Security at the RRI
Security
DENIC uses TLS (with host name checking as specified in RFC 6125) to safeguard the Realtime Registry Interface (RRI). This covers the requirements for server authentication, message integrity and confidentiality through encryption.
The server authenticates itself to the client with an X.509 version 3 certificate, which the client can validate.
The client authenticates itself to the server with a user name and password.
Validation of Server Certificate
When communicating with DENIC's RRI server you must always use a TLS-encrypted connection. The certificate used for this connection also lets you check that you are indeed connected to DENIC's RRI server and not to some other party. Three different alternatives are available for validation.
- No validation: You are not in any way forced to check/validate the RRI server certificate. However, if you do not carry out any validation, you will never have any guarantee that you are really connected to DENIC's RRI server. Performing no validation represents a security risk, so DENIC does not recommend this method!
- Validation via the Root-CA (the method that DENIC recommends): When validation is performed against the root certification authority (Root-CA), a check is made of which certification authority signed the RRI server certificate. Currently, the RRI server certificate is signed by a CA which in turn has been signed by several superordinate certification authorities. You should therefore process requests as follows:
- Initialize TLS
- Load the root certificate, if necessary (note that the root certificate is not currently included in every library's trust store, for example not in OpenSSL's)
- Open the TCP connection
- Start TLS
- Check the certificate (chain to the Root-CA, host name check as in RFC 6125)
- Send your request
- Read the response
- Close the connection
- End TLS
The advantage of this method is that, when DENIC renews its certificate, there is usually no need for the client to take any action at all, even if there is a change in the certification authority.
Transport encryption
The RRI server offers the following cipher suites and TLS protocols in all environments (live and test):
| TLS version | Key length | Cipher suite | Key exchange | Note |
|---|---|---|---|---|
| 1.3 | 128 bit | TLS_AES_128_GCM_SHA256 | Curve 25519 DHE 253 | preferred |
| 1.2 | 256 bit | ECDHE-RSA-AES256-GCM-SHA384 | Curve 25519 DHE 253 | preferred |
| 1.2 | 256 bit | DHE-RSA-AES256-GCM-SHA384 | DHE 1024 bits | |
| 1.2 | 256 bit | ECDHE-RSA-AES256-SHA384 | Curve 25519 DHE 253 | |
| 1.2 | 256 bit | DHE-RSA-AES256-SHA256 | DHE 1024 bits | |
| 1.2 | 128 bit | AES128-SHA | | |
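The following is an added example, not DENIC's code, written to show how a client implements the validation walkthrough from the "Validation of Server Certificate" section and how it checks the negotiated cipher against the table above. It places the "no validation" alternative beside the recommended Root-CA validation so the difference in settings is visible. The host name, port and CA file path are placeholders (the page does not give them), and the message framing in `exchange` is an assumption that must be replaced by what the RRI protocol specification prescribes.

```python
"""Added example (not DENIC's code): TLS client set-up following the RRI
validation walkthrough, plus a check of the negotiated cipher suite."""
import socket
import ssl
from typing import Optional

# Placeholder endpoint; the real RRI host name and port are not given on this page.
RRI_HOST = "rri.example.invalid"
RRI_PORT = 443

# Cipher suites from the table on the page, mapped to whether the key exchange is
# ephemeral (forward secrecy). AES128-SHA uses static RSA key exchange.
DOCUMENTED_CIPHERS = {
    "TLS_AES_128_GCM_SHA256": True,        # TLS 1.3: key exchange is always ephemeral
    "ECDHE-RSA-AES256-GCM-SHA384": True,
    "DHE-RSA-AES256-GCM-SHA384": True,     # DHE with a 1024-bit group (see note below)
    "ECDHE-RSA-AES256-SHA384": True,
    "DHE-RSA-AES256-SHA256": True,         # DHE with a 1024-bit group
    "AES128-SHA": False,                   # RSA key exchange, no forward secrecy
}


def build_unvalidated_context() -> ssl.SSLContext:
    """Alternative 1 from the text ("no validation"): the connection is encrypted,
    but any certificate from any server is accepted, so nothing proves the peer
    is DENIC's RRI server. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_validated_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Alternative 2 (recommended): verify the chain up to a trusted Root-CA and
    match the certificate against the host name (RFC 6125). `cafile` is the
    'load the root certificate' step for libraries whose trust store does not
    already contain it; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # the server only offers 1.2 and 1.3
    return ctx


def validation_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that decide whether validation happens."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def classify_cipher(name: str) -> str:
    """'documented-fs', 'documented-no-fs' or 'undocumented' for a negotiated
    cipher name as returned by SSLSocket.cipher()[0]."""
    if name not in DOCUMENTED_CIPHERS:
        return "undocumented"
    return "documented-fs" if DOCUMENTED_CIPHERS[name] else "documented-no-fs"


def open_rri_tls(host: str, port: int, ctx: ssl.SSLContext,
                 timeout: float = 10.0) -> ssl.SSLSocket:
    """Steps 'open the TCP connection' and 'start TLS'. With the validated
    context, a chain that does not end at a trusted Root-CA or a host name
    mismatch raises ssl.SSLCertVerificationError, which is the outcome we want
    when the peer is not DENIC's RRI server."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname drives SNI and the RFC 6125 host name check
        return ctx.wrap_socket(raw, server_hostname=host)
    except OSError:          # ssl.SSLError is a subclass of OSError
        raw.close()
        raise


def exchange(tls: ssl.SSLSocket, request: bytes) -> bytes:
    """Steps 'send your request', 'read the response', 'close the connection'.
    Assumption: the RRI message framing is not described on this page, so this
    reads until the server closes the connection; adapt it to the RRI protocol
    specification."""
    try:
        tls.sendall(request)
        chunks = []
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        tls.close()


if __name__ == "__main__":
    print("no validation:", validation_summary(build_unvalidated_context()))
    print("validated:    ", validation_summary(build_validated_context()))
    try:
        tls = open_rri_tls(RRI_HOST, RRI_PORT, build_validated_context())
        name, proto, bits = tls.cipher()
        print(f"{proto} {name} ({bits} bit): {classify_cipher(name)}")
        tls.close()
    except OSError as exc:   # placeholder host: a failure is expected here
        print("connection failed:", exc)
```

`classify_cipher` flags `AES128-SHA` because its static RSA key exchange gives no forward secrecy, and the comments mark the two DHE-RSA rows because their 1024-bit groups are below the 2048 bits that OpenSSL security level 2 requires; a client configured that way will negotiate one of the ECDHE or TLS 1.3 suites instead.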