Lotus Nut

Blogs Blogs Home My Blog Edit My Blog
chris.whisonant@lotus911.com Tags Blog Tags Tags New to tags? A tag is a keyword that is used to categorize an entry. To view the entries with a particular tag, click a tag name in the tag cloud or enter a tag in the box. The tag cloud indicates the frequency of tag use. Popular tags appear darkest. The slider control adjusts how many tags are displayed in the tag cloud. Enter a tag to filter the current view more less administration applications bleedyellow community console domino im iphone mobile notes.ini phones sametime	Lotus Nut A blog for the Lotus Nut! All entries tagged with id_files id_files security administration domino Domino 8.0.1: 101 - Mandated ID Encryption Standard (SnTT) Chris Whisonantchris.whisonant@lotus911.com Continuing my series on Domino 8 Administration features, new with Domino 8.0.1 is the option to mandate the encryption standard for ID files. Full details can be found at the infocenter. With Notes 8.0 and Domino 8.0.1, there is an option to use AES for ID file encryption. Here's how strong AES is: "The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use." Implementation of AES requires a Domino 8.0.1 server. A Security Settings document is used to configure how the ID file's encryption will be enforced on your server. In a new or existing Security Settings document, you will need to go to the Password Management tab and then scroll to the bottom to the ID File Encryption Settings section: For both the Mandated and Allowed encryption standards fields, you have the following choices (the same choices as when you change your password in Notes 8.0): Compatible with all releases (64 bit RC2) Compatible with release 6 and later (128 bit RC2) Compatible with release 8 and later (128 bit AES) Compatible with release 8 and later (256 bit AES) First of all, this is great that companies can now mandate this. But the super swank option is the "Key derivation strength (iterations)" field. In layman's terms, the higher you set this value (the default is 5000), the longer a dictionary attack will take against the ID file. It won't be impervious to an attack, but you shouldn't be using passwords that are in dictionaries... From the infocenter: Key derivation strengthening is a technique used to make it more costly for malicious attackers to guess likely passwords through a brute force dictionary attack. They work by increasing the time it takes to generate a key from a password. The value for this field is the number of times an HMAC algorithm is applied as part of the operation that generates a key from the password. Specifying a larger number for this value increases the duration of each attempt during a dictionary attack. The default setting for this field is 5000, which is acceptable in most environments. Organizations with higher security requirements may wish to specify a higher value. So, once you have your servers at 8.0.1 and then have clients at 8.0 or higher, you can begin enforcing this. However, you may also phase this in with a tiered approach. For instance, if you have admins and/or developers that may have access to sensitive data, you may wish to get them on the Notes 8.0 + client and apply a special security settings document to their policy. Comments[2]	Dogear Bookmarks Archive July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008