Abstract
This paper describes the design and implementation of a secure management protocol for the management of distributed applications. The protocol is a modified use of the ISO CMIP protocol, with additional mechanisms and behavior to provide the following security services:Mutual authentication of communicating parties. Both parties can prove to each other that they are who they claim to be by the exchange of signed credentials.Stream integrity for management information packets (protocol data units—PDUs). The management information exchanged between the parties is protected from replay, misordering, modification, insertion, and deletion of the PDUs.Confidentiality of the management PDUs. Only the communicating parties can read the information passed between them. The mechanism used also provides a level ofback traffic protection andperfect forward secrecy. In previous work we have implemented apublic-key based system. Here, we present an experiment based on the use of asecret-key mechanism, for a faster,lightweight approach. The authentication mechanism makes use of the MD5 algorithm and the DES encryption standard. The PDU integrity mechanisms make use of a pseudo random number sequence for PDU numbering and the MD5 algorithm for generating unforgeable signatures for the PDUs.
Similar content being viewed by others
References
ISO/IEC 9596, Information technology, open systems interconnection, common management information protocol specification, May 1990.
CCITT Recommendations X.800, Security architecture for open systems interconnection for CCITT applications, Geneva, 1991.
Network Management Forum, Applications services: security of management, OMNIPoint Network Management Forum 016, Bernardsville, New Jersey, August 1992.
G. Knight, S. N. Bhatti, and L. Deri, Secure remote management in the ESPRIT MIDAS project, Proc. IFIP TC6/WG6. 5 International Working Conference on Upper Layer Protocols, Architectures and Applications, Barcelona, Spain, Elsevier Science B. V., Amsterdam, July 1994, pp. 77–86, June 1–3, 1994.
S. N. Bhatti, G. Knight, D. Gurle, and P. Rodier, Secure remote management, In: A. S. Sethi, Y. Raynaud, and F. Faure-Vincent, (eds.) Proc. Fourth International Symposium on Intergrated Network Management 1995, Santa Barbara, California, Chapman and Hall, pp. 156–169, May 1–5, 1995.
G. Knight and S. N. Bhatti, Some experiences with secure management. In. J. Barbera and J. Kiers (eds.) Proc. JENC6-6th Joint European Networking Conference, Tel Aviv, Israel, pp. 322/1–9, May 15–18, 1995.
CCITT Recommendation X.509, The Directory—authentication framework, Geneva, March 1988.
P. R. Zimmermann, The Official PGP User's Guide, MIT Press, p. 216.
C. Kaufman, DASS-Distributed authentication security service, Internet RFC 1507, September 10, 1993.
D. Maughan, B. Patrick, and M. Schertler, Internet security association and key management protocol, work in progress, IPSEC Working Group, draft-nsa-isakmp-01.ps, July 6, 1995.
P. Karn and W. A. Simpson, The Photuris session key management protocol, work in progress, Internet Draft, Network Working Group, draft-ietf-ipsec-photuris-02.txt, July 1995.
J. Galvin and K. McCloghrie, Security protocols for version 2 of the simple network management protocol (SNMPv2), RFC1446, 3 May 1993.
J. D. Case, J. Galvin, K. McCloghrie, M. T. Rose, and S. Waldbusser Security protocols for version 2 of the simple network management protocol (SNMPv2), work in progress, Internet Draft. draft-ietf-snmpv2-sec-ds-02.txt, May 31, 1995.
K. McCloghrie, M. T. Rose, G. W. Waters, and J. M. Galvin, User-based security model for version 2 of the simple network management protocol (SNMPv2), work in progress, Internet Draft, draft-kzm-snmpv2-sec-alt-00.txt, June 30, 1995.
R. Atkinson, Security architecture for the internet protocol, Internet RFC 1825, August 9, 1995.
R. Atkinson, IP encapsulating security payload (ESP), Internet RFC 1827, August 9, 1995.
R. Atkinson, IP authentication header, Internet RFC 1826, 9 August 1995.
P. Metzger, P. Karn, and W. A. Simpson, The ESP DES-CBC transform, Internet RFC 1829, 9 August 1995.
A Ramanov, Simple Authentication mechanism for SNMP, work in progress, draft-ramovsimple-snmp-00.txt, June 27, 1995.
G. W. Waters, Security mechanisms for version 1 of the simple network management protocol (SNMPv1), work in progress, Internet Draft, draft-waters-snmpv1-sec-mech-00.txt, June 7, 1995.
A. I. Walten Security encapsulation of SNMP, work in progress, Internet Draft, draft-altensnmp-sec-encap-00.txt, July 30, 1995.
R. Rivest, The MD5 message-digest algorithm, Internet RFC 1321, March 16, 1992.
NIST FIPS Publication 180, Secure Hash Standard, National Institute of Standards and Technology, Federal Information Processing Standards Publication, U.S. Department of Commerce, May 11, 1993.
NBS FIPS Publication 46-1, Data Encryption Standard, National Bureau of Standards, U.S. Department of Commerce, January 1988.
P. Rogaway, Problems with proposed IP cryptography, work in progress, Internet Draft, draftrogaway-ipsec-comments-00.txt, April 3, 1995.
ISO/IEC CD 11586, Information Technology, Opens Systems Interconnection, Generic Upper Layers Security, December 1992.
ISO/IEC CD 10181-1, Information Technology, Open Systems Interconnection, Security Frameworks in Open Systems, Part 1: Security Frameworks Overview, October 13, 1992.
CCITT Recommendation X.511, The directory-abstract service definition, Geneva, March 1988.
CCITT Recommendation X.227. Connection oriented protocol specification for the association control service element, September 1992.
D. Eastlake 3rd., S. Crocker, and J. Schiller, Randomness Recommendations for security. Internet RFC 1750, 29 December 1994.
ISO/IEC 9072, Information processing systems, test communication, remote operations, 1989.
G. Pavlou, G. Knight, K. McCarthy, and S. N. Bhatti, The OSIMIS platform: making OSI management simple. In A. S. Sethi, Y. Raynaud, and F. Faure-Vincent, (eds.), Proc. Fourth International Symposium on Integrated Network Management 1995, Santa Barbara, California, Chapman and Hall, pp. 480–493.
UCL Department of Computer Science,The ISODE User's Manual, Version 8.0, July 1991.
H. Krawczyk, Keyed-MD5 for message authentication, work in progress, Internet Draft, draftkrawczyk-keyed-md5-00.txt. June 22, 1995.
C. Neuman, B. Tung, and J. Wray, Public key cryptography for initial authentication in Kerberos, work in progress. Internet Draft, draft-ietf-cat-kerberos-pk-init-00.txt. March 6, 1995.
ITU M.3010, Principles of a telecommunication management network, Working Party IV, Report 28, December 1991.
Author information
Authors and Affiliations
Corresponding author
Additional information
University College London when work was completed, now at Harlow Butler Broking Services, Montague Close, London Bridge, London, United Kingdom.
Rights and permissions
About this article
Cite this article
Bhatti, S.N., McCarthy, K.M.T., Knight, G. et al. Secure management information exchange. J Netw Syst Manage 4, 251–277 (1996). https://doi.org/10.1007/BF02139146
Issue Date:
DOI: https://doi.org/10.1007/BF02139146