How to configure SNMPv3 on Cisco IOS Router

Hello David

You’re on the right track with your understanding of SNMPv3 Security Models. Let me just add a couple of points for each one that will help in understanding. We can gain insight into what is actually being performed from the names of the keywords themselves:

NoAuthNoPriv - NoAuth means no cryptographic authentication. Credentials are used, but there is no cryptographic mechanism to verify the authenticity of the message. NoPriv means no privacy of the contents of the SNMP messages, meaning there is no encryption of the payload.

AuthNoPriv - Auth means there is cryptographic authentication. It uses MD5 or SHA for this purpose. The authentication mechanism is actually applied to the associated user using the snmp-server user command. The NoPriv remains in this security model as described above.

AuthPriv - As in the previous model, Auth means cryptographic authentication is employed. Priv indicates that the whole SNMP packet is encrypted, which means if the packet is intercepted, it cannot be deciphered.

From the above description, you can see that while AuthNoPriv does hash the password, the rest of the SNMP packet is sent in clear text. AuthPriv however encrypts the contents of the SNMP packet. Because SNMP messages can contain vital information about the configuration and state of a network, it can potentially be dangerous if intercepted and read.

Regarding your last question, you’re correct again. When configuring priv (privacy or encryption), you need to specify an encryption algorithm and a key. This key is used to both encrypt and decrypt the message. Both sides of the communication must have the same key in order to successfully decrypt the message.

I hope this has been helpful!

Laz
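As an added example (not part of the original reply), here is a Cisco IOS configuration that creates one read-only group for each of the three security levels described above, so the difference between them is visible in the keywords themselves. The view name, group names, user names, passphrases and the access-list number are placeholders chosen for the example; the `snmp-server view`, `snmp-server group` and `snmp-server user` commands and their `noauth` / `auth` / `priv` keywords are standard IOS syntax.

```cisco
! Placeholder view: exposes the whole MIB tree read-only.
snmp-server view MONITOR-VIEW iso included

! One group per security level. The keyword after "v3" is the minimum
! level a user in that group must use; the name of the level tells you
! what protection you get.
snmp-server group GRP-NOAUTHNOPRIV v3 noauth read MONITOR-VIEW
snmp-server group GRP-AUTHNOPRIV   v3 auth   read MONITOR-VIEW
snmp-server group GRP-AUTHPRIV     v3 priv   read MONITOR-VIEW

! Restrict which managers may even attempt a query (placeholder subnet).
access-list 10 permit 192.0.2.0 0.0.0.255

! NoAuthNoPriv: a username only; nothing is hashed or encrypted.
snmp-server user nms-noauth GRP-NOAUTHNOPRIV v3 access 10

! AuthNoPriv: SHA-based message authentication, payload still in clear text.
snmp-server user nms-auth GRP-AUTHNOPRIV v3 auth sha AuthPassPlaceholder1 access 10

! AuthPriv: SHA authentication plus AES-128 encryption of the payload.
! The auth and priv passphrases must match on the manager side; they are
! converted to keys localized to this router's SNMP engine ID.
snmp-server user nms-priv GRP-AUTHPRIV v3 auth sha AuthPassPlaceholder2 priv aes 128 PrivPassPlaceholder2 access 10
```

Two things worth checking after applying this. First, IOS does not print `snmp-server user` lines in `show running-config`; use `show snmp user` to confirm the user exists and which auth and priv protocols it was created with. Second, because the keys are derived from the passphrase and the local engine ID, changing the engine ID with `snmp-server engineID local` invalidates the users, and they have to be recreated. For new deployments, prefer `auth sha` with `priv aes` over MD5 and DES, and put every manager in the `priv` group unless you have a specific reason to allow a weaker level.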