
Formal Security Analysis of Authentication

This paper presents a formal verification of authentication in the SNMPv3 network management protocol using the applied pi-calculus and the ProVerif automatic cryptographic protocol verifier. The authors model SNMPv3, specify it using applied pi-calculus, and verify one of its main security properties, authentication, without bounding the number of protocol sessions.


6th International Symposium on Telecommunications (IST'2012)

Formal Security Analysis of Authentication in SNMPv3 Protocol by An Automated Tool

Sepideh Asadi
Electrical Engineering Department, Iran University of Science and Technology, Tehran, Iran
[email protected]

Hadi Shahriar Shahhoseini
Electrical Engineering Department, Iran University of Science and Technology, Tehran, Iran
[email protected]

Abstract— Recently, the verification of network management protocols has been the subject of many research works. SNMP (Simple Network Management Protocol) is a widely used protocol for monitoring and managing devices on IP networks. Three significant security features (authentication, encryption, access control) are added to SNMPv3 under the User-based Security Model (USM). Until now, no formal and automated verification methods have been proposed for network management protocols, and they have been analyzed only with informal techniques or with symbolic methods, which is a hard, time-consuming and error-prone task when done by hand. Hence, in this paper, we first describe the SNMPv3 protocol and propose an abstract model of it to formalize our understanding of SNMP, and provide a specification of SNMPv3 in the applied π-calculus. We verify authenticity in the SNMPv3 protocol without bounding the number of sessions of the protocol, using an automated protocol verifier, ProVerif, and we show a proof of authenticity for the SNMPv3 protocol.

Keywords- Formal Verification, SNMPv3, ProVerif, Applied π-Calculus, Authentication, Correspondence Assertions.

I. INTRODUCTION

Recently, many research topics have mainly focused on applying formal methods to a broad class of network protocols, and there has been vast progress in the development of a formal framework for specifying and reasoning about security properties. It is very important to verify protocols with an unbounded number of sessions, while relying as little as possible on human involvement.

During the last few years, the SNMP protocol as a network management protocol has been widely used by various network equipment vendors as the main network management interface. Security has been a strong concern with SNMPv1 and SNMPv2. Neither of them supplies adequate security features such as management message authentication and encryption, and there is no facility to authenticate the source of the management information that is being exchanged. With these breaches in security, an unauthorized client could perform network management functions and hence, it was open to simple attacks. SNMPv3, a general framework for all three versions of SNMP, provides more security enhancements than its previous versions.

To our knowledge, there has been no formal proof of network management protocols. As claimed in informal descriptions of SNMPv3, it provides secrecy of management information, authentication, view-based access control to MIB (Management Information Base) data, and an integrity check of protocol data. Authentication is a security property that provides assurance that a message is from a valid source, that the management information was not altered in transit, and that it was not delayed or replayed.

Our goal in this paper is to provide a fully automatic technique to verify authenticity in the SNMPv3 protocol, without bounding the number of runs of the protocol to analyze it. To achieve this goal, we present an abstract and simplified model of SNMPv3, specify it with the applied π-calculus, and then verify one of the main security properties, namely authenticity of the protocol, using a popular cryptographic verification tool, ProVerif. Thanks to its use of unification, it avoids the problem of state space explosion, whereas most existing protocol verifiers based on model checking suffer from this problem and need very large resources to verify protocols.

This paper is organized as follows: Section II provides some background on SNMPv3. Furthermore, we describe the security enhancements to the SNMP protocol and discuss how its security capability supplies authentication. Also, we model a simplified SNMPv3, propose an abstract model of SNMPv3, and introduce a handshake model of it to formalize our understanding of SNMP. Section III presents a brief introduction to the syntax of the applied π-calculus, and we discuss how to model authentication using correspondence assertions. In Section IV we specify SNMPv3 in the applied π-calculus and verify this protocol using the ProVerif tool. Finally, Section V offers conclusions.

II. THE SNMP PROTOCOL

SNMP is a protocol defined by the Internet Engineering Task Force (IETF) used for managing devices such as routers, switches, servers, workstations and more. It facilitates the exchange of management information between network devices in the form of variables. These variables describe the system configuration parameters and can be read and queried (or sometimes set or written) by managing applications.

This work is done in Iran University of Science and Technology (IUST) as part of a contract with Research Institute for ICT (ITRC).

978-1-4673-2073-3/12/$31.00 ©2012 IEEE


The SNMPv3 management protocol is used to convey management information between the manager and agent. This protocol allows an SNMP manager (the controller) to control an SNMP agent (the controlee) by exchanging SNMP messages. Every SNMP agent has a database of variables called a MIB or Management Information Base. The manager uses this database to request the SNMP agent and interpret the received signals.

Agents are the software modules that reside in the managed devices. They respond to requests from the manager using information from their MIB and send traps to the manager by means of the SNMP protocol, through a network which does not provide any guarantee for security of any kind.

A. SNMPv3 Security Enhancement

SNMP includes three distinct versions: SNMPv1, SNMPv2, and SNMPv3. SNMPv1 is the first implementation of SNMP, as described by RFC 1157. All versions have a number of features in common, but SNMPv3 provides new features including security features that ensure message authenticity, confidentiality and integrity. SNMPv3 employs the User-based Security Model (USM) to supply cryptographic services and message security. The USM applies either MD5 or SHA keyed message digests to guarantee message authenticity and integrity. The cipher-block-chaining (CBC) mode of DES is used by USM to ensure message privacy. SNMPv3 employs the View-based Access Control Model (VACM) for access control of entities. In addition, SNMPv3 provides new capabilities that facilitate remote configuration of these security features.

Table 1 categorizes SNMP Security Models and Levels.

TABLE I. SECURITY MODELS AND LEVELS OF SNMP PROTOCOL [1]

Protocol | Level of Security | Encryption | Authentication   | Form of protection
---------|-------------------|------------|------------------|-------------------
V1       | noAuthNoPriv      | No         | Community String | Uses a community string match for authentication.
V2c      | noAuthNoPriv      | No         | Community String | Uses a community string match for authentication.
V3       | noAuthNoPriv      | No         | Username         | Uses a username match for authentication.
V3       | authNoPriv        | No         | MD5 or SHA       | Provides authentication based on the HMAC-MD5 or HMAC-SHA.
V3       | authPriv          | DES        | MD5 or SHA       | Provides authentication same as authNoPriv. Also, provides DES 56-bit; 168-bit 3DES; or AES 128-, 192-, or 256-bit encryption algorithms.

B. Protocol Details

The SNMP protocol is based on request and response commands. The seven SNMP protocol data units (PDUs) are as follows: GetRequest, SetRequest, GetNextRequest, GetBulkRequest, Response, Trap, InformRequest. All types of these commands can be transferred between the manager and an agent in a particular field in an SNMP message identified as the Protocol Data Unit (PDU) field. SNMP messages are of the following format [2]:

• Get messages: these messages are sent from a manager to an agent to obtain information.
• Set requests: sent from a manager to an agent to modify or enter data into the MIB of an agent.
• Trap: sent from an agent to alert a manager.
• Inform: an alert sent from a manager to another manager.

Management commands (such as Get, Set, Trap, Inform) are recognized in a PDU. So, the format is the same for all of them and the command is in the PDU field.

Figure 1 shows the message structure that conforms to the Message Processing Model and Security Models. The first five fields of the message are parameters applied to generation and processing of a message. These message parameters are: (1) SNMP version, (2) unique identifier, (3) maximum size supported by the sending entity, (4) state or condition of SNMP operation, authentication and encryption, and (5) security model. The next six fields of the message are security parameters important in authentication, timeliness verification, and encryption. The last three fields, the PDU together with the contextEngineID and contextName, represent a scoped PDU, used for PDU processing [3].

Figure 1. SNMPv3 message format with User-Based Security Model

C. Existing Authentication in SNMPv3

USM is implemented in the structure of authentication and encryption, and VACM in the form of access control. The authentication process assures that the message is from a valid source, that the management information was not altered in transit and that it was not delayed or replayed. When a message has passed the authentication process, it is certain the message came from an authorized source.

To achieve authentication, each pair of SNMP entities must share a secret authentication key. In SNMPv3, there are two different secret keys, one for privacy (encryption key or privacy key, privKey) and another for authentication (authentication key, authKey). Authentication is supplied through implementing a Hashed Message Authentication Code (HMAC) based on different one-way cryptography such as Message Digest Version 5 (MD5) and Secure Hash Algorithm (SHA). The initial secret key must be distributed by the configuration manager or network manager [4].

The need for techniques to verify the correctness of authentication is significant, so we will scrutinize authentication between manager and agent, which is particularly important when protocol participants want to exchange management information.

D. Proposed Abstract Model of SNMPv3 Protocol

We extracted the parameters that are exchanged between the manager and agent. We illustrate this protocol in Figure 2, where A and B are the names of the manager and agent, respectively. For the sake of simplicity, we assume that there is only one principal A acting as a manager, and only one principal B acting as an agent. We use {M}K for an encryption of the plaintext M under the key K, and || stands for message concatenation.

MANAGER → AGENT

    ( msgVersion & msgID & msgMaxSize & msgFlags &
      msgSecurityModel & msgAuthoritativeEngineID &
      msgAuthoritativeEngineBoots & msgAuthoritativeEngineTime &
      msgUserName & msgPrivacyParameters & DES{PDU}K1 ) ||
    HMAC-MD5 { msgVersion & msgID & msgMaxSize &
      msgFlags & msgSecurityModel & msgAuthoritativeEngineID &
      msgAuthoritativeEngineBoots & msgAuthoritativeEngineTime &
      msgUserName & msgPrivacyParameters & DES{PDU}K1 }k2

Figure 2. The proposed abstract model of SNMPv3.

At the beginning of communication, the type of symmetric cryptographic algorithm and the type of authentication algorithm are exchanged between both entities. After the connection is established, the manager sends the ID of the message; the msgID contains the SNMP message identifier, a unique ID associated with the message. Also, a timestamp is sent, in which the field TA indicates the time since the authoritative SNMP entity has been rebooted. In addition, the manager sends the PDU field that includes the body of an SNMP message; it encrypts the PDU with the symmetric key and sends it to the agent. Besides, the manager sends the HMAC of these items to the agent. HMAC-MD5 is a keyed hash function for MACs (message authentication codes) and K2 is the secret hash key used for authentication.

    A → B: MsgID, TA, (PDUa)K1, HMAC-MD5{MsgID, TA, (PDUa)K1 }k2

This protocol consists of all types of commands that can be transferred between the manager and an agent because common messages such as GetRequest, SetRequest, GetResponse, GetNextRequest and Trap are in the form of a special field in an SNMP message known as the Protocol Data Unit (PDU) field. So, the format is the same for all of them and the command is in the PDU field.

In order to avoid ambiguity, we ignore the parameters that are not of interest in our formal analysis. The goal of the proposed protocol is that the agent authenticates the manager, even in the presence of an active attacker.

III. THE APPLIED Π-CALCULUS AND MODELING AUTHENTICATION

The applied π-calculus is an extremely expressive and powerful language for describing and analyzing security protocols with cryptographic primitives [6]. Cryptographic operations and communication through channels are the key elements of the applied π-calculus. Properties of processes described in the applied pi-calculus can be proved by employing manual techniques [7], or by automated tools such as ProVerif [8].

The syntax is coupled with a formal semantics to permit reasoning about protocols. We briefly describe the syntax of the applied pi-calculus that is used in this paper [9].

    M, N ::=                                  Applied π-calculus terms (messages)
        x, y, z                               variables
        a, b, c, k, s                         names
        f(M1,… ,Mn)                           constructor application

    P, Q ::=                                  Applied π-calculus plain processes
        0                                     empty process
        P|Q                                   parallel composition
        !P                                    replication
        (νa)P                                 restriction (free variable instantiation)
                                              output
        M(x).P                                input
        let x = g(M1,… ,Mn) in P else Q       destructor application
        if M = N then P else Q                conditional

A. Correspondence Assertions

Woo and Lam [10] introduce correspondence assertions for specifying authenticity properties of security protocols based on cryptography. Modeling authentication requires correspondence assertions, and they are also employed in our models. We formally define the correspondences that we verify. We prove correspondences of the form “If one principal ever reaches a certain point in a protocol, then some other principal has previously reached some other matching point in the protocol.”

To express message authentication of A to B, we describe B’s process so that it sends out an end(B) event within the session, modeling the fact that B has finished a Simple network session. Similarly, A’s process is modified to send a begin(B) event directly after public keys are exchanged, modeling the fact that A has started a communication with B [11]. In our syntax (based on that of ProVerif), we express this correspondence assertion following the pattern:

    query ev:Accept(x) ⇒ ev:Send(x)

    query evinj: endServerAuth(x,y) => evinj:beginServerAuth(x,y)

For each end-event there is a begin-event in our specification.

IV. SECURITY ANALYSIS OF SNMPV3 USING PROVERIF

Security analyses of systems usually begin with a model of the attacker, and we follow the Dolev-Yao model, which is a standard attack model against messages exchanged over a network. This powerful model has a reasonably realistic set of assumptions on the adversary. The adversary in this model can listen to any message exchanged through the network. Also, messages can be intercepted and altered, and the attacker can only encrypt, decrypt, sign messages or perform other cryptographic operations if he has the relevant key. Also, cryptographic primitives are assumed to work perfectly. We assume that the protocol is executed in the presence of the Dolev-Yao attacker, which is compatible with the ProVerif tool. A particular predicate attacker(M) is used in these clauses to represent the fact that an attacker knows the term M. Another predicate mess(c, M) is employed to represent the fact that a message M has been sent by a process over the network.

A. Modeling SNMPv3 in the applied π-Calculus

In this section, the proposed abstract model of SNMPv3 is modeled in the applied π-calculus. Once the protocol has been modeled in the applied π-calculus, the analysis can be performed with the tool ProVerif and will supply a formal proof of security for the model.

The manager and agent taking part in the protocol are described as two concurrent processes. Figure 3 shows the behavior of the manager and agent, which is modeled by the process below.

    (* The processes *)
    let manager =
        in(net, xTs);                          (* timestamp sent by the agent *)
        new MsgID;
        new PDUa;
        event beginServerAuth(MsgID,PDUa);
        let cipher = sencrypt(PDUa,kSC) in
        let hmac = hmacMD5((MsgID, xTs, cipher),khmSC) in
        out(net, (MsgID, cipher, hmac)).

    let agent =
        new Ts;                                (* fresh per agent session *)
        out(net, Ts);
        in(net, (xMsgID, xcipher, xhmac));
        (* recompute the HMAC over the agent's own Ts and compare *)
        let newhmac = hmacMD5((xMsgID,Ts,xcipher),khmSC) in
        if newhmac = xhmac then
        let xn = sdecrypt(xcipher, kSC) in
        event endServerAuth(xMsgID,xn).

Figure 3. The Manager and the Agent process

Among the functions used in the protocol there are one-way functions, such as the hashing function hmacMD5, the function to compute HMAC and the key derivation function khmSC: for these functions only a constructor is needed. The lack of the proper destructor makes it infeasible to recover the argument passed to any of these functions:

    fun hmacMD5/2.

Some encryption functions employed in the protocol are different: when a message is encrypted under the key k via the function F, it can be destructed by using the function D and it can be recovered:

    fun sencrypt/2.
    reduc sdecrypt(sencrypt(m,k),k) = m.

The whole system is obtained by putting the two components in parallel, where initA|initB represent participants of a protocol running in parallel:

    process
        new kSC;
        new khmSC;
        (!manager) | (!agent)
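The handshake of Figure 3, run concretely with real HMAC-MD5, shows what the injective correspondence means operationally: a message captured in one agent session is rejected in the next because the agent's fresh Ts is bound into the MAC. This is an added example, not the authors' code; the class names, the toy XOR cipher standing in for sencrypt, the length-prefixed tuple encoding and the sample PDUs are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed stand-ins for the model's long-term secrets kSC and khmSC.
K_SC, K_HMSC = os.urandom(16), os.urandom(16)

def sencrypt(data: bytes, key: bytes) -> bytes:
    """Toy XOR keystream standing in for the model's sencrypt (not DES-CBC)."""
    stream = hashlib.sha256(key).digest()
    while len(stream) < len(data):
        stream += hashlib.sha256(stream).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

sdecrypt = sencrypt  # XOR is its own inverse: sdecrypt(sencrypt(m,k),k) = m

def hmac_md5(fields, key: bytes) -> bytes:
    """HMAC-MD5 over a length-prefixed encoding of (MsgID, Ts, cipher)."""
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.md5).digest()

class Manager:
    def __init__(self):
        self.begun = []  # log of beginServerAuth(MsgID, PDUa) events

    def send(self, ts: bytes, pdu: bytes):
        msg_id = os.urandom(4)                      # new MsgID
        self.begun.append((msg_id, pdu))
        cipher = sencrypt(pdu, K_SC)
        return msg_id, cipher, hmac_md5((msg_id, ts, cipher), K_HMSC)

class Agent:
    def __init__(self):
        self.open_sessions = set()  # Ts values issued and not yet used
        self.ended = []             # log of endServerAuth(MsgID, PDU) events

    def new_session(self) -> bytes:
        ts = os.urandom(8)                          # new Ts; out(net, Ts)
        self.open_sessions.add(ts)
        return ts

    def receive(self, ts: bytes, message) -> bool:
        if ts not in self.open_sessions:
            return False
        self.open_sessions.discard(ts)              # one input per session
        msg_id, cipher, tag = message
        expected = hmac_md5((msg_id, ts, cipher), K_HMSC)
        if not hmac.compare_digest(expected, tag):
            return False
        self.ended.append((msg_id, sdecrypt(cipher, K_SC)))
        return True

def run_demo() -> dict:
    manager, agent = Manager(), Agent()
    ts1 = agent.new_session()
    captured = manager.send(ts1, b"SetRequest sysContact=noc")
    out = {"honest": agent.receive(ts1, captured)}
    # The network replays the captured message into a fresh agent session.
    out["replay"] = agent.receive(agent.new_session(), captured)
    # The network flips one ciphertext bit of a second message in transit.
    ts3 = agent.new_session()
    msg_id, cipher, tag = manager.send(ts3, b"GetRequest sysUpTime")
    flipped = bytes([cipher[0] ^ 1]) + cipher[1:]
    out["tampered"] = agent.receive(ts3, (msg_id, flipped, tag))
    # Injective agreement: every end event is matched by a distinct begin event.
    out["injective"] = not (Counter(agent.ended) - Counter(manager.begun))
    return out

if __name__ == "__main__":
    print(run_demo())
```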

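The attacker(M) predicate and the constructor/destructor declarations above can be illustrated with a small symbolic deduction over the terms of one manager message. This is an added example, not ProVerif's algorithm or the authors' code: it saturates attacker knowledge under decomposition rules only (tuple projection and the sdecrypt rewrite rule), which is enough here because the keys are atomic names; the term encoding and function names are assumptions.

```python
# Terms: atoms are strings; compound terms are tuples tagged with a constructor.
def tup(*parts):
    return ("tuple",) + parts

def sencrypt(m, k):
    return ("sencrypt", m, k)

def hmacMD5(m, k):
    return ("hmacMD5", m, k)

def saturate(knowledge):
    """Close a set of terms under the attacker's decomposition rules."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            derived = set()
            if isinstance(term, tuple) and term[0] == "tuple":
                derived.update(term[1:])      # tuples can be projected
            elif isinstance(term, tuple) and term[0] == "sencrypt":
                if term[2] in known:          # sdecrypt(sencrypt(m,k),k) = m
                    derived.add(term[1])
            # hmacMD5 has no destructor, so nothing is learned from it
            if not derived <= known:
                known |= derived
                changed = True
    return known

def attacker(term, knowledge) -> bool:
    """True if the term is derivable from the given knowledge."""
    return term in saturate(knowledge)

# Constructed observation: Ts and one manager message as seen on channel net.
CIPHER = sencrypt("PDUa", "kSC")
NET_OBSERVED = frozenset({
    "Ts",
    tup("MsgID", CIPHER, hmacMD5(tup("MsgID", "Ts", CIPHER), "khmSC")),
})

def summary() -> dict:
    leaked = set(NET_OBSERVED) | {"kSC"}      # hypothetical key compromise
    return {
        "MsgID": attacker("MsgID", NET_OBSERVED),
        "PDUa": attacker("PDUa", NET_OBSERVED),
        "khmSC": attacker("khmSC", NET_OBSERVED),
        "PDUa_if_kSC_leaks": attacker("PDUa", leaked),
        "khmSC_if_kSC_leaks": attacker("khmSC", leaked),
    }

if __name__ == "__main__":
    print(summary())
```

The result matches the secrecy statement in Section IV.B: PDUa stays underivable while kSC is restricted, and the HMAC term never releases khmSC.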
This implementation has 26 lines of specific code; ProVerif takes less than one second to verify the message authentication query and to verify that the protocol satisfies authenticity. We say a protocol is safe if it satisfies the interactions included by the begin and end-assertions.

B. Verifying Authenticity of SNMPv3 Using ProVerif

After a protocol has been specified as a set of processes using the process calculus described above, ProVerif automatically translates these processes into a set of Horn clauses which abstractly represent the protocol. The solution algorithm takes these parts as input and arranges the set of facts that an attacker can learn from protocol executions as a set of implications.

The outputs of ProVerif have three possible modes:

Theorem: Given a script S=∆s process P containing a query q

• If ProVerif returns True, then S is robustly safe for q.
• If ProVerif returns False, then S is not robustly safe for q.
• If ProVerif returns “cannot be proved”, or if ProVerif does not terminate, we do not know (usually “cannot be proved” means “Not robustly safe”).

ProVerif is sound but incomplete. It means that when it does not find attacks, the protocol is guaranteed to satisfy the considered property.

We have analyzed the authenticity property of the SNMPv3 protocol using the ProVerif cryptographic protocol verifier, which allows us to verify authentication, defined in terms of correspondence assertions. We proved that all runs of the protocol in the presence of an adversary satisfy the assertions. So, SNMPv3 satisfies the authenticity property. Also, ProVerif shows the protocol to be secure in a Dolev-Yao network, as the attacker cannot derive the private item, PDU.

Although the results are optimistic ones, we believe that the way we verify this security property enhances our understanding of the properties themselves and also the way to model them with other formal methods.

V. CONCLUSION

Intuitively, SNMPv3 preserves the authentication between manager and agent, but this claim needs to be proven, especially with automatic tools on a formal framework, because informal methods are inadequate for widely used protocols and cannot be trusted. To achieve this goal, we proposed an abstract model of SNMPv3 and introduced a handshake model of it to formalize our understanding of SNMP. For this reason, we have specified SNMPv3 in the applied π-calculus and we have defined the correspondence assertions for modeling authentication. Finally, we verified the SNMPv3 protocol using the ProVerif tool, with an unbounded number of sessions, while relying as little as possible on human intervention.

Based on our verification and analysis performed on the protocol with ProVerif, we can conclude that the SNMPv3 protocol is able to authenticate the agent and manager correctly during exchange of management information between a manager and an agent of SNMP.

ACKNOWLEDGMENT

This work is done in Iran University of Science and Technology (IUST) as part of a contract with Research Institute for ICT (ITRC). Authors would like to thank the Integrated Network Management (INM) group of ITRC for their valuable comments and support to this research.

REFERENCES

[1] http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/SNMPv3.html.
[2] E. Barka, F. Sallabi, and A. Hosani, “Managing access and usage controls in SNMP,” Proceedings of IEEE Computing, Communications and Applications Conference (ComComAp), pp. 41-47, 2012.
[3] W. Stallings, “SNMPv3: A security enhancement for SNMP,” IEEE Communications Survey, vol. 1, no. 1, 1998.
[4] W. Stallings, “Security comes to SNMP: The new SNMPv3 proposed Internet standards,” The Internet Protocol Journal, vol. 1, no. 3, Dec 1998.
[5] H. Otrok, A. Mourad, M. Debbabi and C. Assi, “Improving the security of SNMP in wireless networks,” Proceedings of Wireless Networks, Communications and Mobile Computing, pp. 198-202, vol. 1, 2005.
[6] M. Abadi and A. D. Gordon, “A calculus for cryptographic protocols: The Spi calculus,” Proceedings of the 4th ACM conference on Computer and communications security, pp. 36–47, 1999.
[7] M. Abadi and C. Fournet, “Mobile values, new names, and secure communication,” Proceedings of the 28th ACM Symposium on Principles of Programming Languages, pp. 104–115, 2001.
[8] B. Blanchet, “An efficient cryptographic protocol verifier based on prolog rules,” Proceedings of the 14th IEEE Computer Security Foundations Workshop, pp. 82–96, 2001.
[9] M. D. Ryan and B. Smyth, “Applied pi calculus,” Proceedings of the Formal Models and Techniques for Analyzing Security Protocols, chapter 6. IOS Press, 2011.
[10] T. Y. Woo and S. S. Lam, “A semantic model for authentication protocols,” Proceedings of IEEE Computer Society Symposium on Research in Security and Privacy, pp. 178–193, 1993.
[11] R. Chang and V. Shmatikov, “Formal analysis of authentication in bluetooth device pairing,” Tech report of Univ. Texas, FCSARSPA, Tech. Rep., 2007.
