Consequent to the community's request in December 2012, the AFRINIC whois database will no longer display hashes of MD5 and CRYPT encrypted passwords in all mntner (whois database) objects.
Currently, majority of objects in the AFRINIC whois database are protected by and authenticate through a mechanism that uses clear text passwords encrypted with the md5 algorithm for authentication. There are two major concerns with this method:
- The md5-hashed password has traditionally been visible in all mntner objects. This makes it vulnerable to crackers, given that computers these days are armed with more than enough processing power to unhash these passwords in a relatively short time.
- When performing a whois database update, plain text passwords are attached into the objects to be updated and sent by email to the whois database. This introduces a possibility for the password to be sniffed in case there is no form of encryption between the sender, recipient and their relaying Mail Transfer Agents.
AFRINIC has enabled a filter in the whois database such that whois queries do not display those hashes again. This mitigates the potential for anyone to run a simple script or program that will crack these passwords, as they are no longer visible.
2) Updating objects in the whois database
There are basically two scenarios to consider:
- Modifying an existing mntner whois database object, which already has the hash filters applied.
- Authenticating against a maintainer object to update its protected object, and, creating, modifying or deleting child objects protected by the parent object's mnt-lower or (mnt-domains).
2.1) Modifying a mntner object
The process to create a new mntner object remains completely unchanged. However, once created, modifying and deleting an existing mntner requires the object owner to have access to the md5 and/or CRYPT hash that was used to create the mntner in the first place if the modifications involve other attributes.
It is therefore important that the hash be kept by the object owner for future retrieval when updating existing mntner objects. Below are examples of mntner objects, showing the previously unfiltered hash in the top object, and the new format at the bottom object, showing the hashes filtered.
Below are examples of mntner objects, showing the previously unfiltered hash in the top object, and the new format at the bottom object, showing the hashes filtered.
To modify an existing mntner:
a) Query the AFRINIC whois database for your object, add the hash to the result and send it to the server for updating, as follows:
- Go to https://afrinic.net/en/services/whois-query
- Type your object into the search form with the "-B" option prepended, such that attributes containing e-mail addresses are not filtered (a default measure to fight e-mail harvesting).
- The same web-based search can be used by the command line lovers by typing the following (using a Unix or Linux whois client):
whois –h whois.afrinic.net –r –B ISP1-MNT
- Copy the object into the body of a new-email.
b) If the e-mail returned by the server indicates that the update failed, there is a possibility that the hash was wrong (in which case a syntax error will appear in the bounce) or the clear text password was not correct (this will be shown as an authentication error)
c) In case you cannot retrieve your md5 hash (but know your plain text password that was used to generate the hash), it is possible to simply re-generate a new hash of the same password.
Please browse to the "Tools" section of our website, select the CRYPT/MD5 Password Tool, enter your plain text password and click "Generate".
The generated hash can be copied and pasted into your mntner object and submitted for update as usual.
- Your e-mail should contain an md5 hash of your preferred (new) password generated per step (c) above.
- The password change request must come from an authorized contact. If there has been change of contacts, we shall request an official signed letter from a senior executive of your organization detailing the new contacts.
3) Using PGP authentication (instead of md5 and CRYPT-PW)
In addition to MD5, the AFRINIC whois database supports PGP for authenticating whois database updates. In contrast to MD5, PGP provides stronger encryption techniques and guarantees that the signed update message was not tampered with. It is works by using a pair of keys generated by the user. The public key is uploaded to the whois database inside a key-cert object, and the user's email updates are signed using the private key on the user's device.
Since most whois database updates are submitted by e-mail, the only way to guarantee security is by using PGP, which AFRINIC strongly recommends to our members and the community.
This is because with the MD5 method, updates submitted by email are authenticated by the user inserting a clear text password in the e-mail body. Despite using technologies like SSL and TLS, AFRINIC has no control over all the stages that an e-mail goes through before final delivery to our whois server.
Combining different auth mechanisms
The whois database supports use of multiple authorization mechanisms in one mntner object. If an object is protected with a mntner that contains multiple md5 passwords and PGP keys, any one of the correct passwords or PGP-signed emails will authenticate. The mntner object captured below contains two "auth" attributes for both md5 and PGP authentication mechanisms. Either of the attributes can be used to authorize updates.
descr: Maintainer Toto telecom
auth: MD5-PW $1$09nxAH88$ZaDWuXGdly2boQi69atbN.
4) FAQ: Filtered MD5 Hashes
- Why did AFRINIC decide to hide the MD5 hash?
Because some one can crack it using any computer or even smartphone. Hiding it provides a deterrent from crackers trying all sorts of things on your hash.
- Can I update a mntner object without inserting the md5 hash?
No. You must replace the "FILTERED" string in the auth attribute with the actual encrypted hash otherwise the update will fail.
- I have forgotten my md5 hash.
If you remember the plain text password instead, please use our online md5 encrypted password generator. A different hash of the same password will be generated which can be used to update (but not delete) the object
- I know my plain text password. How can I get my md5 hash?
By using our online encrypted password generator. Please note the hash will always be different, as it's generated based on a timestamp.
- MD5 seems insecure. Are there other options?
You can use PGP, which involves using a pair of keys. More information about using PGP with the AFRINIC whois database can be found here.
- I forgot my password. Can you reset it?
- Can I still create customer assignments without knowing the hash?
Yes. All you need is to submit those assignments along with a clear text password to the whois database. You can even use MYAFRINIC for that.
- Does rDNS still work as before?
Yes. All other objects as well as whois database update procedures remain unchanged. Only mntner objects are affected, in that you need to have that hash handy whenever you must edit your mntner (which is not very common).
- How do I use PGP with the AFRINIC whois database?
Having generated your PGP key-pairs, export your public key into the whois database using a key-cert object. Then sign all your database updates using your private key. Please look here for more information.
- Can I use both PGP and MD5 encryption concurrently?
Yes. Either of the authenticated mechanisms will work if specified in a given mntner object.
- How can I get additional help?