from the shared secret 'sk' to the operational key value used by the protocols and operations related to the object. In general, if n bits of key are required, the author suggests using the n right-most bits of the shared secret as the operational key value.
SnmpEngineID	OCTETSTR	An SNMP engine's administratively-unique identifier. Objects of this type are for identification, not for addressing, even though it is possible that an address may have been used in the generation of a specific value. The value for this object may not be all zeros or all 'ff'H or the empty (zero length) string. The initial value for this object may be configured via an operator console entry or via an algorithmic function. In the latter case, the following example algorithm is recommended. In cases where there are multiple engines on the same system, the use of this algorithm is NOT appropriate, as it would result in all of those engines ending up with the same ID value. 1) The very first bit is used to indicate how the rest of the data is composed. 0 - as defined by enterprise using former methods that existed before SNMPv3. See item 2 below. 1 - as defined by this architecture, see item 3 below. Note that this allows existing uses of the engineID (also known as AgentID [RFC1910]) to co-exist with any new uses. 2) The snmpEngineID has a length of 12 octets. The first four octets are set to the binary equivalent of the agent's SNMP management private enterprise number as assigned by the Internet Assigned Numbers Authority (IANA). For example, if Acme Networks has been assigned { enterprises 696 }, the first four octets would be assigned '000002b8'H. The remaining eight octets are determined via one or more enterprise-specific methods. Such methods must be designed so as to maximize the possibility that the value of this object will be unique in the agent's administrative domain. For example, it may be the IP address of the SNMP entity, or the MAC address of one of the interfaces, with each address suitably padded with random octets. If multiple methods are defined, then it is recommended that the first octet indicate the method being used and the remaining octets be a function of the method. 3) The length of the octet string varies. The first four octets are set to the binary equivalent of the agent's SNMP management private enterprise number as assigned by the Internet Assigned Numbers Authority (IANA). For example, if Acme Networks has been assigned { enterprises 696 }, the first four octets would be assigned '000002b8'H. The very first bit is set to 1. For example, the above value for Acme Networks now changes to be '800002b8'H. The fifth octet indicates how the rest (6th and following octets) are formatted. The values for the fifth octet are: 0 - reserved, unused. 1 - IPv4 address (4 octets) lowest non-special IP address 2 - IPv6 address (16 octets) lowest non-special IP address 3 - MAC address (6 octets) lowest IEEE MAC address, canonical order 4 - Text, administratively a
SnmpAdminString	OCTETSTR	An octet string containing administrative information, preferably in human-readable form. To facilitate internationalization, this information is represented using the ISO/IEC IS 10646-1 character set, encoded as an octet string using the UTF-8 transformation format described in [RFC2279]. Since additional code points are added by amendments to the 10646 standard from time to time, implementations must be prepared to encounter any code point from 0x00000000 to 0x7fffffff. Byte sequences that do not correspond to the valid UTF-8 encoding of a code point or are outside this range are prohibited. The use of control codes should be avoided. When it is necessary to represent a newline, the control code sequence CR LF should be used. The use of leading or trailing white space should be avoided. For code points not directly supported by user interface hardware or software, an alternative means of entry and display, such as hexadecimal, may be provided. For information encoded in 7-bit US-ASCII, the UTF-8 encoding is identical to the US-ASCII encoding. UTF-8 may require multiple bytes to represent a single character / code point; thus the length of this object in octets may be different from the number of characters encoded. Similarly, size constraints refer to the number of encoded octets, not the number of characters represented by an encoding. Note that when this TC is used for an object that is used or envisioned to be used as an index, then a SIZE restriction MUST be specified so that the number of sub-identifiers for any object instance does not exceed the limit of 128, as defined by [RFC3416]. Note that the size of an SnmpAdminString object is measured in octets, not characters.

TREE VIEW

Tree view generated by running: snmptranslate -Tp SNMP-USM-DH-OBJECTS-MIB::snmpUsmDHObjectsMIB