Manualshelf

User guide

ManualsBrandsAllied Telesis ManualsComputer equipmentAT-iMG634 - R2
111112113114115116117118119120
SNMP configuration within the SNMPv3 administration framework SNMP
1-87
iMG/RG Software Reference Manual (System Configuration)
The shared secret key, which has been xored with the hexadecimal value ‘5C ’(opad),
The intermediate digest to produce the final digest.
The HMAC function is summarized by the following expression:
FIGURE 1-15 hmac expression
HMAC is used in the following manner to protect against threats to management operations:
The sender and intended recipient of the SNMPv3 message share a secret key.
When the sender constructs the outgoing message, the sender’s notion of the SNMP agent’s time is inserted
into the message, and the digest field is padded with zeros. The HMAC function is then used to compute a
digest (“fingerprint”) over the concatenation of the sender‘s notion of the shared secret key and SNMPv3
message.
The digest is then inserted into the message at the position where the padding previously had been.
The message is then sent.
When the recipient receives the message, the digest in the incoming message is saved.
The recipient inserts zeros into the incoming message at the position where the shared secret key previ-
ously had been.
In the same manner as the sender, the recipient uses HMAC to compute a digest of the incoming message
(with padding instead of a digest) and the recipient’s notion of the shared secret key.
The recipient then compares:
The digest computed over the incoming message,
The digest that was saved from the incoming message.
If the shared secret key has not been compromised
2
, and if the two digests above exactly match, then there is a
high degree of confidence
3
that the following statements about the message are true:
The message origin is authentic. That is, the user that claims to have sent the message did in fact send it.
Otherwise, the digests would have been different.
The message contents have not been altered in transit. Otherwise, the digests would have been different.
2. SNMPv3 cannot protect against the threat of compromised keys. If an unauthorized user knows a shared secret key, then
that user can masquerade as another user, modify messages in transit, and modify the message stream.
3. It is computationally infeasible to threaten a system by trying all possible keys, especially if the administration policy for
the system includes a periodic changing of the keys which are configured.