Wiki source code of How-to configure nonstandard AES 192/256 for a SNMPv3 user?
Last modified by Frank Fock on 2024/05/25 20:22
{{success}}
**Avoid compatibility problems by choosing the right authentication protocol**

Different key extension algorithms cause compatibility issues with the AES protocols that use keys longer than 128 bits. AES-192 and AES-256 need 24 and 32 byte privacy keys, but the localized key derived with SHA-1 is only 20 bytes long, so it has to be extended, and implementations that extend it differently end up with different keys. To avoid this, and to get the best security, choose an authentication protocol whose key is long enough that no key extension is needed at all.

That leads to the simple rule:

**For AES256 use at least SHA256!**
{{/success}}

Some devices* and SNMP tools use an AES key extension algorithm implementation for 192 and 256 bit key lengths that is not the one specified in the IETF draft [[draft-blumenthal-aes-usm-04>>url:http://tools.ietf.org/html/draft-blumenthal-aes-usm-04]]. Instead, those implementations use the key extension algorithm specified by [[draft-reeder-snmpv3-usm-3desede-00>>url:http://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00]]. To use the latter, non-standard protocol, follow the steps below:

1. Use SNMP4J 2.2.3 or later.
1. (((
Add the nonstandard privacy protocol to the SecurityProtocols instance with

{{code}}
import org.snmp4j.security.SecurityProtocols;
import org.snmp4j.security.nonstandard.PrivAES256With3DESKeyExtension;

// Register the non-standard AES-256 variant (3DES-style key extension) in addition to the default protocols.
SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES256With3DESKeyExtension());
{{/code}}
)))
1. (((
Specify the nonstandard privacy protocol for the SNMPv3 user that should use it:

{{code}}
import org.snmp4j.security.AuthSHA;
import org.snmp4j.security.UsmUser;
import org.snmp4j.security.nonstandard.PrivAES256With3DESKeyExtension;
import org.snmp4j.smi.OctetString;

UsmUser user = new UsmUser(new OctetString("SHAAES256"),
    AuthSHA.ID,
    new OctetString("SHAAES256AuthPassword"),
    // Use the following privacy protocol if you want to use AES 256 with 3DES-like key extension for this user:
    PrivAES256With3DESKeyExtension.ID,
    // Use the following privacy protocol for standards-conforming AES 256 privacy instead:
    // PrivAES256.ID,
    new OctetString("SHAAES256PrivPassword"));
{{/code}}
)))

//Note: Standard and non-standard protocols cannot be used for the same SNMPv3 security name concurrently when using USM; you can use them in a command generator with DirectUserTarget.//

//* SNMP4J users reported that there are Cisco devices using the 3DES key extension also for AES.//
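As an added example (not code from the original page or from SNMP4J itself), the steps above and the note about distinct security names combined into one USM setup: one user follows the rule (SHA-256 with standard AES-256, no key extension needed) and a second user, under a different security name, uses the 3DES-style key extension. It assumes SNMP4J 2.5 or later (which provides AuthHMAC192SHA256); the security names, passphrases and agent address are constructed placeholders.

```java
import org.snmp4j.UserTarget;
import org.snmp4j.mp.MPv3;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.security.AuthHMAC192SHA256;
import org.snmp4j.security.AuthSHA;
import org.snmp4j.security.PrivAES256;
import org.snmp4j.security.SecurityLevel;
import org.snmp4j.security.SecurityModels;
import org.snmp4j.security.SecurityProtocols;
import org.snmp4j.security.USM;
import org.snmp4j.security.UsmUser;
import org.snmp4j.security.nonstandard.PrivAES256With3DESKeyExtension;
import org.snmp4j.smi.GenericAddress;
import org.snmp4j.smi.OctetString;

public class Aes256UsmSetup {

    /** Builds a USM with one standards-conforming AES-256 user and one user for the 3DES-style key extension. */
    static USM buildUsm() {
        SecurityProtocols protocols = SecurityProtocols.getInstance();
        protocols.addDefaultProtocols();
        // SHA-256 yields a 32-byte localized key, so AES-256 needs no key extension at all.
        protocols.addAuthenticationProtocol(new AuthHMAC192SHA256());
        // The non-standard AES-256 variant is registered next to the standard PrivAES256; both stay available.
        protocols.addPrivacyProtocol(new PrivAES256With3DESKeyExtension());
        USM usm = new USM(protocols, new OctetString(MPv3.createLocalEngineID()), 0);
        // Two different security names: one name cannot use both variants concurrently in USM.
        usm.addUser(new OctetString("sha256aes256"), new UsmUser(new OctetString("sha256aes256"),
                AuthHMAC192SHA256.ID, new OctetString("constructed-auth-pass-1"),
                PrivAES256.ID, new OctetString("constructed-priv-pass-1")));
        usm.addUser(new OctetString("shaaes256cisco"), new UsmUser(new OctetString("shaaes256cisco"),
                AuthSHA.ID, new OctetString("constructed-auth-pass-2"),
                PrivAES256With3DESKeyExtension.ID, new OctetString("constructed-priv-pass-2")));
        SecurityModels.getInstance().addSecurityModel(usm);
        return usm;
    }

    /** authPriv target for a security name; the USM applies the protocols that user was created with. */
    static UserTarget authPrivTarget(String securityName, String udpAddress) {
        UserTarget target = new UserTarget();
        target.setVersion(SnmpConstants.version3);
        target.setSecurityLevel(SecurityLevel.AUTH_PRIV);
        target.setSecurityName(new OctetString(securityName));
        target.setAddress(GenericAddress.parse(udpAddress)); // e.g. "udp:127.0.0.1/161" (assumed agent address)
        target.setTimeout(2000);
        return target;
    }
}
```

Create a Snmp instance with a DefaultUdpTransportMapping, call buildUsm() once, then send PDUs to authPrivTarget("shaaes256cisco", "udp:127.0.0.1/161") or to the "sha256aes256" target; which key extension (if any) is applied is decided by the user entry, not by the target.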