Strong Authentication or Encryption

From Net-SNMP Wiki
Revision as of 19:09, 31 January 2011 by Wes (Talk | contribs) (Answer)

Jump to: navigation, search
Good Answer

This is a Good Answer article. It was likely created as a response to a question on a Net-SNMP Mailing List and written up here for others to see. It likely covers material not yet in the FAQ or in the Tutorial but may someday be moved there

Question

Does Net-SNMP support AES192 or AES256? Does it support anything stronger than SHA1?

Answer

There are actually two separate parts to this answer:

SNMPv3 with the USM Security Model

AES192 and AES256 were never fully supported. At one point in the past the AES IETF document was going to standardize the 192 and 256 modes, but ended up dropping it before the final release of the RFC.

From the net-snmp point of view we started supporting AES192 and 256 [in v5.1.x] when the initial drafts started circulating. HOWEVER, Net-SNMP never supported it completely. You could not use passwords or master keys to get to the localized key because the hash algorithms (MD5 and SHA) didn't produce long enough keys and we never implemented the hash iterations required to producing the longer keys. (The internet-draft used repeated iterations to achieve the longer key lengths, but the resulting entropy was still limited, at best, to the output length of the hashing algorithm used to produce the keys).

There was an internet-draft created in the IETF to standardize 3DES encryption support, but the work was never pushed forward into the full standardization process and was later dropped. A few companies picked up that work and implemented it internally to their products. Net-SNMP does not yet support 3DES, however, as most people believe that the AES support provides sufficiently strong encryption.

In summary, market support for the other encryption and authentication possibilities doesn't really exist so Net-SNMP would talk mostly with itself. The project would likely accept patches to implement some of the other forms of authentication and encryption, but the patch should come with suitable documentation that discusses the ramifications of using a non-standardized security protocol.

SNMPv3 using TLS and DTLS

Starting with version 5.6, Net-SNMP has the ability to tunnel SNMPv3 packets over the TLS and DTLS protocols. These protocols offer their own negotiation of security algorithms to use and thus the resulting security is dependent on that negotiation. It is possible to configure OpenSSL, which Net-SNMP relies on for the connections, to use stronger authentication and encryption algorithms than the ones that are offered by SNMPv3 with USM.

For further reading on using DTLS and TLS, see The tutorial on using TLS and DTLS