Hi! Why not to hide crypted password in mntner objects from public queries? It is so easy to crack now. -- WBR, Maxim V. Tulyev (MT6561-RIPE, 2:463/253@FIDO)
Max,
Why not to hide crypted password in mntner objects from public queries?
Action Item 52.5 <http://www.ripe.net/ripe/wg/db/db-actions.html> is to not only hide CRYPT-PW, but deprecate it completely -- for security reasons. Your support (and remindeer :-) is welcome. -Peter
Peter, Do you really thinking MD5 much safer? ;) It is not. It is good idea even to hide PGP key data (open key) because why we need to provide extra data to evil persons? Peter Koch wrote:
Max,
Why not to hide crypted password in mntner objects from public queries?
Action Item 52.5 <http://www.ripe.net/ripe/wg/db/db-actions.html> is to not only hide CRYPT-PW, but deprecate it completely -- for security reasons. Your support (and remindeer :-) is welcome.
-Peter
-- WBR, Maxim V. Tulyev (MT6561-RIPE, 2:463/253@FIDO)
On Jul 24, Max Tulyev <president@ukraine.su> wrote:
It is good idea even to hide PGP key data (open key) because why we need to provide extra data to evil persons? http://en.wikipedia.org/wiki/Kerckhoffs%27_principle
HTH. -- ciao, Marco
Marco d'Itri wrote:
On Jul 24, Max Tulyev <president@ukraine.su> wrote:
It is good idea even to hide PGP key data (open key) because why we need to provide extra data to evil persons?
http://en.wikipedia.org/wiki/Kerckhoffs%27_principle
HTH.
http://www.google.ru/search?q=RSA+factoring+crack&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox&rls=org.mozilla:en-US:unofficial ;) -- WBR, Maxim V. Tulyev (MT6561-RIPE, 2:463/253@FIDO)
Dear db-wg@ripe.net, [24.07.2006 19:37] Marco d'Itri wrote: MdI> On Jul 24, Max Tulyev <president@ukraine.su> wrote:
It is good idea even to hide PGP key data (open key) because why we need to provide extra data to evil persons? MdI> http://en.wikipedia.org/wiki/Kerckhoffs%27_principle
As I understand, Max is probably concerned that open MD5 hashes provide an easy way to conduct offline attacks - bruteforce or more effective (esp. with recent reports of MD5 not being as strong as supposed). As far as bruteforce is concerned, offline attacks are most dangerous, because the speed is limited only by the attacker's available processing power, whereas an authentication server could impose delays, detect and block abnormal volume of requests, etc. This seems to be the same consideration as the one behind shadowing /etc/passwd. e.g. in FreeBSD: -rw------- 1 root wheel /etc/master.passwd <-- Contains MD5 hashes -rw-r--r-- 1 root wheel /etc/passwd Best Regards, Alexander Yemelyanov, Comintern I.S.P.
Hello All, At the first place it is a good Idea to removed MD5-Hashes from public view. But there a some stuff that should be though of. - At the moment you have to supply the hole object if you delete an object. -> So you have to store the origin object locally. -> Is it a good Idea to remove an object when someone submitting it without the crypted pw's ? - How can you remove password in this case? -> Simply by submitting the object without the auth attributes that contain MD5-PW's is IMHO error prone. I decided (in 2005) to remove the MD5-PW at all. We just use pgp keys andfor fallback the X509 cert from the LIR Portal. The lir Portal account uses also PKI login and has as fallback a password. And if the worse case happens, you could ask the hostmaster@ripe.net to unlock the maintainer for you. But IMHO the worse case doesn't happen all to often. Anyway the RIPE-NCC should considere to bill cases if somebody ask twice a day:-) IMHO you should not remove the PGP-Keys and the X509 Cert from public view. It see no sercurity reasons for this. with kind regards || Mit freundlichen Gruessen i.A. Markus Werner -- WOBCOM GmbH - IP-Services (W8) phone: +49.5361.189-473 Hesslinger Str. 1-5, D-38440 Wolfsburg faxno: +49.5361.189-199
Markus Werner wrote:
IMHO you should not remove the PGP-Keys and the X509 Cert from public view. It see no sercurity reasons for this.
For now it is probably safe to show your public keys. But processor power is growing almost exponentially as well as quality of factoring algorythms. Somedays ago we also believed CRYPT-PW is safe ;) -- WBR, Maxim V. Tulyev (MT6561-RIPE, 2:463/253@FIDO)
Hi I have just been thinking about this discussion and have a suggestion. I have not thought it all the way through the code so it is only an idea at this stage. We can obscure the authentication information from mntner, key-cert and irt objects and make it no longer publically accessible. This would initially give rise to the problems illustrated below. We can get round these problems using dbupdate. We can add a new keyword 'full' to be used in the subject line of an e-mail update or entered through webupdates/syncupdates. If this keyword is used and at least the primary keys and source attributes are supplied with correct authentication, dbupdate can return the full object from the database. This effectively makes dbupdate a query mechanism. But this would only need to be done for modifications and deletions of mntner, key-cert and irt objects. These are only a small percentage of the updates we receive. This is not a proposal, it is just an idea. If there is any interest in the idea then we can spend some time looking at it in more detail. regards denis Software Engineering Department RIPE NCC Markus Werner wrote:
Hello All,
At the first place it is a good Idea to removed MD5-Hashes from public view. But there a some stuff that should be though of.
- At the moment you have to supply the hole object if you delete an object. -> So you have to store the origin object locally. -> Is it a good Idea to remove an object when someone submitting it without the crypted pw's ?
- How can you remove password in this case? -> Simply by submitting the object without the auth attributes that contain MD5-PW's is IMHO error prone.
I decided (in 2005) to remove the MD5-PW at all. We just use pgp keys andfor fallback the X509 cert from the LIR Portal. The lir Portal account uses also PKI login and has as fallback a password.
And if the worse case happens, you could ask the hostmaster@ripe.net to unlock the maintainer for you. But IMHO the worse case doesn't happen all to often. Anyway the RIPE-NCC should considere to bill cases if somebody ask twice a day:-)
IMHO you should not remove the PGP-Keys and the X509 Cert from public view. It see no sercurity reasons for this.
with kind regards || Mit freundlichen Gruessen
i.A. Markus Werner
Max Tulyev wrote:
Do you really thinking MD5 much safer? ;) It is not.
the "sense of the room" was that CRYPT-PW was by far the weakest authentication mechanism and security improvements should start with deprecating this particular method without ignoring problems in MD5, i.e. PGPKEY/X.509 would be recommended. That's what already happens in <http://www.ripe.net/db/support/security/>. The reasons for keeping MD5-PW for the moment are minuted <http://www.ripe.net/ripe/wg/db/minutes/ripe-51.html> <http://www.ripe.net/ripe/wg/db/minutes/ripe-52.html>
It is good idea even to hide PGP key data (open key) because why we need to provide extra data to evil persons?
IIRC the reason not to hide any attributes was operational, i.e. it should be easy to fetch-edit-submit an object without the danger of accidentally losing one auth mechanism in those cases where an object allows more than one. -Peter
Peter Koch wrote:
IIRC the reason not to hide any attributes was operational, i.e. it should be easy to fetch-edit-submit an object without the danger of accidentally losing one auth mechanism in those cases where an object allows more than one.
Hm. It sounds reasonable. But we can make another object holding password like key-cert: for pgp-key. And in that object (which can be invisible for anonymous users) password will be placed. In mntner we will put that object instead of crypted password. -- WBR, Maxim V. Tulyev (MT6561-RIPE, 2:463/253@FIDO)
participants (6)
-
Alexander Yemelyanov
-
Denis Walker
-
Markus Werner
-
Max Tulyev
-
md@Linux.IT
-
Peter Koch