ID vault security FAQ
Added by Michael Stewart on April 27, 2021 | Version 1
Tags: Notes ID Vault
How does the ID vault protect ID files that are stored in the vault?
The ID Vault stores user ID files as attachments in ID vault documents. Because the IDs are encrypted using a strong encryption algorithm, the ID files are unusable if detached from the ID vault.

It is extremely important to protect the server ID file from unauthorized access because it is involved in encrypting the ID files (see below). A best practice would be for senior members of the Administration Team to create the ACL with input from appropriate members of the security, audit, and/or compliance teams to ensure that only those authorized employees have access to the ID vault.

More details: Each ID is protected in the ID vault with a different randomly generated 256 bit AES Storage Encryption (SE) key. The SE keys are encrypted with a 2048 bit RSA Vault Operations (VO) key, which is encrypted using the ID file of the ID vault servers.
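
The storage key hierarchy just described, as an added example in Go that is not Domino's own code: each stored ID gets its own random 256-bit AES SE key, that key is wrapped under the vault's 2048-bit RSA VO key, and a record detached from the vault cannot be opened without the VO private key. AES-GCM, RSA-OAEP, the VaultRecord type and the function names are this example's assumptions; the further encryption of the VO key under the server ID file is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// VaultRecord models one vault document: encrypted ID attachment plus wrapped SE key.
type VaultRecord struct{ Nonce, Ciphertext, WrappedSEKey []byte }

// StoreID encrypts an ID file under a fresh random 256-bit AES SE key and wraps that
// key with the 2048-bit RSA VO key. AES-GCM and RSA-OAEP are this example's choices.
func StoreID(idFile []byte, voPub *rsa.PublicKey) (*VaultRecord, error) {
	key := make([]byte, 32+12) // 256-bit SE key followed by a fresh 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key[:32])
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, voPub, key[:32], nil)
	if err != nil {
		return nil, err
	}
	return &VaultRecord{key[32:], gcm.Seal(nil, key[32:], idFile, nil), wrapped}, nil
}

// RetrieveID is the server-side path: only the holder of the VO private key (itself
// protected by the vault server's ID file) can unwrap the SE key and open the ID.
func RetrieveID(rec *VaultRecord, voPriv *rsa.PrivateKey) ([]byte, error) {
	seKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, voPriv, rec.WrappedSEKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap SE key: %w", err)
	}
	block, _ := aes.NewCipher(seKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

func main() {
	vo, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the vault's VO key pair
	rec, _ := StoreID([]byte("constructed user.id bytes"), &vo.PublicKey)
	_, err := RetrieveID(rec, vo)
	fmt.Println("round trip ok:", err == nil)
}
```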

How does the ID vault protect data transmitted over the network?
All ID files and authentication information transmitted between clients and servers are encrypted. Each time a transaction takes place a new key is generated to ensure the highest level of encryption.

More details: All ID files and authentication information transmitted between clients and servers are encrypted using a 256 bit AES Transport Encryption (TE) key. Each transaction uses a new TE key. A different Initialization Vector (IV) is used each time the TE key is used.

How does the Notes client protect against the use of an unauthorized vault?
A user ID can be uploaded to a vault only if a parent certifier of the user ID has issued a Vault Trust Certificate to the vault. This prevents a rogue administrator from creating an unauthorized vault and using that to steal user ID files.

How does the ID vault prevent unauthorized password resets?
Trust of a person's or application's authority to reset passwords is established through special-purpose cross-certificates called Password Reset Certificates.
1. A person requires a Password Reset Certificate issued by a parent certifier of a user ID to reset the password on the ID through the Domino Administrator.
2. A custom password reset application requires a Password Reset Certificate for the application signer and each server on which it is deployed.
Administrators can use the ID Vaults - Create or ID Vaults - Manage tool to issue Password Reset Certificates from parent certifiers of the user IDs stored in a vault. The certificates are created in the Configuration - Security - ID Vaults view of the Domino Directory. Trust of the identity of a user whose password is reset must be established by the person or application resetting the password.

How does the ID vault protect against an attacker who is attempting to download a user's ID file by guessing the user's password?
Downloading an ID file from the Notes ID vault requires knowledge of that user's password in the vault. If ten incorrect consecutive passwords are specified during one day in an attempt to download an ID file from a vault to a client, downloads are disabled for that ID for the day. Resetting a user's password in the vault will also reset the incorrect password count. You can use the server NOTES.INI variable "IDVault_Max_Auth_Failures" to set the maximum number of consecutive download attempts allowed in a day before attempts are denied.

For additional protection, administrators can require authorization for all ID downloads by disabling automatic ID downloads through policy configuration. Password Reset Authorities are then needed to approve ID file downloads and set a download count limit before a user may download their ID file from the vault. See the Miscellaneous administration FAQ.
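
A model of the download throttle described above, added here as example code rather than Domino's own implementation: consecutive wrong vault passwords are counted per ID and per calendar day, a correct password ends the run, reaching the limit disables downloads for that ID for the rest of the day, and a password reset clears the count. The DownloadGuard type, its method names and the in-memory map are assumptions; DefaultMaxAuthFailures stands in for the value the NOTES.INI variable IDVault_Max_Auth_Failures would supply.

```go
package main

import (
	"fmt"
	"time"
)

// The article's default is ten consecutive failures; on a real server the NOTES.INI
// variable IDVault_Max_Auth_Failures changes it. This in-memory model is this example's own.
const DefaultMaxAuthFailures = 10

// strikes holds one ID's count of consecutive wrong passwords for one calendar day.
type strikes struct {
	day   string
	count int
}

// DownloadGuard is the server-side gate: only the server verifies password guesses,
// so a modified client gains nothing by skipping this check.
type DownloadGuard struct {
	Max   int
	state map[string]*strikes
}

func NewDownloadGuard(limit int) *DownloadGuard {
	return &DownloadGuard{Max: limit, state: map[string]*strikes{}}
}

// Attempt records one ID download attempt and reports whether it may proceed.
// passwordOK is the result of the server's own password verification.
func (g *DownloadGuard) Attempt(user string, passwordOK bool, now time.Time) (bool, string) {
	day := now.UTC().Format("2006-01-02")
	s := g.state[user]
	if s == nil || s.day != day { // the count belongs to a single calendar day
		s = &strikes{day: day}
		g.state[user] = s
	}
	switch {
	case s.count >= g.Max:
		return false, "downloads disabled for this ID for the rest of the day"
	case !passwordOK:
		s.count++
		return false, fmt.Sprintf("wrong password (%d of %d)", s.count, g.Max)
	}
	s.count = 0 // a correct password ends the run of consecutive failures
	return true, "ok"
}

// PasswordReset mirrors the article: resetting the vault password clears the count.
func (g *DownloadGuard) PasswordReset(user string) { delete(g.state, user) }
```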
How does the ID vault protect against hacked client attack programs?

A hacked client program offers no advantage in attacking the ID vault because the security is built into the server and therefore cannot be bypassed by a fake client. Only the server, and not the client, can verify password guesses. Administrators can also require authorization for all ID downloads and use the "10 strikes" daily download attempt limit to protect against hacked client attack programs. Administrators can use the server security logs and the Domino Domain Monitor (DDM) to detect a client attack.

Can an attacker search a vault server's hard drive for decrypted ID files?

No. Decrypted ID files are not written to disk by the ID vault. The ID vault feature uses in-memory ID files for ID file manipulation on both the client and the server to avoid leaving ID file traces on disk.

How hard would it be for an attacker who stole the vault.nsf file to execute a dictionary attack on users' passwords in the vault?

If the vault.nsf file is stolen, an attacker may attempt a dictionary attack, but it would be nearly impossible for the attacker to acquire any user passwords because (1) very strong hashing algorithms are used and (2) the password hashes are never stored.

More details: The password hashes are salted and iterated, and are approximately 7,000 times slower to guess than RC2-64 passwords. In addition, hashes are never stored, and verifying a guess involves modular exponentiation for each user and AES-256 decryption for each attempt in addition to the hash calculation.

As an administrator, what files do I need to protect and back up securely?

You need to protect your vault ID files just as you protect your certifier ID. As usual, you should also protect the certifier ID and server ID.
