This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
Database development plans
Larry J. Blunk
ljb at merit.edu
Tue Jan 29 23:31:30 CET 2002
> > 5. Improve database security
> > These ideas were discussed at the RIPE-41, the detailed proposals will follow
> - Deprecate MAIL-FROM as a weak auth scheme that doesn't serve today's
>   security requirements. This will be done in several phases starting from
>   not allowing updating mntner objects containing this scheme, and ending
>   with not allowing updates to be authorised with MAIL-FROM.
> - Implement authentication scheme using MD5 as a more secure mechanism
>   compared to crypt. Passphrases can be used instead of 8 character
>   passwords and MD5 fingerprint will be presented in the auth value.
> - Implement inverse queries on auth, encryption, signature for PGP keys only
>   (key-cert's).
>
>

As an alternative to deprecating MAIL-FROM, have you considered sending a response to updates with a random cookie in it and requiring a confirmation message with the cookie?

In regards to the MD5 fingerprint, would this be a straight MD5 hash, or something like the FreeBSD MD5-based password hash (which I believe supports passwords longer than 8 chars)? Also, would the hash continue to be openly published? It would seem you would still have to deal with potential dictionary attacks. I understand the Perl-based RIPE server would use a "*" in place of the actual crypt-pw and I've been considering adding support for this in IRRd.

Also, I would suggest reading the following paper regarding the strength of traditional Unix crypt, FreeBSD's MD5-based crypt, and OpenBSD's Blowfish-based bcrypt -- http://www.usenix.org/events/usenix99/provos.html

Regards,
Larry Blunk
Merit
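The cookie-confirmation idea raised in the message above, sketched as an added example; this is not code from the RIPE database, IRRd, or the author of the message. The class name `PendingUpdates`, the one-hour lifetime, and the sample address and object text are assumptions made for illustration.

```python
import secrets
import time


class PendingUpdates:
    """Holds e-mailed updates until the cookie mailed to the claimed sender comes back.

    The From: header alone proves nothing. Possession of the cookie shows that the
    requester can read the mailbox the update claims to come from.
    """

    def __init__(self, ttl=3600, clock=time.time):
        self.ttl = ttl          # assumed cookie lifetime in seconds
        self.clock = clock      # injectable so expiry can be tested
        self._pending = {}      # cookie -> (sender, update_text, expires_at)

    def submit(self, sender, update_text):
        """Queue an update and return the cookie to mail to `sender`."""
        cookie = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._pending[cookie] = (sender, update_text, self.clock() + self.ttl)
        return cookie

    def confirm(self, cookie):
        """Return (sender, update_text) for a valid cookie, else None.

        A cookie is single use: it is removed on the first confirmation
        attempt that finds it, whether or not it has expired.
        """
        entry = self._pending.pop(cookie, None)
        if entry is None:
            return None                     # unknown, guessed, or replayed
        sender, update_text, expires_at = entry
        if self.clock() > expires_at:
            return None                     # confirmation arrived too late
        return sender, update_text


if __name__ == "__main__":
    queue = PendingUpdates()
    # Constructed sample update, not a real maintainer object.
    c = queue.submit("maint@example.net", "mntner: EXAMPLE-MNT")
    print("forged confirmation:", queue.confirm("guessed-cookie"))
    print("real confirmation:  ", queue.confirm(c))
    print("replayed cookie:    ", queue.confirm(c))
```

The scheme only raises the bar to "can read the sender's mailbox"; anyone able to intercept mail to that address still sees the cookie.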