Difference between revisions of "Strong Authentication or Encryption"
(→Answer: reword a bit and explain further history.) |
(→Answer: entropy) |
||
Line 11: | Line 11: | ||
From the net-snmp point of view we started supporting AES192 and 256 | From the net-snmp point of view we started supporting AES192 and 256 | ||
− | [in v5.1.x] when the initial drafts started circulating. HOWEVER, | + | [in v5.1.x] when the initial drafts started circulating. HOWEVER, Net-SNMP |
never supported it completely. You could not use passwords or master | never supported it completely. You could not use passwords or master | ||
keys to get to the localized key because the hash algorithms (MD5 and SHA) | keys to get to the localized key because the hash algorithms (MD5 and SHA) | ||
didn't produce long enough keys and we never implemented the hash | didn't produce long enough keys and we never implemented the hash | ||
− | iterations required to producing the longer keys. | + | iterations required to producing the longer keys. (The internet-draft used repeated iterations to achieve the longer key lengths, but the resulting entropy was still limited, at best, to the output length of the hashing algorithm used to produce the keys). |
There was an internet-draft created in the IETF to standardize 3DES encryption support, but the work was never pushed forward into the full standardization process and was later dropped. A few companies picked up that work and implemented it internally to their products. Net-SNMP does not yet support 3DES, however, as most people believe that the AES support provides sufficiently strong encryption. | There was an internet-draft created in the IETF to standardize 3DES encryption support, but the work was never pushed forward into the full standardization process and was later dropped. A few companies picked up that work and implemented it internally to their products. Net-SNMP does not yet support 3DES, however, as most people believe that the AES support provides sufficiently strong encryption. | ||
In summary, market support for the other encryption and authentication possibilities doesn't really exist so Net-SNMP would talk mostly with itself. The project would likely accept patches to implement some of the other forms of authentication and encryption, but the patch should come with suitable documentation that discusses the ramifications of using a non-standardized security protocol. | In summary, market support for the other encryption and authentication possibilities doesn't really exist so Net-SNMP would talk mostly with itself. The project would likely accept patches to implement some of the other forms of authentication and encryption, but the patch should come with suitable documentation that discusses the ramifications of using a non-standardized security protocol. |
Revision as of 17:44, 14 November 2007
This is a Good Answer article. It was likely created as a response to a question on a Net-SNMP Mailing List and written up here for others to see. It likely covers material not yet in the FAQ or in the Tutorial but may someday be moved there
Question
Does Net-SNMP support AES192 or AES256? Does it support anything stronger than SHA1?
Answer
AES192 and AES256 were never fully supported. At one point in the past the AES IETF document was going to standardize the 192 and 256 modes, but ended up dropping it before the final release of the RFC.
From the net-snmp point of view we started supporting AES192 and 256 [in v5.1.x] when the initial drafts started circulating. HOWEVER, Net-SNMP never supported it completely. You could not use passwords or master keys to get to the localized key because the hash algorithms (MD5 and SHA) didn't produce long enough keys and we never implemented the hash iterations required to producing the longer keys. (The internet-draft used repeated iterations to achieve the longer key lengths, but the resulting entropy was still limited, at best, to the output length of the hashing algorithm used to produce the keys).
There was an internet-draft created in the IETF to standardize 3DES encryption support, but the work was never pushed forward into the full standardization process and was later dropped. A few companies picked up that work and implemented it internally to their products. Net-SNMP does not yet support 3DES, however, as most people believe that the AES support provides sufficiently strong encryption.
In summary, market support for the other encryption and authentication possibilities doesn't really exist so Net-SNMP would talk mostly with itself. The project would likely accept patches to implement some of the other forms of authentication and encryption, but the patch should come with suitable documentation that discusses the ramifications of using a non-standardized security protocol.