snmp_usm

Implementation of the User-based Security Model (USM) for Simple Network Management Protocol (SNMP) version 3

3 unstable releases

0.2.1 Mar 16, 2023
0.2.0 Aug 27, 2020
0.1.0 Jul 19, 2020

Used in msnmp

MIT/Apache

Implementation of the User-based Security Model (USM) for SNMPv3

SNMP USM provides SNMP message-level security according to RFC 3414 and RFC 3826. It implements primitives that can be used by a security subsystem.

Implemented features of USM:

  • HMAC-MD5-96 Authentication Protocol
  • HMAC-SHA-96 Authentication Protocol
  • Timeliness verification
  • DES encryption
  • AES encryption

License

Licensed under either of

  • Apache License, Version 2.0
  • MIT license

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


lib.rs:

Authentication and Privacy

When privacy is used with authentication, the privacy key must use the same message-digest algorithm as the authentication key. As an example, if the AuthKey is constructed with a LocalizedKey specialized with the MD5 message-digest algorithm, then the PrivKey must be constructed with a LocalizedKey specialized with the MD5 message-digest algorithm.

Authentication and time synchronization

If authenticated communication is required, then the discovery process should also establish time synchronization with the authoritative SNMP engine. This may be accomplished by sending an authenticated Request message with the value of msgAuthoritativeEngineID set to the previously learned snmpEngineID and with the values of msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to zero.
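The timeliness verification listed among the implemented features, and the synchronization exchange just described, as an added Rust illustration that is not the snmp_usm crate's own code. The rules come from RFC 3414: the authoritative engine compares msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime with its own snmpEngineBoots and snmpEngineTime, a non-authoritative engine compares them with the latest values it has recorded for that remote engine, the window is 150 seconds and boots may never reach 2147483647. The authoritative engine answers the zeroed probe with a Report PDU carrying its current boots and time, which the synchronize() function below models; both checks run only after the HMAC has verified, which the example assumes. The type and function names are my own, and the sample clock values are constructed.

```rust
// Added illustration of RFC 3414 timeliness checking (section 3.2 step 7)
// and the discovery exchange (section 4). Not code from the snmp_usm crate.

/// Highest legal value of snmpEngineBoots; once reached, the engine must
/// refuse all authenticated messages until it is reconfigured (RFC 3414).
pub const MAX_ENGINE_BOOTS: u32 = 2_147_483_647;
/// Width of the time window in seconds (RFC 3414).
pub const TIME_WINDOW: u32 = 150;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Timeliness {
    InWindow,
    NotInTimeWindow,
}

/// snmpEngineBoots / snmpEngineTime of an engine's own clock.
#[derive(Debug, Clone, Copy)]
pub struct EngineClock {
    pub boots: u32,
    pub time: u32,
}

/// A non-authoritative engine's notion of a remote engine's clock
/// (latestReceivedEngineBoots / latestReceivedEngineTime in its LCD).
#[derive(Debug, Clone, Copy, Default)]
pub struct RemoteClock {
    pub boots: u32,
    pub time: u32,
}

/// Check performed by the authoritative engine on a received message.
/// Runs only after the HMAC has verified (step 6 precedes step 7).
pub fn check_authoritative(local: EngineClock, msg_boots: u32, msg_time: u32) -> Timeliness {
    if local.boots == MAX_ENGINE_BOOTS || msg_boots != local.boots {
        return Timeliness::NotInTimeWindow;
    }
    // Widen to i64 so the difference cannot overflow for any u32 pair.
    let drift = (i64::from(msg_time) - i64::from(local.time)).abs();
    if drift > i64::from(TIME_WINDOW) {
        Timeliness::NotInTimeWindow
    } else {
        Timeliness::InWindow
    }
}

/// Check performed by a non-authoritative engine on an authenticated message
/// from the authoritative engine. The recorded clock advances only from
/// messages whose HMAC already verified, so an unauthenticated sender cannot
/// move it; a message older than the recorded clock minus the window is stale.
pub fn check_non_authoritative(remote: &mut RemoteClock, msg_boots: u32, msg_time: u32) -> Timeliness {
    if msg_boots > remote.boots || (msg_boots == remote.boots && msg_time > remote.time) {
        remote.boots = msg_boots;
        remote.time = msg_time;
    }
    let stale = i64::from(msg_time) < i64::from(remote.time) - i64::from(TIME_WINDOW);
    if remote.boots == MAX_ENGINE_BOOTS || msg_boots < remote.boots || (msg_boots == remote.boots && stale) {
        Timeliness::NotInTimeWindow
    } else {
        Timeliness::InWindow
    }
}

/// The synchronization exchange from the text: a first authenticated request
/// with boots = 0 and time = 0, answered by a Report carrying the authoritative
/// engine's clock, followed by a request that carries the learned values.
/// Returns the authoritative engine's verdict on the probe and on the retry.
pub fn synchronize(authoritative: EngineClock, remote: &mut RemoteClock) -> (Timeliness, Timeliness) {
    let probe = check_authoritative(authoritative, 0, 0);
    // The Report is authenticated with the same key, so its clock may be recorded.
    check_non_authoritative(remote, authoritative.boots, authoritative.time);
    let retry = check_authoritative(authoritative, remote.boots, remote.time);
    (probe, retry)
}

fn main() {
    // Constructed sample: the agent has rebooted 7 times and has been up for
    // 3000 seconds; the manager knows nothing about it yet.
    let agent = EngineClock { boots: 7, time: 3000 };
    let mut lcd = RemoteClock::default();
    let (probe, retry) = synchronize(agent, &mut lcd);
    println!("probe: {:?}, after sync: {:?}, recorded clock: {:?}", probe, retry, lcd);
    // A replayed message carrying an older time is rejected once the clock is known.
    println!("replay: {:?}", check_non_authoritative(&mut lcd, 7, 2000));
}
```

The probe is rejected because its boots value (0) does not match the agent's, the Report teaches the manager the agent's clock, and the retry falls inside the window; a captured message re-sent later than 150 seconds after the recorded time, or from an earlier boot cycle, fails the non-authoritative check.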

Examples

A fictional message processing subsystem is used to clarify the examples.

```rust
use snmp_usm::{
    Aes128PrivKey, AuthKey, LocalizedMd5Key, PrivKey, SecurityParams, WithLocalizedKey
};

// `passwd`, `engine_id`, `scoped_pdu`, `security_params`, `out_msg`, `in_msg` and the
// `local_engine_*` values are provided by the fictional message processing subsystem and
// are not defined in this example; the `?` operators need an enclosing function that
// returns a `Result`.

// The password and engine ID are supplied by the security subsystem.
let localized_key = LocalizedMd5Key::new(&passwd, &engine_id);

// The privacy key is derived from the same MD5-localized key as the authentication key
// below, as required when privacy is combined with authentication.
let priv_key = Aes128PrivKey::with_localized_key(localized_key.clone());
// The security parameters are constructed from the local authoritative engine data.
let (encrypted_scoped_pdu, salt) = priv_key.encrypt(scoped_pdu, &security_params, 0);

// The message processing service would set the encrypted scoped PDU for the outgoing message.
// out_msg.set_encrypted_scoped_pdu(encrypted_scoped_pdu);

// The salt returned by `encrypt` becomes the privacy parameters; the placeholder reserves
// the space for the authentication parameters that `auth_out_msg` fills in later.
security_params
    .set_username(b"username")
    .set_priv_params(&salt)
    .set_auth_params_placeholder();
let encoded_security_params = security_params.encode();

// The message processing service would set the security parameters of the outgoing message and
// encode it.
// out_msg.set_security_params(&encoded_security_params);
// let out_msg = out_msg.encode();

let auth_key = AuthKey::new(localized_key);

// Authenticate the outgoing message: compute the HMAC over the encoded message and write it
// into the placeholder.
auth_key.auth_out_msg(&mut out_msg)?;

// Authenticate an incoming message: verify its HMAC and check its timeliness against the
// local engine's ID, boots and time.
auth_key.auth_in_msg(&mut in_msg, local_engine_id, local_engine_boots, local_engine_time)?;
```
