Encryption And Authentication (SNMPv3); Configuring Encryption And Authentication - Alcatel-Lucent OmniSwitch 6450 Management Manual

Using SNMP

Encryption and Authentication (SNMPv3)

Two important processes are used to verify that the message contents have not been altered and that the
source of the message is authentic. These processes are encryption and authentication.

A typical data encryption process requires an encryption algorithm on both ends of the transmission and a
secret key (like a code or a password). The sending device encrypts or "scrambles" the message by
running it through an encryption algorithm along with the key. The message is then transmitted over the
network in its encrypted state. The receiving device then takes the transmitted message and "un-scrambles"
it by running it through a decryption algorithm. The receiving device cannot un-scramble the coded
message without the key.

The switch uses the Data Encryption Standard (DES) encryption scheme in its SNMPv3 implementation.
For DES, the data is encrypted in 64-bit blocks by using a 56-bit key. The algorithm transforms a 64-bit
input into a 64-bit output. The same steps with the same key are used to reverse the encryption.

The authentication process ensures that the switch receives accurate messages from authorized sources.
Authentication is accomplished between the switch and the SNMP management station through the use of
a username and password identified via the snmp station CLI syntax. The username and password are
used by the SNMP management station along with an authentication algorithm (SHA or MD5) to compute
a hash that is transmitted in the PDU. The switch receives the PDU and computes the hash to verify that
the management station knows the password. The switch also verifies the checksum contained in the
PDU.

Authentication and encryption are combined when the PDU is first authenticated by either the SHA or
MD5 method. Then the message is encrypted using the DES encryption scheme. The encryption key is
derived from the authentication key, which is used to decrypt the PDU on the switch's side.

Configuring Encryption and Authentication

Setting Authentication for a User Account

User account names and passwords must be a minimum of 8 characters in length when authentication and
encryption are used. The following syntax sets authentication type MD5 with DES encryption for user
account "user_auth1".

-> user user_auth1 password ******** md5+des

SNMP authentication types SHA and MD5 are available with and without type DES encryption. The sha,
md5, sha+des, and md5+des keywords can be used in the command syntax.

Note. Optional. To verify the authentication and encryption type for the user, enter the show user
command. The following is a partial display.

-> show user
User name = user_auth1
Read right = 0x0000a200 0x00000000,
Write right = 0x00000000 0x00000000,
Read for domains = ,
Read for families = snmp chassis interface ,
Write for domains = None ,
Snmp authentication = MD5, Snmp encryption = DES

The user's SNMP authentication is shown as MD5 and SNMP encryption is shown as DES.

OmniSwitch 6250/6450 Switch Management Guide, June 2013, Using SNMP For Switch Security, page 3-11
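
The password-based authentication and key derivation described above, as an added example that is not part of the manual or of the switch's own code. It assumes the switch follows the standard SNMPv3 User-based Security Model (RFC 3414): the password is stretched into a key, localized to an engine ID, used for a 12-byte HMAC tag, and split into the DES key and pre-IV. The password and engine ID are the RFC 3414 test inputs, the message is a constructed stand-in, and all function names are hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 both transmit a 96-bit (12-byte) tag

def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind the key to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def sign(kul: bytes, msg: bytes, slot: int, algo: str) -> bytes:
    """msg holds 12 zero bytes at offset `slot`; return it with the tag filled in."""
    tag = hmac.new(kul, msg, algo).digest()[:TAG_LEN]
    return msg[:slot] + tag + msg[slot + TAG_LEN:]

def verify(kul: bytes, msg: bytes, slot: int, algo: str) -> bool:
    """Receiver side: zero the tag field, recompute, compare in constant time."""
    received = msg[slot:slot + TAG_LEN]
    zeroed = msg[:slot] + bytes(TAG_LEN) + msg[slot + TAG_LEN:]
    expected = hmac.new(kul, zeroed, algo).digest()[:TAG_LEN]
    return hmac.compare_digest(received, expected)

def des_key_and_pre_iv(kul: bytes) -> tuple:
    """RFC 3414 8.1.1.1: DES key = first 8 bytes, pre-IV = next 8 bytes."""
    return kul[:8], kul[8:16]

if __name__ == "__main__":
    # Constructed inputs: RFC 3414 A.3 test password and engine ID, plus a
    # stand-in byte string (not a real BER-encoded PDU) with a 12-byte tag slot.
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = localize_key(password_to_key(b"maplesyrup", "md5"), engine_id, "md5")
    msg = b"HDR" + bytes(TAG_LEN) + b"get sysDescr.0"
    signed = sign(kul, msg, 3, "md5")
    print("localized key :", kul.hex())
    print("tag verifies  :", verify(kul, signed, 3, "md5"))
    print("after tamper  :", verify(kul, signed[:-1] + b"1", 3, "md5"))
```

Pass "sha1" instead of "md5" for the SHA variant; the localized key is then 20 bytes and the tag is still truncated to 12.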

This manual is also suitable for:

OmniSwitch 6350, OmniSwitch 6250