[SNMP4J] Nonstandard AES 192 & 256 Implementations?

Frank Fock fock at agentpp.com
Wed Oct 9 23:07:17 CEST 2013


Hi,

An SNMP4J user recently reported interoperability problems
when using the AES 256 privacy protocol in conjunction with SHA authentication
with an SNMP4J command generator and some Cisco device.

I investigated the issue and found out that the device must have
implemented the key extension from SHA-1's 20 bytes to 24 (AES 192)
or 32 (AES 256) bytes not based on the IETF draft that defined
AES 192 and 256 for SNMP:
http://tools.ietf.org/html/draft-blumenthal-aes-usm-04

Instead, that device uses the key extension algorithm defined in the 3DES draft:
http://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00

The Cisco web pages do not seem to mention this fact. Does anybody
know what devices and manufacturers are affected by this interoperability
issue (bug)?

In order to provide best interoperability for all SNMP4J users, I have
implemented the package
org.snmp4j.security.nonstandard
in the current SNMP4J snapshot with the classes

PrivAES192With3DESKeyExtension
PrivAES256With3DESKeyExtension

which can be used to communicate with such nonstandard AES 192 and
256 bit protocol implementations.

You can use these different AES 192/256 protocols per USM user by
1. Making sure that the protocol is registered:
     SecurityProtocols.getInstance().addPrivacyProtocol(
         new PrivAES256With3DESKeyExtension());
2. Assigning the protocol to the USM user that should use it:
     user = new UsmUser(new OctetString("SHAAES256"),
                        AuthSHA.ID,
                        new OctetString("SHAAES256AuthPassword"),
     // Uncomment the following if you want to use AES 256 with
     // 3DES-like key extension for this user:
     //                 PrivAES256With3DESKeyExtension.ID,
                        PrivAES256.ID,
                        new OctetString("SHAAES256PrivPassword"));

Best regards,
Frank Fock

-- 
---
AGENT++
Maximilian-Kolbe-Str. 10
73257 Koengen, Germany
https://agentpp.com
Phone: +49 7024 8688230
Fax:   +49 7024 8688231
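
The two key extension schemes referred to in the message, side by side, as an added example (not part of the original post and not SNMP4J's code). It follows the extension steps as the two drafts describe them; the function names are illustrative, and the password and engine ID are the sample inputs from RFC 3414 appendix A.3.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: the secret is stretched to this many bytes


def password_to_key(secret: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 password-to-key followed by localization to one engine."""
    if not secret:
        raise ValueError("secret must not be empty")
    reps, rem = divmod(MEGABYTE, len(secret))
    ku = hashlib.new(algo, secret * reps + secret[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def extend_blumenthal(kul: bytes, key_len: int, algo: str = "sha1") -> bytes:
    """draft-blumenthal-aes-usm-04: Kul = Kul || H(Kul) until long enough."""
    key = kul
    while len(key) < key_len:
        key += hashlib.new(algo, key).digest()
    return key[:key_len]


def extend_reeder(kul: bytes, engine_id: bytes, key_len: int,
                  algo: str = "sha1") -> bytes:
    """draft-reeder-snmpv3-usm-3desede-00: run password-to-key again with the
    previous output in place of the passphrase and concatenate the outputs."""
    key, last = kul, kul
    while len(key) < key_len:
        last = password_to_key(last, engine_id, algo)
        key += last
    return key[:key_len]


def compare(password: bytes, engine_id: bytes, key_len: int = 32):
    """Return (localized key, standard AES key, 3DES-style extended key)."""
    kul = password_to_key(password, engine_id)
    return (kul,
            extend_blumenthal(kul, key_len),
            extend_reeder(kul, engine_id, key_len))


if __name__ == "__main__":
    # Sample inputs from RFC 3414 A.3 (not values from the affected device).
    engine = bytes.fromhex("000000000000000000000002")
    kul, std, ext3des = compare(b"maplesyrup", engine)
    print("localized SHA-1 key :", kul.hex())
    print("AES-256 (Blumenthal):", std.hex())
    print("AES-256 (3DES-style):", ext3des.hex())
    print("bytes 0-19 equal:", std[:20] == ext3des[:20],
          "| bytes 20-31 equal:", std[20:] == ext3des[20:])
```

Both schemes keep the 20-byte localized SHA-1 key as the prefix and differ only in the appended bytes, so the same passphrase yields two different AES 256 keys and the encrypted scoped PDU from one side cannot be decrypted by the other.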



