Table of Contents
Advertisement
Specifications
"standard") is detected in SNMP v3. From the User-based Security Model (USM) MIB
variables, there is a support of "usmStats ..." counter. The "usmUser ..." variables will
be added with the enhancement of additional users in later firmware versions. The sys-
tem has only one context. The system accepts the context "normal" or an empty con-
text.
Authentication
The algorithms "HMAC-MD5-96" and "HMAC-SHA-96" are available for authentication.
In addition, the "HMAC-SHA-2" variants (RFC7630) "SHA-256", "SHA-384" and "SHA-
512" are implemented.
"SHA-384" and "SHA512" are calculated purely in software. If "SHA-384" or "SHA-
512" is set on the configuration page, the time for the key generation may take once up
to approx. 45 seconds.
Encryption
The methods "DES", "3DES", "AES-128", "AES-192" and "AES-256" are supported in
combination with "HMAC-MD5-96" and "HMAC-SHA-96." For the "HMAC-SHA-2" pro-
tocols, there is currently neither RFC nor draft that will allow for cooperation with an en-
cryption.
W hile in the settings "AES-192" and "AES256" the key calculation is based on
"draft-blumenthalphoto-aes-usm-04", the methods "AES 192-3DESKey" and "AES
256-3DESKey" utilize a key generation, which is also used in the "3DES" configuration
("draft-reeder-snmpv3-usm-3desede-00"). If one is not an SNMP expert, it is recom-
mended to try in each case the settings with and without "...- 3DESKey".
Passwords
The passwords for authentication and encryption are stored only as computed hashes
for security reasons. Thus it is, if at all, very difficult to infer the initial password.
However, the hash calculation changes with the set algorithms. If the authentication or
privacy algorithms are changed, the passwords must be re-entered in the configuration
dialog.
Security
The following aspects should be considered:
· If encryption or authentication is used, then SNMP v1 and v2c should be turned off.
Otherwise the device could be accessed with it.
· If only authentication is used, then the new "HMAC-SHA-2" methods are superior to
the MD5 or SHA-1 hashing algorithms. Since only SHA-256 is accelerated in hard-
ware, and SHA-384 and SHA-512 are calculated purely in software, one should nor-
mally select SHA-256. From a cryptographic point of view, the security of SHA-256 is
sufficient for today's usage.
· For SHA-1, there are a little less attack scenarios than MD5. If in doubt, SHA-1 is
preferable.
· Encryption "DES" is considered very unsafe, use only in an emergency for reasons
of compatibility!
· For cryptologists it's a debatable point whether "HMAC-MD5-96" and "HMAC-SHA-
96" can muster enough entropy for key lengths of "AES-192" or "AES-256".
· From the foregoing considerations, we would recommended at present "HMAC-
SHA-96" with "AES-128" as authentication and encryption method.
37
Advertisement
Table of Contents
