Security notes domino
7/26/2019 Security notes domino
1/54
ID209: Lotus Notes and Domino Security: Basics and Beyond
Kevin Lynch
IBM Lotus Software Group
-
Agenda
Notes and Domino Security Overview
Single Sign On Considerations
Feature Refresher - R6 and Beyond
Questions & Answers
-
Challenges to Building Secure Systems
How can I control who reads/writes
information?
How can I know you are who you say you are?
How can I protect information from disclosure?
How can I be sure someone really wrote
information?
-
Domino Security
Benefits
Enhance interoperability
Reduce cost of development, administration,
ownership
Technical Strategy - Adopt standards-based
data structures - certificates
protocols - secure email
interfaces - architecture and design
-
Notes/Domino Security
Mutual Authentication and Validation
Access Control Lists for servers, databases, views,
documents, sections and fields
Roles-based access control
Encryption
Port Encryption
Mail Encryption
Document Encryption
Database Encryption
Digital signatures
Data integrity
Originator authentication
Execution Control Lists
-
ACLs and ACL-like Controls
Access to the Network (Firewalls)
Access to Servers
Rights to Databases
Depositor / Reader / Author / Editor / Designer / Manager
Rights to Documents
Reader Lists / Author Lists
Rights to Sections
Rights to update sections of a document can be
controlled independently
-
What is a PKI?
All of these things working together:
Certificates
Certificate authorities
Directories for storing and retrieving Certificates
Policies for deciding which certifiers to trust
Mechanisms for authenticating endpoints, issuing
certificates, and delivering them
Some means of expiration/revocation
-
Types of Cryptography
Secret key (aka Symmetric key)
Same key used to encrypt and decrypt
Public key (aka Asymmetric key)
Each person has a pair of keys:
Public key which is published
Private key which is kept secret
Public key is used to encrypt, private key to decrypt
-
Encryption for Privacy
Secret Key Encryption (e.g. 3DES, RC2, IDEA)
Plaintext -> Encrypt (Key A) -> Ciphertext -> Decrypt (Key A) -> Plaintext
Public Key Encryption (i.e. RSA)
Plaintext -> Encrypt (Public Key) -> Ciphertext -> Decrypt (Private Key) -> Plaintext
-
Encryption for Integrity and Origin Authentication
Secret Key Signatures
Plaintext -> Sign (Key) -> Signature; Plaintext + Signature -> Verify (Key) -> Yes/No
Public Key Signatures (encrypted message digest)
Plaintext -> Sign (Private Key) -> Signature; Plaintext + Signature -> Verify (Public Key) -> Yes/No
-
Public Key Certificates
A message signed by a certifier stating: "Jane Doe's public key is 4829b3d28f386h"
Certificate Authority
A trusted third party
Sign certificates to demonstrate trust and assure
identity and public key assoc.
CA's public key must be known
Signer of certificates (CA) must be trusted
Server must trust signer of client cert
Client must trust signer of server cert
-
Public Key Authentication
Every user and server has private/public key pair and
certificate
Certificate Authorities (and Notes certifier IDs) sign certificates
Private key is stored in ID file encrypted with a
password
Public key and certificates are held in ID file and posted
in the Domino directory
-
Notes Authentication
Alice -> Server: I'm Alice, here are my certificates
Server -> Alice: I'm Server, here are my certificates
Both sides: Find trusted CA, check public key
Server: Encrypt random challenge with Alice's public key
Server -> Alice: If you're Alice, what's this number?
Alice: Decrypt challenge with private key
Alice -> Server: The number was x
Alice: Encrypt random challenge with Server public key
Alice -> Server: If you're Server, what's this number?
Server: Decrypt challenge with private key
Server -> Alice: The number was y
Two-way authentication based on proof of knowledge of private key
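The certificate check and challenge-response steps of this slide, as an added example that is not from the presentation or from Notes itself. It uses toy textbook RSA (no padding, tiny constructed keys) purely to show why a presented certificate alone proves nothing without the matching private key; all function and variable names are assumptions.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Toy textbook-RSA key from two known primes (illustration only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(name, n, modulus):
    h = hashlib.sha256(f"{name}:{n}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def certify(certifier, name, subject_n):
    """Certifier signs the statement '<name>'s public key is <subject_n>'."""
    sig = pow(digest(name, subject_n, certifier["n"]), certifier["d"], certifier["n"])
    return {"name": name, "n": subject_n, "sig": sig}

def cert_valid(cert, trusted_n):
    """'Find trusted CA, check public key': verify the certifier's signature."""
    return pow(cert["sig"], E, trusted_n) == digest(cert["name"], cert["n"], trusted_n)

def challenge_ok(trusted_n, cert, prover_key):
    """Verifier encrypts a random number to the certified public key;
    the prover can return it only with the matching private key."""
    if not cert_valid(cert, trusted_n):
        return False
    x = secrets.randbelow(cert["n"] - 2) + 2
    challenge = pow(x, E, cert["n"])                           # verifier side
    answer = pow(challenge, prover_key["d"], prover_key["n"])  # prover side
    return answer == x

def mutual_auth(trusted_n, a_cert, a_key, b_cert, b_key):
    """Both directions must succeed for two-way authentication."""
    return challenge_ok(trusted_n, a_cert, a_key) and challenge_ok(trusted_n, b_cert, b_key)

# Constructed sample keys built from Mersenne primes (far too weak for real use).
M19, M31, M61, M89, M107, M127, M521, M607 = (
    2**k - 1 for k in (19, 31, 61, 89, 107, 127, 521, 607))
CERTIFIER = keypair(M521, M607)
ALICE, SERVER, MALLORY = keypair(M61, M89), keypair(M107, M127), keypair(M19, M31)
ALICE_CERT = certify(CERTIFIER, "Alice", ALICE["n"])
SERVER_CERT = certify(CERTIFIER, "Server", SERVER["n"])
FORGED_CERT = certify(MALLORY, "Alice", MALLORY["n"])  # signed by an untrusted key

if __name__ == "__main__":
    print(mutual_auth(CERTIFIER["n"], ALICE_CERT, ALICE, SERVER_CERT, SERVER))
    print(challenge_ok(CERTIFIER["n"], ALICE_CERT, MALLORY))   # copied cert, wrong key
    print(challenge_ok(CERTIFIER["n"], FORGED_CERT, MALLORY))  # untrusted signer
```

The second call fails at the challenge step and the third fails at the certificate check, which are the two distinct things the exchange verifies.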
-
I'net Public Key Authentication
Every user and every server has at least one
private/public key pair and certificate, stored in key
ring file or browser
Certificate Authorities sign certificates using standards
X.509 V3
PKCS
Authentication is through SSL
-
I'net Certificate Authentication
Alice -> Server: Hello, I'm Alice
Server -> Alice: I'm Server, here are my certificates
Alice: Find trusted CA, check public key
Alice: Encrypt secret encryption key with server public key
Alice -> Server: Here's a secret
Server: Decrypt secret key with Server private key - use for secure data exchange
Server -> Alice: Send your certificates
Alice -> Server: Here are my certificates
Server: Find trusted CA and check public key
Alice <-> Server: Secure data
Two-way authentication based on proof of knowledge of private key
-
Why is it so difficult to achieve?
Each application system has its own unique...
Security system
Directory structure
Naming conventions
Each company has multiple...
Applications
HTTP servers
Clients
Platforms
-
Web Realms
Problem: User is prompted for username and password for each directory accessed
http://www.host.com/file.nsf
http://www.host.com/dir/file2.nsf
Solution: Web Realms reduce redundant password prompts
Zone of protection in file system
Define Web Realm in document in the Domino
Directory
Browser caches the username and password
-
HTTP Session Authentication Support
"Log in"
Occurs at authentication
Creates unique session ID on that server
Creates browser cookie with Session ID
"Log out"
Session ID is invalidated on server
Cookie is destroyed
Benefits
Name and password only passed once
Credential sent every time (regardless of realm)
-
Domino Web Server API (DSAPI)
C API for writing extensions to Domino
Web Server (used for SSO)
Filter is notified when certain events
occur in web server
Built as shared library (for example, a DLL on the Windows platform)
Supported on all Domino Server platforms
-
Domino R5 Security Features
X.509 V3 Certificate Support
S/MIME and SSL in Notes Client
API for security infrastructure (Domino Web Server API - DSAPI)
Web Realms
HTTP Session Authentication
Group Management
ACL Management
Just In Time encryption
Encryption of message / document upon
reconnection (S/MIME and Notes mail)
Local copy of certificates unnecessary
-
Domino R5 Security Features (cont.)
Password Quality Testing - Domino computes effective password length
R5.01
Functional Separation of Keys - dual key support
non-repudiation (auth+signing)
confidentiality (encryption)
R5.02
PKCS 12 - key ring exchange
Token support for Domino Server
RSA ACE/Agent for Lotus Domino
RSA SecurID
RSA ACE/Server
-
R6 Security Update
-
Encryption Update
Large key support for Notes protocols
128-bit RC4 for Notes port encryption
128-bit RC2 for local database encryption
Underlying changes for 1024-bit RSA keys (will allow backward compatibility)
-
User Security Dialog
-
Internet Password Management
-
Change Password Dialogs
-
Local Database Encryption by Default
-
Domino 6 Certification Authority
Better security
Administrators don't need certifier ID files & passwords
Certifiers can be password-protected on server, either individually or as a group
Tamper-resistant auditing of all activity
CA Process server task
Signs certificates when requested via admin4
Maintains list of administrators who can approve certificate
requests (RAs)
Manage both Notes and Internet (X.509) certificates
Publishes CRLs for Internet certificates, supports CDP
Better support for X.509 extensions
-
Information on source of ESAs
-
Central Administration of User ECLs
-
Smart Card Support
Smart Card enabled ID file
PIN Prompt replaces password prompt
Smart Card disables itself after 3 wrong guesses
Internet (S/MIME) RSA key pushed onto card
If Card lost or destroyed, ID file must be recovered from
backup
-
Roaming User Support
Permits use of Notes Client by
downloading ID file from server
Server never learns the user's password
Eavesdropper cannot test guesses of user's password
Separate expensive interaction with server for each password guessed
-
Domino Web Access support for Secure Notes Mail
Security vs. Convenience Trade-off
Encrypted mail normally never readable on any server
Users' Private RSA keys protect the data
"Solution"
Place copy of user's ID file in mail file
User sends password to server
Server decrypts mail, then forgets password - 6.0.1
Server encrypts mail, then forgets password - 6.5
-
Administrator Hierarchy
Full Access Administrator
Administrator
Database Administrator
Full Remote Console Administrator
View-only Remote Console Administrator
System Administrator
Restricted System Administrator
-
Full Access Administrator
Method to resolve access control issues
Highest level of administrative rights on the server
All the rights granted to "Administrators", plus
Manager access, with all roles and access privileges enabled, to all databases on the server, regardless of the database ACL settings
Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF)
Access to all documents within databases on the server, regardless of
reader name field controls
Unrestricted agent rights
Does not allow access to encrypted data
Enable by
Listing allowed entries into Full Access Administrators field on server document
Select Administration\Full Access Administration from Admin Client menu
-
Q&A
-
BACKGROUND SLIDES
-
Full Access Administrators
Same as Local Access
Manager access to all databases on server, regardless of ACL
All programmability rights
All passthru rights
Issue OS-level commands
For Emergency Use Only
-
Remote Console Administrators
Full -- Any console command
View-only -- safe subset of commands
SHOW SERVER, SHOW STATS, SHOW TASKS
Cannot affect server performance
Neither can maintain databases
-
System Administrators
Issue operating system commands
Including server restart
Requires new Domino Server Controller running on server
Restricted -- restricted subset of commands
-
Agent Security -- R5
Agents run with the rights of their signer
Allows unprivileged agents on servers
Out of office agent
Special privileged signers
Can only access databases local to server where agent is running
Server can only authenticate as itself to another server
-
Agent Security
Server can sign agent "On Behalf of"
user
Enable out of office agent via the web
Agent can open off-server databases
...if its server is privileged on the remote server
Unrestricted agent can choose to bypass
ACLs locally
-
Windows NT/2000 Single Logon
Works with other Windows single logon
programs
Manages password sync bidirectionally
Once synced, NSL catches the password change from either Windows or Notes and pushes it to the other
If changed in Windows, change will be held and pushed to
Notes upon startup
If configured for Notes/Internet password sync, change will
update HTTPPassword in person document also
-
Future Considerations
Support for 1024-bit RSA keys for Notes protocols
128-bit RC2 support for bulk encryption keys and named encryption keys
Administration tools to automate large key generation for
existing Notes users
Support use of Internet keys pre-installed on smartcards
Support crypto accelerators
Support for Internet hierarchies in CA
Support for additional S/MIME features