[ncc-services-wg] Proposal to Introduce SHA2 Passwords in the RIPE Database

[Apologies for duplicate emails]

Dear Colleagues,

What follows is a short proposal to introduce SHA2 passwords as an authentication method in MNTNER objects in the RIPE Database.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group


Proposal to Introduce SHA2 Passwords in the RIPE Database

The RIPE NCC has looked at the possibility of introducing SHA2 as a password algorithm, as requested by AP61.2.

>From a technical point of view this is certainly possible. There are C and Java libraries available for generating SHA2 algorithms. We can provide SHA2 as an additional password option alongside MD5. In addition we would also provide a web service to generate SHA2 passwords similar to the one provided for MD5.

If the community requires MD5 to be deprecated we would suggest fixing a time period for users to update their MNTNER objects. From the start of that period no MD5 passwords can be added to a MNTNER, but existing ones will remain valid. At the end of that period the RIPE NCC can replace/remove all remaining MD5 passwords. As with the crypt-pw deprecation, we would provide an automated web service to reinstate access to a MNTNER object if you can validate against one of the original MD5 passwords.

The time limits used for the crypt-pw deprecation were a 6 month period for users to update their MNTNER objects and a 3 year period to reinstate user access via the web service.