3 unstable releases

| Version | Released |
|---|---|
| 0.2.1 | Mar 16, 2023 |
| 0.2.0 | Aug 27, 2020 |
| 0.1.0 | Jul 19, 2020 |
#7 in #snmp
682 downloads per month
Used in msnmp
52KB
785 lines
Implementation of the User-based Security Model (USM) for SNMPv3
SNMP USM provides SNMP message level security according to RFC 3414 and RFC 3826. It implements primitives that can be used by a security subsystem.
Implemented features of USM:
- HMAC-MD5-96 Authentication Protocol
- HMAC-SHA-96 Authentication Protocol
- Timeliness verification
- DES encryption
- AES encryption
License
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
lib.rs:
Authentication and Privacy
When privacy is used with authentication, the privacy key must use the same message-digest algorithm as the authentication key. As an example, if the AuthKey is constructed with a LocalizedKey specialized with the MD5 message-digest algorithm, then the PrivKey must be constructed with a LocalizedKey specialized with the MD5 message-digest algorithm.
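The rule above follows from how USM keys are derived: the password is turned into a user key with one digest, that key is localized to the authoritative engine with the same digest, and both the authentication key and the privacy key are then cut from that single localized key. The following is an added example, not code from the snmp-usm crate; it carries the RFC 3414 appendix A.2.2 and A.3.2 derivation through for SHA-1 (the same applies to MD5 with a 16-byte key) using its own stand-alone SHA-1 and the RFC's "maplesyrup" test vector. The function names (`password_to_key_sha1`, `localize_sha1`, `derive_usm_keys_sha1`, `UsmKeys`) are mine and are not the crate's API.

```rust
// Added example (not part of the snmp-usm crate): RFC 3414 key derivation and
// localization with a stand-alone SHA-1, showing that the HMAC-SHA-96 auth key
// and the AES-128 privacy key both come from one localized key, so the same
// digest must be used for both.

/// Minimal SHA-1 (FIPS 180-4), included only so the example runs offline.
pub fn sha1(data: &[u8]) -> [u8; 20] {
    let mut h: [u32; 5] = [0x6745_2301, 0xEFCD_AB89, 0x98BA_DCFE, 0x1032_5476, 0xC3D2_E1F0];
    // Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit big-endian.
    let mut msg = data.to_vec();
    msg.push(0x80);
    while msg.len() % 64 != 56 {
        msg.push(0);
    }
    msg.extend_from_slice(&((data.len() as u64) * 8).to_be_bytes());
    for block in msg.chunks_exact(64) {
        let mut w = [0u32; 80];
        for (i, word) in block.chunks_exact(4).enumerate() {
            w[i] = u32::from_be_bytes([word[0], word[1], word[2], word[3]]);
        }
        for i in 16..80 {
            w[i] = (w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]).rotate_left(1);
        }
        let [mut a, mut b, mut c, mut d, mut e] = h;
        for (i, &wi) in w.iter().enumerate() {
            let (f, k) = match i {
                0..=19 => ((b & c) | (!b & d), 0x5A82_7999u32),
                20..=39 => (b ^ c ^ d, 0x6ED9_EBA1),
                40..=59 => ((b & c) | (b & d) | (c & d), 0x8F1B_BCDC),
                _ => (b ^ c ^ d, 0xCA62_C1D6),
            };
            let t = a.rotate_left(5).wrapping_add(f).wrapping_add(e).wrapping_add(k).wrapping_add(wi);
            e = d;
            d = c;
            c = b.rotate_left(30);
            b = a;
            a = t;
        }
        for (hv, v) in h.iter_mut().zip([a, b, c, d, e]) {
            *hv = hv.wrapping_add(v);
        }
    }
    let mut out = [0u8; 20];
    for (i, v) in h.iter().enumerate() {
        out[4 * i..4 * i + 4].copy_from_slice(&v.to_be_bytes());
    }
    out
}

/// RFC 3414 A.2.2: the user key is the digest of the password repeated to 1 MiB.
pub fn password_to_key_sha1(password: &[u8]) -> [u8; 20] {
    assert!(!password.is_empty(), "password must not be empty");
    let buf: Vec<u8> = password.iter().cycle().take(1_048_576).copied().collect();
    sha1(&buf)
}

/// RFC 3414 section 2.6: bind the user key to one engine as H(Ku || engineID || Ku).
pub fn localize_sha1(user_key: &[u8; 20], engine_id: &[u8]) -> [u8; 20] {
    let mut input = Vec::with_capacity(40 + engine_id.len());
    input.extend_from_slice(user_key);
    input.extend_from_slice(engine_id);
    input.extend_from_slice(user_key);
    sha1(&input)
}

/// Keys cut from one localized SHA-1 key: HMAC-SHA-96 uses all 20 bytes, the
/// AES-128 privacy key is the first 16 bytes (RFC 3826 section 3.1.2.1).
pub struct UsmKeys {
    pub auth_key: [u8; 20],
    pub aes128_priv_key: [u8; 16],
}

pub fn derive_usm_keys_sha1(password: &[u8], engine_id: &[u8]) -> UsmKeys {
    let localized = localize_sha1(&password_to_key_sha1(password), engine_id);
    let mut aes = [0u8; 16];
    aes.copy_from_slice(&localized[..16]);
    UsmKeys { auth_key: localized, aes128_priv_key: aes }
}

pub fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    // Password and engine ID from the RFC 3414 appendix A.3.2 test vector.
    let engine_id = [0u8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2];
    let keys = derive_usm_keys_sha1(b"maplesyrup", &engine_id);
    println!("auth key (HMAC-SHA-96): {}", hex(&keys.auth_key));
    println!("AES-128 privacy key:    {}", hex(&keys.aes128_priv_key));
}
```

Because the privacy key is a prefix of the localized authentication key, mixing digests (an MD5-localized key for privacy beside a SHA-1 auth key) would give the two sides different key material even from the same password, which is the failure the passage above warns about.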
Authentication and time synchronization
If authenticated communication is required, then the discovery process should also establish time synchronization with the authoritative SNMP engine. This may be accomplished by sending an authenticated Request message with the value of msgAuthoritativeEngineID set to the previously learned snmpEngineID and with the values of msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to zero.
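The zero boots/time in that first request are rejected by the authoritative engine's timeliness check, and its authenticated answer carries the real msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime, which the non-authoritative engine then caches for that snmpEngineID. The following is an added example, not code from the snmp-usm crate: it implements the RFC 3414 section 3.2 step 7 timeliness rules for both sides and the per-engine cache, and runs the discovery exchange just described with constructed values. The types and function names (`EngineTime`, `RemoteEngineCache`, `TimeSync`, `check_authoritative`, `check_non_authoritative`) are mine, not the crate's API, and the local clock is not advanced between calls.

```rust
// Added example, not part of the snmp-usm crate: RFC 3414 section 3.2 step 7
// timeliness rules and the cache a non-authoritative engine fills from its first
// authenticated exchange. Clock values below are constructed.
use std::collections::HashMap;

/// snmpEngineBoots value at which RFC 3414 treats every message as untrusted.
const MAX_ENGINE_BOOTS: u32 = 0x7FFF_FFFF; // 2^31 - 1
/// Allowed skew between the two engines, in seconds.
const TIME_WINDOW: u32 = 150;

/// msgAuthoritativeEngineBoots / msgAuthoritativeEngineTime as carried in a message.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct EngineTime {
    pub boots: u32,
    pub time: u32,
}

/// What a non-authoritative engine remembers about one authoritative engine.
#[derive(Debug, Clone, Copy, Default)]
pub struct RemoteEngineCache {
    pub engine_boots: u32,
    pub engine_time: u32,
    /// Highest msgAuthoritativeEngineTime seen for the current boots value.
    pub latest_received_time: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Timeliness {
    InWindow,
    NotInTimeWindow,
}

/// Authoritative side (step 7b): boots must match ours, time within 150 s.
pub fn check_authoritative(local: EngineTime, msg: EngineTime) -> Timeliness {
    if local.boots == MAX_ENGINE_BOOTS
        || msg.boots != local.boots
        || msg.time.abs_diff(local.time) > TIME_WINDOW
    {
        Timeliness::NotInTimeWindow
    } else {
        Timeliness::InWindow
    }
}

/// Non-authoritative side (step 7a), to be called only on authenticated messages:
/// advance the cache from the message, then judge the message against it.
pub fn check_non_authoritative(cache: &mut RemoteEngineCache, msg: EngineTime) -> Timeliness {
    if msg.boots > cache.engine_boots
        || (msg.boots == cache.engine_boots && msg.time > cache.latest_received_time)
    {
        cache.engine_boots = msg.boots;
        cache.engine_time = msg.time;
        cache.latest_received_time = msg.time;
    }
    if cache.engine_boots == MAX_ENGINE_BOOTS
        || msg.boots < cache.engine_boots
        || (msg.boots == cache.engine_boots
            && msg.time.saturating_add(TIME_WINDOW) < cache.engine_time)
    {
        Timeliness::NotInTimeWindow
    } else {
        Timeliness::InWindow
    }
}

/// Time-synchronization state of a non-authoritative engine, keyed by snmpEngineID.
#[derive(Default)]
pub struct TimeSync {
    engines: HashMap<Vec<u8>, RemoteEngineCache>,
}

impl TimeSync {
    /// Boots/time for the next authenticated request to `engine_id`: zeros until
    /// an authenticated reply has supplied the real values.
    pub fn outgoing_time(&self, engine_id: &[u8]) -> EngineTime {
        match self.engines.get(engine_id) {
            Some(c) => EngineTime { boots: c.engine_boots, time: c.engine_time },
            None => EngineTime { boots: 0, time: 0 },
        }
    }

    /// Learn from an authenticated reply sent by `engine_id`.
    pub fn on_authenticated_reply(&mut self, engine_id: &[u8], msg: EngineTime) -> Timeliness {
        let cache = self.engines.entry(engine_id.to_vec()).or_default();
        check_non_authoritative(cache, msg)
    }
}

fn main() {
    let engine_id: &[u8] = b"\x80\x00\x1f\x88\x04agent-1"; // constructed
    let agent_clock = EngineTime { boots: 5, time: 1000 };
    let mut sync = TimeSync::default();
    // The first authenticated request carries zeros; the agent rejects it as out
    // of its time window and answers with its own boots/time, which we cache.
    let first = sync.outgoing_time(engine_id);
    println!("agent sees first request: {:?}", check_authoritative(agent_clock, first));
    println!("manager caches reply: {:?}", sync.on_authenticated_reply(engine_id, agent_clock));
    println!("next request carries {:?}", sync.outgoing_time(engine_id));
}
```

The non-authoritative check deliberately updates the cache before judging the message, as the RFC orders it, so a genuine reboot of the agent (higher boots) is learned immediately while a replayed message from an earlier boot, or one more than 150 s behind the cached time, is reported as not in the time window.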
Examples
A fictional message processing subsystem is used to clarify the examples.
```rust
use snmp_usm::{
    Aes128PrivKey, AuthKey, LocalizedMd5Key, PrivKey, SecurityParams, WithLocalizedKey,
};

// `passwd`, `engine_id`, `scoped_pdu`, `security_params` (a `SecurityParams` built from the
// local authoritative engine data) and the `out_msg`/`in_msg` messages come from the
// surrounding subsystems; the `?` operators require an enclosing function returning `Result`.

// The password and engine ID are supplied by the security subsystem.
let localized_key = LocalizedMd5Key::new(&passwd, &engine_id);
// The privacy key is built from the same MD5 localized key as the authentication key below.
let priv_key = Aes128PrivKey::with_localized_key(localized_key.clone());
// The security parameters are constructed from the local authoritative engine data.
let (encrypted_scoped_pdu, salt) = priv_key.encrypt(scoped_pdu, &security_params, 0);
// The message processing service would set the encrypted scoped PDU for the outgoing message.
// out_msg.set_encrypted_scoped_pdu(encrypted_scoped_pdu);
// The salt returned by encryption becomes msgPrivacyParameters; the authentication
// parameters are zero-filled for now and overwritten by `auth_out_msg` below.
security_params
    .set_username(b"username")
    .set_priv_params(&salt)
    .set_auth_params_placeholder();
let encoded_security_params = security_params.encode();
// The message processing service would set the security parameters of the outgoing message and
// encode it.
// out_msg.set_security_params(&encoded_security_params);
// let out_msg = out_msg.encode();
let auth_key = AuthKey::new(localized_key);
// Authenticate the outgoing message.
auth_key.auth_out_msg(&mut out_msg)?;
// Authenticate an incoming message, which also performs the timeliness verification
// against the local engine ID, boots and time.
auth_key.auth_in_msg(&mut in_msg, local_engine_id, local_engine_boots, local_engine_time)?;
```
Dependencies
~1.5MB
~26K SLoC