Merit RADb
Merit RADb Tutorials

Using GPG with the RADB


Notes and Limitations

In addition to supporting PGP-based authentication we now offer limited support of GPG-based signatures. It is limited because ElGamal encryption cannot currently be supported due to interoperability issues with PGP. Thus key types (1) DSA and ElGamal (default) and (2) DSA (sign only) are supported, while option (4) ElGamal (sign and encrypt) is not. We hope to provide full support for ElGamal keys in the near future.

Creating the Key-Cert Object

  1. Create a GPG key.

    This document takes you step-by-step through the process of creating a key-cert object, including generation of a GPG key and GPG-signing your DB submissions.


    The example below uses GPG version 1.0.4, but the process is applicable to other versions.

    % gpg --gen-key
    gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    gpg: you have to start GnuPG again, so it can read the new options file

    % gpg --gen-key
    gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    gpg: /.gnupg/secring.gpg: keyring created
    gpg: /.gnupg/pubring.gpg: keyring created
    Please select what kind of key you want:
       (1) DSA and ElGamal (default)
       (2) DSA (sign only)
       (4) ElGamal (sign and encrypt)
    Your selection? 1

    Note that choosing option 4 will result in a key that you will not be able to register. Options 1 and 2 should work fine.

    DSA keypair will have 1024 bits.
    About to generate a new ELG-E keypair.
                  minimum keysize is  768 bits
                  default keysize is 1024 bits
        highest suggested keysize is 2048 bits
    What keysize do you want? (1024)
    Requested keysize is 1024 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct (y/n)? y

    You need a User-ID to identify your key; the software constructs the user id
    from Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) "

    Real name: Christerfer Frazier
    Email address: cfz@merit.edu
    Comment:
    You selected this USER-ID:
        "Christerfer Frazier <cfz@merit.edu>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    You need a Passphrase to protect your secret key.
    ThisIsAPieceofCake

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ++++++++++.+++++.++++++++++..+++++.++++++++++.+++++.+++++++++++++++++++++++++.++
    ++++++++++++++++++++++++++++++++++++++++++++..++++++++++++++++++++....>+++++....
    ++++++
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    .++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++
    +++..++++++++++++++++++++++++++++++++++++++++.++++++++++>.+++++.................
    +..+++++^^^^
    public and secret key created and signed.

  2. Get your hex ID.

    Now note your hex ID. The hex ID here is 'E0EBA60B'. This is required to create the key-cert object.

    % gpg --list-keys
    /.gnupg/pubring.gpg
    ----------------------------------------------
    pub  1024D/E0EBA60B 2001-10-10
    Christerfer Frazier <cfz@merit.edu>
    
    sub  1024g/66C5C28C 2001-10-10
    
  3. Extract your public key block in ASCII-armored format to the file mykeys.txt.
    
    % gpg --export -a -o mykeys.txt E0EBA60B
    
    % cat mykeys.txt
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.0.4 (SunOS)
    Comment: For info see http://www.gnupg.org
    
    mQGiBDvEqK4RBACipVK0SbSbggyWzSrdRn67BwFS3S4G0vIHO5PUzh4J9D4IxHu5
    a3RfaSgKPGWp3ZrgWjm2Y4ff64DbcDbx43nkxGrQdnihMI7BS/ulehfkmlnET/BX
    u9mtYiV4m+rpxT5XRJRjVbZBSERmZlaFhgfFGp2BYexVNegwDSa4ArWJ2wCgt88V
    O/edXkFOC3jynH/XO478ikEEAJYSvrSJ6TYyPEn9N6jlD65xL0xUfAieGmW1NyRh
    /KYLE+2+DoME0sVCqiCUqM4SYfr+n3N+Vpq1sLitUxWpi5jPwWtxFAZ9GU6HHb/n
    YaHOgHA9Pb/OeO4zl9lCGjf4LJ6a5518x6jjoP6uhKrWXdOHjD10uQNI5zj2F9Xs
    EuYDA/9gaNT8tHLNvbfbl+1PSrKa9b/tbcTAuA9Nu7U7V/0xAOYGJyejnjAEsJBI
    wZJf+ua7KCV5mtqlwtTFw5pXMGHLHIMnbuzSU0qBsEHzo4yxtST7cTPh5Fv+xcc0
    ST8fTw3A6xnmzDIi41q1EcuQT1E5igp4GEHYXnfdSqBMKglCnLQjQ2hyaXN0ZXJm
    ZXIgRnJhemllciA8Y2Z6QG1lcml0LmVkdT6IVwQTEQIAFwUCO8SorgULBwoDBAMV
    AwIDFgIBAheAAAoJEF+P4+7g66YLIPIAoIx5FgGo+mTsZvx1/G8haUW2oaUEAJ9T
    n2Z9k7ASLHJWdB6ICGKkzRAwjbkBDQQ7xKjNEAQAsc246VvyqXnvSapiLP3cteSF
    5esgC0xmvjgnrbv34mdQak7wgmWpXg8ohitij1vHl6Y07QgiJh3XJ0qLjT4bu+jE
    w6c8FamkMovB2YnHAGiHAol3Mqv4codEUs1DRu0Sza+5pmpElcysMiPhx661OH1B
    DTrDmHKBpXYfqI/ZNDMAAwYD+QErFkB62KV+u/Xx0dCeGdQL5AG/MnZobtnoNOkY
    wSiXxUF1dN0+gVi61t31yDkoD3H0f5jKHYCTrgnAVmh+UJKpXNlskshzLBw3OM9F
    oGI+3Cw+fLbMi4ojYyuYWvt2hywNEuzkEtirHrDMDbTLzGbO+c1OJDP2exrVHaU5
    8N+MiEYEGBECAAYFAjvEqM0ACgkQX4/j7uDrpgv8OACgjrWbVVJzSe3Og5s+nJ59
    Fy+Jqz4An3A2/b/t+7nH7e/0+fiwo+pfiCRi
    =5lsy
    -----END PGP PUBLIC KEY BLOCK-----
    
  4. Create the key-cert.

    Now use your favorite editor to create your key-cert object. Note the '+' signs that begin each line of the certif attribute; you are required to add them in the object. Note that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified. These attributes are auto-generated by the IRRd software and so they are intentionally omitted.

    % vi mykeys.txt
    key-cert:  PGPKEY-E0EBA60B
    certif:
    +-----BEGIN PGP PUBLIC KEY BLOCK-----
    +Version: GnuPG v1.0.4 (SunOS)
    +Comment: For info see http://www.gnupg.org
    +
    +mQGiBDvEqK4RBACipVK0SbSbggyWzSrdRn67BwFS3S4G0vIHO5PUzh4J9D4IxHu5
    +a3RfaSgKPGWp3ZrgWjm2Y4ff64DbcDbx43nkxGrQdnihMI7BS/ulehfkmlnET/BX
    +u9mtYiV4m+rpxT5XRJRjVbZBSERmZlaFhgfFGp2BYexVNegwDSa4ArWJ2wCgt88V
    +O/edXkFOC3jynH/XO478ikEEAJYSvrSJ6TYyPEn9N6jlD65xL0xUfAieGmW1NyRh
    +/KYLE+2+DoME0sVCqiCUqM4SYfr+n3N+Vpq1sLitUxWpi5jPwWtxFAZ9GU6HHb/n
    +YaHOgHA9Pb/OeO4zl9lCGjf4LJ6a5518x6jjoP6uhKrWXdOHjD10uQNI5zj2F9Xs
    +EuYDA/9gaNT8tHLNvbfbl+1PSrKa9b/tbcTAuA9Nu7U7V/0xAOYGJyejnjAEsJBI
    +wZJf+ua7KCV5mtqlwtTFw5pXMGHLHIMnbuzSU0qBsEHzo4yxtST7cTPh5Fv+xcc0
    +ST8fTw3A6xnmzDIi41q1EcuQT1E5igp4GEHYXnfdSqBMKglCnLQjQ2hyaXN0ZXJm
    +ZXIgRnJhemllciA8Y2Z6QG1lcml0LmVkdT6IVwQTEQIAFwUCO8SorgULBwoDBAMV
    +AwIDFgIBAheAAAoJEF+P4+7g66YLIPIAoIx5FgGo+mTsZvx1/G8haUW2oaUEAJ9T
    +n2Z9k7ASLHJWdB6ICGKkzRAwjbkBDQQ7xKjNEAQAsc246VvyqXnvSapiLP3cteSF
    +5esgC0xmvjgnrbv34mdQak7wgmWpXg8ohitij1vHl6Y07QgiJh3XJ0qLjT4bu+jE
    +w6c8FamkMovB2YnHAGiHAol3Mqv4codEUs1DRu0Sza+5pmpElcysMiPhx661OH1B
    +DTrDmHKBpXYfqI/ZNDMAAwYD+QErFkB62KV+u/Xx0dCeGdQL5AG/MnZobtnoNOkY
    +wSiXxUF1dN0+gVi61t31yDkoD3H0f5jKHYCTrgnAVmh+UJKpXNlskshzLBw3OM9F
    +oGI+3Cw+fLbMi4ojYyuYWvt2hywNEuzkEtirHrDMDbTLzGbO+c1OJDP2exrVHaU5
    +8N+MiEYEGBECAAYFAjvEqM0ACgkQX4/j7uDrpgv8OACgjrWbVVJzSe3Og5s+nJ59
    +Fy+Jqz4An3A2/b/t+7nH7e/0+fiwo+pfiCRi
    +=5lsy
    +-----END PGP PUBLIC KEY BLOCK-----
    mnt-by:    MAINT-FRAZIER
    changed:   cfz@merit.edu
    source:    RADB
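    The following Python script is an added example and is not part of the Merit tutorial or of the IRRd software. It reads the key block exported in step 3, decodes the OpenPGP packets just far enough to report the primary key's algorithm, creation date and short key ID, refuses the ElGamal sign-and-encrypt keys that the Notes section says cannot be registered, and emits the key-cert object of step 4 with the '+' continuation lines added. The embedded key block is the one shown above (mykeys.txt); the attribute layout copies the object above; the function names are the example's own, and the parser handles only the old-format packet headers and V4 keys that GnuPG 1.0.4 produces here.

```python
# Added example (not from the Merit RADb tutorial): inspect an exported GPG
# public key block and build the matching RADb key-cert object.
import base64
import datetime
import hashlib

# The public key block from the tutorial (the contents of mykeys.txt).
MYKEYS_TXT = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (SunOS)
Comment: For info see http://www.gnupg.org

mQGiBDvEqK4RBACipVK0SbSbggyWzSrdRn67BwFS3S4G0vIHO5PUzh4J9D4IxHu5
a3RfaSgKPGWp3ZrgWjm2Y4ff64DbcDbx43nkxGrQdnihMI7BS/ulehfkmlnET/BX
u9mtYiV4m+rpxT5XRJRjVbZBSERmZlaFhgfFGp2BYexVNegwDSa4ArWJ2wCgt88V
O/edXkFOC3jynH/XO478ikEEAJYSvrSJ6TYyPEn9N6jlD65xL0xUfAieGmW1NyRh
/KYLE+2+DoME0sVCqiCUqM4SYfr+n3N+Vpq1sLitUxWpi5jPwWtxFAZ9GU6HHb/n
YaHOgHA9Pb/OeO4zl9lCGjf4LJ6a5518x6jjoP6uhKrWXdOHjD10uQNI5zj2F9Xs
EuYDA/9gaNT8tHLNvbfbl+1PSrKa9b/tbcTAuA9Nu7U7V/0xAOYGJyejnjAEsJBI
wZJf+ua7KCV5mtqlwtTFw5pXMGHLHIMnbuzSU0qBsEHzo4yxtST7cTPh5Fv+xcc0
ST8fTw3A6xnmzDIi41q1EcuQT1E5igp4GEHYXnfdSqBMKglCnLQjQ2hyaXN0ZXJm
ZXIgRnJhemllciA8Y2Z6QG1lcml0LmVkdT6IVwQTEQIAFwUCO8SorgULBwoDBAMV
AwIDFgIBAheAAAoJEF+P4+7g66YLIPIAoIx5FgGo+mTsZvx1/G8haUW2oaUEAJ9T
n2Z9k7ASLHJWdB6ICGKkzRAwjbkBDQQ7xKjNEAQAsc246VvyqXnvSapiLP3cteSF
5esgC0xmvjgnrbv34mdQak7wgmWpXg8ohitij1vHl6Y07QgiJh3XJ0qLjT4bu+jE
w6c8FamkMovB2YnHAGiHAol3Mqv4codEUs1DRu0Sza+5pmpElcysMiPhx661OH1B
DTrDmHKBpXYfqI/ZNDMAAwYD+QErFkB62KV+u/Xx0dCeGdQL5AG/MnZobtnoNOkY
wSiXxUF1dN0+gVi61t31yDkoD3H0f5jKHYCTrgnAVmh+UJKpXNlskshzLBw3OM9F
oGI+3Cw+fLbMi4ojYyuYWvt2hywNEuzkEtirHrDMDbTLzGbO+c1OJDP2exrVHaU5
8N+MiEYEGBECAAYFAjvEqM0ACgkQX4/j7uDrpgv8OACgjrWbVVJzSe3Og5s+nJ59
Fy+Jqz4An3A2/b/t+7nH7e/0+fiwo+pfiCRi
=5lsy
-----END PGP PUBLIC KEY BLOCK-----
"""

# OpenPGP public-key algorithm identifiers (RFC 4880, section 9.1).
ALGORITHMS = {1: "RSA", 16: "ElGamal (encrypt only)", 17: "DSA",
              20: "ElGamal (sign and encrypt)"}
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def dearmor(armored):
    """Return the binary packet data inside an ASCII-armored key block."""
    lines = armored.strip().splitlines()
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not a PGP public key block")
    body = lines[1:-1]
    # Armor headers end at the first blank line; "=xxxx" is the CRC24 line.
    data = [l for l in body[body.index("") + 1:] if not l.startswith("=")]
    return base64.b64decode("".join(data))


def packets(data):
    """Yield (tag, body) for each old-format OpenPGP packet in data."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0xC0 != 0x80 or hdr & 0x03 == 3:
            raise ValueError("unsupported packet header")
        tag, nlen = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)  # 1, 2 or 4 length octets
        length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
        start = pos + 1 + nlen
        yield tag, data[start:start + length]
        pos = start + length


def describe_keys(armored):
    """Return ([primary key and subkeys], [user IDs]) of a V4 key block.
    Each key dict carries algorithm, creation date, fingerprint and the
    8-hex-digit short key ID that names the key-cert object."""
    keys, uids = [], []
    for tag, body in packets(dearmor(armored)):
        if tag == 13:                      # user ID packet
            uids.append(body.decode("utf-8"))
        elif tag in (6, 14):               # public key / public subkey
            if body[0] != 4:
                raise ValueError("only V4 keys are handled")
            created = datetime.datetime.fromtimestamp(
                int.from_bytes(body[1:5], "big"), datetime.timezone.utc)
            # V4 fingerprint: SHA-1 over 0x99, two-octet body length, body.
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
            fpr = fpr.hexdigest().upper()
            keys.append({"role": "primary" if tag == 6 else "subkey",
                         "algorithm": ALGORITHMS.get(body[5], f"unknown ({body[5]})"),
                         "algo_id": body[5], "created": created.date().isoformat(),
                         "fingerprint": fpr, "key_id": fpr[-8:]})
    return keys, uids


def build_key_cert(armored, mntner, email):
    """Build the key-cert object: every armor line becomes an RPSL '+'
    continuation line; method/owner/fingerpr are left for IRRd to generate.
    Refuses the ElGamal sign-and-encrypt keys the RADb cannot register."""
    keys, _ = describe_keys(armored)
    primary = keys[0]
    if primary["algo_id"] == 20:
        raise ValueError("ElGamal sign-and-encrypt keys cannot be registered")
    lines = [f"key-cert:  PGPKEY-{primary['key_id']}", "certif:"]
    lines += ["+" + line for line in armored.strip().splitlines()]
    lines += [f"mnt-by:    {mntner}", f"changed:   {email}", "source:    RADB"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_key_cert(MYKEYS_TXT, "MAINT-FRAZIER", "cfz@merit.edu"))
```

    Computing the key ID from the block itself, rather than copying it from `gpg --list-keys`, catches a key-cert whose name and certif do not belong together before auto-dbm rejects it; the short ID printed should match the hex ID noted in step 2.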
    
    
  5. Mail the key-cert object to auto-dbm for processing.

    % mail -t auto-dbm@radb.net < mykeys.txt

    If everything is ok you will receive a mail acknowledgement from auto-dbm@radb.net with the following:
    ADD OK: [key-cert] PGPKEY-E0EBA60B
    
    Else you will get a response with syntax errors. The errors are denoted in the response message with '?' characters.

  6. Update your maintainer to use GPG authentication.

    Make sure your key has been added successfully *before* updating your maintainer to use the key. At this point let's add in the new 'auth:' attribute. To make full use of the security GPG provides, be sure to delete the 'MAIL-FROM' and 'CRYPT-PW' auth lines; otherwise your maintainer is just as insecure as it was before, since these mechanisms can still be used.

    BEFORE GPG
    mntner:             MAINT-FRAZIER
    descr:              Maintainer without GPG
    admin-c:            CFZ
    tech-c:             CFZ
    upd-to:             cfz@merit.edu
    auth:               MAIL-FROM cfz@merit.edu
    auth:               CRYPT-PW pfRRVg599QpLw
    mnt-by:             MAINT-FRAZIER
    changed:            cfz@merit.edu 20010616
    source:             RADB
    
    WITH GPG
    mntner:             MAINT-FRAZIER
    descr:              New maintainer with GPG authentication
    admin-c:            CFZ
    tech-c:             CFZ
    upd-to:             cfz@merit.edu
    auth:               PGPKEY-E0EBA60B
    mnt-by:             MAINT-FRAZIER
    changed:            cfz@merit.edu 20011010
    source:             RADB
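    The following Python audit is an added example, not part of the tutorial or of IRRd. It parses a mntner object, reports any 'auth:' line that still accepts MAIL-FROM or CRYPT-PW, and rewrites the object so that those lines are replaced by a single PGPKEY auth line, which is the change step 6 describes. The embedded objects are the BEFORE and WITH GPG maintainers shown above; the function names and the short explanations attached to each weak method are the example's own.

```python
# Added example (not from the Merit RADb tutorial): check a mntner object
# for auth methods weaker than PGPKEY and produce the upgraded object.
import re

# Maintainer objects from the tutorial, before and after switching to GPG.
MNTNER_BEFORE = """mntner:             MAINT-FRAZIER
descr:              Maintainer without GPG
admin-c:            CFZ
tech-c:             CFZ
upd-to:             cfz@merit.edu
auth:               MAIL-FROM cfz@merit.edu
auth:               CRYPT-PW pfRRVg599QpLw
mnt-by:             MAINT-FRAZIER
changed:            cfz@merit.edu 20010616
source:             RADB
"""

MNTNER_AFTER = """mntner:             MAINT-FRAZIER
descr:              New maintainer with GPG authentication
admin-c:            CFZ
tech-c:             CFZ
upd-to:             cfz@merit.edu
auth:               PGPKEY-E0EBA60B
mnt-by:             MAINT-FRAZIER
changed:            cfz@merit.edu 20011010
source:             RADB
"""

# Why each legacy method is weaker than a signature: MAIL-FROM trusts a
# forgeable From: header, CRYPT-PW sends the password in every update mail.
WEAK_AUTH = {
    "MAIL-FROM": "anyone who can forge the From: header can authenticate",
    "CRYPT-PW": "the clear-text password travels in every submission",
}
KEY_CERT_NAME = re.compile(r"^PGPKEY-[0-9A-F]{8}$")


def leading_ws(s):
    return s[:len(s) - len(s.lstrip())]


def auth_method(value):
    """First word of an auth: value, e.g. 'CRYPT-PW' or 'PGPKEY-E0EBA60B'."""
    words = value.split()
    return words[0] if words else ""


def parse_rpsl(text):
    """(attribute, value) pairs of an RPSL object; '+' lines continue the value."""
    attrs = []
    for line in text.splitlines():
        if line.startswith("+"):
            name, value = attrs[-1]
            attrs[-1] = (name, value + "\n" + line[1:])
        elif line.strip():
            name, _, value = line.partition(":")
            attrs.append((name.strip(), value.strip()))
    return attrs


def audit_mntner(text):
    """Report which PGPKEY and which weak auth methods a mntner still accepts."""
    report = {"mntner": None, "pgp_keys": [], "weak": []}
    for name, value in parse_rpsl(text):
        if name == "mntner":
            report["mntner"] = value
        elif name == "auth":
            method = auth_method(value)
            if method in WEAK_AUTH:
                report["weak"].append((method, WEAK_AUTH[method]))
            elif KEY_CERT_NAME.match(method):
                report["pgp_keys"].append(method)
    return report


def upgrade_mntner(text, key_cert, changed_by, date):
    """Replace every MAIL-FROM/CRYPT-PW auth line with one PGPKEY auth line,
    keeping the object's column layout, and refresh the changed: line."""
    if not KEY_CERT_NAME.match(key_cert):
        raise ValueError(f"{key_cert!r} is not a key-cert name")
    out, inserted = [], False
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name == "auth" and auth_method(value) in WEAK_AUTH:
            if not inserted:
                out.append(f"auth:{leading_ws(value)}{key_cert}")
                inserted = True
            continue                       # drop the weak auth line
        if name == "changed":
            line = f"changed:{leading_ws(value)}{changed_by} {date}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for method, why in audit_mntner(MNTNER_BEFORE)["weak"]:
        print(f"weak auth {method}: {why}")
    print(upgrade_mntner(MNTNER_BEFORE, "PGPKEY-E0EBA60B", "cfz@merit.edu", "20011010"))
```

    Run the audit against the object you are about to submit; an empty `weak` list together with one entry in `pgp_keys` is the state the tutorial's WITH GPG example is in.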
    

How to use GPG for RADB authentication

  1. Follow the instructions for creating, modifying, or deleting an object, but omit the step that mails auto-dbm@radb.net.

  2. Assume the object is in a file named 'db-submission.txt'. Since GPG defaults its output to a file named *.asc, in our example the GPG-signed submission will be in a file called db-submission.txt.asc. The 'passphrase' is the value you supplied to GPG when you created your key in step 1 of the previous section, "Create a GPG key."

    % gpg --clearsign db-submission.txt 
    
    You need a passphrase to unlock the secret key for
    user: "Christerfer Frazier <cfz@merit.edu>"
    1024-bit DSA key, ID E0EBA60B, created 2001-10-10
    %
    
  3. Send your GPG-signed submission (the .asc file) to auto-dbm@radb.net.
    % mail -t auto-dbm@radb.net < db-submission.txt.asc
    
  4. DONE! You have successfully used a GPG-signed message to update an entry in the RADB.

    Comments and questions are welcome; please send email to radb-support@merit.edu.






Merit RADb is operated by Merit Network Inc.
1000 Oakbrook Drive Suite 200, Ann Arbor, MI 48104-6794
734-527-5776