Using GPG with the RADB
Notes and Limitations
In addition to supporting PGP-based authentication we now offer limited support for GPG-based signatures. It is limited because ElGamal encryption cannot currently be supported due to interoperability issues with PGP. Thus key types (1) DSA and ElGamal (default) and (2) DSA (sign only) are supported, while option (4) ElGamal (sign and encrypt) is not. We hope to provide full support for ElGamal keys in the near future.
This document takes you step-by-step through the process of creating a key-cert object, including generation of a GPG key and GPG-signing your DB submissions.
In the sessions below, user input follows the '%' prompt or is the answer typed after a gpg question; explanatory notes are set in square brackets.
The example below uses GPG version 1.0.4 but the process is applicable to other versions.
Creating the Key-Cert Object
1. Create a GPG key.
% gpg --gen-key
gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: you have to start GnuPG again, so it can read the new options file

% gpg --gen-key
gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: /.gnupg/secring.gpg: keyring created
gpg: /.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection? 1

[Note: choosing option 4 will result in a key that you will not be able to register. Options 1 and 2 should work fine.]

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Christerfer Frazier
Email address: email@example.com
Comment:
You selected this USER-ID:
    "Christerfer Frazier <email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
ThisIsAPieceofCake

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
[progress indicator omitted]
[gpg prints the same entropy notice and progress indicator again for the ElGamal subkey]
public and secret key created and signed.
2. Get your hex ID.
Now note your hex ID. The hex ID here is 'E0EBA60B'. This is required to create the key-cert object.
% gpg --list-keys
/.gnupg/pubring.gpg
----------------------------------------------
pub  1024D/E0EBA60B 2001-10-10 Christerfer Frazier <email@example.com>
sub  1024g/66C5C28C 2001-10-10
3. Extract your public key block in ASCII-armored format to a file mykeys.txt.
% gpg --export -a -o mykeys.txt E0EBA60B
% cat mykeys.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (SunOS)
Comment: For info see http://www.gnupg.org

[base64 key data and checksum line; the complete block appears in the key-cert object in step 4]
-----END PGP PUBLIC KEY BLOCK-----
4. Create the key-cert.
Now use your favorite editor to create your key-cert object. Be sure to note the '+' signs that begin each line of the certif attribute; you are required to add them in the object. Note that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified. These attributes are auto-generated by the IRRd software, so they are intentionally omitted.
% vi mykeys.txt

key-cert: PGPKEY-E0EBA60B
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.4 (SunOS)
+Comment: For info see http://www.gnupg.org
+
+mQGiBDvEqK4RBACipVK0SbSbggyWzSrdRn67BwFS3S4G0vIHO5PUzh4J9D4IxHu5
+a3RfaSgKPGWp3ZrgWjm2Y4ff64DbcDbx43nkxGrQdnihMI7BS/ulehfkmlnET/BX
+u9mtYiV4m+rpxT5XRJRjVbZBSERmZlaFhgfFGp2BYexVNegwDSa4ArWJ2wCgt88V
+O/edXkFOC3jynH/XO478ikEEAJYSvrSJ6TYyPEn9N6jlD65xL0xUfAieGmW1NyRh
+/KYLE+2+DoME0sVCqiCUqM4SYfr+n3N+Vpq1sLitUxWpi5jPwWtxFAZ9GU6HHb/n
+YaHOgHA9Pb/OeO4zl9lCGjf4LJ6a5518x6jjoP6uhKrWXdOHjD10uQNI5zj2F9Xs
+EuYDA/9gaNT8tHLNvbfbl+1PSrKa9b/tbcTAuA9Nu7U7V/0xAOYGJyejnjAEsJBI
+wZJf+ua7KCV5mtqlwtTFw5pXMGHLHIMnbuzSU0qBsEHzo4yxtST7cTPh5Fv+xcc0
+ST8fTw3A6xnmzDIi41q1EcuQT1E5igp4GEHYXnfdSqBMKglCnLQjQ2hyaXN0ZXJm
+ZXIgRnJhemllciA8Y2Z6QG1lcml0LmVkdT6IVwQTEQIAFwUCO8SorgULBwoDBAMV
+AwIDFgIBAheAAAoJEF+P4+7g66YLIPIAoIx5FgGo+mTsZvx1/G8haUW2oaUEAJ9T
+n2Z9k7ASLHJWdB6ICGKkzRAwjbkBDQQ7xKjNEAQAsc246VvyqXnvSapiLP3cteSF
+5esgC0xmvjgnrbv34mdQak7wgmWpXg8ohitij1vHl6Y07QgiJh3XJ0qLjT4bu+jE
+w6c8FamkMovB2YnHAGiHAol3Mqv4codEUs1DRu0Sza+5pmpElcysMiPhx661OH1B
+DTrDmHKBpXYfqI/ZNDMAAwYD+QErFkB62KV+u/Xx0dCeGdQL5AG/MnZobtnoNOkY
+wSiXxUF1dN0+gVi61t31yDkoD3H0f5jKHYCTrgnAVmh+UJKpXNlskshzLBw3OM9F
+oGI+3Cw+fLbMi4ojYyuYWvt2hywNEuzkEtirHrDMDbTLzGbO+c1OJDP2exrVHaU5
+8N+MiEYEGBECAAYFAjvEqM0ACgkQX4/j7uDrpgv8OACgjrWbVVJzSe3Og5s+nJ59
+Fy+Jqz4An3A2/b/t+7nH7e/0+fiwo+pfiCRi
+=5lsy
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by: MAINT-FRAZIER
changed: firstname.lastname@example.org
source: RADB
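As an added example (not RADB or IRRd code), the Python below builds the key-cert object of step 4 from an exported armored key, first checking the armor's CRC-24 line so that a damaged paste is caught locally rather than by a '?' response from auto-dbm, and recovers the key block from the '+' continuation lines. The armor() helper, the constructed key bytes and the function names are assumptions; the sample data is not a real OpenPGP key.

```python
import base64
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    # OpenPGP armor checksum (RFC 4880, section 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(raw: bytes) -> str:
    # Armor raw key packets as 'gpg --export -a' does: 64-char base64 lines, then '=' + CRC-24
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "Version: constructed example", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)] + ["=" + crc, END])

def armor_checksum_ok(block: str) -> bool:
    # Header and footer present, and the '=' line matches the CRC-24 of the decoded key data
    lines = block.strip().splitlines()
    if lines[:1] != [BEGIN] or lines[-1:] != [END] or "" not in lines:
        return False
    data = lines[lines.index("") + 1:-1]        # armor headers (Version:, Comment:) end at the blank line
    if not data or not data[-1].startswith("="):
        return False
    try:
        raw = base64.b64decode("".join(data[:-1]), validate=True)
        want = int.from_bytes(base64.b64decode(data[-1][1:], validate=True), "big")
    except ValueError:                           # binascii.Error is a ValueError subclass
        return False
    return want == crc24(raw)

def make_key_cert(hex_id: str, block: str, mnt_by: str, changed: str) -> str:
    # Build the key-cert object of step 4: every armor line becomes a '+' continuation line of certif:
    if len(hex_id) != 8 or any(c not in "0123456789ABCDEF" for c in hex_id):
        raise ValueError("use the 8-digit hex ID printed by 'gpg --list-keys'")
    if not armor_checksum_ok(block):
        raise ValueError("armored key block is damaged; re-run gpg --export -a")
    certif = "\n".join("+" + line for line in block.strip().splitlines())
    return f"key-cert: PGPKEY-{hex_id}\ncertif:\n{certif}\nmnt-by: {mnt_by}\nchanged: {changed}\nsource: RADB\n"

def parse_key_cert(text: str) -> tuple:
    # Inverse of make_key_cert: strip the '+' markers to recover (key-cert name, armored block)
    name = next(l.split(":", 1)[1].strip() for l in text.splitlines() if l.startswith("key-cert:"))
    return name, "\n".join(l[1:] for l in text.splitlines() if l.startswith("+"))
```

The check covers only the armor framing and checksum; IRRd still parses and verifies the key itself when it processes the object.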
5. Mail the key-cert object to auto-dbm for processing.
% mail -t email@example.com < mykeys.txt
If everything is OK you will receive a mail acknowledgement from firstname.lastname@example.org containing the following:
ADD OK: [key-cert] PGPKEY-E0EBA60B
Otherwise you will get a response listing syntax errors. The errors are denoted in the response message with '?' characters.
6. Update your maintainer to use GPG authentication.
Make sure your key has been added successfully before updating your maintainer to use the key. At this point, add the new 'auth:' attribute. To make full use of the security GPG provides, be sure to delete the 'MAIL-FROM' and 'CRYPT-PW' auth lines; otherwise your maintainer is just as insecure as it was before, since those mechanisms can still be used.
BEFORE GPG

mntner: MAINT-FRAZIER
descr: Maintainer without GPG
admin-c: CFZ
tech-c: CFZ
upd-to: email@example.com
auth: MAIL-FROM firstname.lastname@example.org
auth: CRYPT-PW pfRRVg599QpLw
mnt-by: MAINT-FRAZIER
changed: email@example.com 20010616
source: RADB

WITH GPG

mntner: MAINT-FRAZIER
descr: New maintainer with GPG authentication
admin-c: CFZ
tech-c: CFZ
upd-to: firstname.lastname@example.org
auth: PGPKEY-E0EBA60B
mnt-by: MAINT-FRAZIER
changed: email@example.com 20011010
source: RADB
How to use GPG for RADB authentication
2) Assume the object you want to submit is in a file named 'db-submission.txt'. GPG writes its output to a file with the same name plus .asc, so in our example the GPG-signed submission will be in a file called db-submission.txt.asc. The 'passphrase' is the value you supplied to GPG when you created your key in step 1 of the previous section, "Create a GPG key."
% gpg --clearsign db-submission.txt

You need a passphrase to unlock the secret key for
user: "Christerfer Frazier <email@example.com>"
1024-bit DSA key, ID E0EBA60B, created 2001-10-10

%
3) Send your GPG signed submission to firstname.lastname@example.org.
% mail -t email@example.com < db-submission.txt.asc
4) DONE! You have successfully used a GPG-signed message to update an entry in the RADB.
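An added pre-flight check (not RADB or IRRd code) for steps 2 and 3 here and step 6 above, in Python: it unwraps a 'gpg --clearsign' file to get the object back, and, if that object is a mntner, flags MAIL-FROM or CRYPT-PW lines left next to the PGPKEY line. Function names and the sample objects are assumptions; it checks layout only and does not verify the signature, which IRRd does when it processes the mail.

```python
SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_START = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
WEAK_AUTH = ("MAIL-FROM", "CRYPT-PW")   # still honoured if left in the mntner next to PGPKEY

def unwrap_clearsigned(text: str) -> str:
    # Return the object text wrapped by 'gpg --clearsign' (RFC 4880 section 7 layout),
    # undoing dash-escaping. Raises if the file is not clearsigned at all.
    lines = text.splitlines()
    if lines[:1] != [SIGNED] or SIG_START not in lines or lines[-1:] != [SIG_END]:
        raise ValueError("not a clearsigned file: mail the .asc file, not the plain one")
    start = lines.index("") + 1                  # 'Hash:' headers end at the first blank line
    body = lines[start:lines.index(SIG_START)]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

def auth_methods(mntner: str) -> list:
    # All 'auth:' values of an RPSL mntner object, in order
    return [l.split(":", 1)[1].strip() for l in mntner.splitlines() if l.startswith("auth:")]

def weak_auth(mntner: str) -> list:
    # auth: values that still accept unsigned updates even when a PGPKEY line is present
    return [a for a in auth_methods(mntner) if a.split(" ", 1)[0].upper() in WEAK_AUTH]

def gpg_only(mntner: str) -> bool:
    methods = auth_methods(mntner)
    return bool(methods) and all(a.upper().startswith("PGPKEY-") for a in methods)

def ready_to_mail(clearsigned: str) -> bool:
    # The file is signed, and if it carries a mntner, that mntner keeps
    # no MAIL-FROM or CRYPT-PW line (the step 6 rule)
    obj = unwrap_clearsigned(clearsigned)
    return "mntner:" not in obj or not weak_auth(obj)
```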
Comments and questions are welcome; please send email to firstname.lastname@example.org.