Reg: SNMP v3 not working with AES


Reg: SNMP v3 not working with AES

Alex Anto Navis Lawrence
Hello friends,

I have been trying to make the SNMP v3 work with AES, but couldn't. Please find the code in the below gist.

Erlang/OTP 19
Elixir: 1.4.2


Problem:
The SNMP packet is sent out but there is no response from the server. The code gist has the working Net-SNMP shell utility command.
It fails in the receive block timeout since no packet is received (I verified with Wireshark). The same code works if it is the DES algorithm.

Code:

From the Erlang code for AES, it uses local EngineBoots and EngineTime to create the IV. SaltFun() is an incremental value which is sent as part of the authorizationParameters in the UDP headers. I feel using local engineBoots and engineTime might be wrong since the remote agent will not have any idea about our snmp_manager boots and engine time. Any thoughts on this?

snmp_usm.erl.
aes_encrypt(PrivKey, Data, SaltFun, EngineBoots, EngineTime) ->
    AesKey = PrivKey,
    Salt = SaltFun(),
    IV = list_to_binary([?i32(EngineBoots), ?i32(EngineTime) | Salt]),
    EncData = crypto:block_encrypt(?BLOCK_CIPHER_AES,
                                   AesKey, IV, Data),
    {ok, binary_to_list(EncData), Salt}.

Any pointers will be really helpful. Thanks.


--
Thanks,
Alex Anto Navis. L

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
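
Added example (not part of the original post, the OTP snmp source, or the patch linked later in the thread): a sketch of the IV rule in RFC 3826 section 3.1.2.1, showing what the receiving agent recovers when the manager builds the IV from its own local EngineBoots/EngineTime instead of the authoritative engine's. It uses crypto:crypto_one_time/5 (OTP 22 and later) rather than the crypto:block_encrypt/4 call quoted above; the module name, helper names, key, salt, counters and PDU bytes are all constructed.

```erlang
-module(usm_aes_iv_demo).            % hypothetical module name
-export([run/0]).

%% RFC 3826 section 3.1.2.1: IV = authoritative engine's snmpEngineBoots
%% (32 bits) ++ its snmpEngineTime (32 bits) ++ the 64-bit salt that is
%% carried in the message's privParameters field.
iv(Boots, Time, Salt) when byte_size(Salt) =:= 8 ->
    <<Boots:32, Time:32, Salt/binary>>.

%% AES-128 in CFB-128 mode; Encrypt is true to encrypt, false to decrypt.
aes_cfb(Key, Boots, Time, Salt, Data, Encrypt) ->
    crypto:crypto_one_time(aes_128_cfb128, Key,
                           iv(Boots, Time, Salt), Data, Encrypt).

run() ->
    %% All values below are constructed for the demonstration.
    Key  = <<16#000102030405060708090a0b0c0d0e0f:128>>,  % localized privKey
    Salt = <<1:64>>,                                      % manager's salt counter
    Pdu  = <<"constructed scopedPDU bytes, longer than one AES block">>,
    {AgentBoots, AgentTime} = {7, 123456},  % agent is authoritative for a request
    {MgrBoots, MgrTime}     = {2, 99},      % manager's own local counters

    %% The agent rebuilds the IV from msgAuthoritativeEngineBoots/Time in the
    %% message header (its own values) plus the received salt.
    AgentDecrypt =
        fun(C) -> aes_cfb(Key, AgentBoots, AgentTime, Salt, C, false) end,

    %% Manager encrypts with the agent's values: the round trip succeeds.
    Good = AgentDecrypt(aes_cfb(Key, AgentBoots, AgentTime, Salt, Pdu, true)),

    %% Manager encrypts with its local values, the mismatch the post describes.
    Bad = AgentDecrypt(aes_cfb(Key, MgrBoots, MgrTime, Salt, Pdu, true)),

    %% In CFB only the first block depends on the IV, so only the first
    %% 16-byte block (where the scopedPDU's BER header sits) is corrupted.
    TailLen = byte_size(Pdu) - 16,
    #{roundtrip_ok   => Good =:= Pdu,
      first_block_ok => binary:part(Bad, 0, 16) =:= binary:part(Pdu, 0, 16),
      tail_ok        => binary:part(Bad, 16, TailLen)
                            =:= binary:part(Pdu, 16, TailLen)}.
```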

Re: Reg: SNMP v3 not working with AES

Dominik Pawlak-2
Hello Alex,
This looks similar to:
http://erlang.org/pipermail/erlang-questions/2016-September/090132.html

Basically, there was a bug for AES encryption in the snmp library (exactly what you are pointing out in your mail). You can fix it by applying the patch that is attached to the above post.

Best,
Dominik Pawlak

On 31.05.2017 10:10, Alex Anto Navis Lawrence wrote:

Re: Reg: SNMP v3 not working with AES

Alex Anto Navis Lawrence
Hi Dominik,

Thanks a lot for the help. I was on the same line of fix based on RFC-3826 (3.1.2.1. AES Encryption Key and IV) where I got the response and got stuck with a decryption problem.

Now I saw the patch, applied the remaining changes (git) on decryption, and got the whole thing working. Thanks a lot for your help, you saved a lot for me. 👍

Any idea why this is not fixed in the latest Erlang code? Can I be of any help in raising a PR for the same?

Thanks,
Alex

On Wed, May 31, 2017 at 7:41 PM, Dominik Pawlak <[hidden email]> wrote:

Re: Reg: SNMP v3 not working with AES

Dominik Pawlak-2
I guess not that many people are using snmp in Erlang. I should have made the PR a long time ago, but I never had the time. If you want, go ahead and use the patch as a base for a PR.

Best,
Dominik

On 31.05.2017 18:42, Alex Anto Navis Lawrence wrote: