Network Working Group H. Du Internet-Draft L. Fang Intended status: Standards Track F. Zou Expires: June 1, 2015 D. Zhang D. He Huawei Technologies Co., Ltd. November 28, 2014 A New Algorithm for SNMP Key Localization draft-du-opsawg-snmp-key-localization-00 Abstract This draft discusses a security issue with the algorithm for generating SNMP localized keys and introduce a new algorithm to address this problem. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on June 1, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Du, et al. Expires June 1, 2015 [Page 1] Internet-Draft Abbreviated-Title November 2014 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Updated Algorithm . . . . . . . . . . . . . . . . . . . . . . 2 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 3 6. Normative References . . . . . . . . . . . . . . . . . . . . 3 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction In Appendix 2 of [RFC3414], the SNMP localized key is obtained by the MD5 or SHA function with user password and SnmpEngineID as inputs. The user password should be padded by repeating itself if its length is less than 64 Octects. RFC3414 warns that longer passwords with repetitive strings may result in exactly the same key. For example, a password 'bertbert' will result in exactly the same key as password 'bertbertbert'. In other words, if an SNMP key string can be expressed by repeating string S with M times, other keys that expressed by repeating S with N times are also able to access the same target device. The traditional solution to avoid this security issue is to implement an extra module to check the format of user password, such as the length of the key should be between 8 and 15 chars, it must contain capital, small letters, digits and special characters, forbid using repetitive string with length as the divisor of 64. This draft tries to tackle this issue by revising the key localization algorithm specified in Appendix 2 of [RFC3414]. 2. Updated Algorithm Instead of extending to 64 Octets, the original user password is only extended to M<64 octets. The remaining Octets are padded with the original user password length. The value of M could be various, here we recommend M=60. Du, et al. Expires June 1, 2015 [Page 2] Internet-Draft Abbreviated-Title November 2014 while (count < 1048576) { cp = password_buf; for (i = 0; i < 60; i++) { /*************************************************/ /* Take the next octet of the password, wrapping */ /* to the beginning of the password as necessary.*/ /*************************************************/ *cp++ = password[password_index++ % passwordlen]; } memcpy(cp, &passwordlen, 4); MD5Update (&MD, password_buf, 64); count += 64; } 3. IANA Considerations This document makes no request of IANA. Note to RFC Editor: this section may be removed on publication as an RFC. 4. Security Considerations 5. Acknowledgements 6. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. Authors' Addresses Huan Du Huawei Technologies Co., Ltd. Email: duhuan09@huawei.com Liang Fang Huawei Technologies Co., Ltd. Email: leon.fang@huawei.com Du, et al. Expires June 1, 2015 [Page 3] Internet-Draft Abbreviated-Title November 2014 Fengyuan Zou Huawei Technologies Co., Ltd. Email: Zou.Fengyuan@huawei.com Dacheng Zhang Huawei Technologies Co., Ltd. Email: zhangdacheng@huawei.com Danping He Huawei Technologies Co., Ltd. Email: ana.hedanping@huawei.com Du, et al. Expires June 1, 2015 [Page 4]