Security Basics mailing list archives
Re: Lotus Notes Encryption
From: Philip Storry <phil () philipstorry net>
Date: Sun, 12 Jan 2003 01:24:41 +0000
Hello ullmic6,

I'll happily help you with your problem. I'm a PCLP in Lotus Domino System Administration, and have spent a lot of time on the security side of the system.

Wednesday, January 8, 2003, 7:38:57 PM, you wrote:

uwd> Hello everybody,
uwd> in my company we are using Lotus Notes/Domino R5 as mail tool. Even if
uwd> the encryption is proprietary and just 64 bits I like this feature very
uwd> much because it keeps the casual inside attacker from sniffing my mails.

Side note: The mail encryption isn't proprietary. At least, not in the sense of "nobody trusts it" - Lotus have licensed the BSAFE libraries from RSA. These libraries are fairly well respected in the cryptographic community, and for a long time represented the only commercial way to use public/private key cryptography commercially without infringing on patents.

uwd> But now something interesting happened. Encrypted mails that I sent just
uwd> disappeared. The explanation I got was: I have a subset of the domino
uwd> directory (which is on the server and which includes the public key of
uwd> the recipients) on my pc (called dircat).

Directory Catalogues were new to R5. I love 'em. Nice and small. Did you know you can choose what goes into them? You could add the public key field to the list, if you like (the field name is "Certificate", oddly enough). The thing is, doing so rather increases the size of the Directory Catalogue. In fact, unless you're filling in all the fields in the Domino Directory, the Public Key fields will be the largest fields of the Directory.

uwd> This local dir does not include the public keys due to size and
uwd> performance for mobile users. In this scenario my Lotus Notes
uwd> client does NOT download the public key from the server directory
uwd> and encrypt the message. Instead it just sets a flag that this
uwd> mail must be encrypted, sends it unencrypted to the server and
uwd> tells the server to do the encryption. My encrypted mails
uwd> disappeared because these recipients' public keys were missing on
uwd> the server.

I've seen that happen so many times it's untrue. The Domino Directory losing the public key details, that is. It's usually because a Person document has been accidentally deleted. Someone recreates it, but forgets to add in the public key details.

Go to the person that has the public key missing, and look at their ID file (File - Tools - User ID). In the More Options section, you can choose to copy the public key. That copies it to the clipboard.

You'll probably be at their desk when doing this - unless you have a copy of their ID file handy, in which case you could examine their ID file in the Administrator client (go to the Configuration tab, open the tools menu at the right-hand side and choose ID Properties under the Certification section).

If you're at their desk, paste the public key into an email which you can send to yourself. Then perform the next step.

If you're using the Admin client, then just go to the People & Groups tab and locate their Person document. Open it, go to the Certificates tab and then, under the Notes Certificates tab, remove whatever they have and paste in what you now have for them. The formatting won't look quite the same - that's normal, and can be ignored.

Note that you can't paste into that field unless you're an Administrator - which is why you'll probably have to email the public key back to yourself if you're at their desk. :-)

uwd> My problem here is that I want end-to-end encryption.

Quite understandable. :-)

uwd> I do not want to delegate the encryption to a server (even if I
uwd> hope that port encryption is enabled like defined in our
uwd> policies).

If you really don't want to trust the delegated encryption, even after tidying up your Domino Directory and making sure it has people's certificates, then you can add the field to your Domino Directory Catalog.

Just open the catalog, go to the Configuration view, open the configuration (for editing, of course) and add the field "Certificate" to the end of the list of fields that you want added to the Domino Directory. I've not tested this, beyond ensuring that the certificates appear in the Directory Catalog - but once they're there then the clients using the Directory Catalog should be able to encrypt mail for all recipients. The only reason for this not to work would be any truncation of the field that may take place when the Catalog is built.

A small caveat - this would only work for recipients that have a certificate in the Domino Directory - remember that because the Catalog is built from the Domino Directory, it sounds like you're going to have to do some maintenance there anyway.

uwd> Does anybody on this list know if the encryption process really
uwd> works like described above. The info on Lotus encryption on the
uwd> web and in IBM's redbooks is too unspecific to explain what's
uwd> really going on here.

To find out how encryption (of all kinds) works, browse through the Security section of the Domino Administration Help (help5_admin.nsf). That has pretty good overviews of it all.

IBM/Lotus documentation suffers severely from verbosity. All the information you need is in there - somewhere. I recommend taking a copy of the three main help files - Domino Administration Help, Domino Designer Help and Notes Client Help - and full-text indexing them. Then make sure your first port of call is to learn about the indexing system, and how to search in Lotus Notes. That'll help you immensely. :-)

Red Books, if available on a particular subject, are excellent because:
a) IBM have dug the information out for you
b) They include best practices and other things not in the documentation - only as suggestions, but often good ones.

It's a shame that Domino doesn't have a few more Redbooks to help those new to administering it - but Domino is such a large product that I admit I wouldn't know where to start!

--
Best regards,
Philip mailto:phil () philipstorry net
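Added example (not from Philip's post or from Lotus): a LotusScript agent that audits the Domino Directory for the condition he describes, Person documents whose "Certificate" field is absent or empty, so that recreated Person documents can be found and fixed before encrypted mail goes missing. It assumes it is run as a manually triggered agent from the Notes client, that the standard "People" view exists in names.nsf, and that "MyServer/MyOrg" is a placeholder for your server's name.

```lotusscript
' Added example: list Person documents in the Domino Directory that have
' no Notes certificate (public key), the state that makes delegated
' server-side encryption fail. "MyServer/MyOrg" is a placeholder.
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim item As NotesItem
    Dim fullName As Variant
    Dim missing As Integer
    Dim total As Integer

    Set db = session.GetDatabase("MyServer/MyOrg", "names.nsf")
    If db Is Nothing Then
        Print "Could not open the Domino Directory"
        Exit Sub
    End If

    ' "People" is the standard view of Person documents in names.nsf
    Set view = db.GetView("People")
    If view Is Nothing Then
        Print "People view not found"
        Exit Sub
    End If

    Set doc = view.GetFirstDocument
    Do Until doc Is Nothing
        total = total + 1
        ' FullName is multi-valued; element 0 is the hierarchical name
        fullName = doc.GetItemValue("FullName")
        ' The Notes certificate lives in the "Certificate" item; a recreated
        ' Person document typically has no such item, or an empty one.
        Set item = doc.GetFirstItem("Certificate")
        If item Is Nothing Then
            missing = missing + 1
            Print "No Certificate item: " & fullName(0)
        ElseIf item.ValueLength = 0 Then
            missing = missing + 1
            Print "Empty Certificate item: " & fullName(0)
        End If
        Set doc = view.GetNextDocument(doc)
    Loop

    Print "Checked " & total & " Person documents, " & missing & " without a Notes certificate"
End Sub
```

The names it prints are the ones to repair with the copy-public-key procedure above; the same entries will also be missing from any Directory Catalog that includes the Certificate field, since the catalog is built from the Domino Directory.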