Security notes domino

Transcript of Security notes domino

  • 7/26/2019 Security notes domino

    1/54

    ID209: Lotus Notes and Domino Security: Basics and Beyond

    Kevin Lynch

    IBM Lotus Software Group

    2/54

    Agenda

    Notes and Domino Security Overview

    Single Sign On Considerations

    Feature Refresher - R6 and Beyond

    Questions & Answers

    3/54

    Challenges to Building Secure Systems

    How can I control who reads/writes information?

    How can I know you are who you say you are?

    How can I protect information from disclosure?

    How can I be sure someone really wrote information?

    4/54

    Domino Security

    Benefits

    Enhance interoperability

    Reduce cost of development, administration, ownership

    Technical Strategy - Adopt standards-based:

    data structures - certificates

    protocols - secure email

    interfaces - architecture and design

    5/54

    Notes/Domino Security

    Mutual Authentication and Validation

    Access Control Lists for servers, databases, views, documents, sections and fields

    Roles-based access control

    Encryption

    Port Encryption

    Mail Encryption

    Document Encryption

    Database Encryption

    Digital signatures

    Data integrity

    Originator authentication

    Execution Control Lists

    6/54

    ACLs and ACL-like Controls

    Access to the Network (Firewalls)

    Access to Servers

    Rights to Databases: Depositor / Reader / Author / Editor / Designer / Manager

    Rights to Documents: Reader Lists / Author Lists

    Rights to Sections

    Rights to update sections of a document can be controlled independently

    7/54

    What is a PKI?

    All of these things working together:

    Certificates

    Certificate authorities

    Directories for storing and retrieving Certificates

    Policies for deciding which certifiers to trust

    Mechanisms for authenticating endpoints, issuing certificates, and delivering them

    Some means of expiration/revocation

    8/54

    Types of Cryptography

    Secret key (aka Symmetric key)

    Same key used to encrypt and decrypt

    Public key (aka Asymmetric key)

    Each person has a pair of keys:

    Public key which is published

    Private key which is kept secret

    Public key is used to encrypt, private key to decrypt

    9/54

    Encryption for Privacy

    Secret Key Encryption (e.g. 3DES, RC2, IDEA)

    Plaintext -> Encrypt with Key A -> Ciphertext -> Decrypt with Key A -> Plaintext

    Public Key Encryption (e.g. RSA)

    Plaintext -> Encrypt with Public Key -> Ciphertext -> Decrypt with Private Key -> Plaintext

    10/54

    Encryption for Integrity and Origin Authentication

    Secret Key Signatures (a keyed message authentication code)

    Sign: Plaintext + Key -> Signature

    Verify: Plaintext + Signature + Key -> Yes/No

    Both parties hold the same key, so either could have produced the signature: integrity, but no non-repudiation

    Public Key Signatures (encrypted message digest)

    Sign: Plaintext + Private Key -> Signature

    Verify: Plaintext + Signature + Public Key -> Yes/No

    11/54

    Public Key Certificates

    A message signed by a certifier stating: "Jane Doe's public key is 4829b3d28f386h"

    Certificate Authority

    A trusted third party

    Signs certificates to demonstrate trust and assure the identity / public key association

    CA's public key must be known

    Signer of certificates (CA) must be trusted

    Server must trust signer of client cert

    Client must trust signer of server cert

    12/54

    Public Key Authentication

    Every user and server has a private/public key pair and certificate

    Certificate Authorities (and Notes certifier IDs) sign certificates

    Private key is stored in the ID file, encrypted with a password

    Public key and certificates are held in the ID file and posted in the Domino Directory

    13/54

    Notes Authentication

    Alice -> Server: I'm Alice, here are my certificates

    Server -> Alice: I'm Server, here are my certificates

    Each side: find trusted CA, check the other's public key

    Server: encrypt random challenge with Alice's public key

    Server -> Alice: If you're Alice, what's this number?

    Alice: decrypt challenge with private key

    Alice -> Server: The number was x

    Alice: encrypt random challenge with Server's public key

    Alice -> Server: If you're Server, what's this number?

    Server: decrypt challenge with private key

    Server -> Alice: The number was y

    Two-way authentication based on proof of knowledge of private key
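    The signature, certificate and challenge/response steps on the Integrity, Certificate and Notes Authentication slides above, as an added worked example for these notes (it is not Notes/Domino code and not part of the presentation). It uses textbook RSA with fixed, constructed Mersenne-prime keys and no padding, so it models the protocol rather than providing usable cryptography; the certifier /Acme, the names Alice/Acme, Server/Acme and Mallory, and the trust list are all made up for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes (no padding; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: PrivateKey, data: bytes) -> int:
    """Public-key signature: the message digest 'encrypted' with the private key."""
    return pow(digest(data, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    """Recover the digest with the public key and compare: Yes/No."""
    return pow(sig, pub.e, pub.n) == digest(data, pub.n)


@dataclass(frozen=True)
class Certificate:
    """A certifier's signed statement: 'subject's public key is (n, e)'."""
    subject: str
    key: PublicKey
    issuer: str
    sig: int

    def to_be_signed(self) -> bytes:
        return f"{self.subject}|{self.key.n}|{self.key.e}|{self.issuer}".encode()


def issue(issuer: str, ca_priv: PrivateKey, subject: str, key: PublicKey) -> Certificate:
    unsigned = Certificate(subject, key, issuer, 0)
    return Certificate(subject, key, issuer, sign(ca_priv, unsigned.to_be_signed()))


def trusted_key(cert: Certificate, trusted_cas: Dict[str, PublicKey]) -> Optional[PublicKey]:
    """'Find trusted CA, check public key': the subject's key is usable only if the
    certificate was signed by a certifier on our trust list and is unmodified."""
    ca_pub = trusted_cas.get(cert.issuer)
    if ca_pub is None or not verify(ca_pub, cert.to_be_signed(), cert.sig):
        return None
    return cert.key


def challenge(pub: PublicKey):
    """Verifier side: a fresh random number, encrypted with the claimant's public key."""
    x = secrets.randbelow(pub.n - 2) + 1
    return x, pow(x, pub.e, pub.n)


def respond(priv: PrivateKey, ciphertext: int) -> int:
    """Claimant side: 'the number was x', recovered with the private key."""
    return pow(ciphertext, priv.d, priv.n)


def authenticate(cert: Certificate, claimant_priv: PrivateKey,
                 trusted_cas: Dict[str, PublicKey]) -> bool:
    """One direction of the Notes handshake, from the verifier's point of view."""
    pub = trusted_key(cert, trusted_cas)
    if pub is None:
        return False                           # untrusted issuer or tampered certificate
    x, c = challenge(pub)
    return respond(claimant_priv, c) == x      # proof of knowledge of the private key


def mutual_auth(alice_cert, alice_priv, server_cert, server_priv, trusted_cas) -> bool:
    """Two-way authentication: each side challenges the other."""
    return (authenticate(alice_cert, alice_priv, trusted_cas)
            and authenticate(server_cert, server_priv, trusted_cas))


# Constructed keys for the demo. Mersenne primes are used only because they are
# known primes; real Notes keys are generated randomly and are far larger.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**19 - 1, 2**31 - 1)

TRUSTED = {"/Acme": CA_PUB}                      # the one certifier we trust
ALICE_CERT = issue("/Acme", CA_PRIV, "Alice/Acme", ALICE_PUB)
SERVER_CERT = issue("/Acme", CA_PRIV, "Server/Acme", SERVER_PUB)
# Mallory's own certifier is not in TRUSTED, so her certificate naming "Alice/Acme" is worthless.
FORGED_CERT = issue("/Mallory", MALLORY_PRIV, "Alice/Acme", MALLORY_PUB)
```

    What the model makes visible: the verifier hands the claimant a ciphertext and accepts the decryption, so a party that decrypts whatever it is given with its encryption key is a decryption oracle for that key. That is one reason for the dual-key split listed under R5.01 later in the deck: the key that proves identity should not be the key that protects stored mail.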

    14/54

    I'net Public Key Authentication

    Every user and every server has at least one private/public key pair and certificate, stored in a key ring file or browser

    Certificate Authorities sign certificates using standards

    X.509 V3

    PKCS

    Authentication is through SSL

    15/54

    I'net Certificate Authentication

    Alice -> Server: Hello, I'm Alice

    Server -> Alice: I'm Server, here are my certificates

    Alice: find trusted CA, check public key

    Alice: encrypt secret encryption key with Server's public key

    Alice -> Server: Here's a secret

    Server: decrypt secret key with Server's private key; use it for secure data exchange

    Server -> Alice: Send your certificates

    Alice -> Server: Here are my certificates

    Server: find trusted CA and check public key

    Secure data exchange

    Two-way authentication based on proof of knowledge of private key

    16/54

    17/54

    Why is it so difficult to achieve?

    Each application system has its own unique...

    Security system

    Directory structure

    Naming conventions

    Each company has multiple...

    Applications

    HTTP servers

    Clients

    Platforms

    18/54

    19/54

    Web Realms

    Problem: User is prompted for username and password for each directory accessed

    http://www.host.com/file.nsf

    http://www.host.com/dir/file2.nsf

    Solution: Web Realms reduce redundant password prompts

    Zone of protection in file system

    Define Web Realm in a document in the Domino Directory

    Browser caches the username and password

    20/54

    HTTP Session Authentication Support

    "Log in" occurs at authentication

    Creates unique session ID on that server

    Creates browser cookie with Session ID

    "Log out"

    Session ID is invalidated on server

    Cookie is destroyed

    Benefits

    Name and password only passed once

    Session credential (the cookie) sent every time (regardless of realm)
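    A minimal model of the log in / log out behaviour above, added for these notes; it is not Domino's session code and the slide does not describe Domino's internals. The user table, salt, password and the cookie name SessionId are constructed for the demo, and pbkdf2_hmac stands in for whatever password store a real server uses.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed user table holding password hashes, never plaintext. The fixed
# salt exists only to keep the demo deterministic.
_SALT = b"demo-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"Alice/Acme": _hash_pw("correct horse battery")}
SESSION_TTL = 30 * 60          # seconds of inactivity before a session dies
COOKIE_NAME = "SessionId"      # hypothetical cookie name for this model


def _parse_cookie(header: str) -> Dict[str, str]:
    """Parse 'Cookie: a=1; b=2' (prefix optional) into a dict."""
    body = header.split(":", 1)[1] if header.startswith("Cookie:") else header
    pairs = (part.strip().split("=", 1) for part in body.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


class SessionStore:
    """Server-side table of live sessions: session id -> (user, expiry time)."""

    def __init__(self):
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """'Log in': check the name and password once, mint an unguessable session id."""
        now = time.time() if now is None else now
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash_pw(password)):
            return None
        sid = secrets.token_urlsafe(32)          # 256 random bits, not a counter
        self._sessions[sid] = (user, now + SESSION_TTL)
        return sid

    @staticmethod
    def set_cookie(sid: str) -> str:
        """Header carrying the session id; HttpOnly and Secure keep it away from
        page scripts and plaintext HTTP."""
        return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"

    def user_for(self, cookie_header: str, now: Optional[float] = None) -> Optional[str]:
        """Every later request carries the cookie, whatever the realm; map it to a
        user, or None if the id is unknown or expired."""
        now = time.time() if now is None else now
        sid = _parse_cookie(cookie_header).get(COOKIE_NAME)
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            self._sessions.pop(sid, None)        # expired: forget it server-side too
            return None
        self._sessions[sid] = (user, now + SESSION_TTL)   # sliding expiry (modelling choice)
        return user

    def logout(self, sid: str) -> None:
        """'Log out': the server forgets the id, so a replayed cookie is worthless
        even if the browser never deleted its copy."""
        self._sessions.pop(sid, None)

    @staticmethod
    def clear_cookie() -> str:
        return f"Set-Cookie: {COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure"
```

    The point to keep from the slide is the server-side invalidation: destroying the browser cookie alone would leave a stolen copy valid until it expired. The sliding expiry is a modelling choice, not something the slide states.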

    21/54

    Domino Web Server API (DSAPI)

    C API for writing extensions to the Domino Web Server (used for SSO)

    Filter is notified when certain events occur in the web server

    Built as a shared library (for example a DLL on the Windows platform)

    Supported on all Domino Server platforms

    22/54

    Domino R5 Security Features

    X.509 V3 Certificate Support

    S/MIME and SSL in Notes Client

    API for security infrastructure (Domino Web Server API - DSAPI)

    Web Realms

    HTTP Session Authentication

    Group Management

    ACL Management

    Just In Time encryption

    Encryption of message / document upon reconnection (S/MIME and Notes mail)

    Local copy of certificates unnecessary

    23/54

    Domino R5 Security Features (cont.)

    Password Quality Testing - Domino computes effective password length

    R5.01

    Functional Separation of Keys - dual key support

    non-repudiation (authentication + signing)

    confidentiality (encryption)

    R5.02

    PKCS 12 - key ring exchange

    Token support for Domino Server

    RSA ACE/Agent for Lotus Domino

    RSA SecurID

    RSA ACE/Server

    24/54

    R6 Security Update

    25/54

    Encryption Update

    Large key support for Notes protocols

    128-bit RC4 for Notes port encryption

    128-bit RC2 for local database encryption

    Underlying changes for 1024-bit RSA keys (will allow backward compatibility)

    26/54

    User Security Dialog

    27/54

    Internet Password Management

    28/54

    Change Password Dialogs

    29/54

    Local Database Encryption by Default

    30/54

    31/54

    Domino 6 Certification Authority

    Better security

    Administrators don't need certifier ID files & passwords

    Certifiers can be password-protected on the server, either individually or as a group

    Tamper-resistant auditing of all activity

    CA Process server task

    Signs certificates when requested via the Administration Requests database (admin4.nsf)

    Maintains list of administrators who can approve certificate requests (RAs)

    Manages both Notes and Internet (X.509) certificates

    Publishes CRLs for Internet certificates, supports CDP

    Better support for X.509 extensions

    32/54

    Information on source of ESAs

    33/54

    Information on source of ESAs

    34/54

    Central Administration of User ECLs

    35/54

    Smart Card Support

    Smart Card enabled ID file

    PIN Prompt replaces password prompt

    Smart Card disables itself after 3 wrong guesses

    Internet (S/MIME) RSA key pushed onto card

    If the card is lost or destroyed, the ID file must be recovered from backup

    36/54

    Roaming User Support

    Permits use of Notes Client by downloading ID file from server

    Server never learns the user's password

    Eavesdropper cannot test guesses of user's password

    Separate expensive interaction with server for each password guessed

    37/54

    Domino Web Access support for Secure Notes Mail

    Security vs. Convenience Trade-off

    Encrypted mail normally never readable on any server

    Users' Private RSA keys protect the data

    "Solution"

    Place copy of user's ID file in mail file

    User sends password to server

    Server decrypts mail, then forgets password - 6.0.1

    Server encrypts mail, then forgets password - 6.5

    38/54

    Administrator Hierarchy

    Full Access Administrator

    Administrator

    Database Administrator

    Full Remote Console Administrator

    View-only Remote Console Administrator

    System Administrator

    Restricted System Administrator

    39/54

    Full Access Administrator

    Method to resolve access control issues

    Highest level of administrative rights on the server

    All the rights granted to "Administrators", plus:

    Manager access, with all roles and access privileges enabled, to all databases on the server, regardless of the database ACL settings

    Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF)

    Access to all documents within databases on the server, regardless of reader name field controls

    Unrestricted agent rights

    Does not allow access to encrypted data

    Enable by listing allowed entries in the Full Access Administrators field on the server document

    Select Administration\Full Access Administration from the Admin Client menu

    Because it overrides every ACL and Readers field on the server, keep the field empty except during an emergency and review it on every server document
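    The layered checks from the ACLs slide (database ACL level, then document Reader and Author lists, then encryption) together with the Full Access Administrator rights above, as an added model written for these notes; it is not Domino code. The precedence rule it uses (explicit user entry, then the highest group entry, then -Default-) is the model's own, and the HR database, users, roles and key names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Access levels in ascending order: the slide's six, plus No Access.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)             # e.g. "[HR]"
    encryption_keys: Set[str] = field(default_factory=set)   # named keys held in the ID file
    full_access_admin: bool = False

    def principals(self) -> Set[str]:
        """Names that can match ACL entries or Readers/Authors fields."""
        return {self.name, *self.groups, *self.roles}


@dataclass
class Document:
    fields: Dict[str, str]
    readers: Set[str] = field(default_factory=set)           # Readers field; empty = unrestricted
    authors: Set[str] = field(default_factory=set)           # Authors field
    encrypted: Dict[str, str] = field(default_factory=dict)  # field name -> key that protects it


class Database:
    def __init__(self, acl: Dict[str, str], default: str = "No Access"):
        self.acl = acl            # principal -> level name
        self.default = default    # the -Default- entry

    def level(self, user: User) -> int:
        """Modelled ACL rule: Full Access Administrators are Manager everywhere;
        otherwise an explicit user entry wins, then the highest group entry, then -Default-."""
        if user.full_access_admin:
            return LEVELS.index("Manager")
        if user.name in self.acl:
            return LEVELS.index(self.acl[user.name])
        via_groups = [LEVELS.index(lvl) for p, lvl in self.acl.items() if p in user.groups]
        return max(via_groups, default=LEVELS.index(self.default))

    def can_read(self, user: User, doc: Document) -> bool:
        if user.full_access_admin:
            return True                         # bypasses the ACL and Readers fields
        if self.level(user) < LEVELS.index("Reader"):
            return False                        # Depositor may create, never read
        if doc.readers and not (user.principals() & (doc.readers | doc.authors)):
            return False                        # a Readers field binds even Managers
        return True

    def can_edit(self, user: User, doc: Document) -> bool:
        if user.full_access_admin:
            return True
        if not self.can_read(user, doc):
            return False
        lvl = self.level(user)
        if lvl >= LEVELS.index("Editor"):
            return True
        # Author level: only documents naming the user in an Authors field
        return lvl == LEVELS.index("Author") and bool(user.principals() & doc.authors)

    def readable_fields(self, user: User, doc: Document) -> Dict[str, str]:
        """What the user actually sees: an encrypted field needs the named key,
        and no administrative right substitutes for it."""
        if not self.can_read(user, doc):
            return {}
        return {name: value for name, value in doc.fields.items()
                if name not in doc.encrypted or doc.encrypted[name] in user.encryption_keys}


# Constructed sample: an HR database and one salary review document.
HR = Database({"Alice/Acme": "Author", "HR Staff": "Editor",
               "Bob/Acme": "Reader", "Eve/Acme": "Manager"})
REVIEW = Document(
    fields={"Subject": "Annual review", "Salary": "<ciphertext>"},
    readers={"[HR]", "Alice/Acme"},
    authors={"Alice/Acme"},
    encrypted={"Salary": "HR Salary Key"},
)
ALICE = User("Alice/Acme")                                   # subject of the review
BOB = User("Bob/Acme")                                       # Reader, but not in the Readers field
CAROL = User("Carol/Acme", groups={"HR Staff"}, roles={"[HR]"},
             encryption_keys={"HR Salary Key"})              # Editor via group, holds the key
EVE = User("Eve/Acme")                                       # Manager, still shut out by Readers
DAN = User("Dan/Acme", full_access_admin=True)               # not in the ACL at all
```

    Two things the sample shows that a table of levels does not: the Readers field shuts out Eve even though she is a Manager, and Dan's full access gets him the document but not the encrypted Salary field, because that needs the named key in his ID file.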

    40/54

    41/54

    Q&A

    42/54

    BACKGROUND SLIDES

    43/54

    Full Access Administrators

    44/54

    Same as Local Access

    Manager access to all databases on server, regardless of ACL

    All programmability rights

    All passthru rights

    Issue OS-level commands

    For Emergency Use Only

    45/54

    46/54

    Remote Console Administrators

    47/54

    Full -- Any console command

    View-only -- safe subset of commands

    SHOW SERVER, SHOW STATS, SHOW TASKS

    Cannot affect server performance

    Neither can maintain databases

    System Administrators

    48/54

    Issue operating system commands

    Including server restart

    Requires the new Domino Server Controller running on the server

    Restricted -- restricted subset of commands

    Agent Security -- R5

    49/54

    Agents run with the rights of their signer

    Allows unprivileged agents on servers

    Out of office agent

    Special privileged signers

    Can only access databases local to the server where the agent is running

    Server can only authenticate as itself to another server

    Agent Security

    50/54

    Server can sign agent "On Behalf of" user

    Enable out of office agent via the web

    Agent can open off-server databases

    ...if its server is privileged on the remote server

    Unrestricted agent can choose to bypass ACLs locally

    51/54

    52/54

    Windows NT/2000 Single Logon

    53/54

    Works with other Windows single logon programs

    Manages password sync bidirectionally

    Once synced, NSL catches the password change from either Windows or Notes and pushes it to the other

    If changed in Windows, the change will be held and pushed to Notes upon startup

    If configured for Notes/Internet password sync, the change will update HTTPPassword in the person document also

    Future Considerations

    54/54

    Support for 1024-bit RSA keys for Notes protocols

    128-bit RC2 support for bulk encryption keys and named encryption keys

    Administration tools to automate large key generation for existing Notes users

    Support use of Internet keys pre-installed on smartcards

    Support crypto accelerators

    Support for Internet hierarchies in CA

    Support for additional S/MIME features