FAQ: RIPE Database Security
- I have objects in the RIPE Database. How can I protect them ? →
You can protect your objects using a mntner (maintainer) object. You can use this to let you know when your objects have been changed. It can authenticate changes by using one of several authentication schemes, including PGP. In order to set this up, you must add a "mnt-by:" attribute to your object(s). You can encrypt a password for authentication using our secure Crypted password generation tool.
An example of adding a maintainer to a person object is included in the RIPE Database User Manual: Getting Started. For more details about objects and maintainers, see the RIPE Database Documentation Library.
You can also use the webupdates online web interface to add a maintainer to a RIPE Database object.
- In which database objects are maintainer references ("mnt-by") mandatory? →
t is mandatory to include an "mnt-by" reference to a maintainer (mntner) object in the following object types: person, mntner, role, as-block, as-set, aut-num, domain, filter-set, inet6num, inetnum, inet-rtr, irt, key-cert, organisation, peering-set, poem, poetic-form, route, route6, route-set, rtr-set.
For more information about RIPE Database object types, please see the RIPE Database Reference Manual.
- How do I create a maintainer (mntner) object in the RIPE Database? →
New Database users are encouraged to create person and mntner objects using the RIPE Database - New User Start-up Form
Alternatively, to add a mntner object to the RIPE Database, you should query the RIPE Database with "-t mntner" as the query . You should make a copy of the output. Write the correct details into this object and send it to auto-dbm _at_ ripe _dot_ net.
You can also use the webupdates online web interface to create a mntner object.
- I have an unmaintained person object in the RIPE Database. Can I create a mntner object to protect it? →
Yes, it is possible to add a maintainer to an unreferenced person object through webupdates or by e-mail.
Unreferenced person objects will be deleted from the RIPE Database periodically. See also: Clean-up of unreferenced person objects.
- We lost the password of our mntner. Can you please change it to xxxx? →
Please see the Maintainer Modification Request page.
- My mntner password does not work. Why not ? →
You can easily check whether your MD5-PW password is correct. Simply submit query for your mntner (using the -B flag, e.g. query for "-B EXAMPLE-MNT"), copy the line containing the encrypted password (after "MD5-PW:"), then visit the following page and follow the instructions:
Other reasons your password might not work are usually due to these common mistakes:
- supplying the password in encrypted form instead of clear text;
- forgetting to specify "password: " before the password string;
- sending the password in the subject line.
- How can I encrypt a password for my mntner using MD5-PW? →
Please visit the following page and follow the instructions:
For detailed information on how to use the obtained encrypted password, see:
- What encryption algorithm should be used for the crypted password in the "auth:" attribute of a mntner object ? →
Either MD5-PW or DES. Both are "one-way" algorithms; you can _guess_ the clear text password that was used to generate this password (if you have lots of time and many powerful computers), but you cannot reverse-engineer the clear text password from the crypted one; i.e. you cannot use an algorithm on the crypted password to find the clear text password.
Note: the level of security using clear text passwords is not high; you send your clear text password in an e-mail, which could be copied ("sniffed") without you knowing it. Also, a determined, malicious cracker may eventually guess the password.
More information is available in the RIPE Database Reference Manual
- How to use the MD5-PW auth scheme in my mntner ? →
To use MD5-PW, do the following:
- Pick a passphrase - there is some advice on choosing a good passphrase
E.g. "@ v3ri $3>|rit P@55Frais" has the mnemonic "a very secret passphrase", is relatively long, and contains a mix of non-alphabetic characters.
- Go to the Crypt CGI Interface at:
(https://www.ripe.net/cgi-bin/crypt.cgi ) and convert the password to MD5-PW. E.g. "@ v3ri $3>|rit P@55Frais" converts to "$1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/". The encrypted password is not always the same for the same starting password.
- Modify your mntner object to add a line that starts with "auth: MD5-PW", followed by a space and the encrypted password from step 2.
E.g. a maintainer would become:
descr: Sample maintainer for example.
auth: MD5-PW $1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/
- Send the maintainer as a plain text e-mail to auto-dbm _at_ ripe _dot_ net.
- You will receive an automatic reply from the RIPE Database when the update is complete. If successful, you can use the password authentication. To do this, put "password:" at the beginning of a line in the body of the message, followed by the clear text, non-encrypted password.
To create a person object with the above maintainer, you would send
an e-mail with the following body:
password: @ v3ri $3>|rit P@55Frais
person: Adam Smith
address: RIPE NCC
address: Singel 258
address: 1016 AB Amsterdam
address: The Netherlands
phone: +31 20 535 4444
fax-no: +31 20 545 4445
e-mail: adam-example _at_ ripe _dot_ net
notify: Adam-example _at_ ripe _dot_ net
changed: ripe-dbm _at_ ripe _dot_ net
- Pick a passphrase - there is some advice on choosing a good passphrase
- Why is the crypted-password published in the RIPE Database ? Why not keep it secret ? →
This way, users can see what passwords they have for their mntner objects. Also, it means that the RIPE Database can process updates faster (no overhead in looking up the crypted password).
A determined, malicious cracker can guess the password, but to use it they must then send an e-mail. The RIPE Database keeps logfiles of all transactions, so we would have a written record of any changes made.
We encourage users to adopt PGP authentication.
- What software do I need to use PGP? →
There are both commercial and free implementations of PGP available. The RIPE NCC uses GnuPG to implement its PGP operations.
You can download GnuPG for Unix, Macintosh and Windows from:
If you created a key-cert object using PGP 2.6 or 5.0i before 23 April 2001, then you can continue to authenticate your updates using it. However, we cannot guarantee that PGP 2.6 or 5.0i will work in Version 3.0.of the RIPE Database. We recommend that you use GNU PG (GNU Privacy Guard).
Contact ripe-dbm _at_ ripe _dot_ net if you have specific questions.
The RIPE Database supports DSS/Diffie-Hellman and RSA algorithms.
- How can I use PGP with my mail software? →
PGP support is available for most of the popular e-mail software, with varying success. A quick search on a search engine should reveal the various tools/configurations/plugins specific to your mailer.
Although it's convenient to integrate PGP with the mailer software, it can be used separately to generate signed messages. Therefore, you can send signed messages, even if you can't find a suitable extension to your mailer software.
- Getting started with PGP in RIPE Database →
After installing PGP, the next step is to run it once to create your settings. From the commandline, enter gpg once. It should give a message that the directory and options file are created.
You need a key for all operations with gpg, which you can create with the command gpg --gen-key. This command will ask you the following:
- what kind of key you want: For most purposes, (1) is suitable.
- What key size you want: 1024 is the default and reasonable choice. A lower value will decrease the security. On the other hand, a higher value will slow things down.
- how long the key should be valid: You can choose 0 here for a non-expiring key. For custom needs, a limited duration can be set.
- Real name: Your name and surname.
- E-mail address: Your e-mail adress.
- Comment: Remarks that will be appended after your name in the user-ID that gpg will create.
After entering all those information and confirming that they're correct, you'll be asked for a passphrase. Choose a passphrase that:
- is long,
- has special (non alpha-numeric) characters,
- is something special (not a name),
- is very hard to guess (not names, birth dates, phone numbers, names, number of children, ...)
Enter it twice and gpg will start generating the key. Moving your mouse or tapping the keyboard during this operation will help gpg to generate the key faster.
Further information is available on:
- What is a key-cert object, and how can I create it? →
A key-cert object holds the public part of your key in the RIPE Database. To use the key you just generated in the RIPE Database, you should create it in the form of a key-cert object.
The following steps will help you create a key-cert object:
- Export your gpg public key to a file with the command gpg --export --armor < your_email_address> > key-cert.txt
- Issue the command gpg --list-keys and find the line with your e-mail address from output. It should be something like:
pub 1024D/75FE6D99 2002-07-10 John Smith <bitbucket _at_ ripe _dot_ net>
Write down the eight characters after the / sign. This is the key id of your key. You'll need it while creating the key-cert.
- Open the file key-cert.txt with your favorite editor, and add "certif: " (without quotes, but a space after : sign) to the beginning of each line.
- Add a line to the beginning of the file in the form
where XXXXXXXX is the eight characters that you wrote down.
- To the end of the file, add the following:
where <mntner> is your maintainer name, <email> is your e-mail address, and <date> is the date in YYYYMMDD format.
- Finally, add the authentication of mntner, e.g. if your maintainer is protected by MD5-PW, add the authentication of mntner to the file in the form password: <cleartext password>.
- Send this update to auto-dbm _at_ ripe _dot_ net. You'll receive an acknowledgement. If all goes well, you'll be able to query the database and see the key-cert you just generated by the command PGPKEY-XXXXXXXX.
- How should I modify my maintainer to use PGP? →
Just update your maintainer object to contain the line:
where XXXXXXXX is your key-ID.
Be aware that if there are other auth: lines in your object, all will be effective. So, if there are both auth: NONE and auth: PGPKEY-XXXXXXXX lines in the mntner object, still everybody can update it, without the need for the PGP key.
- How can I sign my update with PGP and send it? →
The most straightforward way is to use gpg from the command line. The following steps will help you accomplish this:
- Write your update to a file (say, update.txt).
- Sign this file with the command gpg --clearsign update.txt. You'll be required to enter the passphrase. Then gpg will create a file update.txt.asc which contains the signed version of update.txt.
- Mail update.txt.asc to auto-dbm _at_ ripe _dot_ net.
You can also use your mailer software facilities to do this which is mostly a menu entry. Please see the documentation of the particular software for this.
- How can I put two or more signatures in a message? →
Although there are a few variations for putting multiple signatures in an update, please note that there is yet no reported way to consistently do this via mailer interfaces. So, again the most straightforward way is to do this from the command line. For the first signature, just sign the message as explained in the previous question. For the consecutive signatures, sign the resulting .asc files from the last signing. Send the final resulting file to auto-dbm _at_ ripe _dot_ net, which will carry all authentications.
- Can I create a maintainer with only PGP authentication? →
No, initially the mntner has to be created with an authentication other than PGP. After that you can create the key-cert object protected with the new mntner. Upon creation of the mntner and the key-cert object (protected by your mntner), you can change the authentication to PGP.