
Authentication and Encryption

Localized Keys

To perform authentication and encryption, the switch and the NMS (network management system) share localized keys. When sending a PDU to the switch, the NMS generates the localized key and places it in the PDU. When the switch receives the PDU, it compares the localized key in the PDU to the localized key stored in the switch memory. If the two versions match, the PDU is authenticated or decrypted.

To generate a localized key, the switch and NMS use HMAC-MD5 or HMAC-SHA to:

  1. Hash the user password. The hashed user password is called the non-localized key.
  2. Hash a combination of the non-localized key and the engine ID of the switch. This hashed combination is the localized key.

The NMS stores the non-localized key and generates the localized key only before sending a PDU to the switch. Each time you create a new SNMP user, the switch generates and stores the localized key for that user.
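The two steps above, and the NMS behaviour of keeping only the non-localized key, are shown in the following added example; it is not code from this switch or its documentation. It assumes the switch follows the standard SNMPv3 password-to-key and localization algorithm of RFC 3414 (Appendix A.2), which uses the MD5 or SHA-1 digest, and it uses the sample password and engine ID from that RFC plus one constructed engine ID; the function and constant names are hypothetical.

```python
import hashlib

EXPANDED_LEN = 1048576  # RFC 3414 A.2 expands the password to 1,048,576 octets


def non_localized_key(password: bytes, algo: str = "md5") -> bytes:
    """Step 1: hash the expanded user password into the non-localized key."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localized_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Step 2: hash the non-localized key combined with the engine ID."""
    if not engine_id:
        raise ValueError("engine ID must not be empty")
    return hashlib.new(algo, ku + engine_id + ku).digest()


# Sample values published in RFC 3414 A.3, plus one constructed engine ID.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")  # constructed second switch


def keys_for(engine_id: bytes, algo: str) -> tuple[bytes, bytes]:
    """What an NMS does: keep the non-localized key, derive per switch."""
    ku = non_localized_key(PASSWORD, algo)
    return ku, localized_key(ku, engine_id, algo)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        ku, kul_a = keys_for(ENGINE_A, algo)
        _, kul_b = keys_for(ENGINE_B, algo)
        print(algo, "non-localized:", ku.hex())
        print(algo, "switch A     :", kul_a.hex())
        print(algo, "switch B     :", kul_b.hex())
```

Because the engine ID is mixed into the second hash, the same password yields a different stored key on every switch, so a key read from one switch's memory does not authenticate to another.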

If authentication is enabled for a user, that user must have an authentication password. If encryption is enabled for a user, that user must have an encryption password. For information on setting these passwords, see "Configuring an SNMPv3 User."

