Re: Does Net-SNMP support AES192 or AES256?

2018-04-10 Thread Simon Chamlian
Test results (omitted rwuser instruction for brevity):

createUser user0  MD5 "authpw-00"   Works
createUser user1  MD5 "authpw-00" AES "default-00"  Works

createUser user2  MD5 "authpw-00" AES192  "default-00"  FAILED
createUser user2c MD5 "authpw-00" AES192C "default-00"  Works

createUser user3  SHA "authpw-00" AES192  "default-00"  FAILED
createUser user3c SHA "authpw-00" AES192C "default-00"  Works

createUser user4  SHA "authpw-00" AES256  "default-00"  FAILED
createUser user4c SHA "authpw-00" AES256C "default-00"  Works

In summary, it works when 'C' is added ("Cisco" algorithm).

Unfortunately I couldn't try SHA224, SHA256, SHA384 and SHA512 since my
browser supports only SHA96.

Thank you Bill !!

Simon

Re: Does Net-SNMP support AES192 or AES256?

2018-04-09 Thread Bill Fenner
On Mon, Apr 9, 2018 at 12:21 PM, Simon Chamlian 
wrote:

> Hi ,
>
> Thanks for the information Bill. So  --with-transports="DTLSUDP"
> --with-security-modules="tsm" are not required but simply
> --enable-blumenthal-aes
>
> So I compiled the agent using the following configuration:
>
> ./configure --disable-embedded-perl \
>   --without-perl-modules with_endianness=big \
>   --enable-mini-agent --with-default-snmp-version="3" \
>   --disable-debugging \
>   --with-sys-contact="who@where" \
>   --with-logfile="/var/log/snmp" \
>   --with-transports="UDP TCP" \
>   --enable-blumenthal-aes
>
> In snmpd.conf I have:
>
>    createUser user   MD5 "authpw-00"
>    rwuser user
>
>    createUser user1  MD5 "authpw-00" AES "default-00"
>    rwuser user1
>
>    createUser user2  MD5 "authpw-00" AES192 "default-00"
>    rwuser user2
>
> 1) The error message unknown privProtocol has disappeared from the log file.
> 2) From the MIB browser, I do a GET on one of the OIDs using user (noPriv)
> and it works fine.
> 3) From the MIB browser, I do a GET on one of the OIDs using user2 using
> AES-128 and it works fine.
> 4) From the MIB browser, I do a GET on one of the OIDs using user3 using
> AES-192 and it DOES NOT work! I get the following error in the log file:
>
>  security service 3 error parsing ScopedPDU
>
>  What am I missing?
>

There are two ways to take a short auth key and lengthen it for a strong
privacy algorithm.  Two things to try:

1. Use "AES192C" for the user instead of "AES192" (this uses the "Cisco"
algorithm);
2. Use a stronger auth mechanism, which creates a longer auth key, which
doesn't have to be lengthened for the strong privacy algorithm, avoiding
the question of how to lengthen it. I think SHA suffices, but of course
SHA224, SHA256, SHA384 and SHA512 are available to try.

  Bill
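
The two key-lengthening methods mentioned above, as an added example that is not part of the original thread and is not Net-SNMP's code. It derives the privacy key from the thread's passphrase "default-00" with the RFC 3414 password-to-key and localization steps, then extends it both ways; the extension steps are assumptions taken from the Blumenthal AES draft (taken here to be what AES192/AES256 use) and the Reeder 3DES draft (taken here to be the "Cisco" method behind AES192C/AES256C), and the engine ID is a constructed sample.

```python
import hashlib

KEY_BYTES = {"AES": 16, "AES192": 24, "AES256": 32}  # AES key sizes in octets
ENGINE_ID = bytes.fromhex("80001f8880aabbccdd00000001")  # constructed sample


def password_to_key(hash_name, secret):
    """RFC 3414 A.2: hash 1,048,576 octets made by repeating the secret."""
    if not secret:
        raise ValueError("empty secret")
    total = 1048576
    stream = (secret * (total // len(secret) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize(hash_name, ku, engine_id):
    """RFC 3414 key localization: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def extend_blumenthal(hash_name, kul, engine_id, need):
    """Assumed Blumenthal-draft extension: Kul = Kul || H(Kul).
    engine_id is unused; it is accepted so both methods share a signature."""
    while len(kul) < need:
        kul += hashlib.new(hash_name, kul).digest()
    return kul[:need]


def extend_reeder(hash_name, kul, engine_id, need):
    """Assumed Reeder-draft ("Cisco") extension: run the previous key back
    through password-to-key and localization, then append the result."""
    out, last = kul, kul
    while len(out) < need:
        last = localize(hash_name, password_to_key(hash_name, last), engine_id)
        out += last
    return out[:need]


def priv_key(hash_name, passphrase, engine_id, cipher, extend):
    """Localized privacy key, cut or extended to the length the cipher needs."""
    kul = localize(hash_name, password_to_key(hash_name, passphrase), engine_id)
    return extend(hash_name, kul, engine_id, KEY_BYTES[cipher])


def compare(engine_id, passphrase=b"default-00"):
    """For each auth hash / cipher pair, report whether a peer using the
    Blumenthal extension derives the same key as a peer using Reeder."""
    rows = {}
    for hash_name in ("md5", "sha1", "sha256"):  # Python hashlib names
        for cipher in KEY_BYTES:
            a = priv_key(hash_name, passphrase, engine_id, cipher, extend_blumenthal)
            b = priv_key(hash_name, passphrase, engine_id, cipher, extend_reeder)
            rows[(hash_name, cipher)] = (a == b)
    return rows


if __name__ == "__main__":
    for (hash_name, cipher), same in compare(ENGINE_ID).items():
        print(f"{hash_name:7} {cipher:7} keys {'match' if same else 'DIFFER'}")
```

A DIFFER row means two peers configured with the same passphrase but different extension methods hold different AES keys, so what the receiver decrypts will not parse as a ScopedPDU. Only a hash whose output already covers the cipher's key length (SHA-256 here) avoids the extension step for every AES size.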



Re: Does Net-SNMP support AES192 or AES256?

2018-04-09 Thread Simon Chamlian
Hi ,

Thanks for the information Bill. So  --with-transports="DTLSUDP"
--with-security-modules="tsm" are not required but simply
--enable-blumenthal-aes

So I compiled the agent using the following configuration:

./configure --disable-embedded-perl \
  --without-perl-modules with_endianness=big \
  --enable-mini-agent --with-default-snmp-version="3" \
  --disable-debugging \
  --with-sys-contact="who@where" \
  --with-logfile="/var/log/snmp" \
  --with-transports="UDP TCP" \
  --enable-blumenthal-aes

In snmpd.conf I have:

   createUser user   MD5 "authpw-00"
   rwuser user

   createUser user1  MD5 "authpw-00" AES "default-00"
   rwuser user1

   createUser user2  MD5 "authpw-00" AES192 "default-00"
   rwuser user2

1) The error message unknown privProtocol has disappeared from the log file.
2) From the MIB browser, I do a GET on one of the OIDs using user (noPriv)
and it works fine.
3) From the MIB browser, I do a GET on one of the OIDs using user2 using
AES-128 and it works fine.
4) From the MIB browser, I do a GET on one of the OIDs using user3 using
AES-192 and it DOES NOT work! I get the following error in the log file:

 security service 3 error parsing ScopedPDU

 What am I missing?

Thanks,
Simon

Re: Does Net-SNMP support AES192 or AES256?

2018-04-06 Thread Bill Fenner
Simon,

The USM AES192 and AES256 support is based upon an Internet Draft, which
never became a standard - therefore, you have to pass
"--enable-blumenthal-aes" to ./configure. (You don't have to enable TSM or
the TLS transports; that's a whole different kettle of fish.)

  Bill


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders


Re: Does Net-SNMP support AES192 or AES256?

2018-04-06 Thread Simon Chamlian
Thanks for the tip.

I did compile with the following options:

--disable-embedded-perl
--without-perl-modules with_endianness=big
--enable-mini-agent
--with-default-snmp-version="3"
--enable-ipv6
--disable-debugging
--with-sys-contact="who@where"
--with-logfile="/var/log/snmp"

*--with-transports="DTLSUDP TLSTCP" --with-security-modules="tsm" *


Still when I put

createUser User2  MD5 "passwrd-00" AES192 (or AES-192) "default-00"

I get an error message:

snmpd.conf: line 27: Error: unknown privProtocol

So does SNMP 5.8 support AES192 and AES256?
Is it another syntax I need in snmpd.conf?

Thanks,

S.


Re: Does Net-SNMP support AES192 or AES256?

2018-04-05 Thread Keith Mendoza
Simon,
Those options have to be enabled in the configure options. I suggest
building with the following configure options:
--with-transports="DTLSUDP" --with-security-modules="tsm"

There might be other configure options that you need to make it work.

Just note though that SNMPv3 RFC _does not_ specify AES192 and AES256;
they specified some older algorithms that were "latest and greatest"
at the time it was being drafted :(

Thanks,
Keith


On Thu, Apr 5, 2018 at 1:54 PM, Simon Chamlian  wrote:
>
>
>
> Hi,
>
> Does Net-SNMP support AES192 or AES256?
>
> According to this link
>
> http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption
>
> The short answer is Yes, starting with release 5.8 AES192 and AES256 are an
> optional configure option.
>
> So I downloaded version 5.8.pre2 and tried:
>
>
>   createUser user2  SHA "passwrd-00" AES192 "default-00"
>   rwuser   user2
>
>   createUser user3  SHA "passwrd-00" AES256 "default-00"
>   rwuser   user3
>
>
> Does not work. I get an error:
>   snmpd.conf: line 27: Error: unknown privProtocol
>   snmpd.conf: line 31: Error: unknown privProtocol
>
> Any insight will be highly appreciated.
>
> S.
>
>
>
>