
Using GPG with the RADB


Notes and Limitations

In addition to supporting PGP-based authentication, we now offer limited support for GPG-based signatures. It is limited because ElGamal encryption cannot currently be supported due to interoperability issues with PGP. Thus key types (1) DSA and ElGamal (default) and (2) DSA (sign only) are supported, while option (4) ElGamal (sign and encrypt) is not. We hope to provide full support for ElGamal keys in the near future.


Creating the Key-Cert Object

This document takes you step-by-step through the process of creating a key-cert object, including generation of a GPG key and GPG-signing your DB submissions.

User input is shown in red. Other important information is shown in orange.

The example below uses GPG version 1.0.4, but the process is applicable to other versions.

1. Create a GPG key.

% gpg --gen-key

gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: you have to start GnuPG again, so it can read the new options file
% gpg --gen-key

gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: /.gnupg/secring.gpg: keyring created
gpg: /.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection? 1

Note that choosing option 4 will result in a key that you will not be able to register. Options 1 and 2 should work fine.


DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Christerfer Frazier
Email address: cfz@merit.edu
Comment:
You selected this USER-ID:
    "Christerfer Frazier <cfz@merit.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
ThisIsAPieceofCake
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.+++++.++++++++++..+++++.++++++++++.+++++.+++++++++++++++++++++++++.++
++++++++++++++++++++++++++++++++++++++++++++..++++++++++++++++++++....>+++++....
++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++
+++..++++++++++++++++++++++++++++++++++++++++.++++++++++>.+++++.................
+..+++++^^^^
public and secret key created and signed.

2. Get your hex ID.

Now note your hex ID. The hex ID here is 'E0EBA60B'. This is required to create the key-cert object.

% gpg --list-keys
/.gnupg/pubring.gpg
----------------------------------------------
pub  1024D/E0EBA60B 2001-10-10 Christerfer Frazier <cfz@merit.edu>

sub  1024g/66C5C28C 2001-10-10
3. Extract your public key block in ASCII format to a file mykeys.txt.

% gpg --export -a -o mykeys.txt E0EBA60B

% cat mykeys.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (SunOS)
Comment: For info see http://www.gnupg.org
[base64 key data not reproduced here; it is the same data shown line by line, with '+' prefixes, in the key-cert object of step 4]
=5lsy
-----END PGP PUBLIC KEY BLOCK-----
4. Create the key-cert.

Now use your favorite editor to create your key-cert object. Note the '+' signs that begin each line of the certif attribute: you are required to add them in the object. Note also that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified. These attributes are auto-generated by the IRRd software and so they are intentionally omitted.

% vi mykeys.txt
key-cert:  PGPKEY-E0EBA60B
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.4 (SunOS)
+Comment: For info see http://www.gnupg.org
+
+mQGiBDvEqK4RBACipVK0SbSbggyWzSrdRn67BwFS3S4G0vIHO5PUzh4J9D4IxHu5
+a3RfaSgKPGWp3ZrgWjm2Y4ff64DbcDbx43nkxGrQdnihMI7BS/ulehfkmlnET/BX
+u9mtYiV4m+rpxT5XRJRjVbZBSERmZlaFhgfFGp2BYexVNegwDSa4ArWJ2wCgt88V
+O/edXkFOC3jynH/XO478ikEEAJYSvrSJ6TYyPEn9N6jlD65xL0xUfAieGmW1NyRh
+/KYLE+2+DoME0sVCqiCUqM4SYfr+n3N+Vpq1sLitUxWpi5jPwWtxFAZ9GU6HHb/n
+YaHOgHA9Pb/OeO4zl9lCGjf4LJ6a5518x6jjoP6uhKrWXdOHjD10uQNI5zj2F9Xs
+EuYDA/9gaNT8tHLNvbfbl+1PSrKa9b/tbcTAuA9Nu7U7V/0xAOYGJyejnjAEsJBI
+wZJf+ua7KCV5mtqlwtTFw5pXMGHLHIMnbuzSU0qBsEHzo4yxtST7cTPh5Fv+xcc0
+ST8fTw3A6xnmzDIi41q1EcuQT1E5igp4GEHYXnfdSqBMKglCnLQjQ2hyaXN0ZXJm
+ZXIgRnJhemllciA8Y2Z6QG1lcml0LmVkdT6IVwQTEQIAFwUCO8SorgULBwoDBAMV
+AwIDFgIBAheAAAoJEF+P4+7g66YLIPIAoIx5FgGo+mTsZvx1/G8haUW2oaUEAJ9T
+n2Z9k7ASLHJWdB6ICGKkzRAwjbkBDQQ7xKjNEAQAsc246VvyqXnvSapiLP3cteSF
+5esgC0xmvjgnrbv34mdQak7wgmWpXg8ohitij1vHl6Y07QgiJh3XJ0qLjT4bu+jE
+w6c8FamkMovB2YnHAGiHAol3Mqv4codEUs1DRu0Sza+5pmpElcysMiPhx661OH1B
+DTrDmHKBpXYfqI/ZNDMAAwYD+QErFkB62KV+u/Xx0dCeGdQL5AG/MnZobtnoNOkY
+wSiXxUF1dN0+gVi61t31yDkoD3H0f5jKHYCTrgnAVmh+UJKpXNlskshzLBw3OM9F
+oGI+3Cw+fLbMi4ojYyuYWvt2hywNEuzkEtirHrDMDbTLzGbO+c1OJDP2exrVHaU5
+8N+MiEYEGBECAAYFAjvEqM0ACgkQX4/j7uDrpgv8OACgjrWbVVJzSe3Og5s+nJ59
+Fy+Jqz4An3A2/b/t+7nH7e/0+fiwo+pfiCRi
+=5lsy
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by:    MAINT-FRAZIER
changed:   cfz@merit.edu
source:    RADB
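As an added example (not code from the RADB page or from IRRd), the Python below assembles a key-cert object from an armored key block the way steps 3 and 4 describe, and then checks the object for the mistakes that get a submission bounced: certif lines without the '+' prefix, the attributes IRRd generates itself, and a key block that was damaged while pasting, which the armor's CRC-24 checksum (RFC 4880 section 6.1) reveals. The key bytes are a constructed stand-in, not a real OpenPGP key; the armor layout and CRC constants come from the RFC, and the RPSL attribute names are the ones this page uses.

```python
import base64
import re

# OpenPGP ASCII-armor checksum parameters (RFC 4880 section 6.1)
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the raw packet bytes; the armor's trailing '=xxxx' line is its base64 form."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_public_key(raw: bytes, version: str = "GnuPG v1.0.4 (SunOS)") -> str:
    """Lay out raw packet bytes the way 'gpg --export -a' does: BEGIN line, headers, a blank
    line, base64 in 64-column rows, the '=' CRC-24 line and the END line."""
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", f"Version: {version}",
                      "Comment: For info see http://www.gnupg.org", ""]
                     + rows + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"]) + "\n"


def make_key_cert(key_id: str, armored: str, maintainer: str, email: str, source: str = "RADB") -> str:
    """Wrap an armored key block in an RPSL key-cert object. Every line of the block, the blank
    one included, becomes a '+' continuation line of certif:. method:, owner: and fingerpr:
    are left out because IRRd generates them."""
    key_id = key_id.upper()
    if not re.fullmatch(r"[0-9A-F]{8}", key_id):
        raise ValueError("key ID must be the 8 hex digits shown by gpg --list-keys")
    lines = [f"key-cert:  PGPKEY-{key_id}", "certif:"]
    lines += ["+" + row for row in armored.rstrip("\n").split("\n")]
    lines += [f"mnt-by:    {maintainer}", f"changed:   {email}", f"source:    {source}"]
    return "\n".join(lines) + "\n"


def check_key_cert(obj: str) -> list:
    """List the defects auto-dbm is likely to bounce: a bad key-cert name, certif lines without
    the '+' prefix, attributes IRRd generates itself, and a key block whose CRC-24 no longer
    matches its contents (a row lost or altered while pasting)."""
    problems = []
    lines = obj.rstrip("\n").split("\n")
    if not re.fullmatch(r"key-cert:\s+PGPKEY-[0-9A-F]{8}", lines[0]):
        problems.append("first attribute must be key-cert: PGPKEY-<8 hex digits>")
    for attr in ("method:", "owner:", "fingerpr:"):
        if any(line.startswith(attr) for line in lines):
            problems.append(f"{attr} is generated by IRRd; remove it")
    if "certif:" not in lines:
        return problems + ["certif: attribute missing"]
    block = []
    for line in lines[lines.index("certif:") + 1:]:
        if re.match(r"[a-z-]+:", line):          # next attribute: end of the certif value
            break
        if line.startswith("+"):
            block.append(line[1:])
        else:
            problems.append(f"certif line lacks the '+' prefix: {line!r}")
    try:
        data = block[block.index("") + 1:]        # armor data starts after the blank header line
        data = [row for row in data if not row.startswith("-----")]
        crc_row = data.pop() if data and data[-1].startswith("=") else None
        raw = base64.b64decode("".join(data), validate=True)
        if crc_row and base64.b64decode(crc_row[1:]) != crc24(raw).to_bytes(3, "big"):
            problems.append("armor CRC-24 mismatch: the key block was corrupted")
    except (ValueError, IndexError):
        problems.append("certif: does not hold a well-formed armored key block")
    return problems


if __name__ == "__main__":
    # Constructed stand-in for the bytes 'gpg --export' would emit; not a real OpenPGP key.
    sample_raw = bytes(range(48))
    obj = make_key_cert("e0eba60b", armor_public_key(sample_raw), "MAINT-FRAZIER", "cfz@merit.edu")
    print(obj)
    print("problems:", check_key_cert(obj) or "none")
```

Because the '=xxxx' line is a checksum over the decoded key bytes, a dropped or altered base64 row shows up here before auto-dbm rejects the object; the checker deliberately does not try to derive the key ID from the packet, since the page's procedure takes it from gpg --list-keys.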
5. Mail the key-cert object to auto-dbm for processing.

% mail -t auto-dbm@radb.net < mykeys.txt

If everything is OK you will receive a mail acknowledgement from auto-dbm@radb.net containing the following:

ADD OK: [key-cert] PGPKEY-E0EBA60B

Otherwise you will get a response listing syntax errors. The errors are denoted in the response message with '?' characters.

6. Update your maintainer to use GPG authentication.

Make sure your key has been added successfully before updating your maintainer to use it. At this point, add the new 'auth:' attribute. To make full use of the security GPG provides, be sure to delete the 'MAIL-FROM' and 'CRYPT-PW' auth lines; otherwise your maintainer is just as insecure as it was before, since these mechanisms can still be used.

BEFORE GPG
mntner:             MAINT-FRAZIER
descr:              Maintainer without GPG
admin-c:            CFZ
tech-c:             CFZ
upd-to:             cfz@merit.edu
auth:               MAIL-FROM cfz@merit.edu
auth:               CRYPT-PW pfRRVg599QpLw
mnt-by:             MAINT-FRAZIER
changed:            cfz@merit.edu 20010616
source:             RADB

WITH GPG
mntner:             MAINT-FRAZIER
descr:              New maintainer with GPG authentication
admin-c:            CFZ
tech-c:             CFZ
upd-to:             cfz@merit.edu
auth:               PGPKEY-E0EBA60B
mnt-by:             MAINT-FRAZIER
changed:            cfz@merit.edu 20011010
source:             RADB
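The following Python is an added example, not part of the RADB page or of IRRd. It audits a small constructed set of RPSL objects (the two MAINT-FRAZIER versions above, a key-cert stub for PGPKEY-E0EBA60B with the base64 data shortened, and a constructed MAINT-EXAMPLE whose key-cert was never registered) and reports, for each maintainer, which legacy methods are still accepted and whether every PGPKEY auth names a key-cert that actually exists. The attribute layout and the '+' continuation rule are those of the objects on this page; the CRYPT-PW hash in the 'before' object is the one shown above and is never echoed in the report.

```python
# auth: methods the page says to delete once a PGPKEY is in place; leaving either one in
# means a submission carrying no signature at all is still accepted.
LEGACY_AUTH = ("MAIL-FROM", "CRYPT-PW")

# Constructed sample database (see the lead-in); blank lines separate objects.
SAMPLE_DB = """\
mntner:   MAINT-FRAZIER
descr:    Maintainer without GPG
admin-c:  CFZ
tech-c:   CFZ
upd-to:   cfz@merit.edu
auth:     MAIL-FROM cfz@merit.edu
auth:     CRYPT-PW pfRRVg599QpLw
mnt-by:   MAINT-FRAZIER
changed:  cfz@merit.edu 20010616
source:   RADB

mntner:   MAINT-FRAZIER
descr:    New maintainer with GPG authentication
admin-c:  CFZ
tech-c:   CFZ
upd-to:   cfz@merit.edu
auth:     PGPKEY-E0EBA60B
mnt-by:   MAINT-FRAZIER
changed:  cfz@merit.edu 20011010
source:   RADB

key-cert: PGPKEY-E0EBA60B
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.4 (SunOS)
+
+(base64 key data shortened in this constructed sample)
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by:   MAINT-FRAZIER
changed:  cfz@merit.edu
source:   RADB

mntner:   MAINT-EXAMPLE
descr:    Constructed maintainer that references an unregistered key-cert
upd-to:   cfz@merit.edu
auth:     PGPKEY-01234567
mnt-by:   MAINT-EXAMPLE
changed:  cfz@merit.edu 20011010
source:   RADB
"""


def parse_rpsl(text: str) -> list:
    """Split blank-line-separated RPSL objects into lists of (attribute, value) pairs, folding
    '+' and whitespace continuation lines into the value of the preceding attribute."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
        elif line[0] in "+ \t" and current:
            attr, value = current[-1]
            current[-1] = (attr, value + "\n" + line[1:].strip())
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def audit_maintainer(mntner: list, key_certs: set) -> dict:
    """Summarise what one mntner's auth: lines accept. Legacy methods are reported by name only
    (never the CRYPT-PW hash); PGPKEY references are checked against the known key-certs."""
    report = {"mntner": dict(mntner)["mntner"], "legacy": [], "pgpkeys": [], "unresolved": []}
    for attr, value in mntner:
        if attr != "auth":
            continue
        method = value.split()[0].upper()
        if method in LEGACY_AUTH:
            report["legacy"].append(method)
        elif method.startswith("PGPKEY-"):
            report["pgpkeys"].append(method)
            if method not in key_certs:
                report["unresolved"].append(method)   # nothing to verify a signature against
    report["gpg_only"] = bool(report["pgpkeys"]) and not report["legacy"] and not report["unresolved"]
    return report


def audit(db_text: str) -> list:
    """Audit every mntner in a dump; key-cert names are collected first so references resolve."""
    objects = parse_rpsl(db_text)
    key_certs = {value for obj in objects for attr, value in obj if attr == "key-cert"}
    return [audit_maintainer(obj, key_certs) for obj in objects if obj and obj[0][0] == "mntner"]


if __name__ == "__main__":
    for report in audit(SAMPLE_DB):
        state = "GPG only" if report["gpg_only"] else f"legacy={report['legacy']} unresolved={report['unresolved']}"
        print(f"{report['mntner']}: {state}")
```

Run against a real dump, the 'gpg_only' flag is the one to watch: a maintainer whose PGPKEY line sits beside a surviving MAIL-FROM or CRYPT-PW line gains nothing from the key, exactly the situation step 6 warns about.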

How to use GPG for RADB authentication

1) Follow the instructions for creating, modifying, or deleting an object, but omit the step of mailing auto-dbm@radb.net.

2) Assume the object is in a file named 'db-submission.txt'. Since GPG defaults its output to a file named *.asc, in our example the GPG-signed submission will be in a file called db-submission.txt.asc. The 'passphrase' is the value you supplied to GPG when you created your key in step 1 of the previous section, "Create a GPG key."

% gpg --clearsign db-submission.txt

You need a passphrase to unlock the secret key for
user: "Christerfer Frazier <cfz@merit.edu>"
1024-bit DSA key, ID E0EBA60B, created 2001-10-10
%

3) Send your GPG signed submission to auto-dbm@radb.net.

% mail -t auto-dbm@radb.net < db-submission.txt.asc

4) DONE! You have successfully used a GPG-signed message to update an entry in the RADB.
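To show what the database side does with the file produced in step 2, here is an added Python example that is not part of this page or of IRRd. It parses a clearsigned message (undoing the dash-escaping gpg applies to lines that start with '-', RFC 4880 section 7.1), reads the issuer key ID out of the signature packet, and checks it against a maintainer's auth: lines using the before/after values from step 6. The signature is a constructed fixture: it carries a placeholder 64-bit key ID (the page only shows the short ID E0EBA60B, so the high half is zero) and dummy MPIs, so it parses but can never verify. The sample route object uses documentation prefix and ASN values.

```python
import base64
import struct

# Constructed sample update; 192.0.2.0/24 and AS64496 are documentation values, not RADB data.
SUBMISSION = (
    "route:      192.0.2.0/24\n"
    "descr:      Example route object\n"
    "origin:     AS64496\n"
    "mnt-by:     MAINT-FRAZIER\n"
    "source:     RADB\n"
)
# auth: values of MAINT-FRAZIER before and after the change made in step 6.
AUTH_BEFORE = ["MAIL-FROM cfz@merit.edu", "CRYPT-PW pfRRVg599QpLw"]
AUTH_AFTER = ["PGPKEY-E0EBA60B"]
# Placeholder long key ID: only the low 32 bits (E0EBA60B) appear on the page.
ISSUER_KEY_ID = bytes.fromhex("00000000E0EBA60B")


def fake_signature_armor(issuer: bytes) -> str:
    """Test fixture: an armored OpenPGP v4 signature packet (RFC 4880 5.2.3) holding only a
    creation-time and an issuer subpacket, with dummy MPIs. It parses but can never verify."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1002672000)  # subpacket 2: 2001-10-10 00:00 UTC
    unhashed = bytes([9, 16]) + issuer                      # subpacket 16: issuer key ID
    mpi_one = b"\x00\x01\x01"                               # 1-bit MPI holding the value 1
    body = (bytes([4, 1, 17, 2])                            # v4, type 0x01 (text), DSA, SHA-1
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + mpi_one + mpi_one)              # hash prefix, then r and s
    packet = bytes([0x88, len(body)]) + body                # old-format header: tag 2, 1-byte length
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.0.4 (SunOS)\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP SIGNATURE-----\n")


def clearsign_like(cleartext: str, issuer: bytes) -> str:
    """Lay the text out as 'gpg --clearsign' does, dash-escaping lines that start with '-',
    and append the fixture signature."""
    rows = [("- " + r if r.startswith("-") else r) for r in cleartext.rstrip("\n").split("\n")]
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + "\n".join(rows) + "\n"
            + fake_signature_armor(issuer))


def split_clearsigned(message: str):
    """Return (cleartext, armored signature), undoing dash-escaping and dropping the Hash: header."""
    lines = message.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned message")
    start = lines.index("", 1) + 1                          # body begins after the header block
    body = []
    for pos in range(start, len(lines)):
        if lines[pos] == "-----BEGIN PGP SIGNATURE-----":
            return "\n".join(body) + "\n", "\n".join(lines[pos:]) + "\n"
        body.append(lines[pos][2:] if lines[pos].startswith("- ") else lines[pos])
    raise ValueError("signature block missing")


def armor_payload(armored: str) -> bytes:
    """Base64-decode the armor body; the optional '=' CRC-24 line is skipped, not checked."""
    lines = armored.splitlines()
    data = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:lines.index("-----END PGP SIGNATURE-----")]
    data = data[data.index("") + 1:]
    return base64.b64decode("".join(r for r in data if not r.startswith("=")), validate=True)


def issuer_key_id(packet: bytes) -> str:
    """Read the 64-bit issuer key ID (subpacket type 16) out of a v4 signature packet."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet")
    header_len = {0: 2, 1: 3, 2: 5}.get(tag & 0x03)         # length-type bits: 1/2/4-byte length
    if header_len is None or packet[header_len] != 4:
        raise ValueError("only v4 signatures with a definite length are handled")
    body, pos = packet[header_len:], 4
    for _ in range(2):                                      # hashed area, then unhashed area
        area_len = struct.unpack(">H", body[pos:pos + 2])[0]
        area, pos = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        j = 0
        while j < len(area):
            sp_len = area[j]                                # one-byte length covers type + data
            if sp_len >= 192:
                raise ValueError("multi-byte subpacket lengths not handled")
            if area[j + 1] & 0x7F == 16:
                return area[j + 2:j + 1 + sp_len].hex().upper()
            j += 1 + sp_len
    raise ValueError("no issuer subpacket")


def resolve_signer(message: str, auth_values: list) -> dict:
    """What the database does before running gpg: take the issuer ID from the signature, see
    whether the maintainer's auth: lines name that key-cert, and recover the object text."""
    cleartext, signature = split_clearsigned(message)
    key_id = issuer_key_id(armor_payload(signature))
    key_cert = "PGPKEY-" + key_id[-8:]
    return {"object": cleartext, "issuer": key_id, "key_cert": key_cert,
            "listed": any(v.upper() == key_cert for v in auth_values)}


if __name__ == "__main__":
    msg = clearsign_like(SUBMISSION, ISSUER_KEY_ID)
    for label, auth in (("before step 6", AUTH_BEFORE), ("after step 6", AUTH_AFTER)):
        r = resolve_signer(msg, auth)
        print(f"{label}: signer {r['key_cert']} {'is' if r['listed'] else 'is not'} in auth:")
```

The issuer subpacket is not covered by any signature, so matching it only tells the database which key-cert to hand to gpg --verify; until that verification succeeds the update must not be applied. This is also why deleting MAIL-FROM and CRYPT-PW in step 6 matters: with them still present, the 'before' maintainer accepts the same submission without any signature at all.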

Comments and questions are welcome; please send email to radb-support@merit.edu.
