Question

Suppose a manager has write permission only for the usmUserOwnAuthKeyChange column in usmUserTable, which allows change of only that manager’s password. However, the manager has full write access to the VACM tables. Explain how the manager can modify the local keys of other managers.

Answer 1

The manager will need to communicate the new key to the agent in such a way that it is not exposed to private converstation. Here is the mechanism, where, again, hash() is either MD5 or SHA-1 as appropriate, will use N to denote the length in bytes of the result of hash(). The original key is here denoted oldkey and the new key is newkey. The manager first chooses a string random of N bytes chosen as randomly as possible. A second N-byte string delta is then calculated as follows:

temp = hash(oldkey⏜random)
delta = temp XOR newkey

At this point, random and delta are sent from the manager to the agent. The agent can use random and oldkey to compute temp, and thus newkey = delta XOR temp. An private conversation cannot use random to find out anything about temp without knowing oldkey, and cannot get anything useful out of delta unless either newkey or temp is known.

The actual process is to combine random and delta into a single 2N-byte keyChange string, written to one of the key-change columns of usmUserTable where authkey column representing the local key corresponding to Name, that is never directly rachable or writable, however the agent must still keep the authkey tied to the Name. so it can be validate a given user on the Name and authParmeter supplied in a request. if an eavesdropper saves random and delta, and later discovers the user’s oldkey, then newkey can be calculated easily.