[erlang-questions] SNMP decryption with SHA auth and DES privacy

Scott Lystig Fritchie fritchie@REDACTED
Sun Mar 25 06:36:05 CEST 2007


Hi, all.  I hope very, very few of you are working on crypto things
this weekend.  :-)

I've stumbled upon a problem that appears to be very similar to one
reported in November 2005 by Magnus Fröberg(*).  However, my problem
appears to be with SHA authentication and DES privacy on a Linux box
with Erlang/OTP release R11B-3.

I have two entries in usm.conf that are nearly identical (see below).

  * MD5 auth + DES privacy for "superuser" works just fine.
  * MD5 auth + no privacy for "superuser-sha" works just fine.
  * SHA auth + DES privacy for "superuser-sha" gives this very
    repeatable error:

    "snmpget: Decryption error"
I'm quite puzzled.  It looks like Magnus's fix is not-quite-verbatim
applied to R11B-3.  I guess I can try experimenting a bit on Sunday,
after a bit of sleep to clear my eyes.  I've included a
{net_if, debug} trace of all three operations.

-Scott

(*) http://www.erlang.org/ml-archive/erlang-questions/200511/msg00317.html

--- snip --- snip --- snip --- snip --- snip --- snip --- 

%% To reproduce:

# -e gives the authoritative engine ID in hex: 656e67696e656130 is the
# ASCII string "enginea0", the first field of the usm.conf entries below.
# The agent listens on localhost:55161.

# 1) MD5 auth + DES priv
snmpget -v 3 -u superuser -a MD5 -A authphrase -e 656e67696e656130 \
    -l authPriv -x DES -X privphrase localhost:55161 sysDescr.0
echo ""
sleep 5
# 2) SHA auth, no priv (the -x/-X privacy options are not used at authNoPriv)
snmpget -v 3 -u superuser-sha -a SHA -A shaphrase -e 656e67696e656130 \
    -l authNoPriv -x DES -X privphrase localhost:55161 sysDescr.0
echo ""
sleep 5
# 3) SHA auth + DES priv
snmpget -v 3 -u superuser-sha -a SHA -A shaphrase -e 656e67696e656130 \
    -l authPriv -x DES -X privphrase localhost:55161 sysDescr.0

%% Output:

SNMPv2-MIB::sysDescr.0 = STRING: You found the description.

SNMPv2-MIB::sysDescr.0 = STRING: You found the description.

snmpget: Decryption error


--- snip --- snip --- snip --- snip --- snip --- snip --- 

%% usm.conf entries

%% Field order of an Erlang/OTP snmp agent usm.conf entry:
%%   {EngineID, UserName, SecName, Clone, AuthP, AuthKeyC, OwnAuthKeyC,
%%    PrivP, PrivKeyC, OwnPrivKeyC, Public, AuthKey, PrivKey}.
%% AuthKey and PrivKey are the localized keys (RFC 3414 section 2.6),
%% written as byte lists; the DES PrivKey is 16 octets.

%% authphrase, privphrase
{"enginea0", "superuser", "superuser", zeroDotZero,
    usmHMACMD5AuthProtocol, "", "",
    usmDESPrivProtocol, "", "", "",
    [201,30,3,40,187,111,176,54,115,130,133,102,206,102,95,204],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.

%% shaphrase, privphrase
{"enginea0", "superuser-sha", "superuser-sha", zeroDotZero,
    usmHMACSHAAuthProtocol, "", "",
    usmDESPrivProtocol, "", "", "",
    [112,106,201,117,200,192,230,137,68,190,22,79,233,209,95,141,121,43,89,119],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.

--- snip --- snip --- snip --- snip --- snip --- snip --- 
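The usm.conf entries above carry localized keys rather than pass phrases. The Python below is an added example, not code from the post or from Erlang/OTP: it implements the RFC 3414 password-to-key (Appendix A.2) and key-localization (section 2.6) steps and prints AuthKey/PrivKey in the usm.conf byte-list form for the two users above. It assumes the engine ID is the eight ASCII bytes of "enginea0" (the `-e 656e67696e656130` in the snmpget commands) and that, as RFC 3414 specifies and net-snmp does, the DES privacy key is derived with the user's own authentication hash, so one privphrase yields different PrivKey values for an MD5 user and a SHA user. Comparing the printed lists against the entries above is the check a practitioner would run first when only the SHA+DES combination fails. The known-answer checks use the RFC 3414 Appendix A.3 test vectors ("maplesyrup", engine ID 00..02).

```python
# Added example (not from the original post or from Erlang/OTP):
# RFC 3414 USM key derivation producing the localized AuthKey / PrivKey
# values that fill the last two fields of an Erlang usm.conf entry.
import hashlib


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1 MiB)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1 << 20, len(password))
    stream = password * reps + password[:rem]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_conf_keys(auth_hash: str, auth_pass: bytes, priv_pass: bytes,
                  engine_id: bytes) -> tuple[bytes, bytes]:
    """Return (AuthKey, PrivKey) for one usm.conf user.

    auth_hash is "md5" (usmHMACMD5AuthProtocol) or "sha1"
    (usmHMACSHAAuthProtocol).  Both keys are derived with the user's auth
    hash.  For usmDESPrivProtocol the privacy key is the first 16 octets of
    the localized key (RFC 3414 8.1.1.1), which truncates the 20-octet SHA-1
    output; the MD5 output is already 16 octets.
    """
    auth_key = localize_key(password_to_key(auth_pass, auth_hash),
                            engine_id, auth_hash)
    priv_key = localize_key(password_to_key(priv_pass, auth_hash),
                            engine_id, auth_hash)[:16]
    return auth_key, priv_key


def erlang_list(b: bytes) -> str:
    """Format bytes the way usm.conf expects them: [201,30,3,...]."""
    return "[" + ",".join(str(x) for x in b) + "]"


if __name__ == "__main__":
    # Assumed from the post: engine ID "enginea0" (-e 656e67696e656130).
    engine = b"enginea0"
    users = (("superuser", "md5", b"authphrase"),
             ("superuser-sha", "sha1", b"shaphrase"))
    for name, hash_name, auth_pass in users:
        auth_key, priv_key = usm_conf_keys(hash_name, auth_pass,
                                           b"privphrase", engine)
        print(f"{name}: AuthKey {erlang_list(auth_key)}")
        print(f"{name}: PrivKey {erlang_list(priv_key)}")
```

Run it and compare the two PrivKey lists with the usm.conf entries above; if an entry was produced with a different hash than the user's auth protocol, the agent and net-snmp will disagree on the DES key and IV and every authPriv request for that user fails with a decryption error, while authNoPriv for the same user keeps working.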


*** [2007:03:25 04:16:26 4137] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:26 4154] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 302068428, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:26 4154] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 302068428
   msgMaxSize            = 65507
   msgFlags              = [7]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,51,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,9,115,117,112,101,114,117,115,101,114,4,12,208,90,139,40,212,188,229,5,174,170,107,38,4,8,0,0,0,1,158,43,145,217]
*** [2007:03:25 04:16:26 4165] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "superuser"
*** [2007:03:25 04:16:26 4176] SNMP A-NET-IF A-USM INFO *** 
   NOT in time window: 
   SecName:            "superuser"
   SnmpEngineBoots:    1
   MsgAuthEngineBoots: 0
   SnmpEngineTime:     5
   MsgAuthEngineTime:  0
*** [2007:03:25 04:16:26 4189] SNMP A-NET-IF MPD DEBUG *** 
   security module result when reportable [7.2.6-a]:
   Reason:    usmStatsNotInTimeWindows
   ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',1,undefined},
               "superuser",
               [{securityLevel,1}]}
*** [2007:03:25 04:16:26 4198] SNMP A-NET-IF LOG *** 
   sending report for reason: 
   {securityError,usmStatsNotInTimeWindows}
*** [2007:03:25 04:16:26 4208] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:26 4208] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 302068429, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:26 4208] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 302068429
   msgMaxSize            = 65507
   msgFlags              = [7]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,51,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,5,4,9,115,117,112,101,114,117,115,101,114,4,12,204,112,230,199,103,68,61,31,49,251,137,150,4,8,0,0,0,1,158,43,145,218]
*** [2007:03:25 04:16:26 4209] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "superuser"
*** [2007:03:25 04:16:26 4222] SNMP A-NET-IF MPD LOG *** 
   
   contextEngineID: "enginea0", context: ""
*** [2007:03:25 04:16:26 4235] SNMP A-NET-IF MPD DEBUG *** 
   PDU type: 'get-request'
*** [2007:03:25 04:16:26 4244] SNMP A-NET-IF LOG *** 
   got pdu
   {pdu,'get-request',838136151,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'NULL','NULL',1}]}
*** [2007:03:25 04:16:26 4274] SNMP A-NET-IF LOG *** 
   reply pdu: 
   {pdu,'get-response',838136151,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'OCTET STRING',[71,101,109,105,110,105,32,77,111,98,105,108,101,32,84,101,99,104,110,111,108,111,103,105,101,115,32,77,77,83,71,32,83,78,77,80,32,65,103,101,110,116],1}]}
*** [2007:03:25 04:16:26 4282] SNMP A-NET-IF INFO *** 
   time in agent: 73850 mysec

(gmt_snmpa_dev@REDACTED)1> 
(gmt_snmpa_dev@REDACTED)1> 
(gmt_snmpa_dev@REDACTED)1> 
(gmt_snmpa_dev@REDACTED)1> 

*** [2007:03:25 04:16:31 4451] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:31 4452] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 1751779636, msgFlags: [5], msgSecModel: 3
*** [2007:03:25 04:16:31 4452] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 1751779636
   msgMaxSize            = 65507
   msgFlags              = [5]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,47,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,18,222,3,95,162,234,24,13,151,130,210,188,4,0]
*** [2007:03:25 04:16:31 4452] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:31 4460] SNMP A-NET-IF A-USM INFO *** 
   NOT in time window: 
   SecName:            "superuser-sha"
   SnmpEngineBoots:    1
   MsgAuthEngineBoots: 0
   SnmpEngineTime:     10
   MsgAuthEngineTime:  0
*** [2007:03:25 04:16:31 4461] SNMP A-NET-IF MPD DEBUG *** 
   security module result when reportable [7.2.6-a]:
   Reason:    usmStatsNotInTimeWindows
   ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',2,undefined},
               "superuser-sha",
               [{securityLevel,1}]}
*** [2007:03:25 04:16:31 4468] SNMP A-NET-IF LOG *** 
   sending report for reason: 
   {securityError,usmStatsNotInTimeWindows}
*** [2007:03:25 04:16:31 4473] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:31 4473] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 1751779637, msgFlags: [5], msgSecModel: 3
*** [2007:03:25 04:16:31 4474] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 1751779637
   msgMaxSize            = 65507
   msgFlags              = [5]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,47,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,10,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,214,42,129,241,26,215,5,67,103,122,118,14,4,0]
*** [2007:03:25 04:16:31 4474] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:31 4482] SNMP A-NET-IF MPD LOG *** 
   
   contextEngineID: "enginea0", context: ""
*** [2007:03:25 04:16:31 4484] SNMP A-NET-IF MPD DEBUG *** 
   PDU type: 'get-request'
*** [2007:03:25 04:16:31 4489] SNMP A-NET-IF LOG *** 
   got pdu
   {pdu,'get-request',1825175770,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'NULL','NULL',1}]}
*** [2007:03:25 04:16:31 4497] SNMP A-NET-IF LOG *** 
   reply pdu: 
   {pdu,'get-response',1825175770,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'OCTET STRING',[71,101,109,105,110,105,32,77,111,98,105,108,101,32,84,101,99,104,110,111,108,111,103,105,101,115,32,77,77,83,71,32,83,78,77,80,32,65,103,101,110,116],1}]}
*** [2007:03:25 04:16:31 4514] SNMP A-NET-IF INFO *** 
   time in agent: 40380 mysec

(gmt_snmpa_dev@REDACTED)1> 
(gmt_snmpa_dev@REDACTED)1> 
(gmt_snmpa_dev@REDACTED)1> 
(gmt_snmpa_dev@REDACTED)1> 

*** [2007:03:25 04:16:36 4689] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:36 4689] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 113381616, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:36 4690] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 113381616
   msgMaxSize            = 65507
   msgFlags              = [7]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,55,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,249,209,249,228,174,228,167,11,152,157,102,91,4,8,0,0,0,1,110,71,1,213]
*** [2007:03:25 04:16:36 4690] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:36 4698] SNMP A-NET-IF A-USM INFO *** 
   NOT in time window: 
   SecName:            "superuser-sha"
   SnmpEngineBoots:    1
   MsgAuthEngineBoots: 0
   SnmpEngineTime:     15
   MsgAuthEngineTime:  0
*** [2007:03:25 04:16:36 4699] SNMP A-NET-IF MPD DEBUG *** 
   security module result when reportable [7.2.6-a]:
   Reason:    usmStatsNotInTimeWindows
   ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',3,undefined},
               "superuser-sha",
               [{securityLevel,1}]}
*** [2007:03:25 04:16:36 4707] SNMP A-NET-IF LOG *** 
   sending report for reason: 
   {securityError,usmStatsNotInTimeWindows}
*** [2007:03:25 04:16:36 4711] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:36 4712] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 113381617, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:36 4712] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 113381617
   msgMaxSize            = 65507
   msgFlags              = [7]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,55,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,15,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,107,221,81,164,31,13,51,255,54,251,27,6,4,8,0,0,0,1,110,71,1,214]
*** [2007:03:25 04:16:36 4712] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:36 4720] SNMP A-NET-IF MPD DEBUG *** 
   security module result when reportable [7.2.6-a]:
   Reason:    usmStatsDecryptionErrors
   ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,6,0],'Counter32',1,undefined},
               "superuser-sha",
               []}
*** [2007:03:25 04:16:36 4727] SNMP A-NET-IF LOG *** 
   sending report for reason: 
   {securityError,usmStatsDecryptionErrors}

(gmt_snmpa_dev@REDACTED)1> 
BREAK: (a)bort (c)ontinue (p)roc info (i)nfo (l)oaded
       (v)ersion (k)ill (D)b-tables (d)istribution
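The msgSecurityParameters octet strings in the trace above are BER-encoded UsmSecurityParameters (RFC 3414 section 2.4): a SEQUENCE of engine ID, engine boots, engine time, user name, authentication parameters and privacy parameters. The Python below is an added example, not code from the post or from Erlang/OTP; it decodes those byte lists straight from the trace's Erlang list syntax, maps the msgFlags value to a security level (RFC 3412 section 6.4), and applies the length checks an agent performs before verifying the HMAC or decrypting: 12-octet HMAC-MD5-96/HMAC-SHA-96 digests and an 8-octet DES salt. It also shows how the DES IV is formed from the localized privacy key and the salt (RFC 3414 section 8.1.1.1). The two sample byte lists are copied from the last SHA authPriv request and the SHA authNoPriv request in the trace; the 16-byte key passed to `des_iv` in the usage lines is a constructed placeholder, not a key from the post.

```python
# Added example (not from the original post or from Erlang/OTP): decode the
# UsmSecurityParameters printed in the {net_if, debug} trace and run the
# basic structural checks that precede HMAC verification and DES decryption.
from dataclasses import dataclass


@dataclass
class UsmSecurityParameters:
    engine_id: bytes
    engine_boots: int
    engine_time: int
    user_name: bytes
    auth_params: bytes   # 12 octets for HMAC-MD5-96 / HMAC-SHA-96, else empty
    priv_params: bytes   # 8-octet CBC-DES salt, empty when not encrypted


def erlang_list_to_bytes(text: str) -> bytes:
    """Turn the trace's Erlang integer list, e.g. "[48,55,4,...]", into bytes."""
    return bytes(int(x) for x in text.strip().strip("[]").split(","))


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos: returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form definite length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def decode_usm_params(raw: bytes) -> UsmSecurityParameters:
    """Parse UsmSecurityParameters ::= SEQUENCE { OCTET STRING, INTEGER,
    INTEGER, OCTET STRING, OCTET STRING, OCTET STRING } (RFC 3414 2.4)."""
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        fields.append((tag, val))
    tags = [t for t, _ in fields]
    if tags != [0x04, 0x02, 0x02, 0x04, 0x04, 0x04]:
        raise ValueError(f"unexpected field tags {tags}")
    v = [val for _, val in fields]
    return UsmSecurityParameters(
        engine_id=v[0],
        engine_boots=int.from_bytes(v[1], "big", signed=True),
        engine_time=int.from_bytes(v[2], "big", signed=True),
        user_name=v[3], auth_params=v[4], priv_params=v[5])


def security_level(msg_flags: int) -> str:
    """msgFlags bit 0 = auth, bit 1 = priv, bit 2 = reportable (RFC 3412 6.4)."""
    auth, priv = bool(msg_flags & 1), bool(msg_flags & 2)
    if priv and not auth:
        raise ValueError("privacy without authentication is not allowed")
    return "authPriv" if priv else ("authNoPriv" if auth else "noAuthNoPriv")


def check_request(params: UsmSecurityParameters, msg_flags: int) -> list[str]:
    """Length checks for HMAC-*-96 auth and CBC-DES priv; [] means well-formed."""
    level, problems = security_level(msg_flags), []
    if level != "noAuthNoPriv" and len(params.auth_params) != 12:
        problems.append(f"auth params are {len(params.auth_params)} octets, expected 12")
    if level == "authPriv" and len(params.priv_params) != 8:
        problems.append(f"DES salt is {len(params.priv_params)} octets, expected 8")
    if level != "authPriv" and params.priv_params:
        problems.append("priv params present without priv flag")
    return problems


def des_iv(localized_priv_key: bytes, salt: bytes) -> bytes:
    """RFC 3414 8.1.1.1: DES key = first 8 octets of the 16-octet localized
    key, pre-IV = last 8 octets, IV = pre-IV XOR salt."""
    if len(localized_priv_key) != 16 or len(salt) != 8:
        raise ValueError("need a 16-octet localized key and an 8-octet salt")
    return bytes(a ^ b for a, b in zip(localized_priv_key[8:], salt))


# Copied from the trace: SHA authPriv request (msgFlags [7]) and SHA authNoPriv
# request (msgFlags [5]) for user "superuser-sha".
TRACE_AUTHPRIV = ("[48,55,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,15,4,13,"
                  "115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,107,221,"
                  "81,164,31,13,51,255,54,251,27,6,4,8,0,0,0,1,110,71,1,214]")
TRACE_AUTHNOPRIV = ("[48,47,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,10,4,13,"
                    "115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,214,"
                    "42,129,241,26,215,5,67,103,122,118,14,4,0]")

if __name__ == "__main__":
    for flags, text in ((7, TRACE_AUTHPRIV), (5, TRACE_AUTHNOPRIV)):
        p = decode_usm_params(erlang_list_to_bytes(text))
        print(security_level(flags), p, check_request(p, flags) or "ok")
    # Constructed placeholder key, not one of the keys from the post.
    print(des_iv(bytes(range(16)), bytes([0, 0, 0, 1, 110, 71, 1, 214])).hex())
```

Both requests in the trace decode cleanly with boots=1 and the engine times 15 and 10 that match the agent's own SnmpEngineTime, so the failing case is not a framing or time-window problem; once these checks pass, the only inputs left to the DES step are the localized privacy key and the salt, which is why the derived PrivKey is the next thing to verify.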
