
ID209: Lotus Notes and Domino Security: Basics and Beyond


Kevin Lynch
IBM Lotus Software Group

Agenda
Notes and Domino Security Overview
Single Sign On Considerations
Feature Refresher - R6 and Beyond
Questions & Answers

Challenges to Building Secure Systems

How can I control who reads/writes information? (access control)
How can I know you are who you say you are? (authentication)
How can I protect information from disclosure? (confidentiality)
How can I be sure someone really wrote information? (integrity and origin authentication)

Domino Security
Benefits
Enhance interoperability
Reduce cost of development, administration, ownership
Technical strategy: adopt standards-based
data structures (certificates)
protocols (secure email)
interfaces (architecture and design)

Notes/Domino Security
Mutual Authentication and Validation
Access Control Lists for servers, databases, views,
documents, sections and fields
Role-based access control

Encryption
Port Encryption
Mail Encryption
Document Encryption
Database Encryption

Digital signatures
Data integrity
Originator authentication

Execution Control Lists

ACLs and ACL-like Controls

Access to the Network (Firewalls)
Access to Servers
Rights to Databases
Depositor / Reader / Author / Editor / Designer / Manager

Rights to Documents
Reader Lists / Author Lists

Rights to Sections
Rights to update sections of a document can be controlled independently

What is a PKI?
All of these things working together:
Certificates
Certificate authorities
Directories for storing and retrieving Certificates
Policies for deciding which certifiers to trust
Mechanisms for authenticating endpoints, issuing
certificates, and delivering them
Some means of expiration/revocation

Types of Cryptography
Secret key (aka Symmetric key)
Same key used to encrypt and decrypt
Public key (aka Asymmetric key)
Each person has a pair of keys:
Public key which is published
Private key which is kept secret
Public key is used to encrypt, private key to decrypt

Encryption for Privacy

Secret Key Encryption (e.g. 3DES, RC2, IDEA)
Plaintext -> Encrypt (Key A) -> Ciphertext -> Decrypt (Key A) -> Plaintext
The same key A encrypts and decrypts, so both parties must already share it

Public Key Encryption (e.g. RSA)
Plaintext -> Encrypt (recipient's Public Key) -> Ciphertext -> Decrypt (recipient's Private Key) -> Plaintext
Anyone may encrypt; only the holder of the private key can decrypt

Encryption for Integrity and Origin Authentication

Secret Key Signatures (message authentication codes)
Plaintext -> Sign (shared Key) -> Signature
Plaintext + Signature -> Verify (same shared Key) -> Yes/No
Anyone who can verify can also sign, so origin is proven only between the two key holders

Public Key Signatures (encrypted message digest)
Plaintext -> Sign (signer's Private Key) -> Signature
Plaintext + Signature -> Verify (signer's Public Key) -> Yes/No
Only the private-key holder can sign; anyone with the public key can verify

Public Key Certificates

A message signed by a certifier stating: "Jane Doe's public key is 4829b3d28f386h"
Certificate Authority
A trusted third party
Signs certificates to demonstrate trust and assure the identity / public key association
CA's public key must be known
Signer of certificates (CA) must be trusted
Server must trust signer of client cert
Client must trust signer of server cert

Public Key Authentication

Every user and server has a private/public key pair and certificate
Certificate Authorities (and Notes certifier IDs) sign certificates
Private key is stored in the ID file, encrypted with a password
Public key and certificates are held in the ID file and posted in the Domino Directory

Notes Authentication
Two-way authentication based on proof of knowledge of the private key

Alice -> Server: "I'm Alice, here are my certificates"
Server: find a trusted CA in the chain, check Alice's public key
Server -> Alice: "I'm Server, here are my certificates"
Alice: find a trusted CA in the chain, check Server's public key
Server: encrypt random challenge x with Alice's public key
Server -> Alice: "If you're Alice, what's this number?"
Alice: decrypt the challenge with her private key
Alice -> Server: "The number was x"
Alice: encrypt random challenge y with Server's public key
Alice -> Server: "If you're Server, what's this number?"
Server: decrypt the challenge with its private key
Server -> Alice: "The number was y"
Internet Public Key Authentication

Every user and every server has at least one private/public key pair and certificate, stored in a key ring file (server) or in the browser (client)
Certificate Authorities sign certificates using standards
X.509 v3
PKCS
Authentication is through SSL

Internet Certificate Authentication

Two-way authentication based on proof of knowledge of the private key

Alice -> Server: "Hello, I'm Alice"
Server -> Alice: "I'm Server, here are my certificates"
Alice: find a trusted CA in the chain, check Server's public key
Alice: encrypt a secret (session) encryption key with Server's public key
Alice -> Server: "Here's a secret"
Server: decrypt the secret key with its private key; use it for the secure data exchange
Server -> Alice: "Send your certificates"
Alice -> Server: "Here are my certificates"
Server: find a trusted CA in the chain, check Alice's public key
Alice <-> Server: secure data
(Simplified: in the SSL handshake the client also proves possession of its private key by signing handshake data; presenting the certificate alone is not proof)

Single Sign On
Users want...
Fewer id's and passwords to remember/forget
Fewer places to change passwords
Fewer prompts when using application(s)
Administrators want...
Less overhead in creating and maintaining id's and
passwords
Increased security, arguably

Why is it so difficult to achieve?

Each application system has its own unique...
Security system
Directory structure
Naming conventions
Each company has multiple...
Applications
HTTP servers
Clients
Platforms

Single Sign On
Centralize or Synchronize?
Technology assists
Web Realms
HTTP Session Authentication
Cookies
Domino Web Server API (DSAPI)
LDAP v3 client integrated with Notes client
Domino with Microsoft IIS
Directory options - Public Address Book (R4.6 server), Domino Directory (R5.0 server) configured for LDAP, or a foreign LDAP directory

Web Realms

Problem: User is prompted for username and password for each directory accessed
http://www.host.com/file.nsf
http://www.host.com/dir/file2.nsf

Solution: Web Realms reduce redundant password prompts
Zone of protection in the file system
Define the Web Realm in a document in the Domino Directory
Browser caches the username and password for the realm and resends them with every request (base64-encoded, not encrypted, so protect the connection with SSL)

HTTP Session Authentication Support

"Log in"
Occurs at authentication
Creates a unique session ID on that server
Creates a browser cookie holding the session ID

"Log out"
Session ID is invalidated on the server
Cookie is destroyed

Benefits
Name and password are passed only once
The session cookie is sent with every request, regardless of realm
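The log in / log out model above, as an added example that is not code from the deck or from Domino: a server-side session table keyed by an unguessable ID, a cookie the browser returns on every request whatever path or realm it hits, and a logout that invalidates on the server rather than merely deleting the cookie. Basic (realm) authentication is modelled alongside for contrast. The cookie name, idle timeout, salt, user store and request headers are constructed for this model.

```python
"""HTTP session authentication modelled as a server-side session table plus a
cookie, with Basic (realm) authentication alongside for contrast. Added
example; the cookie name, timeout and user store are assumptions."""
import base64
import hashlib
import hmac
import secrets

COOKIE_NAME = "DomAuthSessId"    # assumed cookie name for this model
SESSION_TTL = 30 * 60            # idle timeout in seconds (assumed)
SALT = b"constructed-demo-salt"  # one salt per user in a real deployment


def hash_password(password):
    """PBKDF2 so the stored value cannot be reversed if the user store leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice": hash_password("correct horse")}   # constructed user store
SESSIONS = {}                                         # session id -> {user, expires}


def credentials_ok(user, password):
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, hash_password(password))


def login(user, password, now):
    """'Log in': name and password are checked once; the browser then holds only
    a session ID with 256 bits of entropy, returned as a cookie."""
    if not credentials_ok(user, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return {"Set-Cookie": f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"}


def session_id_from(headers):
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


def authenticate(headers, now):
    """Resolve the user from the cookie alone, whatever path or realm the request hits."""
    sid = session_id_from(headers)
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now >= session["expires"]:
        SESSIONS.pop(sid)                        # expired IDs are removed, not merely ignored
        return None
    session["expires"] = now + SESSION_TTL       # idle timeout slides on each use
    return session["user"]


def logout(headers):
    """'Log out': invalidate on the server. Destroying only the browser cookie
    would leave the ID replayable by anyone who captured it."""
    return SESSIONS.pop(session_id_from(headers), None) is not None


def basic_auth_header(user, password):
    """Build the header a browser sends for Basic authentication (constructed request)."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


def basic_auth_user(headers):
    """Contrast: Basic authentication resends name and password on every request,
    base64-encoded but not encrypted, and only within the realm that prompted."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user if credentials_ok(user, password) else None
```

The checks that matter in practice are the negative ones: a replayed cookie fails after logout because the server-side entry is gone, an idle session expires even if the browser still holds the cookie, and a guessed ID never matches because the ID space is 256 bits.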

Domino Web Server API (DSAPI)

C API for writing extensions to the Domino Web Server (used for SSO)
Filter is notified when certain events occur in the web server
Built as a shared library (for example a DLL on the Windows platform)
Supported on all Domino Server platforms

Domino R5 Security Features


X.509 V3 Certificate Support
S/MIME and SSL in Notes Client
API for security infrastructure (Domino Web Server API
- DSAPI)
Web Realms
HTTP Session Authentication
Group Management
ACL Management
Just In Time encryption
Encryption of message / document upon
reconnection (S/MIME and Notes mail)
Local copy of certificates unnecessary

Domino R5 Security Features (cont.)


Password Quality Testing - Domino computes effective password
length
R5.01
Functional Separation of Keys - dual key support
non-repudiation (auth+signing)
confidentiality (encryption)
R5.02
PKCS 12 - key ring exchange
Token support for Domino Server
RSA ACE/Agent for Lotus Domino
RSA SecurID
RSA ACE/Server

R6 Security Update

Encryption Update

Large key support for Notes protocols
128-bit RC4 for Notes port encryption
128-bit RC2 for local database encryption
Underlying changes for 1024-bit RSA keys (will allow backward compatibility)

User Security Dialog

Internet Password Management

Change Password Dialogs

Local Database Encryption by Default

Email Encryption / Signing

Domino 6 Certification Authority

Better security
Administrators don't need certifier ID files & passwords
Certifiers can be password-protected on the server, either individually or as a group
Tamper-resistant auditing of all activity

CA Process server task

Signs certificates when requested via admin4 (the Administration Requests database)
Maintains list of administrators who can approve certificate requests (Registration Authorities, RAs)
Manages both Notes and Internet (X.509) certificates
Publishes CRLs for Internet certificates, supports CDP (CRL distribution points)
Better support for X.509 extensions

What's an Execution Control List?

Information on source of ESAs (Execution Security Alerts)

Central Administration of User ECLs

Smart Card Support


Smart Card enabled ID file
PIN Prompt replaces password prompt
Smart Card disables itself after 3 wrong guesses
Internet (S/MIME) RSA key pushed onto card
If Card lost or destroyed, ID file must be recovered from
backup

Roaming User Support

Permits use of the Notes Client by downloading the ID file from the server
Server never learns the user's password
Eavesdropper cannot test guesses of the user's password
Separate expensive interaction with the server for each password guessed

Domino Web Access support for Secure Notes Mail

Security vs. Convenience Trade-off
Encrypted mail normally never readable on any server
Users' private RSA keys protect the data
"Solution"
Place a copy of the user's ID file in the mail file
User sends password to server
Server decrypts mail, then forgets password - 6.0.1
Server encrypts mail, then forgets password - 6.5

Administrator Hierarchy
Full Access Administrator
Administrator
Database Administrator
Full Remote Console Administrator
View-only Remote Console Administrator
System Administrator
Restricted System Administrator

Full Access Administrator

Method to resolve access control issues
Highest level of administrative rights on the server
All the rights granted to "Administrators", plus
Manager access, with all roles and access privileges enabled, to all databases on the server, regardless of the database ACL settings
Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF)
Access to all documents within databases on the server, regardless of reader name field controls
Unrestricted agent rights
Does not allow access to encrypted data
Enable by
Listing allowed entries in the Full Access Administrators field on the server document
Selecting Administration\Full Access Administration from the Admin Client menu
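How the layers on the "ACLs and ACL-like Controls" slide and the Full Access Administrator slide combine, as an added example that is not code from the deck or from Domino: database ACL level (explicit user entry over group entries over -Default-), then Reader/Author fields on the document, then document encryption, with Full Access Administrator overriding the first two but not the third. The server state, ACL, groups, encryption keys and documents are constructed for this model.

```python
"""Effective access under a Domino-style database ACL combined with Reader/
Author fields and the Full Access Administrator override. Added example
modelling the rules on the ACL and Full Access Administrator slides; the
server state, ACL, groups, keys and documents are constructed."""
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def rank(level):
    return LEVELS.index(level)


def acl_level(acl, user, groups):
    """ACL resolution: an explicit user entry wins; otherwise the highest level
    of any group the user belongs to; otherwise -Default-."""
    if user in acl:
        return acl[user]
    from_groups = [acl[g] for g in groups.get(user, ()) if g in acl]
    if from_groups:
        return max(from_groups, key=rank)
    return acl.get("-Default-", "No Access")


def names_for(state, user):
    """Names a Reader/Author field may match: the user and every group they are in."""
    return {user, *state["groups"].get(user, ())}


def can_read(state, acl, doc, user):
    """Read the document's contents: ACL level, then Readers field, then encryption."""
    full_access = user in state["full_access_admins"]
    level = "Manager" if full_access else acl_level(acl, user, state["groups"])
    if rank(level) < rank("Reader"):          # Depositor can create but not read
        return False
    readers = set(doc.get("Readers", [])) | set(doc.get("Authors", []))  # Authors may read too
    if readers and not full_access and names_for(state, user).isdisjoint(readers):
        return False                          # Readers fields restrict even Managers
    key = doc.get("encryption_key")
    if key and key not in state["keys"].get(user, ()):
        return False                          # Full Access Administrator does not bypass encryption
    return True


def can_edit(state, acl, doc, user):
    """Editor and above edit any document they can read; Author only those naming them."""
    if not can_read(state, acl, doc, user):
        return False
    if user in state["full_access_admins"]:
        return True
    level = acl_level(acl, user, state["groups"])
    if rank(level) >= rank("Editor"):
        return True
    return level == "Author" and not names_for(state, user).isdisjoint(doc.get("Authors", []))


# Constructed server state and ACL (names follow Notes conventions)
SERVER_STATE = {
    "full_access_admins": {"Dave/Acme"},
    "groups": {
        "Alice/Acme": {"HR Staff", "HR Managers"},
        "Bob/Acme": {"HR Managers"},
        "Carol/Acme": {"HR Staff"},
    },
    "keys": {"Alice/Acme": {"Payroll"}},     # who holds which document encryption key
}
HR_ACL = {"-Default-": "No Access", "HR Staff": "Author", "HR Managers": "Editor", "Bob/Acme": "Reader"}

REVIEW = {"Readers": ["HR Managers"], "Authors": ["Carol/Acme"]}
PAYROLL = {"Readers": ["HR Managers"], "encryption_key": "Payroll"}
NOTICE = {}                                 # no Readers/Authors fields: the ACL alone decides

if __name__ == "__main__":
    for user in ("Alice/Acme", "Bob/Acme", "Carol/Acme", "Dave/Acme"):
        print(user, acl_level(HR_ACL, user, SERVER_STATE["groups"]),
              can_read(SERVER_STATE, HR_ACL, PAYROLL, user),
              can_edit(SERVER_STATE, HR_ACL, REVIEW, user))
```

The cases that trip people up: Bob's explicit Reader entry beats the Editor access his group would give him; Carol, an Author, can read the review because an Authors field also grants read access and can edit it because it names her, but cannot edit a document that does not; and the Full Access Administrator reads the Readers-protected review but not the encrypted payroll document, because encryption is enforced by key possession, not by the ACL.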

Additional Resources
Lotus Security Handbook Redbook
http://www.redbooks.ibm.com/redpieces/abstracts/sg247017.html

LDD Notes/Domino Security Zone
http://www.lotus.com/ldd/security
Domino 6 Technical Overview
Be the authority on the new Domino 6 Certificate Authority
Bonding with User Security in Notes 6
Policy-based system administration with Domino 6
Decoding the new Notes/Domino 6 agent features
Building web applications in Domino 6: Accessing and protecting the
file system

Q&A

BACKGROUND SLIDES

HTTP Connection Settings

Persistent connections
Network timeouts
Client IP address filtering

Full Access Administrators

Same as Local Access
Manager access to all databases on the server, regardless of ACL
All programmability rights
All passthru rights
Issue OS-level commands

For Emergency Use Only

Administrators
Same rights as R5
Can execute remote console commands
Can perform database maintenance tasks
Can manage message tracking

Database Administrators
Database maintenance
Set admin server on ACLs
Compact and delete dbs
Maintain full text indexes
Maintain directories
Create databases
Maintain certain db options
E.G., in/out of service, database quotas, etc.

Remote Console Administrators

Full -- Any console command
View-only -- safe subset of commands
SHOW SERVER, SHOW STATS, SHOW TASKS
Cannot affect server performance

Neither can maintain databases

System Administrators
Issue operating system commands
Including server restart
Requires the new Domino Server Controller running on the server
Restricted -- restricted subset of commands

Agent Security -- R5
Agents run with the rights of their signer
Allows unprivileged agents on servers
Out of office agent
Special privileged signers
Can only access databases local to the server where the agent is running
Server can only authenticate as itself to another server

Agent Security

Server can sign agent "On Behalf of" user
Enable out of office agent via the web
Agent can open off-server databases ...if its server is privileged on the remote server
Unrestricted agent can choose to bypass ACLs locally

Agent Security -- On behalf

Access Remote Servers
Server A can now execute a scheduled or web-based agent that accesses a database on Server B
Server A must be listed in the "Trusted Servers" field in Server B's server document
Both servers must be running Release 6

Modifying and saving agents on the server
Agent can enable another agent if it has the same effective user OR
Agent's signer is listed in the "Sign agents to run on behalf of someone else" field
Agent cannot modify itself

Enabling scheduled agents using a web browser
Allows the Out of Office agent to be enabled by a web user
Runs as the web user
Maximum Internet name/password access must be set to Designer

Allow editors to activate agents
Allows the Out of Office agent to be activated by users with Editor access to their mail file

Web Server Security

Server document
Protocol security options allow you to filter requests that may be potential attacks
Deny/allow access fields can now be applied to all Internet protocols

HTTP Plug-In Architecture allows for reverse proxy access to Domino servers inside the firewall
IIS
WebSphere IHS

Web Single Sign On (SSO) enhancements

Can be configured to work with DSAPI authentication in addition to name/password
APIs available to generate and verify tokens
Can create multiple SSO documents within a Domino directory/domain
Still restricted to one DNS domain

API functions available to support the "more secure Internet password format"

Windows NT/2000 Single Logon

Works with other Windows single logon programs
Manages password sync bidirectionally
Once synced, Notes Single Logon (NSL) catches the password change from either Windows or Notes and pushes it to the other
If changed in Windows, the change will be held and pushed to Notes upon startup
If configured for Notes/Internet password sync, the change will update the HTTPPassword field in the person document also

Future Considerations
Support for 1024-bit RSA keys for Notes protocols
128-bit RC2 support for bulk encryption keys and named encryption keys
Administration tools to automate large key generation for existing Notes users
Support use of Internet keys pre-installed on smartcards
Support crypto accelerators
Support for Internet hierarchies in CA
Support for additional S/MIME features