6. HMAC-MD5-96 Authentication Protocol

This section describes the HMAC-MD5-96 authentication protocol. This authentication protocol is the first defined for the User-based Security Model. It uses MD5 hash-function which is described in RFC 1321, in HMAC mode described in RFC 2104, truncating the output to 96 bits.

This protocol is identified by usmHMACMD5AuthProtocol.

Over time, other authentication protocols may be defined either as a replacement of this protocol or in addition to this protocol.

6.1. Mechanisms

The HMAC-MD5-96 authentication protocol provides the following mechanisms:

Data Integrity Support

In support of data integrity, a message digest algorithm is required. A digest is calculated over an appropriate portion of an SNMP message and included as part of the message sent to the recipient.

Data Origin Authentication

In support of data origin authentication and data integrity, a secret value is prepended to SNMP message prior to computing the digest; the calculated digest is partially inserted into the SNMP message prior to transmission, and the prepended value is not transmitted. The secret value is shared by all SNMP engines authorized to originate messages on behalf of the appropriate user.

6.1.1. Digest Authentication Mechanism

The Digest Authentication Mechanism defined in this memo provides for:

Integrity Verification

Verification of the integrity of a received message, i.e., the message received is the message sent.

The integrity of the message is protected by computing a digest over an appropriate portion of the message. The digest is computed by the originator of the message, transmitted with the message, and verified by the recipient of the message.

User Verification

Verification of the user on whose behalf the message was generated.

A secret value known only to SNMP engines authorized to generate messages on behalf of a user is used in HMAC mode (see RFC 2104). It also recommends the hash-function output used as Message Authentication Code, to be truncated.

6.1.2. Algorithm Details

This protocol uses the MD5 (RFC 1321) message digest algorithm:

A 128-bit MD5 digest is calculated in a special (HMAC) way over the designated portion of an SNMP message
The first 96 bits of this digest is included as part of the message sent to the recipient
The size of the digest carried in a message is 12 octets
The size of the private authentication key (the secret) is 16 octets

For the details see section 6.3.

6.2. Elements of the Digest Authentication Protocol

This section contains definitions required to realize the authentication module defined in this section of this memo.

6.2.1. Users

Authentication using this authentication protocol makes use of a defined set of userNames. For any user on whose behalf a message must be authenticated at a particular SNMP engine, that SNMP engine must have knowledge of that user. An SNMP engine that wishes to communicate with another SNMP engine must also have knowledge of a user known to that engine, including knowledge of the applicable attributes of that user.

A user and its attributes are defined as follows:

`<userName>`

A string representing the name of the user.

`<authKey>`

A user's secret key to be used when calculating a digest. It MUST be 16 octets long for MD5.

6.2.2. msgAuthoritativeEngineID

The msgAuthoritativeEngineID value contained in an authenticated message specifies the authoritative SNMP engine for that particular message (see the definition of SnmpEngineID in the SNMP Architecture document RFC 3411).

The user's (private) authentication key is normally different at each authoritative SNMP engine and so the snmpEngineID is used to select the proper key for the authentication process.

6.2.3. SNMP Messages Using this Authentication Protocol

Messages using this authentication protocol carry a msgAuthenticationParameters field as part of the msgSecurityParameters.

For this protocol, the msgAuthenticationParameters field is the serialized OCTET STRING representing the first 12 octets of the HMAC-MD5-96 output done over the wholeMsg.

The digest is calculated over the wholeMsg so if a message is authenticated, that also means that all the fields in the message are intact and have not been tampered with.

6.2.4. Services provided by the HMAC-MD5-96 Authentication Module

This section describes the inputs and outputs that the HMAC-MD5-96 Authentication module expects and produces when the User-based Security module calls the HMAC-MD5-96 Authentication module for services.

6.2.4.1. Services for Generating an Outgoing SNMP Message

The HMAC-MD5-96 authentication protocol assumes that the selection of the authKey is done by the caller and that the caller passes the secret key to be used.

Upon completion the authentication module returns statusInformation and, if the message digest was correctly calculated, the wholeMsg with the digest inserted at the proper place.

The abstract service primitive is:

statusInformation =              -- success or failure
  authenticateOutgoingMsg(
  IN   authKey                   -- secret key for authentication
  IN   wholeMsg                  -- unauthenticated complete message
  OUT  authenticatedWholeMsg     -- complete authenticated message
       )

Parameters:

statusInformation: An indication of whether the authentication process was successful. If not it is an indication of the problem.
authKey: The secret key to be used by the authentication algorithm. The length of this key MUST be 16 octets.
wholeMsg: The message to be authenticated.
authenticatedWholeMsg: The authenticated message on output.

6.2.4.2. Services for Processing an Incoming SNMP Message

The HMAC-MD5-96 authentication protocol assumes that the selection of the authKey is done by the caller and that the caller passes the secret key to be used.

Upon completion the authentication module returns statusInformation to indicate whether the message was authentic or not.

The abstract service primitive is:

statusInformation =              -- success or failure
  authenticateIncomingMsg(
  IN   authKey                   -- secret key for authentication
  IN   authParameters            -- as received on the wire
  IN   wholeMsg                  -- as received on the wire
  OUT  authenticatedWholeMsg     -- checked for authentication
       )

Parameters:

statusInformation: An indication of whether the authentication process was successful. If not it is an indication of the problem.
authKey: The secret key to be used by the authentication algorithm. The length of this key MUST be 16 octets.
authParameters: The msgAuthenticationParameters from the incoming message.
wholeMsg: The message to be authenticated.
authenticatedWholeMsg: The authenticated message on output.

6.3. Elements of Procedure

This section describes the procedures for the HMAC-MD5-96 authentication protocol.

6.3.1. Processing an Outgoing Message

This section describes the procedure followed by an SNMP engine when it generates a message containing management information on behalf of a user with an securityLevel that specifies authentication is to be used.

Step 1: Set msgAuthenticationParameters

The msgAuthenticationParameters field is set to the serialization according to the rules in RFC 3417 of an OCTET STRING containing 12 zero octets.

Step 2: Calculate the MAC

Using the secret authKey of the user, and the message with msgAuthenticationParameters set to 12 zero octets, calculate the MAC (Message Authentication Code) according to the HMAC-MD5 algorithm:

MAC = HMAC-MD5(authKey, wholeMsg)

Where:

authKey is the 16-octet secret key
wholeMsg is the entire message with msgAuthenticationParameters set to 12 zero octets

Step 3: Truncate and Insert MAC

Take the first 12 octets of the 16-octet MAC value and place them in the msgAuthenticationParameters field.

Step 4: Return Result

Return the authenticatedWholeMsg to the calling module.

6.3.2. Processing an Incoming Message

This section describes the procedure followed by an SNMP engine when it processes a message containing management information with an securityLevel that specifies authentication has been used.

Step 1: Extract Parameters

Extract the msgAuthenticationParameters from the incoming message and save it.

Step 2: Set msgAuthenticationParameters to Zero

Replace the msgAuthenticationParameters field in the message with an OCTET STRING of 12 zero octets.

Step 3: Calculate Expected MAC

Using the secret authKey of the user, and the message with msgAuthenticationParameters set to 12 zero octets, calculate the expected MAC:

expectedMAC = HMAC-MD5(authKey, wholeMsg)

Step 4: Truncate Expected MAC

Take the first 12 octets of the 16-octet expectedMAC value.

Step 5: Compare MACs

Compare the extracted msgAuthenticationParameters (from step 1) with the calculated 12-octet MAC (from step 4).

If they are equal, the message is authenticated. If they are not equal, the message is not authentic and should be discarded.

Step 6: Return Result

Return statusInformation indicating success or failure.

Implementation Notes

Key Length: The authKey MUST be exactly 16 octets for HMAC-MD5-96
MAC Truncation: Only the first 96 bits (12 octets) of the 128-bit MD5 output are used
Constant-Time Comparison: When comparing MACs, implementations should use constant-time comparison to avoid timing attacks
HMAC Mode: The protocol uses HMAC mode as specified in RFC 2104, not plain MD5

Security Considerations

MD5 Weaknesses: MD5 has known cryptographic weaknesses. While HMAC-MD5 is more resistant to attacks than plain MD5, implementations should consider migrating to HMAC-SHA-96 for better security
Key Management: The 16-octet authKey must be kept secret and properly managed
Truncation: Truncating the MAC from 128 bits to 96 bits slightly reduces security but is considered acceptable for SNMP applications