FAQ: RIPE Database Security

I have objects in the RIPE Database. How can I protect them?

You can protect your objects with a mntner (maintainer) object. A mntner can also notify you when the objects it protects are changed (the addresses to notify are listed in its "mnt-nfy:" attribute). It authenticates changes using one of several authentication schemes, including PGP. To set this up, add a "mnt-by:" attribute referencing the mntner to each object you want to protect. If you choose password authentication, the mntner stores the password only in crypted (one-way hashed) form, which you can generate with our secure Crypted password generation tool.

An example of adding a maintainer to a person object is included in the RIPE Database User Manual: Getting Started. For more details about objects and maintainers, see the RIPE Database Documentation Library.

You can also use the webupdates online web interface to add a maintainer to a RIPE Database object.

In which database objects are maintainer references ("mnt-by") mandatory?

It is mandatory to include an "mnt-by" reference to a maintainer (mntner) object in the following object types: person, mntner, role, as-block, as-set, aut-num, domain, filter-set, inet6num, inetnum, inet-rtr, irt, key-cert, organisation, peering-set, poem, poetic-form, route, route6, route-set, rtr-set.

For more information about RIPE Database object types, please see the RIPE Database Reference Manual.

How do I create a maintainer (mntner) object in the RIPE Database?

New Database users are encouraged to create person and mntner objects using the RIPE Database - New User Start-up Form.

Alternatively, query the RIPE Database with "-t mntner" to obtain the template for a mntner object. Copy the template, fill in the correct details, and send the completed object by e-mail to auto-dbm _at_ ripe _dot_ net.

You can also use the webupdates online web interface to create a mntner object.

I have an unmaintained person object in the RIPE Database. Can I create a mntner object to protect it?

Yes, it is possible to add a maintainer to an unreferenced person object through webupdates or by e-mail.

Unreferenced person objects will be deleted from the RIPE Database periodically. See also: Clean-up of unreferenced person objects.

We lost the password of our mntner. Can you please change it to xxxx?

Please see the Maintainer Modification Request page.

My mntner password does not work. Why not?

You can easily check whether your MD5-PW password is correct. Submit a query for your mntner (using the -B flag, e.g. query for "-B EXAMPLE-MNT"), copy the crypted password from the "auth: MD5-PW" line (the string starting with "$1$"), then visit the following page and follow the instructions:

https://www.ripe.net/cgi-bin/check_crypt.cgi

Other reasons your password might not work are usually due to these common mistakes:

  • supplying the password in encrypted form instead of clear text;
  • forgetting to specify "password: " before the password string;
  • sending the password in the subject line.

How can I encrypt a password for my mntner using MD5-PW?

Please visit the following page and follow the instructions:
https://www.ripe.net/cgi-bin/crypt.cgi

For detailed information on how to use the obtained encrypted password, see:
http://www.ripe.net/db/support/security/

What encryption algorithm should be used for the crypted password in the "auth:" attribute of a mntner object?

Either MD5-PW or DES (DES is written as "CRYPT-PW" in the auth: attribute and uses only the first eight characters of the password). Both are "one-way" algorithms: you can _guess_ the clear text password by hashing candidates and comparing (this takes time and computing power, although for a weak password it is practical on ordinary hardware), but you cannot reverse the crypted string into the clear text; i.e. there is no algorithm that takes the crypted password and yields the clear text password.

Note: the level of security using clear text passwords is not high. You send your clear text password in an e-mail, which could be copied ("sniffed") in transit without you knowing it. Also, because the crypted password is visible in the mntner object, a determined, malicious cracker can try guesses offline and may eventually find the password.

More information is available in the RIPE Database Reference Manual.

How do I use the MD5-PW auth scheme in my mntner?

To use MD5-PW, do the following:

  1. Pick a passphrase (there is some advice on choosing a good passphrase in the PGP section below).
    E.g. "@ v3ri $3>|rit P@55Frais" has the mnemonic "a very secret passphrase", is relatively long, and contains a mix of non-alphabetic characters.

  2. Go to the Crypt CGI Interface at:
    (https://www.ripe.net/cgi-bin/crypt.cgi) and convert the password to MD5-PW. E.g. "@ v3ri $3>|rit P@55Frais" converts to "$1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/". The encrypted password is not always the same for the same starting password, because a random salt (the "HaKpJ.7L" part between the second and third "$") is generated each time; every such result is valid.

  3. Modify your mntner object to add a line that starts with "auth: MD5-PW", followed by a space and the encrypted password from step 2.

    E.g. a maintainer would become:

    mntner: EXAMPLE-MNT
    descr: Sample maintainer for example.
    ...
    auth: MD5-PW $1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/
    ...
    source: RIPE

  4. Send the maintainer as a plain text e-mail to auto-dbm _at_ ripe _dot_ net.

  5. You will receive an automatic reply from the RIPE Database when the update is complete. If successful, you can use the password authentication. To do this, put "password:" at the beginning of a line in the body of the message, followed by the clear text, non-encrypted password.

    To create a person object with the above maintainer, you would send
    an e-mail with the following body:
    password: @ v3ri $3>|rit P@55Frais
    person: Adam Smith
    address: RIPE NCC
    address: Singel 258
    address: 1016 AB Amsterdam
    address: The Netherlands
    phone: +31 20 535 4444
    fax-no: +31 20 545 4445
    e-mail: adam-example _at_ ripe _dot_ net
    nic-hdl: AUTO-1
    notify: Adam-example _at_ ripe _dot_ net
    mnt-by: EXAMPLE-MNT
    changed: ripe-dbm _at_ ripe _dot_ net
    source: RIPE
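
The following Python script is added here as an illustration; it is not RIPE NCC code and does not use the CGI pages above. It does offline what crypt.cgi and check_crypt.cgi do: it implements the MD5-crypt ("$1$") algorithm behind MD5-PW, generates an "auth:" line with a fresh random salt, and checks a candidate clear text password against every MD5-PW line in the text of a mntner object as returned by a "-B" query, flagging the common mistakes listed under "My mntner password does not work" that are visible in the text itself. The sample mntner, the reuse of the FAQ's salt, and all function names are constructed for this example.

```python
"""Generate and verify RIPE Database MD5-PW auth strings offline.

MD5-PW is the "$1$" MD5-crypt scheme from crypt(3); it is reimplemented
here with hashlib so it runs on any Python 3 (the crypt module is
deprecated).  Nothing here talks to the RIPE Database: it reproduces what
crypt.cgi (generate) and check_crypt.cgi (verify) do for the text of a
mntner object that you pasted from a "-B" query.
"""
import hashlib
import hmac
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# "$1$" + salt (1..8 itoa64 chars) + "$" + 22 itoa64 chars
MD5_PW_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def _to64(value: int, count: int) -> str:
    """crypt(3)'s little-endian base-64: 6 bits per character, low bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<hash>" (Poul-Henning Kamp's MD5-crypt)."""
    pw, s, magic = password.encode(), salt.encode()[:8], b"$1$"
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + magic + s)
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # the "bit walk" over the bits of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for rnd in range(1000):           # 1000 rounds of deliberate slow-down
        c = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(s)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    f = final                         # crypt(3)'s byte permutation before encoding
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$1$" + s.decode() + "$" + enc


def make_auth_line(password: str) -> str:
    """Build an "auth: MD5-PW ..." line with a fresh random 8-character salt.
    The salt is why the same password gives a different string every time."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "auth: MD5-PW " + md5_crypt(password, salt)


def verify_md5_pw(password: str, crypted: str) -> bool:
    """Recompute with the salt taken from the stored string and compare."""
    m = MD5_PW_RE.match(crypted)
    if not m:
        return False
    return hmac.compare_digest(md5_crypt(password, m.group(1)), crypted)


def check_mntner(mntner_text: str, supplied: str) -> dict:
    """What the update processor effectively does with a "password:" line:
    try it against every MD5-PW auth line of the mntner.  Also reports the
    FAQ's common mistakes that can be seen in the text alone."""
    problems = []
    if MD5_PW_RE.match(supplied):
        problems.append("the supplied value is already an MD5-PW string; send the clear text")
    if re.search(r"^auth:\s*NONE\s*$", mntner_text, re.M):
        problems.append("auth: NONE present: anyone can update, the password is irrelevant")
    hashes = re.findall(r"^auth:\s*MD5-PW\s+(\S+)", mntner_text, re.M)
    if not hashes:
        problems.append("no MD5-PW auth line found (query with -B to see the full object)")
    return {"authenticated": any(verify_md5_pw(supplied, h) for h in hashes),
            "problems": problems}


# Constructed sample mntner (not a real RIPE object).  The FAQ's passphrase
# and its salt "HaKpJ.7L" are reused so the output can be compared with the
# string shown in the FAQ.
SAMPLE_PASSWORD = "@ v3ri $3>|rit P@55Frais"
SAMPLE_MNTNER = "\n".join([
    "mntner:  EXAMPLE-MNT",
    "descr:   Sample maintainer for example.",
    "auth:    MD5-PW " + md5_crypt(SAMPLE_PASSWORD, "HaKpJ.7L"),
    "source:  RIPE",
])

if __name__ == "__main__":
    print(SAMPLE_MNTNER)
    print(make_auth_line(SAMPLE_PASSWORD))
    print(check_mntner(SAMPLE_MNTNER, SAMPLE_PASSWORD))
    print(check_mntner(SAMPLE_MNTNER, "wrong guess"))
```

The comparison uses hmac.compare_digest rather than "==" so that a verifier exposed to untrusted input does not leak how many leading characters matched. Note that MD5-crypt's 1000 rounds were a deliberate slow-down in 1994; on current hardware a weak passphrase protected this way is still cheap to guess offline, which is the reason the FAQ keeps steering towards PGP.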

Why is the crypted password published in the RIPE Database? Why not keep it secret?

This way, users can see which passwords (in crypted form) are set for their mntner objects. Also, it means that the RIPE Database can process updates faster (no separate lookup of the crypted password is needed).

A determined, malicious cracker can guess the password, but to use it they must then send an e-mail. The RIPE Database keeps log files of all transactions, so there would be a written record of any changes made; this allows a misuse to be traced afterwards, but does not prevent it.

We encourage users to adopt PGP authentication.

What software do I need to use PGP?

There are both commercial and free implementations of PGP available. The RIPE NCC uses GnuPG to implement its PGP operations.

You can download GnuPG for Unix, Macintosh and Windows from:
http://www.gnupg.org/download/

If you created a key-cert object using PGP 2.6 or 5.0i before 23 April 2001, you can continue to authenticate your updates with it. However, we cannot guarantee that PGP 2.6 or 5.0i will work in Version 3.0 of the RIPE Database. We recommend that you use GnuPG (GNU Privacy Guard).

Contact ripe-dbm _at_ ripe _dot_ net if you have specific questions.

The RIPE Database supports DSS/Diffie-Hellman (i.e. DSA/ElGamal) and RSA keys.

How can I use PGP with my mail software?

PGP support is available for most popular e-mail software, with varying success. A quick web search should reveal the tools, configurations or plugins specific to your mailer.

Although it's convenient to integrate PGP with the mailer software, it can be used separately to generate signed messages. Therefore, you can send signed messages, even if you can't find a suitable extension to your mailer software.

Getting started with PGP in the RIPE Database

After installing GnuPG, run it once to create your settings: from the command line, enter gpg. It should print a message that the directory and options file have been created.

You need a key for all operations with gpg, which you can create with the command gpg --gen-key. This command will ask you the following:

  • what kind of key you want: the first option (the default; "RSA and RSA" in current GnuPG, "DSA and ElGamal" in the versions this FAQ was written for) is suitable.
  • What key size you want: 1024 was the default and a reasonable choice when this FAQ was written, but 1024-bit keys are no longer considered adequate; accept the current GnuPG default (3072-bit RSA) or larger. A lower value decreases security; a higher value slows things down.
  • how long the key should be valid: You can choose 0 here for a non-expiring key. For custom needs, a limited duration can be set.
  • Real name: Your name and surname.
  • E-mail address: your e-mail address.
  • Comment: Remarks that will be appended after your name in the user-ID that gpg will create.

After entering all this information and confirming that it is correct, you'll be asked for a passphrase. Choose a passphrase that:

  • is long,
  • has special (non alpha-numeric) characters,
  • is something special (not a name),
  • is very hard to guess (not names, birth dates, phone numbers, number of children, ...)

Enter it twice and gpg will start generating the key. Moving your mouse or typing on the keyboard during this operation gives the system entropy and helps gpg generate the key faster.

Further information is available on:
http://www.gnupg.org/documentation/index.en.html

What is a key-cert object, and how can I create it?

A key-cert object holds the public part of your key in the RIPE Database. To use the key you just generated with the RIPE Database, you must register its public part in the form of a key-cert object.

The following steps will help you create a key-cert object:

  • Export your gpg public key to a file with the command gpg --export --armor <your_email_address> > key-cert.txt
  • Issue the command gpg --list-keys (newer gpg versions need gpg --list-keys --keyid-format short to show the eight-character id) and find the line with your e-mail address in the output. It should be something like:
    pub 1024D/75FE6D99 2002-07-10 John Smith <bitbucket _at_ ripe _dot_ net>
    Write down the eight characters after the / sign. This is the key id of your key. You'll need it while creating the key-cert.
  • Open the file key-cert.txt with your favorite editor, and add "certif: " (without quotes, but a space after : sign) to the beginning of each line.
  • Add a line to the beginning of the file in the form
    key-cert: PGPKEY-XXXXXXXX
    where XXXXXXXX is the eight characters that you wrote down.
  • To the end of the file, add the following:
    mnt-by: <mntner>
    changed: <email> <date>
    source: RIPE
    where <mntner> is your maintainer name, <email> is your e-mail address, and <date> is the date in YYYYMMDD format.
  • Finally, add the authentication for the mntner, e.g. if your maintainer is protected by MD5-PW, add a line of the form password: <cleartext password> to the file.
  • Send this update to auto-dbm _at_ ripe _dot_ net. You'll receive an acknowledgement. If all goes well, you'll be able to see the key-cert you just created by querying the database for PGPKEY-XXXXXXXX.
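
As an added example (not RIPE NCC's code, and independent of any mailer), the following Python script performs the key-cert steps above: it takes the armored export and the "pub" line from gpg --list-keys, extracts the eight-character key id, prefixes every armor line with "certif: " and appends the trailing attributes and the "password:" line. It also recomputes the armor's CRC-24 checksum before anything is sent, which catches a key block that was damaged while being edited or pasted into an e-mail. The key bytes in the sample are a placeholder rather than real OpenPGP packets; the listing line is the one shown above; the function names are this example's own.

```python
"""Build a RIPE Database key-cert object from a gpg public-key export.

Reproduces the FAQ's manual steps (prefix every armor line with "certif: ",
name the object PGPKEY-<8-character key id>, append mnt-by/changed/source
and the mntner's "password:" line) and adds a check the hand-editing
invites: the armor's CRC-24 trailer is recomputed, so a block that got
mangled when it was pasted into an e-mail is rejected before submission.
"""
import base64
import re
from datetime import date

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
# "pub 1024D/75FE6D99 2002-07-10 ..." (old gpg) or "pub rsa3072/75FE6D99 ..."
# (gpg >= 2.1 with --keyid-format short); the 8 hex digits after "/" are the id.
PUB_LINE_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8})\s", re.M)


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Same shape as `gpg --export --armor`: header, blank line, 64-char
    base64 lines, "=" + base64(CRC-24), footer."""
    b64 = base64.b64encode(packets).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *body, "=" + crc, END]) + "\n"


def dearmor(armored: str) -> bytes:
    """Decode an armored public key block and verify its CRC-24."""
    lines = armored.strip().splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    inner = lines[1:-1]
    if "" in inner:                       # drop "Version:"/"Comment:" headers
        inner = inner[inner.index("") + 1:]
    if not inner or not inner[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    data = base64.b64decode("".join(inner[:-1]))
    expected = int.from_bytes(base64.b64decode(inner[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: the armored key was corrupted")
    return data


def key_id_from_listing(listing: str) -> str:
    """The 8 characters after "/" on the "pub" line of `gpg --list-keys`."""
    m = PUB_LINE_RE.search(listing)
    if not m:
        raise ValueError("no pub line with an 8-character key id (try --keyid-format short)")
    return m.group(1).upper()


def build_key_cert(armored: str, listing: str, mntner: str, email: str,
                   password: str, when: date) -> str:
    """Return the update text to mail to auto-dbm, laid out as in the FAQ."""
    dearmor(armored)                      # refuse a corrupted key block
    key_id = key_id_from_listing(listing)
    certif = [("certif: " + line).rstrip() for line in armored.strip().splitlines()]
    return "\n".join([f"key-cert: PGPKEY-{key_id}", *certif,
                      f"mnt-by: {mntner}", f"changed: {email} {when:%Y%m%d}",
                      "source: RIPE", f"password: {password}"]) + "\n"


# Constructed sample input: the "key" bytes are a placeholder, not real
# OpenPGP packets, and the listing line is the FAQ's own example.
SAMPLE_PACKETS = b"constructed placeholder bytes standing in for OpenPGP key packets"
SAMPLE_ARMOR = armor(SAMPLE_PACKETS)
SAMPLE_LISTING = "pub 1024D/75FE6D99 2002-07-10 John Smith <bitbucket _at_ ripe _dot_ net>\n"

if __name__ == "__main__":
    print(build_key_cert(SAMPLE_ARMOR, SAMPLE_LISTING, "EXAMPLE-MNT",
                         "john-example _at_ ripe _dot_ net", "cleartext-password",
                         date(2002, 7, 10)))
```

The CRC-24 only detects accidental damage (a dropped or altered character); it is not a signature and says nothing about who owns the key. What ties the key to you is that the key-cert object is protected by your mntner, which is why the "password:" line for that mntner is part of the update.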

For more information about the RIPE Database, please see the Database Reference Manual.

Technical details can be found at:
ftp://ftp.ripe.net/rfc/rfc2726.txt

How should I modify my maintainer to use PGP?

Just update your maintainer object to contain the line:

auth: PGPKEY-XXXXXXXX

where XXXXXXXX is your key-ID.

Be aware that every auth: line in a mntner is an independent, sufficient way to authenticate: an update is accepted if it satisfies any one of them. So, if there are both auth: NONE and auth: PGPKEY-XXXXXXXX lines in the mntner object, everybody can still update it, without the need for the PGP key. Once PGP authentication works, remove the weaker auth: lines you no longer need.

How can I sign my update with PGP and send it?

The most straightforward way is to use gpg from the command line. The following steps will help you accomplish this:

  • Write your update to a file (say, update.txt).
  • Sign this file with the command gpg --clearsign update.txt. You'll be required to enter the passphrase. Then gpg will create a file update.txt.asc which contains the signed version of update.txt.
  • Mail update.txt.asc to auto-dbm _at_ ripe _dot_ net.

You can also use your mailer software's facilities to do this, which is usually a menu entry. Please see the documentation of the particular software for this.

How can I put two or more signatures in a message?

Although there are a few variations for putting multiple signatures in an update, note that there is no known way to do this consistently via mailer interfaces. So, again, the most straightforward way is to do it from the command line. For the first signature, sign the message as explained in the previous question. For each subsequent signature, sign the .asc file produced by the previous signing, so that the signatures are nested. Send the final resulting file to auto-dbm _at_ ripe _dot_ net; it carries all the authentications.

Can I create a maintainer with only PGP authentication?

No. The mntner must initially be created with an authentication scheme other than PGP (e.g. MD5-PW), because the key-cert object that PGP authentication refers to must itself be protected by a mntner. After creating the mntner, create the key-cert object protected by it. Once both exist, you can change the mntner's authentication to PGP.

What is the size of PGP key that can be used in a key-cert object in the RIPE Database?

The size of a PGP key is user defined. The RIPE Database key-cert object will accept any size that is generated by the software that generates the PGP key.