January 25, 2005
Charlie´s Security Session (NOT)
Crypto 001
There are two types of cryptography - one will stop your kid sister from reading your files, the other will prevent major governments from reading your files.
Notes uses the latter!
Key Strength - Entropy
DES has 56 bits of entropy (log2(2^56) = 56)
Crypto hashes
Quickly generate a unique fixed length block of data from a variable length message
One way
@Password (Internet password)
Symmetric Algorithm
Very fast, but uses the same key to encrypt and decrypt
don't use 56 bit keys
64 bit should be ok
128 bits should be good enough for the next couple of decades
Asymmetric Algorithm
Very slow, requires public and private keys
630-bit keys are the most common length, used in Notes/Domino
Notes Authentication
client connects
client sends its name, certificates and a random number
server responds with its name, certificate and another random number
server sends a ticket encrypted with the client's public key, plus a hashed version
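The four steps above sketch a challenge-response exchange. Below is an added illustration of that shape, written for this page rather than taken from Notes/Domino: it is not the real Notes protocol, it uses a toy textbook RSA keypair on two small primes in place of the 630-bit Notes key, the "certificate" is a constructed hash stand-in, and the names and message fields are assumptions. It shows why the random numbers matter: a captured ticket message replayed into a later exchange no longer matches the hash and is rejected.

```python
import hashlib
import secrets

# Toy textbook RSA on two small primes. Illustration only: real Notes/Domino
# keys are hundreds of bits long and this construction has no padding.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
CLIENT_PUBLIC = (N, E)
CLIENT_PRIVATE = (N, D)


def digest(*parts):
    """Hash any number of values into one hex digest (stand-in for the handshake hash)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(str(part).encode() + b"|")
    return m.hexdigest()


def client_hello(name, public_key):
    """Step 1: the client sends its name, a certificate and a fresh random number."""
    # Constructed stand-in for a real certificate: a hash over name and public key.
    cert = digest("cert", name, public_key)
    return {"name": name, "cert": cert, "public_key": public_key,
            "nonce": secrets.randbits(64)}


def server_hello(name):
    """Step 2: the server answers with its own name, certificate and random number."""
    cert = digest("cert", name)
    return {"name": name, "cert": cert, "nonce": secrets.randbits(64)}


def server_ticket(client_msg, server_msg):
    """Step 3: the server draws a ticket, encrypts it to the client's public key and
    sends alongside it a hash binding the ticket to both random numbers."""
    n, e = client_msg["public_key"]
    ticket = secrets.randbelow(n - 2) + 2
    encrypted = pow(ticket, e, n)
    proof = digest("ticket", ticket, client_msg["nonce"], server_msg["nonce"])
    return {"encrypted_ticket": encrypted, "proof": proof}


def client_verify(ticket_msg, client_msg, server_msg, private_key):
    """Step 4: the client decrypts the ticket with its private key and checks the hash.
    Returns the ticket on success, None if the message does not belong to this exchange."""
    n, d = private_key
    ticket = pow(ticket_msg["encrypted_ticket"], d, n)
    expected = digest("ticket", ticket, client_msg["nonce"], server_msg["nonce"])
    if expected != ticket_msg["proof"]:
        return None
    return ticket


def run_handshake(user="CN=Alice/O=Example", server="CN=Server1/O=Example"):
    """Drive one full exchange; returns (ticket, messages) so the messages can be reused."""
    c = client_hello(user, CLIENT_PUBLIC)
    s = server_hello(server)
    t = server_ticket(c, s)
    return client_verify(t, c, s, CLIENT_PRIVATE), (c, s, t)


def replay_is_rejected():
    """Replaying a captured ticket message into a fresh exchange must fail, because the
    new exchange carries new random numbers and the hash no longer matches."""
    _, (_, _, old_ticket_msg) = run_handshake()
    fresh_c = client_hello("CN=Alice/O=Example", CLIENT_PUBLIC)
    fresh_s = server_hello("CN=Server1/O=Example")
    return client_verify(old_ticket_msg, fresh_c, fresh_s, CLIENT_PRIVATE) is None


if __name__ == "__main__":
    ticket, _ = run_handshake()
    print("ticket established:", ticket is not None)
    print("replay rejected:", replay_is_rejected())
```

The ticket that survives verification is what both sides would go on to use as the shared secret for the session; the port encryption mentioned in the next section is where that secret gets put to work.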
Notes Network
Port encryption, to prevent eavesdropping
replay attacks are prevented
Database encryption
Simple, Medium, Strong
Today's computers have enough power to encrypt at medium with no real impact
Support for larger keys in ND7
Larger keys are stored in the BER format.
New users will get by default
You can upgrade existing IDs to the new size
6.0.4/6.5.1 is the minimum client version to accept the larger keys.
User Key roll-over in ND7
Policies will be used to implement it
Client will generate new key pair and send request to Adminp for processing
Set policy to upgrade all users within a time frame and the server will spread the load out to minimise replication impacts (very nice)
New tab in security policy to set this up...
Spread new key generation over this many days... default is 180 days.
Server Key Roll-over
Controlled in a server document.
All automatic
Certifier Key Roll-over
Will not be available in 7.0, will be added in a 7.x release.
Passwords
Custom password policies feature added in 6.5.4 and 7.0, so we can set a custom set of rules (i.e. must contain a number)
Change password on first use!!!!!!!!
Now we can combine min length, max length and quality, upper case, lower case, numbers etc. We can really upset our users now!!!!!!
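As an added example of the two points above (combined length and character-class rules, and forcing a change on first use), here is a small Python password-policy checker and account record. It is written for this page and is not Notes/Domino code: the policy field names, the thresholds and the "character classes" quality heuristic are my own constructions, not Notes' configuration settings or its quality scale.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example policy; field names and thresholds are assumptions, not Notes settings.
DEFAULT_POLICY = {
    "min_length": 8,
    "max_length": 32,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "min_classes": 3,  # crude quality measure: distinct character classes present
}

CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Set of character classes (upper, lower, digit, symbol) that occur in the password."""
    return {name for name, rx in CLASSES.items() if rx.search(password)}


def check_password(password, policy=DEFAULT_POLICY):
    """Return the list of rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append(f"shorter than {policy['min_length']} characters")
    if len(password) > policy["max_length"]:
        failures.append(f"longer than {policy['max_length']} characters")
    classes = character_classes(password)
    for cls in ("upper", "lower", "digit"):
        if policy.get(f"require_{cls}") and cls not in classes:
            failures.append(f"no {cls} character")
    if len(classes) < policy["min_classes"]:
        failures.append(f"fewer than {policy['min_classes']} character classes")
    return failures


def _hash(password, salt):
    # Salted PBKDF2 so the record never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Minimal account record: the initial password must be changed on first use."""

    def __init__(self, name, initial_password, policy=DEFAULT_POLICY):
        self.name = name
        self.policy = policy
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(initial_password, self._salt)
        self.must_change = True  # set at registration, cleared by the first change

    def _matches(self, password):
        return hmac.compare_digest(_hash(password, self._salt), self._hash)

    def login(self, password):
        """'denied', 'change-required' (correct but initial password), or 'ok'."""
        if not self._matches(password):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, old, new):
        """Apply the policy to the new password; returns the list of failures (empty = changed)."""
        if not self._matches(old):
            return ["current password incorrect"]
        if new == old:
            return ["new password must differ from the current one"]
        failures = check_password(new, self.policy)
        if not failures:
            self._salt = secrets.token_bytes(16)
            self._hash = _hash(new, self._salt)
            self.must_change = False
        return failures


if __name__ == "__main__":
    acct = Account("alice", "Welcome1x")
    print(acct.login("Welcome1x"))                       # change-required
    print(acct.change_password("Welcome1x", "password"))  # list of violated rules
    print(acct.change_password("Welcome1x", "Corr3ctHorse!"))  # []
    print(acct.login("Corr3ctHorse!"))                   # ok
```

Returning the full list of violated rules rather than a bare yes/no is what keeps a strict policy from "upsetting the users": they see every rule at once instead of failing one rule per attempt.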
SmartCard Support
Notes is secure! How secure is your OS or hardware?
Posted by Simon Barratt at 03:03:30 PM
