3. Digest Authentication Protocol

This section describes the Digest Authentication Protocol. It provides both for verifying the integrity of a received message (i.e., the message received is the message sent) and for verifying the origin of a message (i.e., the reliable identification of the originator). The integrity of the message is protected by computing a digest over an appropriate portion of a message. The digest is computed by the originator of the message, transmitted with the message, and verified by the recipient of the message.

A secret value known only to the originator and recipient of the message is prefixed to the message prior to the digest computation. Thus, the origin of the message is known implicitly with the verification of the digest.

A requirement on parties using this Digest Authentication Protocol is that they shall not originate messages for transmission to any destination party which does not also use this Digest Authentication Protocol. This restriction excludes undesirable side effects of communication between a party which uses these security protocols and a party which does not.

Recall from [1] that a SNMPv2 management communication is represented by an ASN.1 value with the following syntax:

        SnmpMgmtCom ::= [2] IMPLICIT SEQUENCE {
          dstParty
             OBJECT IDENTIFIER,
          srcParty
             OBJECT IDENTIFIER,
          context
             OBJECT IDENTIFIER,
          pdu
             PDUs
        }

For each SnmpMgmtCom value that represents a SNMPv2 management communication, the following statements are true:

• Its dstParty component is called the destination and identifies the SNMPv2 party to which the communication is directed.

• Its srcParty component is called the source and identifies the SNMPv2 party from which the communication is originated.

• Its context component identifies the SNMPv2 context containing the management information referenced by the communication.

• Its pdu component has the form and significance attributed to it in [12].

  Recall from [1] that a SNMPv2 authenticated management communication is represented by an ASN.1 value with the following syntax:

  SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE { authInfo ANY, - defined by authentication protocol authData SnmpMgmtCom }

For each SnmpAuthMsg value that represents a SNMPv2 authenticated management communication, the following statements are true:

• Its authInfo component is called the authentication information and represents information required in support of the authentication protocol used by both the SNMPv2 party originating the message, and the SNMPv2 party receiving the message. The detailed significance of the authentication information is specific to the authentication protocol in use; it has no effect on the application semantics of the communication other than its use by the authentication protocol in determining whether the communication is authentic or not.

• Its authData component is called the authentication data and represents a SNMPv2 management communication.

In support of the Digest Authentication Protocol, an authInfo component is of type AuthInformation:

        AuthInformation ::= [2] IMPLICIT SEQUENCE {
          authDigest
             OCTET STRING,
          authDstTimestamp
             UInteger32,
          authSrcTimestamp
             UInteger32
        }

For each AuthInformation value that represents authentication information, the following statements are true:

• Its authDigest component is called the authentication digest and represents the digest computed over an appropriate portion of the message, where the message is temporarily prefixed with a secret value for the purposes of computing the digest.

• Its authSrcTimestamp component is called the authentication timestamp and represents the time of the generation of the message according to the partyAuthClock of the SNMPv2 party that originated it. Note that the granularity of the authentication timestamp is 1 second.

• Its authDstTimestamp component is called the authentication timestamp and represents the time of the generation of the message according to the partyAuthClock of the SNMPv2 party that is to receive it. Note that the granularity of the authentication timestamp is 1 second.

• 3.1. Generating a Message
• 3.2. Receiving a Message