Merit RADb
Merit RADb Tutorials

Using PGP with the RADB


How To Create a key-cert Object

This document takes you step-by-step through the process of creating a key-cert object, including generation of a PGP key and PGP-signing your DB submissions.

The key-cert object MUST be added into the database before your maintainer is updated to reference it. A new maintainer should not be submitted with a PGPKEY auth reference unless you include the key-cert object with your new maintainer object submission.

In the transcripts below, user input is the text that follows each prompt.

The example below uses PGP version 5.0. When you enter PGP commands, PGP will by default use ~/.pgp in your home directory for its keyrings. You can override the default with the 'PGPPATH' environment variable.

  1. Create a PGP key.

    In the example, pay particular attention to the 'Enter pass phrase:' line: the value you supply will be needed each time you PGP-sign a submission. Therefore it is a good idea to keep your pass phrase in a safe place or, ideally, memorize it so there is no possibility that another party can find it. Anyone with your pass phrase has the ability to impersonate you and breach your DB objects.

    % pgpk -g
    
    Choose the type of your public key:
      1)  DSS/Diffie-Hellman - New algorithm for 5.0 (default)
      2)  RSA
    Choose 1 or 2: 2
    
    Pick your public/private keypair key size:
      1)   768 bits- Commercial grade, probably not currently breakable
      2)  1024 bits- High commercial grade, secure for many years
      3)  2048 bits- "Military" grade, secure for the forseeable future
    Choose 1, 2 or 3, or enter desired number of bits
    (768 - 2048): 1
    
    You need a user ID for your public key.  The desired form for this
    user ID is your FULL name, followed by your E-mail address enclosed in
    <angle brackets>, if you have an E-mail address.  For example:
      Joe Smith <user@domain.com>
    If you violate this standard, you will lose much of the benefits of
    PGP 5.0's keyserver and email integration.
    
    Enter a user ID for your public key: Gerald A. Winters <gerald@merit.edu>
    
    Enter the validity period of your key in days from 0 - 999
    0 is forever (and the default): 0
    
    You need a pass phrase to protect your private key(s).
    Your pass phrase can be any sentence or phrase and may have many
    words, spaces, punctuation, or any other printable characters.
    Enter pass phrase: 
    Enter again, for confirmation:
    Enter pass phrase: 
    Collecting randomness for key...
    
    We need to generate 35 random bits.  This is done by measuring the
    time intervals between your keystrokes.  Please enter some random text
    on your keyboard until you hear the beep:
       0 * -Enough, thank you.
    ******* ...............*******
    Keypair created successfully.
    
    If you wish to send this new key to a server, enter the URL of the server,
    below.  If not, enter nothing.
    
    % 
    
  2. Extract your public key block.
    
    % pgpk -xa gerald
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP for Personal Privacy 5.0
    
    mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3
    SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb
    +d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp
    dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq
    H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU
    CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs
    =sYcq
    -----END PGP PUBLIC KEY BLOCK-----                               
    
  3. Get your hex ID.

    The hex ID is '01C794D1'.

    % pgpk -l gerald
    
    Type Bits KeyID      Created    Expires    Algorithm       Use
    sec+  768 0x01C794D1 2000-06-20 ---------- RSA             Sign & Encrypt 
    uid  Gerald A. Winters <gerald@merit.edu>
    
    1 matching key found
    %
    
  4. Construct a 'key-cert' object.

    Note that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified. These attributes are auto-generated by the DB software and so they are intentionally omitted. A '+' must be added at the start of each line of the public key block, including its blank line, so that the whole block is read as a continuation of the 'certif:' attribute.

    key-cert:      PGPKEY-01C794D1
    certif:        
    +-----BEGIN PGP PUBLIC KEY BLOCK-----
    +Version: PGP for Personal Privacy 5.0
    +
    +mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3
    +SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb
    ++d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp
    +dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq
    +H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU
    +CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs
    +=sYcq
    +-----END PGP PUBLIC KEY BLOCK-----            
    mnt-by:        MAINT-MERIT
    changed:       gerald@merit.edu 20000709
    source:        RADB
    
  5. Update your maintainer to use PGP authentication using the PGP key from the 'key-cert' object. Be sure to add your key-cert object to the database *before* you update your maintainer.

    The new 'auth:' attribute is the 'auth: PGPKEY-01C794D1' line.

    mntner:        MAINT-GERALD
    descr:         Illustrate PGP authentication
    admin-c:       Gerald Winters
    tech-c:        Gerald Winters
    upd-to:        gerald@merit.edu
    mnt-nfy:       gerald@merit.edu
    auth:          CRYPT-PW pfrutahVELjzI
    auth:          PGPKEY-01C794D1
    mnt-by:        MAINT-GERALD
    changed:       gerald@merit.edu 20000709
    source:        RADB
    
  6. Email your objects to the registry. Assume the objects are in a file called 'db-objects.txt'.

    % mail auto-dbm@radb.net < db-objects.txt
    
  7. After you have successfully added your 'key-cert' object to the DB and updated your maintainer to use PGP authentication, you can PGP-sign your submissions.

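Steps 2 through 4 above can be scripted. The following Python is an added example, not part of the RADb tutorial or Merit's software: it reads the key ID out of a 'pgpk -l' listing and wraps an exported public key block into a key-cert object with the required '+' continuation markers. The key block embedded below is a constructed placeholder with the same line structure as a real export, not a real key.

```python
import re

# Constructed sample input, modelled on the tutorial's 'pgpk -l' listing.
PGPK_LISTING = """\
Type Bits KeyID      Created    Expires    Algorithm       Use
sec+  768 0x01C794D1 2000-06-20 ---------- RSA             Sign & Encrypt
uid  Gerald A. Winters <gerald@merit.edu>
"""

# Constructed placeholder armor: the body is NOT a real key, only a stand-in
# with the same line structure (headers, blank line, base64 body, checksum).
ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0

bWVyaXQgcmFkYiBleGFtcGxlIGtleSBib2R5IHBsYWNlaG9sZGVy
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
"""
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def parse_key_id(listing: str) -> str:
    """Return the 8-hex-digit key ID from the '0x...' column of a 'pgpk -l' listing."""
    m = re.search(r"^(?:sec|pub)\S*\s+\d+\s+0x([0-9A-Fa-f]{8})\b", listing, re.MULTILINE)
    if not m:
        raise ValueError("no key ID found in pgpk listing")
    return m.group(1).upper()

def make_key_cert(armored: str, key_id: str, mnt_by: str, changed: str,
                  source: str = "RADB") -> str:
    """Build the key-cert object. method:, owner: and fingerpr: are left out
    because the DB software generates them."""
    lines = armored.strip().splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a complete ASCII-armored public key block")
    if not re.fullmatch(r"[0-9A-F]{8}", key_id):
        raise ValueError("key ID must be 8 upper-case hex digits")
    out = [f"key-cert:      PGPKEY-{key_id}", "certif:"]
    # Every armor line, the blank one included, becomes a '+' continuation line.
    out += ["+" + line for line in lines]
    out += [f"mnt-by:        {mnt_by}",
            f"changed:       {changed}",
            f"source:        {source}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(make_key_cert(ARMORED_KEY, parse_key_id(PGPK_LISTING),
                        "MAINT-MERIT", "gerald@merit.edu 20000709"))
```

With a real export, pipe the output of 'pgpk -xa' into ARMORED_KEY's place and mail the resulting text to auto-dbm@radb.net as in step 6.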

How to Use PGP for RADB Authentication

  1. Follow the instructions for creating, modifying, or deleting an object, but omit the step that mails auto-dbm@radb.net.

  2. Assume the object is in a file named 'db-submission.txt'. Since PGP defaults its output to a file named *.asc, in our example the PGP-signed submission will be in a file called db-submission.txt.asc. The pass phrase is the value you supplied to PGP when you created your key in step 1 of the previous section, "Create a PGP key." The signing key can be selected either by its hex ID (-u 0x01C794D1) or by a substring of its user ID (-u gerald).

    % pgps -ta -u 0x01C794D1 db-submission.txt
    A private key is required to make a signature.
    Need a pass phrase to decrypt private key:
       768 bits, Key ID 01C794D1, Created 2000-06-20
       "Gerald A. Winters <gerald@merit.edu>"
    Enter pass phrase: 
    Pass phrase is good.
    Creating output file db-submission.txt.asc
    %
    
  3. Send your PGP submission to the RADB:
    % mail auto-dbm@radb.net < db-submission.txt.asc
    

Tips for Making Your Objects More Secure

Once you begin using PGP authentication in your DB updates, be sure that you are not allowing lesser forms of authentication in your maintainer, i.e., 'MAIL-FROM' and 'NONE'. For example, we discourage maintainers such as the following:

mntner:        MAINT-GERALD
descr:         How to nullify PGP authentication
admin-c:       Gerald Winters
tech-c:        Gerald Winters
upd-to:        gerald@merit.edu
mnt-nfy:       gerald@merit.edu
auth:          MAIL-FROM gerald@merit.edu
auth:          PGPKEY-01C794D1
mnt-by:        MAINT-GERALD
changed:       gerald@merit.edu 20000709
source:        RADB

Note that the maintainer above allows 'MAIL-FROM' as well as PGP authentication. This would make it possible for an impostor to impersonate you in email using 'MAIL-FROM' authentication, thereby nullifying the benefits of PGP authentication. Even worse would be to have a maintainer such as the following:

mntner:        MAINT-GERALD
descr:         Illustrate PGP authentication
admin-c:       Gerald Winters
tech-c:        Gerald Winters
upd-to:        gerald@merit.edu
mnt-nfy:       gerald@merit.edu
auth:          NONE
auth:          MAIL-FROM gerald@merit.edu
auth:          PGPKEY-01C794D1
mnt-by:        MAINT-GERALD
changed:       gerald@merit.edu 20000709
source:        RADB

Merit will continue to support the traditional forms of authentication. However, we strongly urge you to convert to PGP-signing of your DB submissions and to avoid the use of lesser forms of authentication.
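
As an added example (not from the tutorial or Merit's software), the following Python check parses a mntner object and flags any 'auth:' line that would let a submission bypass the PGP key. The sample objects are constructed from the maintainers shown above, reduced to their 'mntner:' and 'auth:' lines.

```python
WEAK_AUTH = ("MAIL-FROM", "NONE")   # the "lesser forms" this section warns against

# Constructed samples, cut down to the attributes the check looks at.
RECOMMENDED = """\
mntner:        MAINT-GERALD
auth:          CRYPT-PW pfrutahVELjzI
auth:          PGPKEY-01C794D1
"""
DISCOURAGED = """\
mntner:        MAINT-GERALD
auth:          MAIL-FROM gerald@merit.edu
auth:          PGPKEY-01C794D1
"""
WORSE = """\
mntner:        MAINT-GERALD
auth:          NONE
auth:          MAIL-FROM gerald@merit.edu
auth:          PGPKEY-01C794D1
"""

def parse_rpsl(text: str) -> list:
    """Split an RPSL object into (attribute, value) pairs, folding '+' continuation lines."""
    attrs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("+") and attrs:          # continuation of the previous attribute
            name, value = attrs[-1]
            attrs[-1] = (name, value + "\n" + line[1:])
            continue
        name, _, value = line.partition(":")
        attrs.append((name.strip().lower(), value.strip()))
    return attrs

def audit_mntner(text: str) -> dict:
    """Report the auth methods of a mntner and whether PGP is not undermined."""
    attrs = parse_rpsl(text)
    if not attrs or attrs[0][0] != "mntner":
        raise ValueError("object is not a mntner")
    auths = [v for k, v in attrs if k == "auth"]
    weak = [a for a in auths if (a.split() or [""])[0].upper() in WEAK_AUTH]
    pgp = [a for a in auths if a.upper().startswith("PGPKEY-")]
    # 'ok' means a PGPKEY is present and no MAIL-FROM/NONE line bypasses it.
    return {"mntner": attrs[0][1], "auth": auths, "weak": weak, "pgp": pgp,
            "ok": bool(pgp) and not weak}

if __name__ == "__main__":
    for obj in (RECOMMENDED, DISCOURAGED, WORSE):
        print(audit_mntner(obj))
```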

Comments and questions are welcome; please send email to radb-support@merit.edu.

Merit RADb is operated by Merit Network Inc.