| Description | The manager's Diffie-Hellman public value for this row. Note
that this value is not set via the SNMP agent, but may be set via
some out of band method, such as the device's configuration file.
The manager calculates this value in the same manner and using the
same parameter set as the agent does. E.g. it selects a random
number 'r', calculates y = g^r mod p and provides 'y' as the
public number expressed as an OCTET STRING. See
usmDHKickstartMyPublic for details.
When this object is set with a valid value during initialization,
a row is created in the usmUserTable with the following values:
usmUserEngineID localEngineID
usmUserName [value of usmDHKickstartSecurityName]
usmUserSecurityName [value of usmDHKickstartSecurityName]
usmUserCloneFrom ZeroDotZero
usmUserAuthProtocol usmHMACMD5AuthProtocol
usmUserAuthKeyChange -- derived from set value
usmUserOwnAuthKeyChange -- derived from set value
usmUserPrivProtocol usmDESPrivProtocol
usmUserPrivKeyChange -- derived from set value
usmUserOwnPrivKeyChange -- derived from set value
usmUserPublic ''
usmUserStorageType permanent
usmUserStatus active
A shared secret 'sk' is calculated at the agent as sk =
mgrPublic^r mod p where r is the agents random number and p is the
DH prime from the common parameters. The underlying privacy key
for this row is derived from sk by applying the key derivation
function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6,
and iterationCount of 500, a keyLength of 16 (for
usmDESPrivProtocol), and a prf (pseudo random function) of
'id-hmacWithSHA1'. The underlying authentication key for this row
is derived from sk by applying the key derivation function PBKDF2
with a salt of 0x98dfb5ac , an interation count of 500, a
keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of
'id-hmacWithSHA1'. Note: The salts are the first two words in the
ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied
Cryptography' by Bruce Schnier - they could be any relatively
random string of bits.
The manager can use its knowledge of its own random number and the
agent's public value to kickstart its access to the agent in a
secure manner. Note that the security of this approach is
directly related to the strength of the authorization security of
the out of band provisioning of the managers public value
(e.g. the configuration file), but is not dependent at all on the
strength of the confidentiality of the out of band provisioning
data. |