WHOIS Crypt
Protecting your data in the AFRINIC Database
Important: Please note that CRYPT-PW and MD5-PW are now deprecated. As such they may not be used in new DB objects or any future updates. For the time being, existing CRYPT-PW or MD5-PW secured maintainer objects can still be used for authentication. Future releases of the WHOIS DB may remove support completely. If you have a CRYPT or MD5 protected password in your maintainer object, please update it to a BCRYPT-PW as soon as possible.
BCRYPT-PW:
This method takes an argument consisting of a bcrypt-hashed password. When requesting a mntner object, the user must include an "auth:" attribute with a value corresponding to a Unix style encrypted password and the BCRYPT-PW keyword: auth: BCRYPT-PW
When submitting an update by e-mail to create, modify or delete an object protected by a maintainer using this method, the message sent to the database server must include a line containing: "password:"
This pseudo attribute must be in the body of the e-mail message. If it is a multipart MIME message it must also be in the same MIME part as the object. Other than these restrictions, it may appear anywhere in the message in relation to the objects. It only needs to appear once in the message even if the update contains several objects protected by the same maintainer.
If this password, when hashed, matches the one stored in the mntner object, the update will be allowed. Otherwise it will be refused.
We recommend you to use the above Whois Crypt tool to generate a BCRYPT-PW password. bcrypt is not vulnerable to rainbow tables or brute-force attacks and it is unbroken to date. However, it is crucial that you choose a good password that is not easy to guess. Note that there are two types of attacks:
- Password cracking. An attacker might guess the password either by checking it against dictionaries or by trying all possible combinations.
- Mail snooping. As the update message contains the password in clear text, there is a chance that the password will be seen if the message is intercepted in transit between the user's system and the database server machine. To avoid that, you might want to use PGP or X.509 (see below).