RIPE Database
Security FAQs
- I have objects in the RIPE Database. How can I protect them?
- How do I create a maintainer (mntner) object in the RIPE Database?
- I have only one person object in the RIPE Database. Can I create a mntner object to protect it?
- We lost the password of our mntner. Can you please change it to xxxx?
- My mntner password does not work. Why not?
- How can I encrypt a password for my mntner using MD5-PW?
- What encryption algorithm should be used for the crypted password in the "auth:" attribute of a mntner object?
- How do I use the MD5-PW auth scheme in my mntner?
- Why is the crypted password published in the RIPE Database? Why not keep it secret?
- What software do I need to use PGP?
- How can I use PGP with my mail software?
- Getting started with PGP in the RIPE Database
- What is a key-cert object, and how can I create it?
- How should I modify my maintainer to use PGP?
- How can I sign my update with PGP and send it?
- How can I put two or more signatures in a message?
- Can I create a maintainer with only PGP authentication?
- What is the size of PGP key that can be used in a key-cert object in the RIPE Database?
1. I have objects in the RIPE Database. How can I protect them?
You can protect your objects with a mntner (maintainer) object. A maintainer can let you know when your objects have been changed, and it authenticates changes using one of several authentication schemes, including PGP. To set this up, you must add a "mnt-by:" attribute referencing the maintainer to your object(s). You can encrypt a password for authentication using our secure crypted password generation tool.
An example of adding a maintainer to a person object is included in the RIPE Database User Manual: Getting Started. For more details about objects and maintainers, see the RIPE Database Reference Manual.
You can also use the webupdates online web interface to add a maintainer to a RIPE Database object.
2. How do I create a maintainer (mntner) object in the RIPE Database?
To add a mntner object to the RIPE Database, query the RIPE Database with "-t mntner" as the query; this returns a template for the object. Make a copy of the output, fill in the correct details and send the object to auto-dbm@ripe.net.
You can also use the webupdates online web interface to create a mntner object.
3. I have only one person object in the RIPE Database. Can I create a mntner object to protect it?
Yes, it is possible to add a maintainer to an unreferenced person object through webupdates or by e-mail.
Unreferenced person objects will be deleted from the RIPE Database periodically. See also: Clean-up of unreferenced person objects.
4. We lost the password of our mntner. Can you please change it to xxxx?
Please see the Maintainer Modification Request page.
5. My mntner password does not work. Why not?
You can easily check whether your MD5-PW password is correct. Submit a query for your mntner (using the -B flag so that the "auth:" attribute is not filtered out, e.g. query for "-B EXAMPLE-MNT"), copy the encrypted password (the value after "MD5-PW" on the "auth:" line), then visit the following page and follow the instructions:
https://www.ripe.net/cgi-bin/check_crypt.cgi
If the password checks out, the failure is usually due to one of these common mistakes:
- supplying the password in encrypted form instead of clear text;
- forgetting to specify "password: " before the password string;
- sending the password in the subject line.
6. How can I encrypt a password for my mntner using MD5-PW?
Please visit the following page and follow the instructions:
https://www.ripe.net/cgi-bin/crypt.cgi
For detailed information on how to use the obtained encrypted password, see:
http://www.ripe.net/db/support/security/
7. What encryption algorithm should be used for the crypted password in the "auth:" attribute of a mntner object?
Either MD5-PW or DES. Both are "one-way" algorithms: you can _guess_ the clear text password that was used to generate the crypted value (if you have lots of time and many powerful computers), but you cannot reverse-engineer the clear text password from the crypted one; i.e. there is no algorithm that turns the crypted password back into the clear text password.
Note: the level of security offered by clear text passwords is not high. You send your clear text password in an e-mail, which could be copied ("sniffed") without you knowing it. Also, a determined, malicious cracker may eventually guess the password.
More information is available in the RIPE Database Reference Manual.
8. How do I use the MD5-PW auth scheme in my mntner?
To use MD5-PW, do the following:
- Pick a passphrase; there is some advice on choosing a good passphrase. E.g. "@ v3ri $3>|rit P@55Frais" has the mnemonic "a very secret passphrase", is relatively long, and contains a mix of non-alphabetic characters.
- Go to the Crypt CGI Interface at https://www.ripe.net/cgi-bin/crypt.cgi and convert the password to MD5-PW. E.g. "@ v3ri $3>|rit P@55Frais" converts to "$1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/". The encrypted password is not always the same for the same starting password, because a random salt (the characters between the second and third "$") is mixed in each time.
- Modify your mntner object to add a line that starts with "auth: MD5-PW", followed by a space and the encrypted password from step 2. E.g. a maintainer would become:
mntner: EXAMPLE-MNT
descr: Sample maintainer for example.
...
auth: MD5-PW $1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/
...
source: RIPE
- Send the maintainer as a plain text e-mail to auto-dbm@ripe.net.
- You will receive an automatic reply from the RIPE Database when the update is complete. If it was successful, you can use password authentication: put "password:" at the beginning of a line in the body of the message, followed by the clear text, non-encrypted password.
To create a person object with the above maintainer, you would send an e-mail with the following body:
password: @ v3ri $3>|rit P@55Frais
person: Adam Smith
address: RIPE NCC
address: Singel 258
address: 1016 AB Amsterdam
address: The Netherlands
phone: +31 20 535 4444
fax-no: +31 20 545 4445
e-mail: adam-example@ripe.net
nic-hdl: AUTO-1
notify: Adam-example@ripe.net
mnt-by: EXAMPLE-MNT
changed: ripe-dbm@ripe.net
source: RIPE
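An added example, not RIPE NCC code, that reimplements the MD5-PW scheme discussed in questions 7 and 8 (the salted "$1$" MD5-crypt format): it shows why the crypted value differs for the same passphrase (a random salt) and how a clear text password is checked against a published "auth:" value. The function names are the example's own; the stretching loop and encoding follow the FreeBSD md5crypt algorithm.

```python
import hashlib
import hmac
import secrets

# Alphabet used for both the salt and the hash encoding in "$1$" crypt.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, n: int) -> str:
    """Encode the low 6*n bits of value, least significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(n))

def md5_crypt(password: str, salt: str) -> str:
    """Return the "$1$<salt>$<hash>" string (FreeBSD MD5-crypt) for password."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for n in range(len(pw), 0, -16):      # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                               # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                  # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return "$1$" + sl.decode() + "$" + out + _to64(final[11], 2)

def generate_md5_pw(password: str) -> str:
    """Like the crypt CGI: a fresh random salt, so the output varies per call."""
    return md5_crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))

def check_md5_pw(password: str, crypted: str) -> bool:
    """Check a clear text password against an "auth: MD5-PW <value>" string."""
    parts = crypted.split("$")            # ["", "1", salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    candidate = md5_crypt(password, parts[2])
    return hmac.compare_digest(candidate.encode(), crypted.encode())

if __name__ == "__main__":
    pw = "@ v3ri $3>|rit P@55Frais"        # the FAQ's sample passphrase
    print(generate_md5_pw(pw), generate_md5_pw(pw))   # two different strings
```

check_md5_pw() is the offline equivalent of the check_crypt.cgi page in question 5: paste the value from a "-B" query of your mntner and test the clear text you intend to put on the "password:" line.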
9. Why is the crypted password published in the RIPE Database? Why not keep it secret?
This way, users can see what passwords they have for their mntner
objects. Also, it means that the RIPE Database can process updates
faster (no overhead in looking up the crypted password).
A determined, malicious cracker can guess the password, but to use it
they must then send an e-mail. The RIPE Database keeps logfiles
of all transactions, so we would have a written record of any changes
made.
We encourage users to adopt PGP authentication.
10. What software do I need to use PGP?
There are both commercial and free implementations of PGP available. The RIPE NCC uses GnuPG to implement its PGP operations. You can download GnuPG for Unix, Macintosh and Windows from:
http://www.gnupg.org/download/
If you created a key-cert object using PGP 2.6 or 5.0i before 23 April 2001, you can continue to authenticate your updates with it. However, we cannot guarantee that PGP 2.6 or 5.0i will work with Version 3.0 of the RIPE Database. We recommend that you use GnuPG (GNU Privacy Guard). Contact ripe-dbm@ripe.net if you have specific questions.
The RIPE Database supports DSS/Diffie-Hellman and RSA algorithms.
11. How can I use PGP with my mail software?
PGP support is available for most of the popular e-mail software, with
varying success. A quick search on a search engine should reveal the various
tools/configurations/plugins specific to your mailer.
Although it's convenient to integrate PGP with the mailer software,
it can be used separately to generate signed messages. Therefore, you
can send signed messages, even if you can't find a suitable extension
to your mailer software.
12. Getting started with PGP in the RIPE Database
After installing PGP, the next step is to run it once to create your settings. From the command line, enter gpg once. It should report that the directory and options file have been created.
You need a key for all operations with gpg, which you can create with the command gpg --gen-key. This command will ask you the following:
- What kind of key you want: for most purposes, (1) is suitable.
- What key size you want: 1024 is the default and a reasonable choice. A lower value will decrease the security; a higher value will slow things down.
- How long the key should be valid: choose 0 here for a non-expiring key. For custom needs, a limited duration can be set.
- Real name: your name and surname.
- E-mail address: your e-mail address.
- Comment: remarks that will be appended after your name in the user-ID that gpg will create.
After entering all this information and confirming that it is correct, you'll be asked for a passphrase. Choose a passphrase that:
- is long,
- has special (non-alphanumeric) characters,
- is something special (not a name),
- is very hard to guess (not names, birth dates, phone numbers, number of children, ...).
Enter it twice and gpg will start generating the key. Moving your mouse or tapping the keyboard during this operation will help gpg to generate the key faster.
Further information is available on:
http://www.gnupg.org/documentation/index.en.html
13. What is a key-cert object, and how can I create it?
A key-cert object holds the public part of your key in the RIPE Database. To use the key you just generated with the RIPE Database, you must register it in the form of a key-cert object.
The following steps will help you create a key-cert object:
- Export your gpg public key to a file with the command gpg --export --armor <your_email_address> > key-cert.txt
- Issue the command gpg --list-keys and find the line with your e-mail address in the output. It should be something like:
pub 1024D/75FE6D99 2002-07-10 John Smith <bitbucket@ripe.net>
Write down the eight characters after the / sign. This is the key id of your key. You'll need it while creating the key-cert.
- Open the file key-cert.txt with your favorite editor, and add "certif: " (without quotes, but with a space after the : sign) to the beginning of each line.
- Add a line to the beginning of the file in the form
key-cert: PGPKEY-XXXXXXXX
where XXXXXXXX is the eight characters that you wrote down.
- To the end of the file, add the following:
mnt-by: <mntner>
changed: <email> <date>
source: RIPE
where <mntner> is your maintainer name, <email> is your e-mail address, and <date> is the date in YYYYMMDD format.
- Finally, add the authentication of the mntner, e.g. if your maintainer is protected by MD5-PW, add a line to the file in the form password: <cleartext password>.
- Send this update to auto-dbm@ripe.net.
You'll receive an acknowledgement. If all goes well, you'll be able to query the database and see the key-cert you just created with the query PGPKEY-XXXXXXXX.
For more information about the RIPE Database, please see the Database Reference Manual.
Technical details can be found at:
ftp://ftp.ripe.net/rfc/rfc2726.txt
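An added example, not RIPE NCC code, that carries out the steps above in Python: it reads the key id from a constructed gpg --list-keys listing and wraps a constructed placeholder armored export into the key-cert object with the certif:, key-cert:, mnt-by:, changed:, source: and password: lines. The function names, the sample listing and the placeholder key body are the example's own.

```python
import re
from datetime import date

# Constructed sample "gpg --list-keys" output in the format the FAQ shows.
LIST_KEYS_OUTPUT = """\
/home/john/.gnupg/pubring.gpg
-----------------------------
pub   1024D/75FE6D99 2002-07-10 John Smith <bitbucket@ripe.net>
sub   1024g/0A1B2C3D 2002-07-10
"""
# Constructed placeholder standing in for the real "gpg --export --armor"
# output written to key-cert.txt; it is not a valid key.
ARMORED_EXPORT = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBD0rPLACEHOLDERnotArealKeyBody
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
"""

def key_id_for(listing: str, email: str) -> str:
    """Return the eight hex characters after '/' on the pub line for email."""
    for line in listing.splitlines():
        m = re.match(r"pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\s", line)
        if m and f"<{email}>" in line:
            return m.group(1).upper()
    raise ValueError(f"no public key for {email} in listing")

def build_key_cert(armored: str, key_id: str, mntner: str, email: str,
                   when: date, password: str) -> str:
    """Assemble the e-mail body: mntner password, then the key-cert object."""
    lines = [f"password: {password}", "", f"key-cert: PGPKEY-{key_id}"]
    # Every exported line, including the blank one after the armor
    # header, gets the "certif: " prefix so the key survives as attributes.
    lines += [f"certif: {l}" for l in armored.splitlines()]
    lines += [f"mnt-by: {mntner}",
              f"changed: {email} {when.strftime('%Y%m%d')}",
              "source: RIPE"]
    return "\n".join(lines) + "\n"

def example_update() -> str:
    """Walk the FAQ steps with the constructed inputs above."""
    email = "bitbucket@ripe.net"
    kid = key_id_for(LIST_KEYS_OUTPUT, email)
    return build_key_cert(ARMORED_EXPORT, kid, "EXAMPLE-MNT", email,
                          date(2002, 7, 10), "clear text mntner password")
```

The string returned by example_update() is what would be sent as the plain text body to auto-dbm@ripe.net.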
14. How should I modify my maintainer to use PGP?
Just update your maintainer object to contain the line:
auth: PGPKEY-XXXXXXXX
where XXXXXXXX is your key-ID.
Be aware that if there are other auth: lines in your object, all of them remain effective. So, if the mntner object contains both auth: NONE and auth: PGPKEY-XXXXXXXX lines, everybody can still update it without needing the PGP key.
15. How can I sign my update with PGP and send it?
The most straightforward way is to use gpg from the command line. The
following steps will help you accomplish this:
- Write your update to a file (say, update.txt).
- Sign this file with the command gpg --clearsign update.txt.
You'll be required to enter the passphrase. Then gpg will create a file
update.txt.asc which contains the signed version of update.txt.
- Mail update.txt.asc to auto-dbm@ripe.net.
You can also use your mailer software's facilities to do this, which is usually a menu entry. Please see the documentation of the particular software for this.
16. How can I put two or more signatures in a message?
Although there are a few variations for putting multiple signatures in an update, please note that there is as yet no reported way to do this consistently via mailer interfaces. So, again, the most straightforward way is to do this from the command line. For the first signature, just sign the message as explained in the previous question. For each further signature, sign the .asc file produced by the previous signing. Send the final resulting file to auto-dbm@ripe.net; it carries all the authentications.
17. Can I create a maintainer with only PGP authentication?
No, initially the mntner has to be created with an authentication other
than PGP. After that you can create the key-cert object protected
with the new mntner. Upon creation of the mntner and the key-cert object
(protected by your mntner), you can change the authentication to PGP.
18. What is the size of PGP key that can be used in a key-cert object in the RIPE Database?
The size of a PGP key is user defined. The RIPE Database key-cert
object will accept any size that is generated by the software that generates
the PGP key.