This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-announce@ripe.net/
[ncc-announce] [service] Improving Security of the API Key Management in the LIR Portal
Theodoros Polychniatis
tpolychnia at ripe.net
Thu Apr 9 14:29:51 CEST 2020
Dear colleagues,

If you are users of the API Key Management section in the LIR Portal (https://lirportal.ripe.net/api/) or if you use the API to submit resource requests, access "IP Analyser", "My Resources" or manage your ROAs, then please continue reading. Otherwise, this message should not concern you.

During a recent security review of the LIR Portal, we identified that the API Keys created in the LIR Portal are stored in plain text. This functionality was developed in this way so that users are able to retrieve the keys even after they have created them. However, this poses a risk from a security point of view, because these API Keys are used for authentication and authorisation purposes. These keys should not be stored in plain text.

Because there is no indication that the existing API Keys were leaked, and because we do not want to create any operational problems for the API users, we decided not to drop the existing keys. Therefore, your scripts will continue to work and *no change is needed from you*. However, we made the following changes:

1. We hashed all the existing API key values and updated the way the LIR Portal authenticates the keys accordingly.

2. We changed the User Interface in the LIR Portal, so that when a user creates an API key, the value is displayed only once to the user, and the hashed value is stored in the database.

3. Up until now, the keys had to be passed to the request as a URL parameter. Now, the above-mentioned APIs also accept the API Key as a request header value. We strongly recommend using the header to pass the API Key value, so that the key is not stored in any server logs. You can find more information in the API Key management section in the LIR Portal.

After this change, neither you nor the RIPE NCC can recover the existing keys from the LIR Portal. You can always create new keys, configure them in your scripts, and drop the old ones.

Based on our risk evaluation, we plan to act similarly for API Keys used in other services.

Please let us know if you have any questions regarding this change.

Best regards,

Theodoros Polychniatis
Assistant Manager Software Engineering Department
RIPE NCC
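As an added illustration of the three changes described above (this is example code, not the RIPE NCC's LIR Portal implementation; the hash algorithm, the `X-API-Key` header name and the `apikey` parameter name are assumptions), the following shows a key that is returned to the user once and stored only as a hash, verification by re-hashing with a constant-time comparison, and why a key passed in a header stays out of a typical access log while a key in the URL does not:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store: key id -> SHA-256 hex digest of the key value.
# The announcement does not state which hash the LIR Portal uses; SHA-256 is an assumption.
_KEY_STORE: Dict[str, str] = {}


def _digest(key_value: str) -> str:
    return hashlib.sha256(key_value.encode()).hexdigest()


def create_api_key(key_id: str) -> str:
    """Generate a random key, persist only its hash, and hand the plaintext out exactly once."""
    key_value = secrets.token_urlsafe(32)
    _KEY_STORE[key_id] = _digest(key_value)
    return key_value  # the caller must record it; it cannot be recovered from the store


def verify_api_key(key_id: str, presented: str) -> bool:
    """Hash the presented value and compare it with the stored hash in constant time."""
    stored = _KEY_STORE.get(key_id)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(presented))


def extract_key(headers: Dict[str, str], url: str) -> Tuple[Optional[str], str]:
    """Take the key from the request header, falling back to the legacy URL parameter."""
    header_value = headers.get("X-API-Key")  # hypothetical header name
    if header_value:
        return header_value, "header"
    params = parse_qs(urlsplit(url).query)
    return params.get("apikey", [None])[0], "url"  # hypothetical parameter name


def access_log_line(method: str, url: str) -> str:
    """A typical web-server access log records the request line (path and query), not headers."""
    return f'"{method} {url}"'
```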