This section describes the Digest Authentication Protocol. It
provides both for verifying the integrity of a received
message (i.e., the message received is the message sent) and
for verifying the origin of a message (i.e., the reliable
identification of the originator). The integrity of the
message is protected by computing a digest over an appropriate
portion of a message. The digest is computed by the
originator of the message, transmitted with the message, and
verified by the recipient of the message.
A secret value known only to the originator and recipient of
the message is prefixed to the message prior to the digest
computation. Thus, the origin of the message is known
implicitly with the verification of the digest.
A requirement on parties using this Digest Authentication
Protocol is that they shall not originate messages for
transmission to any destination party which does not also use
this Digest Authentication Protocol. This restriction
excludes undesirable side effects of communication between a
party which uses these security protocols and a party which
does not.
Recall from [1] that a SNMPv2 management communication is
represented by an ASN.1 value with the following syntax:
For each SnmpMgmtCom value that represents a SNMPv2 management
communication, the following statements are true:
Its dstParty component is called the destination and
identifies the SNMPv2 party to which the communication is
directed.
Its srcParty component is called the source and
identifies the SNMPv2 party from which the communication
is originated.
Its context component identifies the SNMPv2 context
containing the management information referenced by the
communication.
Its pdu component has the form and significance
attributed to it in [12].
Recall from [1] that a SNMPv2 authenticated management
communication is represented by an ASN.1 value with the
following syntax:
     SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE {
         authInfo
             ANY,  -- defined by authentication protocol
         authData
             SnmpMgmtCom
     }
For each SnmpAuthMsg value that represents a SNMPv2
authenticated management communication, the following
statements are true:
Its authInfo component is called the authentication
information and represents information required in
support of the authentication protocol used by both the
SNMPv2 party originating the message, and the SNMPv2
party receiving the message. The detailed significance
of the authentication information is specific to the
authentication protocol in use; it has no effect on the
application semantics of the communication other than its
use by the authentication protocol in determining whether
the communication is authentic or not.
Its authData component is called the authentication data
and represents a SNMPv2 management communication.
In support of the Digest Authentication Protocol, an authInfo
component is of type AuthInformation:
For each AuthInformation value that represents authentication
information, the following statements are true:
Its authDigest component is called the authentication
digest and represents the digest computed over an
appropriate portion of the message, where the message is
temporarily prefixed with a secret value for the purposes
of computing the digest.
Its authSrcTimestamp component is called the
authentication timestamp and represents the time of the
generation of the message according to the partyAuthClock
of the SNMPv2 party that originated it. Note that the
granularity of the authentication timestamp is 1 second.
Its authDstTimestamp component is called the
authentication timestamp and represents the time of the
generation of the message according to the partyAuthClock
of the SNMPv2 party that is to receive it. Note that the
granularity of the authentication timestamp is 1 second.
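The following is an added worked example, not code from this document or from any SNMPv2 implementation, showing the two sides of the Digest Authentication Protocol as described above: the originator prefixes the shared secret to the message, computes a digest over it, and transmits the digest together with the two authentication timestamps; the recipient, holding the same secret, recomputes the digest and compares. The example assumes MD5 as the digest function (the excerpt here does not name one), assumes a simple serialization of the two timestamps and the authData octets (the real protocol uses ASN.1 BER encoding of the whole SnmpAuthMsg), and uses constructed values for the secret, the partyAuthClock readings and the management communication.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthInformation:
    """Mirrors the three AuthInformation components named in the text.

    Field types and the byte layout used below are assumptions made for this
    example; the protocol itself defines them in ASN.1.
    """
    authDigest: bytes
    authSrcTimestamp: int  # seconds on the originator's partyAuthClock
    authDstTimestamp: int  # seconds on the recipient's partyAuthClock


def _digest_input(secret: bytes, src_ts: int, dst_ts: int,
                  auth_data: bytes) -> bytes:
    # The text says the secret is temporarily prefixed to the message before
    # digesting.  "The message" here is taken to be the two 1-second-granularity
    # timestamps (4-byte big-endian each) followed by the authData octets; this
    # serialization is an assumption of the example, not the protocol's BER.
    return (secret
            + src_ts.to_bytes(4, "big")
            + dst_ts.to_bytes(4, "big")
            + auth_data)


def compute_digest(secret: bytes, src_ts: int, dst_ts: int,
                   auth_data: bytes) -> bytes:
    # MD5 is assumed as the digest algorithm for this example.
    return hashlib.md5(_digest_input(secret, src_ts, dst_ts, auth_data)).digest()


def originate(secret: bytes, src_clock: int, dst_clock: int,
              auth_data: bytes) -> AuthInformation:
    """Originator side: stamp the message with both clocks and attach the digest.

    Only the digest travels on the wire; the secret never does.
    """
    digest = compute_digest(secret, src_clock, dst_clock, auth_data)
    return AuthInformation(digest, src_clock, dst_clock)


def verify(secret: bytes, auth_info: AuthInformation, auth_data: bytes) -> bool:
    """Recipient side: recompute the digest with the shared secret and compare.

    A match establishes both integrity (the data was not altered) and origin
    (only a holder of the secret could have produced the digest).  The
    comparison is constant-time so that timing does not leak digest bytes.
    """
    expected = compute_digest(secret, auth_info.authSrcTimestamp,
                              auth_info.authDstTimestamp, auth_data)
    return hmac.compare_digest(expected, auth_info.authDigest)


def demo() -> dict:
    """Runs the exchange on constructed inputs and reports the outcomes."""
    secret = b"constructed-shared-secret-16"      # constructed, shared by both parties
    auth_data = b"GetRequest sysDescr.0"          # constructed stand-in for SnmpMgmtCom
    src_clock, dst_clock = 1_000_000, 1_000_003   # constructed partyAuthClock readings

    info = originate(secret, src_clock, dst_clock, auth_data)

    # Recipient checks the untouched message, a tampered message, and a
    # message checked with a different secret (i.e. a party not sharing it).
    return {
        "digest_len": len(info.authDigest),
        "genuine": verify(secret, info, auth_data),
        "tampered_data": verify(secret, info, b"SetRequest sysDescr.0"),
        "wrong_secret": verify(b"some-other-secret", info, auth_data),
    }


if __name__ == "__main__":
    print(demo())
```

Both parties must hold the same secret and must agree on exactly which octets are digested; any serialization difference between originator and recipient yields a spurious verification failure, which is why the real protocol pins this down in ASN.1. Note also that a bare secret-prefix hash is weaker than a dedicated MAC construction such as HMAC; in this protocol the fixed framing of the message limits that concern, but the comparison on the receiving side should still be constant-time, as above.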