Thanks for the comments and I answer all the questions together: The new algorithm only tries to tackle the repetitive password issue of key localization. So, it is not the objective of this algorithm to increase entropy.
Tom mentioned 'anyone who uses a password based system and does not have an extra module to ensure that passwords meet current standards deserves all the security breaches they get ' , and it is really extreme. The more constraints we impose on user password, the less the available password space will be, which will in turn increases the possibility of collision attack. We examined enormous devices that have extra modules for SSH and even for Windows server. It turns out that the extra module for SNMPV3 already disobeys the regular and prevalent way, which normally checks '8 character string, upper case, lower case, digit and extended punctuation'. Thus 'BerT135!BerT135!BerT135!' is believed strong enough in a regular check. Hacker communities have mentioned the current key localization method as a loophole, and plan to submit it to CVE. Moreover, as the co-author of 'draft-hartman-snmp-sha2', I definitely agree SHA2 being used in SNMP. We also support the adoption of 'draft-hmac-sha-2-usm-snmp ' in order to support SHA2 to be a standard SNMP authentication method. If SHA2 is adopted, changes are mandated in the SNMP module. I don't think the change of key localization 'from 64bits to 60bits+4bits' can be more than the change' from SHA1,MD5 to SHA2'! Hence why don't we change the key localization algorithm together with authentication method and enhance the SNMP to a better security level, and most importantly with interoperability? I believe as time goes by standards should be updated. Especially for a protocol like SNMP, which impacts worldwide devices, the requirements of standardizing secure key localization method, authentication method and so on are emerged. Cheers, Ana > -----Original Message----- > From: t.petch [mailto:[email protected]] > Sent: Monday, December 01, 2014 6:31 PM > To: Zhangdacheng (Dacheng); Hedanping (Ana); [email protected] > Cc: [email protected] > Subject: Re: [OPSAWG] New Version Notification for > draft-du-opsawg-snmp-key-localization-00.txt > > ----- Original Message ----- > From: "Zhangdacheng (Dacheng)" <[email protected]> > To: "Hedanping (Ana)" <[email protected]>; <[email protected]> > Cc: <[email protected]> > Sent: Saturday, November 29, 2014 3:59 AM > > > Let me help clarify Danping's point. > > > > We found there was a problem in the localization algorithm, but we are > not sure whether this issue is worthwhile for us to address, or the effort of > addressing this issue is out of scope of the SNMP specification. So, we raise > this > question here, and hope to get comments or suggestions. > > The new algorithm that you propose seems to offer very little improvement. > You suggest that after replicating the password, you then add the password > length in the last four octets to bring the length up to 64 octet. This > seems to > add very little entropy. > > Also, an 8 character string, containing upper case, lower case, digit and > extended punctuation would have been regarded as too weak many years ago > and we should not be documenting such an approach now. > > Again, anyone who uses a password based system and does not have a extra > module to ensure that passwords meet current standards deserves all the > security breaches they get! > > Tom Petch > > > > > Cheers > > > > Dacheng > > > > > -----Original Message----- > > > From: OPSAWG [mailto:[email protected]] On Behalf Of Hedanping > > > (Ana) > > > Sent: Saturday, November 29, 2014 10:52 AM > > > To: [email protected] > > > Cc: [email protected] > > > Subject: [OPSAWG] FW: New Version Notification for > > > draft-du-opsawg-snmp-key-localization-00.txt > > > > > > Dear all, > > > We find a security problem in the current SNMP key localization > algorithm, but > > > we are not sure whether IETF is the right place to improve it. The > draft is > > > submitted and comments are appreciated. > > > > > > A new version of I-D, draft-du-opsawg-snmp-key-localization-00.txt > > > has been successfully submitted by Danping He and posted to the IETF > > > repository. > > > > > > Name: draft-du-opsawg-snmp-key-localization > > > Revision: 00 > > > Title: A New Algorithm for SNMP Key Localization Document date: > > > 2014-11-28 > > > Group: Individual Submission > > > Pages: 4 > > > URL: > > > > http://www.ietf.org/internet-drafts/draft-du-opsawg-snmp-key-localizatio > n-00. > > > txt > > > Status: > > > > https://datatracker.ietf.org/doc/draft-du-opsawg-snmp-key-localization/ > > > Htmlized: > > > http://tools.ietf.org/html/draft-du-opsawg-snmp-key-localization-00 > > > > > > > > > Abstract: > > > This draft discusses a security issue with the algorithm for > > > generating SNMP localized keys and introduce a new algorithm to > > > address this problem. > > > > > > > > > Regards, > > > Ana (Danping) _______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
