[service] Improving Security of the API Key Management in the LIR Portal
Dear colleagues,

If you are users of the API Key Management section in the LIR Portal (https://lirportal.ripe.net/api/) or if you use the API to submit resource requests, access "IP Analyser", "My Resources" or manage your ROAs, then please continue reading. Otherwise, this message should not concern you.

During a recent security review of the LIR Portal, we identified that the API Keys created in the LIR Portal are stored in plain text. This functionality was developed in this way so that users are able to retrieve the keys even after they have created them. However, this poses a risk from a security point of view, because these API Keys are used for authentication and authorisation purposes. These keys should not be stored in plain text.

Because there is no indication that the existing API Keys were leaked, and because we do not want to create any operational problems for the API users, we decided not to drop the existing keys. Therefore, your scripts will continue to work and *no change is needed from you*.

However, we made the following changes:

1. We hashed all the existing API key values and updated the way the LIR Portal authenticates the keys accordingly.

2. We changed the User Interface in the LIR Portal, so that when a user creates an API key, the value is displayed only once to the user, and the hashed value is stored in the database.

3. Up until now, the keys had to be passed to the request as a URL parameter. Now, the above-mentioned APIs also accept the API Key as a request header value. We strongly recommend using the header to pass the API Key value, so that the key is not stored in any server logs.

You can find more information in the API Key management section in the LIR Portal.

After this change, neither you nor the RIPE NCC can recover the existing keys from the LIR Portal. You can always create new keys, configure them in your scripts, and drop the old ones.

Based on our risk evaluation, we plan to act similarly for API Keys used in other services.

Please let us know if you have any questions regarding this change.

Best regards,

Theodoros Polychniatis
Assistant Manager Software Engineering Department
RIPE NCC
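The three changes announced above (hashing existing keys, showing a new key only once, and accepting the key in a request header so it stays out of access logs), worked through as an added example; this is illustrative code, not the LIR Portal's implementation, and the parameter name `apikey` and header name `X-Api-Key` are assumptions, since the announcement names neither.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for the portal database: only SHA-256 digests of keys are kept,
# so neither the operator nor the user can recover a key from storage afterwards.
HASHED_KEYS = set()

# Assumed names: the announcement names neither the URL parameter nor the header.
LEGACY_QUERY_PARAM = "apikey"
API_KEY_HEADER = "X-Api-Key"


def hash_key(api_key: str) -> str:
    """Keys are long random strings, so a plain SHA-256 digest (no salt) is sufficient."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def migrate_plaintext_key(plaintext: str) -> None:
    """Change 1: replace a stored plaintext key with its digest; the key itself stays valid."""
    HASHED_KEYS.add(hash_key(plaintext))


def create_key() -> str:
    """Change 2: generate a key, store only its digest, and hand the plaintext out exactly once."""
    api_key = secrets.token_urlsafe(32)
    HASHED_KEYS.add(hash_key(api_key))
    return api_key


def authenticate(presented: str) -> bool:
    """Hash the presented key and look the digest up; plaintext is never stored or compared."""
    return hash_key(presented) in HASHED_KEYS


def extract_key(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Change 3: prefer the header; fall back to the legacy URL parameter for old scripts."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get(API_KEY_HEADER.lower()) or query.get(LEGACY_QUERY_PARAM)


def access_log_line(path: str, query: Dict[str, str]) -> str:
    """Typical access logs record the request line (query string included) but not headers,
    which is why a key passed as a URL parameter ends up in server logs."""
    qs = "&".join(f"{k}={v}" for k, v in query.items())
    return f"GET {path}{'?' + qs if qs else ''} HTTP/1.1 200"
```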