How does the ID vault protect ID files that are stored in the vault?
The ID Vault stores user ID files as attachments in ID vault documents. Because the IDs are encrypted using a strong encryption algorithm, the ID files are unusable if detached from the ID vault.
It is extremely important to protect the server ID file from unauthorized access because it is involved in encrypting the ID files (see below). A best practice would be for senior members of the Administration Team to create the ACL with input from appropriate members of the security, audit, and/or compliance teams to ensure that only those authorized employees have access to the ID vault.
More details: Each ID is protected in the ID vault with a different randomly generated 256 bit AES Storage Encryption (SE) key. The SE keys are encrypted with a 2048 bit RSA Vault Operations (VO) key, which is encrypted using the ID file of the ID vault servers.
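The key chain described above (a per-ID AES-256 SE key, wrapped by an RSA-2048 VO key) is the textbook envelope-encryption pattern. The Go program below is an added illustration written for this page, not Domino's own code: it models one vault document, shows why a detached attachment is unusable without the VO private key, and shows that a fresh nonce is drawn for every encryption. The final link in the chain (the VO private key itself being encrypted under the vault server's ID file) is described in a comment but not modelled; RSA-OAEP and AES-GCM are assumptions standing in for whatever modes the product actually uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VaultedID models one vault document: the ID file is stored as an attachment
// encrypted under its own Storage Encryption (SE) key, and the SE key is kept
// only in wrapped form under the Vault Operations (VO) key. In the real product
// the VO private key is in turn encrypted with the vault server's ID file, which
// is why that server ID must be protected; that outer layer is not modelled here.
type VaultedID struct {
	WrappedSEKey []byte // SE key encrypted with the RSA VO public key (RSA-OAEP assumed)
	Nonce        []byte // fresh random IV, never reused with the same key
	Ciphertext   []byte // ID file bytes under AES-256-GCM with the SE key (mode assumed)
}

// seal encrypts plaintext under a 256-bit key with AES-GCM and a fresh nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open is the inverse of seal; GCM authentication fails on any tampering.
func open(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// StoreID generates a random 256-bit SE key for this one ID, encrypts the ID
// file with it, and wraps the SE key under the 2048-bit RSA VO public key.
func StoreID(voPub *rsa.PublicKey, idFile []byte) (*VaultedID, error) {
	seKey := make([]byte, 32)
	if _, err := rand.Read(seKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(seKey, idFile)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, voPub, seKey, nil)
	if err != nil {
		return nil, err
	}
	return &VaultedID{WrappedSEKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// RetrieveID walks the chain back: only a holder of the VO private key can
// unwrap the SE key, and only the SE key decrypts the attachment. Everything
// stays in memory; nothing decrypted is written to disk.
func RetrieveID(voPriv *rsa.PrivateKey, v *VaultedID) ([]byte, error) {
	seKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, voPriv, v.WrappedSEKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap SE key: VO private key required")
	}
	return open(seKey, v.Nonce, v.Ciphertext)
}

func main() {
	voKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc, _ := StoreID(&voKey.PublicKey, []byte("constructed sample ID file bytes"))
	out, err := RetrieveID(voKey, doc)
	fmt.Printf("round trip with vault's VO key: %q err=%v\n", out, err)
	// A copy of the document taken to another vault (a different VO key) is useless.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = RetrieveID(other, doc)
	fmt.Println("foreign VO key:", err)
}
```

Storing the same ID file twice yields different ciphertexts, because each store draws a new SE key and a new nonce; that is the property the page's "different randomly generated" key per ID buys.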
How does the ID vault protect data transmitted over the network?
All ID files and authentication information transmitted between clients and servers are encrypted. Each time a transaction takes place a new key is generated to ensure the highest level of encryption.
More details: All ID files and authentication information transmitted between clients and servers are encrypted using a 256 bit AES Transport Encryption (TE) key. Each transaction uses a new TE key. A different Initialization Vector (IV) is used each time the TE key is used.
How does the Notes client protect against the use of an unauthorized vault?
A user ID can be uploaded to a vault only if a parent certifier of the user ID has issued a Vault Trust Certificate to the vault. This prevents a rogue administrator from creating an unauthorized vault and using that to steal user ID files.
How does the ID vault prevent unauthorized password resets?
Trust of a person's or application's authority to reset passwords is established through special-purpose cross-certificates called Password Reset Certificates.
1. A person requires a Password Reset Certificate issued by a parent certifier of a user ID to reset the password on the ID through the Domino Administrator.
2. A custom password reset application requires a Password Reset Certificate for the application signer and each server on which it is deployed.
Administrators can use the ID Vaults - Create or ID Vaults - Manage tool to issue Password Reset Certificates from parent certifiers of the user IDs stored in a vault. The certificates are created in the Configuration - Security - ID Vaults view of the Domino Directory. Trust of the identity of a user whose password is reset must be established by the person or application resetting the password.
How does the ID vault protect against an attacker who is attempting to download a user's ID file by guessing the user's password?
Downloading an ID file from the Notes ID vault requires knowledge of that user's password in the vault. If ten incorrect consecutive passwords are specified during one day in an attempt to download an ID file from a vault to a client, downloads are disabled for that ID for the day. Resetting a user's password in the vault will also reset the incorrect password count. You can use the server NOTES.INI variable "IDVault_Max_Auth_Failures" to set the maximum number of consecutive download attempts allowed in a day before attempts are denied.
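The lockout rule above (ten consecutive wrong passwords in one day disables downloads for that ID until the next day, and a password reset clears the count) is simple enough to model directly. The following Go code is an added example for this page, not Domino's implementation: the counter lives server-side because only the server can judge a password, the day boundary is taken as a UTC calendar day (an assumption), and a correct password is taken to end a run of "consecutive" failures (also an assumption). The default of 10 mirrors the page; the comment naming IDVault_Max_Auth_Failures records that the page presents it as the tunable.

```go
package main

import (
	"fmt"
	"time"
)

// DefaultMaxAuthFailures is the documented default: ten wrong passwords per day.
// The page names the server NOTES.INI variable IDVault_Max_Auth_Failures as the
// setting that changes this limit; this model just takes the number as a parameter.
const DefaultMaxAuthFailures = 10

type record struct {
	day      string // calendar day (UTC) the failure count belongs to (assumption)
	failures int
}

// DownloadGuard tracks consecutive wrong-password download attempts per user.
// It is a model of the vault server's behaviour, not the product's code.
type DownloadGuard struct {
	Max     int
	records map[string]*record
}

func NewDownloadGuard(max int) *DownloadGuard {
	return &DownloadGuard{Max: max, records: make(map[string]*record)}
}

func dayKey(now time.Time) string { return now.UTC().Format("2006-01-02") }

// current returns the user's record for today; a count from an earlier day is discarded,
// which is what lets a locked-out user try again the next day.
func (g *DownloadGuard) current(user string, now time.Time) *record {
	r := g.records[user]
	if r == nil || r.day != dayKey(now) {
		r = &record{day: dayKey(now)}
		g.records[user] = r
	}
	return r
}

// Locked reports whether downloads for the user are disabled for the rest of the day.
func (g *DownloadGuard) Locked(user string, now time.Time) bool {
	return g.current(user, now).failures >= g.Max
}

// Attempt processes one download attempt. passwordOK is the server's own verdict on
// the supplied password (a client cannot decide this). It returns true only if the
// download may proceed.
func (g *DownloadGuard) Attempt(user string, passwordOK bool, now time.Time) bool {
	r := g.current(user, now)
	if r.failures >= g.Max {
		return false // already locked for the day, even if this guess happens to be right
	}
	if !passwordOK {
		r.failures++
		return false
	}
	r.failures = 0 // a correct password ends the consecutive-failure run (assumption)
	return true
}

// ResetPassword models an administrator resetting the user's vault password,
// which the page states also resets the incorrect-password count.
func (g *DownloadGuard) ResetPassword(user string) {
	delete(g.records, user)
}

func main() {
	g := NewDownloadGuard(DefaultMaxAuthFailures)
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	for i := 0; i < DefaultMaxAuthFailures; i++ {
		g.Attempt("user@example.test", false, now) // constructed user name
	}
	fmt.Println("locked today:", g.Locked("user@example.test", now))
	fmt.Println("allowed tomorrow:", g.Attempt("user@example.test", true, now.Add(24*time.Hour)))
}
```

Each refused attempt is also the event a detection rule would key on: a burst of refusals for one user, or for many users from one source, is the signal the page's later answer says to watch for in the server security logs and DDM.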
For additional protection, administrators can require authorization for all ID downloads by disabling automatic ID downloads through policy configuration. Password Reset Authorities are then needed to approve ID file downloads and set a download count limit before a user may download his ID file from the vault. See the Miscellaneous administration FAQ.
How does the ID vault protect against hacked client attack programs?
A hacked client program offers no advantage in attacking the ID vault because the security is built into the server and therefore cannot be bypassed by a fake client. Only the server, and not the client, can verify password guesses. Administrators can also require authorization for all ID downloads and use the "10 strikes" daily download-attempt limit to protect against hacked client attack programs. Administrators can use the server security logs and the Domino Domain Monitor (DDM) to detect a client attack.
Can an attacker search a vault server's hard drive for decrypted ID files?
No. Decrypted ID files are not written to disk by the ID vault. The ID vault feature uses in-memory ID files for ID file manipulation on both the client and the server to avoid leaving ID file traces on disk.
How hard would it be for an attacker who stole the vault.nsf file to execute a dictionary attack on users' passwords in the vault?
If the vault.nsf file is stolen, an attacker may attempt a dictionary attack, but it would be nearly impossible for the attacker to acquire any user passwords because (1) very strong hashing algorithms are used and (2) the password hashes are never stored.
More details: The password hashes are salted and iterated, and are approximately 7,000 times slower to guess than RC2-64 passwords. In addition, hashes are never stored, and verifying a guess involves modular exponentiation for each user and AES-256 decryption for each attempt in addition to the hash calculation.
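The "hashes are never stored" design above is easy to misread, so here is a worked model of it, written for this page rather than taken from Domino. The idea: the password is run through a salted, iterated hash to derive a key, and the only thing the vault keeps is material encrypted under that key. Checking a guess therefore means doing the full derivation and then an authenticated decryption; there is no digest on disk to compare against, and a thief with the file must pay the derivation cost plus a decryption per guess. The derivation below is a plain iterated SHA-256 loop and the iteration count is a constructed value; the page's per-user modular exponentiation step is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Iterations is the work factor per guess; a constructed number for this example,
// not the product's parameter.
const Iterations = 20000

// PasswordProtected is the per-user record a vault of this design would hold:
// a salt, a nonce and a secret (here a stand-in for wrapped key material)
// encrypted under the password-derived key. No password hash appears in it.
type PasswordProtected struct {
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte
}

// deriveKey is a salted, iterated SHA-256 derivation (a simplified PBKDF-style
// loop, not Domino's actual algorithm). Each round feeds the previous digest,
// the salt and a counter back in, so every candidate password costs
// Iterations hash computations before a decryption can even be tried.
func deriveKey(password string, salt []byte) []byte {
	h := sha256.Sum256(append([]byte(password), salt...))
	var ctr [4]byte
	for i := 1; i < Iterations; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		buf := append(append(h[:], salt...), ctr[:]...)
		h = sha256.Sum256(buf)
	}
	return h[:]
}

// Protect encrypts secret under the password-derived key with a fresh salt and
// nonce. The derived key is used and discarded; it is never stored.
func Protect(password string, secret []byte) (*PasswordProtected, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &PasswordProtected{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, secret, nil)}, nil
}

// Verify checks a password guess by attempting the decryption. Success is
// defined as the authenticated decryption succeeding; there is no hash to compare.
func Verify(p *PasswordProtected, guess string) ([]byte, bool) {
	block, err := aes.NewCipher(deriveKey(guess, p.Salt))
	if err != nil {
		return nil, false
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false
	}
	secret, err := gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
	return secret, err == nil
}

func main() {
	rec, _ := Protect("constructed-example-passphrase", []byte("wrapped key material"))
	_, ok := Verify(rec, "constructed-example-passphrase")
	fmt.Println("correct password verifies:", ok)
	_, ok = Verify(rec, "wrong guess")
	fmt.Println("wrong password verifies:", ok)
}
```

Because the salt is random per record, two users with the same password produce unrelated records, and the same password protected twice produces two different ciphertexts; a precomputed table is of no use against the stolen file.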
As an administrator, what files do I need to protect and backup securely?
You need to protect your vault ID files just as you protect your certifier ID. As usual, the certifier ID and server ID themselves must also be protected.