Implementation of the User-based Security Model (USM) for SNMPv3
SNMP USM provides SNMP message-level security according to RFC 3414 and RFC 3826. It implements primitives that can be used by a security subsystem.
Implemented features of USM:
- HMAC-MD5-96 Authentication Protocol
- HMAC-SHA-96 Authentication Protocol
- Timeliness verification
- DES encryption
- AES encryption
Authentication and Privacy
When privacy is used with authentication, the privacy key must use the same message-digest algorithm as the authentication key. As an example, if the AuthKey is constructed with a LocalizedKey specialized with the MD5 message-digest algorithm, then the PrivKey must be constructed with a LocalizedKey specialized with the MD5 message-digest algorithm.
Authentication and time synchronization
If authenticated communication is required, then the discovery process should also establish time synchronization with the authoritative SNMP engine. This may be accomplished by sending an authenticated Request message with the value of msgAuthoritativeEngineID set to the previously learned snmpEngineID and with the values of msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to zero.
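The timeliness rule behind this discovery step, as an added illustration that is not code from the snmp_usm crate (the crate performs its own check inside auth_in_msg): both sides compare msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime against their local notion of the authoritative engine's clock, using the 150-second window and the 2^31-1 boots ceiling from RFC 3414. The EngineClock struct and function names are assumptions for this example; a non-authoritative engine that starts at boots 0 / time 0 adopts the authenticated values it learns.

```rust
// Added illustration of the RFC 3414 section 3.2 timeliness check; not the
// snmp_usm crate's code. EngineClock and the two functions are assumed names.
const MAX_ENGINE_BOOTS: u32 = 2_147_483_647; // 2^31 - 1: engine must be re-initialised
const TIME_WINDOW_SECS: u32 = 150;

/// Local (receiver-side) notion of an authoritative engine's clock.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct EngineClock {
    pub boots: u32,
    pub time: u32,
    /// Highest msgAuthoritativeEngineTime accepted so far; only a
    /// non-authoritative engine tracks this.
    pub latest_received_time: u32,
}

/// Authoritative receiver (e.g. an agent): the message must carry our own
/// boots value and a time within 150 s of our clock.
pub fn authoritative_in_window(local: &EngineClock, msg_boots: u32, msg_time: u32) -> bool {
    local.boots != MAX_ENGINE_BOOTS
        && msg_boots == local.boots
        && local.time.abs_diff(msg_time) <= TIME_WINDOW_SECS
}

/// Non-authoritative receiver (e.g. a manager): first advance the stored
/// clock if the authenticated message reports newer values (this is how the
/// boots=0/time=0 discovery request gets its answer adopted), then reject
/// messages older than the window. `local` is updated in place.
pub fn non_authoritative_in_window(local: &mut EngineClock, msg_boots: u32, msg_time: u32) -> bool {
    let newer = msg_boots > local.boots
        || (msg_boots == local.boots && msg_time > local.latest_received_time);
    if newer {
        local.boots = msg_boots;
        local.time = msg_time;
        local.latest_received_time = msg_time;
    }
    local.boots != MAX_ENGINE_BOOTS
        && msg_boots >= local.boots
        && !(msg_boots == local.boots
            && msg_time.saturating_add(TIME_WINDOW_SECS) < local.latest_received_time)
}
```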
Examples
A fictional message processing subsystem is used to clarify the examples.
use snmp_usm::{
    Aes128PrivKey, AuthKey, LocalizedMd5Key, PrivKey, SecurityParams, WithLocalizedKey,
};
// Inputs provided by the fictional security subsystem (not shown here): `passwd`,
// `engine_id`, `scoped_pdu`, a mutable `security_params`, `out_msg`, `in_msg` and the
// local engine data. The `?` operator requires an enclosing function returning a Result.
// The password and engine ID are supplied by the security subsystem.
let localized_key = LocalizedMd5Key::new(&passwd, &engine_id);
let priv_key = Aes128PrivKey::with_localized_key(localized_key.clone());
// The security parameters are constructed from the local authoritative engine data.
let (encrypted_scoped_pdu, salt) = priv_key.encrypt(scoped_pdu, &security_params, 0);
// The message processing service would set the encrypted scoped PDU for the outgoing message.
// out_msg.set_encrypted_scoped_pdu(encrypted_scoped_pdu);
// The salt returned by encryption becomes msgPrivacyParameters; the authentication
// parameters are filled with a placeholder that `auth_out_msg` overwrites with the HMAC.
security_params
    .set_username(b"username")
    .set_priv_params(&salt)
    .set_auth_params_placeholder();
let encoded_security_params = security_params.encode();
// The message processing service would set the security parameters of the outgoing message and
// encode it.
// out_msg.set_security_params(&encoded_security_params);
// let out_msg = out_msg.encode();
let auth_key = AuthKey::new(localized_key);
// Authenticate the outgoing message.
auth_key.auth_out_msg(&mut out_msg)?;
// Authenticate an incoming message; the local engine data is used for the timeliness check.
auth_key.auth_in_msg(&mut in_msg, local_engine_id, local_engine_boots, local_engine_time)?;
Structs
- Aes128PrivKey: Privacy key used for AES-128 encryption.
- AuthKey: Authentication key used to check data integrity and data origin.
- Privacy key used for DES encryption.
- LocalizedKey: Localized key used to verify the identity of users, verify the integrity of messages and encrypt messages.
- The MD5 hasher.
- SecurityParams: Security parameters used by the User-based Security Model.
- Structure representing the state of a SHA-1 computation.
Enums
- The error type for security related operations.
Traits
- Convenience wrapper around the Update, BlockInput, FixedOutput, Reset, Default and Clone traits. Useful as a trait bound where a digest algorithm is needed.
- PrivKey: A trait for privacy keys.
- WithLocalizedKey: Trait implemented by types created with a localized key.
Type Definitions
- LocalizedMd5Key: Type alias for a localized key specialized with the MD5 message-digest algorithm.
- Type alias for a localized key specialized with the SHA-1 message-digest algorithm.
- Type alias for an authentication key specialized with the MD5 message-digest algorithm.
- Type alias for the result of a security operation.
- Type alias for an authentication key specialized with the SHA-1 message-digest algorithm.