[erlang-questions] SNMP decryption with SHA auth and DES privacy

Scott Lystig Fritchie <>
Tue Mar 27 08:18:47 CEST 2007


Following up to my own posting with a bit more info, I've discovered
the following things, using 4 users configured in the 4 combinations
of auth + privacy methods.

0. All 4 privacy keys are configured identically: the phrase
   "privphrase".

1. I have no problem with MD5 auth + DES privacy.

2. I have no problem with MD5 auth + AES privacy.(*)

3. I have problems with authPriv, using SHA auth + either privacy
   method.

4. If I send the wrong passphrase for either MD5 or SHA auth user,
   I immediately get an authentication error.

5. If I send the correct passphrase for a SHA auth user + authPriv,
   I immediately get a "snmpget: Decryption error" error.
      
6. The SNMP-USER-BASED-SM-MIB::usmStatsDecryptionErrors.0 counter is
   incremented each time I attempt a 

These facts suggest to me that I have configured the SHA
authentication key correctly.  Is it possible that I'm wrong?

I've included my snippet from "agent/usm.conf" as well as a trace log
of the net_if doodad.

-Scott

(*) I discovered that the net-snmp package version 5.1 does not
support AES encryption.  (Version 5.1 is what's installed on a
CentOS/Red Hat Enterprise Linux 4.x machine.)  Net-snmp version 5.4
supports both DES and AES encryption.

--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

%% usm.conf entries: {EngineID, UserName, SecName, Clone, AuthP, AuthKeyC,
%% OwnAuthKeyC, PrivP, PrivKeyC, OwnPrivKeyC, Public, AuthKey, PrivKey}.
%% AuthKey and PrivKey are the localized keys (16 bytes for MD5, 20 for SHA;
%% 16 bytes for DES and AES-128 privacy).

%% MD5 auth + DES privacy
{"enginea0", "test0.w-all", "test0.w-all", zeroDotZero,
    usmHMACMD5AuthProtocol, "", "",
    usmDESPrivProtocol, "", "", "",
    [201,30,3,40,187,111,176,54,115,130,133,102,206,102,95,204],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.

%% SHA auth + DES privacy
{"enginea0", "test0.w-all-sha", "test0.w-all-sha", zeroDotZero,
    usmHMACSHAAuthProtocol, "", "",
    usmDESPrivProtocol, "", "", "",
    [112,106,201,117,200,192,230,137,68,190,22,79,233,209,95,141,121,43,89,119],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.

%% MD5 auth + AES privacy
{"enginea0", "test0.w-all-md5aes", "test0.w-all-md5aes", zeroDotZero,
    usmHMACMD5AuthProtocol, "", "",
    usmAesCfb128Protocol, "", "", "",
    [201,30,3,40,187,111,176,54,115,130,133,102,206,102,95,204],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.

%% SHA auth + AES privacy
{"enginea0", "test0.w-all-shaaes", "test0.w-all-shaaes", zeroDotZero,
    usmHMACSHAAuthProtocol, "", "",
    usmAesCfb128Protocol, "", "", "",
    [112,106,201,117,200,192,230,137,68,190,22,79,233,209,95,141,121,43,89,119],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.

--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

()5> *** [2007:03:27 06:10:15 4934] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33999
*** [2007:03:27 06:10:15 4934] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 488947328, msgFlags: [7], msgSecModel: 3
*** [2007:03:27 06:10:15 4934] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 488947328
   msgMaxSize            = 65507
   msgFlags              = [7]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,60,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,18,116,101,115,116,48,46,119,45,97,108,108,45,115,104,97,97,101,115,4,12,52,96,113,137,13,135,131,237,174,30,185,171,4,8,109,235,47,18,194,123,209,147]
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF MPD TRACE *** 
   
   SecModule    = snmpa_usm
   SecLevel     = 3
   IsReportable = true
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> check security parms: 3.2.1
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> check engine id: 3.2.3
*** [2007:03:27 06:10:15 4944] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> retrieve usm user: 3.2.4
*** [2007:03:27 06:10:15 4948] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> securityName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:15 4948] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> authenticate incoming: 3.2.5 - 3.2.7
   {"enginea0",
    "test0.w-all-shaaes",
    "test0.w-all-shaaes",
    [0,0],
    [1,3,6,1,6,3,10,1,1,3],
    [],
    [],
    [1,3,6,1,6,3,10,1,2,4],
    [],
    [],
    [],
    3,
    1,
    [112,
     106,
     201,
     117,
     200,
     192,
     230,
     137,
     68,
     190,
     22,
     79,
     233,
     209,
     95,
     141,
     121,
     43,
     89,
     119],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]}
*** [2007:03:27 06:10:15 4949] SNMP A-NET-IF A-USM TRACE *** 
   authenticate_incoming -> 3.2.6
*** [2007:03:27 06:10:15 4949] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> retrieve EngineBoots and EngineTime: 3.2.7
*** [2007:03:27 06:10:15 4959] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> SnmpEngineID: "enginea0"
*** [2007:03:27 06:10:15 4959] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> we are authoritative: 3.2.7a
*** [2007:03:27 06:10:15 4964] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> SnmpEngineBoots: 1
*** [2007:03:27 06:10:15 4964] SNMP A-NET-IF A-USM INFO *** 
   NOT in time window: 
   SecName:            "test0.w-all-shaaes"
   SnmpEngineBoots:    1
   MsgAuthEngineBoots: 0
   SnmpEngineTime:     382
   MsgAuthEngineTime:  0
*** [2007:03:27 06:10:15 4964] SNMP A-NET-IF MPD TRACE *** 
   message processing result: 
        {error,usmStatsNotInTimeWindows,
               {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',12,undefined},
                "test0.w-all-shaaes",
                [{securityLevel,1}]}}
*** [2007:03:27 06:10:15 4965] SNMP A-NET-IF MPD DEBUG *** 
   security module result when reportable [7.2.6-a]:
   Reason:    usmStatsNotInTimeWindows
   ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',12,undefined},
               "test0.w-all-shaaes",
               [{securityLevel,1}]}
*** [2007:03:27 06:10:15 4965] SNMP A-NET-IF MPD TRACE *** 
   Report ReqId: 0
*** [2007:03:27 06:10:15 4972] SNMP A-NET-IF MPD TRACE *** 
   generate_response_msg -> SecEngineID: "enginea0"
*** [2007:03:27 06:10:15 4972] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> entry [3.1.1]
*** [2007:03:27 06:10:15 4976] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> [3.1.4]
*** [2007:03:27 06:10:15 4977] SNMP A-NET-IF A-USM TRACE *** 
   encrypt -> 3.1.4b
*** [2007:03:27 06:10:15 4992] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> SnmpEngineID: "enginea0" [3.1.6]
*** [2007:03:27 06:10:15 4996] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> [3.1.5 - 3.1.7]
*** [2007:03:27 06:10:15 4996] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> [3.1.8]
*** [2007:03:27 06:10:15 4997] SNMP A-NET-IF A-USM TRACE *** 
   authenticate_outgoing -> encode message only
*** [2007:03:27 06:10:15 4997] SNMP A-NET-IF LOG TRACE *** 
   log -> entry with
   Log:  "snmpa_log"
   Addr: {127,0,0,1}
   Port: 33999
*** [2007:03:27 06:10:15 4997] SNMP A-NET-IF LOG *** 
   sending report for reason: 
   {securityError,usmStatsNotInTimeWindows}
*** [2007:03:27 06:10:16 415] SNMP A-NET-IF TRACE *** 
   activate once
*** [2007:03:27 06:10:16 426] SNMP A-NET-IF LOG *** 
   got paket from {127,0,0,1}:33999
*** [2007:03:27 06:10:16 426] SNMP A-NET-IF MPD LOG *** 
   
   v3, msgID: 488947329, msgFlags: [7], msgSecModel: 3
*** [2007:03:27 06:10:16 426] SNMP A-NET-IF MPD DEBUG *** 
   version 3 message header:
   msgID                 = 488947329
   msgMaxSize            = 65507
   msgFlags              = [7]
   msgSecurityModel      = 3
   msgSecurityParameters = [48,61,4,8,101,110,103,105,110,101,97,48,2,1,1,2,2,1,126,4,18,116,101,115,116,48,46,119,45,97,108,108,45,115,104,97,97,101,115,4,12,186,201,129,36,5,21,215,85,218,222,122,37,4,8,109,235,47,18,194,123,209,148]
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF MPD TRACE *** 
   
   SecModule    = snmpa_usm
   SecLevel     = 3
   IsReportable = true
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> check security parms: 3.2.1
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF A-USM LOG *** 
   
   authEngineID: "enginea0", userName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> check engine id: 3.2.3
*** [2007:03:27 06:10:16 447] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> retrieve usm user: 3.2.4
*** [2007:03:27 06:10:16 452] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> securityName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:16 452] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> authenticate incoming: 3.2.5 - 3.2.7
   {"enginea0",
    "test0.w-all-shaaes",
    "test0.w-all-shaaes",
    [0,0],
    [1,3,6,1,6,3,10,1,1,3],
    [],
    [],
    [1,3,6,1,6,3,10,1,2,4],
    [],
    [],
    [],
    3,
    1,
    [112,
     106,
     201,
     117,
     200,
     192,
     230,
     137,
     68,
     190,
     22,
     79,
     233,
     209,
     95,
     141,
     121,
     43,
     89,
     119],
    [177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]}
*** [2007:03:27 06:10:16 453] SNMP A-NET-IF A-USM TRACE *** 
   authenticate_incoming -> 3.2.6
*** [2007:03:27 06:10:16 466] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> retrieve EngineBoots and EngineTime: 3.2.7
*** [2007:03:27 06:10:16 478] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> SnmpEngineID: "enginea0"
*** [2007:03:27 06:10:16 479] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> we are authoritative: 3.2.7a
*** [2007:03:27 06:10:16 491] SNMP A-NET-IF A-USM TRACE *** 
   is_auth -> SnmpEngineBoots: 1
*** [2007:03:27 06:10:16 491] SNMP A-NET-IF A-USM TRACE *** 
   process_incoming_msg -> decrypt scoped data: 3.2.8
*** [2007:03:27 06:10:16 492] SNMP A-NET-IF MPD TRACE *** 
   message processing result: 
        {error,usmStatsDecryptionErrors,
               {{varbind,[1,3,6,1,6,3,15,1,1,6,0],'Counter32',7,undefined},
                "test0.w-all-shaaes",
                []}}
*** [2007:03:27 06:10:16 492] SNMP A-NET-IF MPD DEBUG *** 
   security module result when reportable [7.2.6-a]:
   Reason:    usmStatsDecryptionErrors
   ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,6,0],'Counter32',7,undefined},
               "test0.w-all-shaaes",
               []}
*** [2007:03:27 06:10:16 493] SNMP A-NET-IF MPD TRACE *** 
   Report ReqId: 0
*** [2007:03:27 06:10:16 4115] SNMP A-NET-IF MPD TRACE *** 
   generate_response_msg -> SecEngineID: "enginea0"
*** [2007:03:27 06:10:16 4116] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> entry [3.1.1]
*** [2007:03:27 06:10:16 4118] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> [3.1.4]
*** [2007:03:27 06:10:16 4118] SNMP A-NET-IF A-USM TRACE *** 
   encrypt -> 3.1.4b
*** [2007:03:27 06:10:16 4118] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> SnmpEngineID: "enginea0" [3.1.6]
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> [3.1.5 - 3.1.7]
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF A-USM TRACE *** 
   generate_outgoing_msg -> [3.1.8]
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF A-USM TRACE *** 
   authenticate_outgoing -> encode message only
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF LOG TRACE *** 
   log -> entry with
   Log:  "snmpa_log"
   Addr: {127,0,0,1}
   Port: 33999
*** [2007:03:27 06:10:16 4120] SNMP A-NET-IF LOG *** 
   sending report for reason: 
   {securityError,usmStatsDecryptionErrors}
*** [2007:03:27 06:10:16 4120] SNMP A-NET-IF TRACE *** 
   activate once
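Editor's added example (not Scott's code and not part of OTP): the RFC 3414 key derivation that produces the AuthKey and PrivKey columns of usm.conf. RFC 3414 localizes the privacy key with the same hash the user uses for authentication, so the same "privphrase" yields different 16-byte privacy keys for an MD5 user and a SHA user (for SHA, the 20-byte localized key is truncated to 16 bytes for DES or AES-128). The engine ID "enginea0" and the passphrases are taken from the post; the page's key bytes have not been recomputed here, and the test uses the RFC 3414 appendix A.3 vectors instead.

```python
import hashlib

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash the password repeated to 1,048,576 bytes (Ku)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pass: bytes, priv_pass: bytes, engine_id: bytes, auth: str):
    """Return (AuthKey, PrivKey) as usm.conf expects for an MD5 or SHA user.

    auth is "md5" or "sha1". The privacy key is derived with the *auth* hash
    and truncated to 16 bytes, the key length for both DES and AES-128."""
    auth_key = localize_key(password_to_key(auth_pass, auth), engine_id, auth)
    priv_key = localize_key(password_to_key(priv_pass, auth), engine_id, auth)
    return auth_key, priv_key[:16]


def erlang_list(b: bytes) -> str:
    """Render bytes the way the usm.conf entries on the page write them."""
    return "[" + ",".join(str(x) for x in b) + "]"


if __name__ == "__main__":
    # Values from the post: engine ID "enginea0", privacy phrase "privphrase".
    # The auth passphrase is not given on the page; "authphrase" is a placeholder.
    engine = b"enginea0"
    for auth in ("md5", "sha1"):
        a, p = usm_keys(b"authphrase", b"privphrase", engine, auth)
        print(auth, "AuthKey", erlang_list(a))
        print(auth, "PrivKey", erlang_list(p))
```

Running it shows that the two PrivKey lines differ even though the phrase is the same, which is the check to make when one localized privacy key is reused across users with different auth protocols.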



More information about the erlang-questions mailing list