Using PGP with Merit RADb

Create key-cert

This document takes you step-by-step through the process of creating a key-cert object, including generation of a PGP key and PGP-signing your DB submissions. The key-cert object MUST be added into the database before your maintainer is updated to reference it. A new maintainer should not be submitted with a PGPKEY auth reference unless you include the key-cert object with your new maintainer object submission. The example below uses PGP version 5.0. When you enter PGP commands PGP will default to ~/.pgp in your default directory. You can override the default using the PGPPATH environment variable.

PGP key

In the example, the Enter pass phrase: line is used to indicate that the value you supply will be needed each time you PGP-sign a submission. Therefore it's a good idea to keep your pass phrase in a safe place or, ideally, memorize it so there is no possibility that another party can find it. Anyone with your pass phrase has the ability to impersonate you and breach your DB objects.

$ pgp -g

Choose the type of your public key:
    1)  DSS/Diffie-Hellman - New algorithm for 5.0 (default)
    2)  RSA
Choose 1 or 2: 2

Pick your public/private keypair key size:
    1)   768 bits- Commercial grade, probably not currently breakable
    2)  1024 bits- High commercial grade, secure for many years
    3)  2048 bits- "Military" grade, secure for the foreseeable future
Choose 1, 2 or 3, or enter desired number of bits
(768 - 2048): 1

You need a user ID for your public key.  The desired form for this
user ID is your FULL name, followed by your E-mail address enclosed in
, if you have an E-mail address.  For example:
    Joe Smith
If you violate this standard, you will lose much of the benefits of
PGP 5.0's keyserver and email integration.

Enter a user ID for your public key: Gerald A. Winters < gerald@merit.edu >

Enter the validity period of your key in days from 0 - 999
0 is forever (and the default): 0

You need a pass phrase to protect your private key(s).
Your pass phrase can be any sentence or phrase and may have many
words, spaces, punctuation, or any other printable characters.
Enter pass phrase:
Enter again, for confirmation:
Enter pass phrase:
Collecting randomness for key...

We need to generate 35 random bits.  This is done by measuring the
time intervals between your keystrokes.  Please enter some random text
on your keyboard until you hear the beep:
    0 * -Enough, thank you.
******* ...............*******
Keypair created successfully.

If you wish to send this new key to a server, enter the URL of the server,
below.  If not, enter nothing.

Extract key

$ pgp -xa gerald

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0

mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3
SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb
+d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp
dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq
H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU
CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs
=sYcq
-----END PGP PUBLIC KEY BLOCK-----

Hex ID

The hex ID is 01C794D1.

$ pgp -l gerald

Type Bits KeyID      Created    Expires    Algorithm       Use
sec+  768 0x01C794D1 2000-06-20 ---------- RSA             Sign & Encrypt
uid  Gerald A. Winters

1 matching key found

Construct object

Note that the method:, owner: and fingerpr: attributes have not been specified. These attributes are auto-generated by the DB software and so they are intentionally omitted.

key-cert:      PGPKEY-01C794D1
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PGP for Personal Privacy 5.0
+
+mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3
+SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb
++d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp
+dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq
+H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU
+CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs
+=sYcq
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by:        MAINT-MERIT
changed:       gerald@merit.edu 20000709
source:        RADB

Update maintainer

Be sure to add your key-cert object to the database before you update your maintainer.

The new auth: attribute has been added in the 2nd auth field

mntner:        MAINT-GERALD
descr:         Illustrate PGP authenticaion
admin-c:       DUMMY-RADB
tech-c:        DUMMY-RADB
upd-to:        gerald@merit.edu
mnt-nfy:       gerald@merit.edu
auth:          BCRYPT-PW pfrutahVELjzI
auth:          PGPKEY-01C794D1
mnt-by:        MAINT-GERALD
changed:       gerald@merit.edu 20000709
source:        RADB

Email objects

Assume the objects are in a file called db-objects.txt:

$ mail auto-dbm@radb.net < db-objects.txt

PGP-sign

After you have successfully added your key-cert object to the DB and updated your maintainer to use PGP authentication, you can PGP-sign your submissions

PGP Authentication

Following instructions for creating, modifying or deleting an object, but omit the step to mail auto-dbm@radb.net.
Assume the object is in a filed named db-submission.txt.

Since PGP defaults its output to a file named *.asc, in our example the PGP-signed submission will be in a file called db-submission.txt.asc.

The pass phrase is the value you supplied to PGP when you created your key from step 1, in the previous section Create a PGP key.

$ pgp -ta -u 0x01C794D1 db-submission.txt  or pgp -ta -u gerald db-submission.txt
A private key is required to make a signature.
Need a pass phrase to decrypt private key:
    768 bits, Key ID 01C794D1, Created 2000-06-20
    "Gerald A. Winters "
Enter pass phrase:
Pass phrase is good.
Creating output file db-submission.txt.asc

Send your PGP submission to the RADB:
$ mail auto-dbm@radb.net < db-submission.txt.asc

Tips

Once you begin using PGP authentication is your DB updates, be sure that you are not allowing lesser forms of authentication in your maintainer, i.e., MAIL-FROM and NONE. For example, we discourage maintainers such as the following:

mntner:        MAINT-GERALD
descr:         How to nullify PGP authentication
admin-c:       DUMMY-RADB
tech-c:        DUMMY-RADB
upd-to:        gerald@merit.edu
mnt-nfy:       gerald@merit.edu
auth:          MAIL-FROM gerald@merit.edu
auth:          PGPKEY-01C794D1
mnt-by:        MAINT-GERALD
changed:       gerald@merit.edu 20000709
source:        RADB

Note that the maintainer above allows MAIL-FROM as well as PGP authentication. This would make it possible for an impostor to impersonate you in email using MAIL-FROM authentication, therefore nullifying the benefits of PGP authentication. Even worse would be to have a maintainer such as the following:

mntner:        MAINT-GERALD
descr:         Illustrate PGP authentication
admin-c:       DUMMY-RADB
tech-c:        DUMMY-RADB
upd-to:        gerald@merit.edu
mnt-nfy:       gerald@merit.edu
auth:          NONE
auth:          MAIL-FROM gerald@merit.edu
auth:          PGPKEY-01C794D1
mnt-by:        MAINT-GERALD
changed:       gerald@merit.edu 20000709
source:        RADB

Merit will continue to support the traditional forms of authentication. However, we strongly urge you to convert to PGP-signing of your DB submissions and to avoid the use of lesser forms of authentication.