IBM Support

For SNMP security, why is the HMAC-SHA encryption key shorter than the HMAC-SHA authentication key?

Question & Answer


Question

I'm configuring SNMP3. To do so I need to use the pwtokey Unix command to build keys for SNMP users.

When I use the SHA option to build localized keys then the authentication key is 20 bytes long but the privacy key is 16 bytes long. Why is the privacy key shorter than the authentication key?

Answer

The z/OS Communications Server IP Configuration Guide section on creating user keys for SNMP discusses this difference in key lengths:

"Keys used for encryption are generated using the same algorithms as those used for authentication. However, key lengths might differ. For example, an HMAC-SHA authentication key is 20 bytes long, but a localized encryption key used with HMAC-SHA is only 16 bytes long. The SNMP agent, z/OS UNIX snmp command, and the SNMP manager API use the first 16 bytes of the HMAC-SHA authentication key as the localized encryption key (also called the privacy key)."

As the z/OS Communications Server IP Administrator's Commands book explains, "For privacy, CBC 56-bit DES encryption requires the use of 32 hexadecimal digit (16 byte) keys."
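The truncation described in the answer, as an added example (not IBM's code and not pwtokey itself): it assumes the keys follow the RFC 3414 password-to-key and localization algorithm for HMAC-SHA, and uses the RFC 3414 A.3.2 test vector as input. The function names are this example's own, and the split of the 16-byte privacy key into an 8-byte DES key and an 8-byte pre-IV comes from RFC 3414, not from the page.

```python
import hashlib

def password_to_key_sha1(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the first 1,048,576 bytes of the repeated password."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.sha1(stream).digest()          # non-localized key Ku (20 bytes)

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: localized key Kul = SHA-1(Ku || engineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def derive_snmpv3_keys(password: bytes, engine_id: bytes) -> dict:
    """Derive the localized auth key and the privacy key cut from it."""
    auth_key = localize_key(password_to_key_sha1(password), engine_id)
    priv_key = auth_key[:16]                      # first 16 of the 20 bytes, as the page describes
    return {
        "auth_key": auth_key,                     # 20 bytes: full SHA-1 output for HMAC-SHA
        "priv_key": priv_key,                     # 16 bytes: 32 hexadecimal digits
        "des_key": priv_key[:8],                  # RFC 3414 8.1.1.1: DES key (56 bits after parity)
        "pre_iv": priv_key[8:],                   # RFC 3414 8.1.1.1: pre-IV, XORed with the salt
    }

# Input from the RFC 3414 A.3.2 test vector (not a real credential).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    keys = derive_snmpv3_keys(RFC_PASSWORD, RFC_ENGINE_ID)
    for name, value in keys.items():
        print(f"{name:9s} {len(value):2d} bytes  {value.hex()}")
```

The 4 bytes dropped from the SHA-1 output are simply unused for privacy: DES-CBC needs 8 bytes of key and 8 bytes of pre-IV, which is the 16 bytes the quoted documentation requires.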


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
16 December 2015

UID

dwa1244142