
MIB Smithy


USM Key Management

Converting Password to Unlocalized Key

Syntax:

% snmpcmd usm passToKey ?option value ...? password

Where:

snmpcmd
is the name of an SNMP session;
option value
are zero or more option+value pairs that may be specified to override session configuration parameters; and
password
is the password to be converted.

Returns:

  • The unlocalized key generated from the password using the configured or specified authentication protocol.

Options

-authproto protocol
Specifies the authentication protocol (HMAC-MD5-96 or HMAC-SHA-96) to use in generating the key. If unspecified, the configured authentication protocol for the session is used.

Example

% set key [snmplib usm passToKey -authproto HMAC-MD5-96 maplesyrup]
% smilib format "OCTET STRING" $key
9f:af:32:83:88:4e:92:83:4e:bc:98:47:d8:ed:d9:63

Converting Password to Localized Key

Syntax:

% snmpcmd usm passToLocKey ?option value ...? password

Where:

snmpcmd
is the name of an SNMP session;
option value
are zero or more option+value pairs that may be specified to override session configuration parameters; and
password
is the password to be converted.

Returns:

  • The localized key generated from the password using the configured or specified authentication protocol and Engine ID. Note that the key returned is the full-length key appropriate to the authentication protocol, which may be longer than required for the privacy protocol (e.g. 20 octets versus 16 in the case of HMAC-SHA-96 and DES/CBC).

Options

-authproto protocol
Specifies the authentication protocol (HMAC-MD5-96 or HMAC-SHA-96) to use in generating the key. If unspecified, the configured authentication protocol for the session is used.
-engineid string
Specifies the Engine ID to use for localizing the generated key. If unspecified, the known Engine ID for the configured remote engine for the session is used.

Example

% set key [snmplib usm passToLocKey -authproto HMAC-MD5-96 -engineid \
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
        maplesyrup]
% smilib format "OCTET STRING" $key
52:6f:5e:ed:9f:cc:e2:6f:89:64:c2:93:07:87:d8:2b

Localizing Keys

Syntax:

% snmpcmd usm localizeKey ?option value ...? key

Where:

snmpcmd
is the name of an SNMP session;
option value
are zero or more option+value pairs that may be specified to override session configuration parameters; and
key
is the key to be localized.

Returns:

  • The localized key generated from the unlocalized key using the configured or specified authentication protocol and Engine ID. Note that the key returned is the full-length key appropriate to the authentication protocol, which may be longer than required for the privacy protocol (e.g. 20 octets versus 16 in the case of HMAC-SHA-96 and DES/CBC).

Options

-authproto protocol
Specifies the authentication protocol (HMAC-MD5-96 or HMAC-SHA-96) to use in generating the key. If unspecified, the configured authentication protocol for the session is used.
-engineid string
Specifies the Engine ID to use for localizing the generated key. If unspecified, the known Engine ID for the configured remote engine for the session is used.

Example

% set key [snmplib usm localizeKey -authproto HMAC-MD5-96 -engineid \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
    "\x9f\xaf\x32\x83\x88\x4e\x92\x83\x4e\xbc\x98\x47\xd8\xed\xd9\x63"]
% smilib format "OCTET STRING" $key
52:6f:5e:ed:9f:cc:e2:6f:89:64:c2:93:07:87:d8:2b
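
The RFC 3414 (Appendix A.2) password-to-key and localization algorithm, written out in Python as an added example; it is not MIB Smithy code, but it reproduces the key values shown in the three examples above. The function names are hypothetical stand-ins for passToKey, localizeKey and passToLocKey, and privacy_key illustrates the truncation mentioned in the note about full-length keys.

```python
import hashlib

STRETCH_OCTETS = 1048576  # RFC 3414 A.2: the digest input is 1 MiB of repeated password


def pass_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Unlocalized key Ku: hash the password repeated out to 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps = STRETCH_OCTETS // len(password) + 1
    return hashlib.new(algo, (password * reps)[:STRETCH_OCTETS]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku), so each engine holds a different key."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def pass_to_loc_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Both steps in one call: password -> Ku -> Kul."""
    return localize_key(pass_to_key(password, algo), engine_id, algo)


def privacy_key(kul: bytes, length: int = 16) -> bytes:
    """DES/CBC and AES128/CFB use only the first 16 octets of the localized key."""
    if len(kul) < length:
        raise ValueError("localized key is shorter than the privacy key length")
    return kul[:length]


# Password and Engine ID copied from the page's examples.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    ku = pass_to_key(PASSWORD, "md5")
    print("Ku  (MD5):", ku.hex(":"))
    print("Kul (MD5):", localize_key(ku, ENGINE_ID, "md5").hex(":"))
    kul_sha = pass_to_loc_key(PASSWORD, ENGINE_ID, "sha1")
    print("Kul (SHA):", kul_sha.hex(":"), "(20 octets)")
    print("DES key  :", privacy_key(kul_sha).hex(":"), "(16 octets)")
```

Pass "md5" for HMAC-MD5-96 and "sha1" for HMAC-SHA-96; the hash choice is the only difference between the two protocols at this stage.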

Encoding/Decoding Authentication KeyChange Values

Syntax:

% snmpcmd usm authKeyChange ?option value ...? old new

Where:

snmpcmd
is the name of an SNMP session;
option value
are zero or more option+value pairs that may be specified to override session configuration parameters;
old
is the old key; and
new
is the new key (or KeyChange value).

Returns:

  • For encoding, the KeyChange value that can be issued in an SNMP set operation to usmUserAuthKeyChange or usmUserOwnAuthKeyChange to change the key from old to new.
  • For decoding, the new key that results from reversing the supplied new KeyChange value using the old key.

Options

-authproto protocol
Specifies the authentication protocol (HMAC-MD5-96 or HMAC-SHA-96) to use in generating the KeyChange value. If unspecified, the configured authentication protocol for the session is used.
-direction dir
May be either encode, to specify that the old and new parameters are the old and new keys from which to generate a KeyChange value; or decode, to specify that the old and new parameters are the old key and the KeyChange value from which to recover the new key. Default: encode
-salt string
By default, the random component of the KeyChange value is generated by the SDK. This option may be used to specify the random component for the purpose of testing or of using an alternate source of random data. This option is ignored when decoding.

Example

% set kc [snmplib usm authKeyChange -authproto HMAC-MD5-96 \
    "\x52\x6f\x5e\xed\x9f\xcc\xe2\x6f\x89\x64\xc2\x93\x07\x87\xd8\x2b" \
    "\x87\x02\x1d\x7b\xd9\xd1\x01\xba\x05\xea\x6e\x3b\xf9\xd9\xbd\x4a"]
% smilib format KeyChange $kc
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:88:05:61:51:41:67:6c:c9:19:
61:74:e7:42:a3:25:51

Encoding/Decoding Privacy KeyChange Values

Syntax:

% snmpcmd usm privKeyChange ?option value ...? old new

Where:

snmpcmd
is the name of an SNMP session;
option value
are zero or more option+value pairs that may be specified to override session configuration parameters;
old
is the old key; and
new
is the new key (or KeyChange value).

Returns:

  • For encoding, the KeyChange value that can be issued in an SNMP set operation to usmUserPrivKeyChange or usmUserOwnPrivKeyChange to change the key from old to new.
  • For decoding, the new key that results from reversing the supplied new KeyChange value using the old key.

Options

-authproto protocol
Specifies the authentication protocol (HMAC-MD5-96 or HMAC-SHA-96) to use in generating the KeyChange value. If unspecified, the configured authentication protocol for the session is used.
-direction dir
May be either encode, to specify that the old and new parameters are the old and new keys from which to generate a KeyChange value; or decode, to specify that the old and new parameters are the old key and the KeyChange value from which to recover the new key. Default: encode
-privproto protocol
Specifies the privacy protocol to use in generating the KeyChange value. If unspecified, the configured authentication protocol for the session is used. At present, DES/CBC and AES128/CFB are supported.
-salt string
By default, the random component of the KeyChange value is generated by the SDK. This option may be used to specify the random component for the purpose of testing or of using an alternate source of random data. This option is ignored when decoding.

Example

% set kc [snmplib usm privKeyChange -authproto HMAC-SHA-96 \
    "\x66\x95\xfe\xbc\x92\x88\xe3\x62\x82\x23\x5f\xc7\x15\x1f\x12\x84\x97\xb3\x8f\x3f" \
    "\x78\xe2\xdc\xce\x79\xd5\x94\x03\xb5\x8c\x1b\xba\xa5\xbf\xf4\x63\x91\xf1\xcd\x25"]
% smilib format KeyChange $kc
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:7e:f8:d8:a4:c9:cd:b2:6b:47:
59:1c:d8:52:ff:88:b5
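
The KeyChange encoding and decoding defined by the RFC 3414 KeyChange textual convention, as an added Python example that is not MIB Smithy code; the function names are hypothetical. Both example outputs above begin with 16 zero octets, which is the random component, so the block reproduces them by passing a fixed all-zero salt; without a salt it draws the random component from os.urandom.

```python
import hashlib
import os


def _keystream(old: bytes, random: bytes, n: int, algo: str) -> bytes:
    """Chain temp = H(temp || random), starting from temp = old, until n octets exist."""
    out, temp = b"", old
    while len(out) < n:
        temp = hashlib.new(algo, temp + random).digest()
        out += temp
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keychange_encode(old: bytes, new: bytes, algo: str = "md5", salt=None) -> bytes:
    """KeyChange value = random || (keystream XOR new)."""
    if len(old) != len(new):
        raise ValueError("old and new keys must have the same length")
    random = os.urandom(len(new)) if salt is None else salt
    if len(random) != len(new):
        raise ValueError("salt must be as long as the key")
    return random + _xor(_keystream(old, random, len(new), algo), new)


def keychange_decode(old: bytes, value: bytes, algo: str = "md5") -> bytes:
    """Recover the new key from a KeyChange value using the old key."""
    if len(value) != 2 * len(old):
        raise ValueError("KeyChange value must be twice the key length")
    random, delta = value[:len(old)], value[len(old):]
    return _xor(_keystream(old, random, len(old), algo), delta)


# Keys copied from the page's examples; the all-zero salt is a test value only.
OLD_MD5 = bytes.fromhex("526f5eed9fcce26f8964c2930787d82b")
NEW_MD5 = bytes.fromhex("87021d7bd9d101ba05ea6e3bf9d9bd4a")
OLD_SHA = bytes.fromhex("6695febc9288e36282235fc7151f128497b38f3f")
NEW_SHA = bytes.fromhex("78e2dcce79d59403b58c1bbaa5bff46391f1cd25")

if __name__ == "__main__":
    print(keychange_encode(OLD_MD5, NEW_MD5, "md5", salt=bytes(16)).hex(":"))
    # The 16-octet privacy keys are the first 16 octets of the 20-octet SHA keys.
    priv = keychange_encode(OLD_SHA[:16], NEW_SHA[:16], "sha1", salt=bytes(16))
    print(priv.hex(":"))
    print(keychange_decode(OLD_SHA[:16], priv, "sha1") == NEW_SHA[:16])
```

Anyone who knows the old key can decode a captured KeyChange value into the new key, so a key change protects the new key only as long as the old one is still secret.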