IBM Notes and Domino: Tips & Tricks

Upgrading IBM Notes ID certificate key strength, encryption strength and password quality
May 22, 2014

By Lance Zakin, IBM CASA, CAAD
Notes and Domino
IBM BP NotesMail
Domino administrators can upgrade the security strength of user Notes IDs using Domino Security Policy Settings, the Certificate Authority (CA) Process, or the Administration Process (AdminP) with semi-automated steps. This article discusses AdminP with semi-automated steps, which is sometimes necessary for reasons including a delicate environment, no test environment, minimal budget, minimal implementation time, or minimal Domino expertise available to configure Security Policy Settings or the CA Process.


Many Domino customer sites were architected many years ago, and even though users run Notes 9, 8, 7 or 6, they are still using the ridiculously low Notes ID security settings that were available in Notes 5, 4 and 3: 512- and 630-bit Notes ID certificate keys and 64-bit RC2 Notes ID encryption. This low Notes ID security level is unacceptable in today's world of cyberterrorism, hacking and information warfare.

How can I check the Notes ID certificate key strength for my users? Open the user's Person document in the IBM Domino Directory (DD), then click the Certificates tab. The value is displayed next to "Current key strength". If the "Current key strength" field shows less than 2048 bits, inform your company's security compliance team of this issue immediately.

How can I check the Notes ID encryption strength for my users? Open the user's Notes ID, click File - Security - User Security and type the user's password. The value is displayed next to "ID file encryption strength". If the encryption strength is less than 256 bits, inform your company's security compliance team of this issue immediately.
  • You must upgrade to at least Notes and Domino 7 to take advantage of Notes ID certificate key strengths using 2048 bits.
  • You must upgrade to at least Notes and Domino version 8.0.1 to take advantage of Password-derived keys (ID file encryption keys) using 256 bit AES with iterated HMAC-SHA1.
  • You must upgrade to at least Notes and Domino 9 to take advantage of ID file encryption keys using 256 bit AES with iterated HMAC-SHA256 and iterated HMAC-SHA512.
How can I check the Notes password quality scale (password strength) for my users? Unfortunately, you cannot check it without actually changing their Notes ID password and trying passwords of different quality. The password quality scale can be set when registering a new Notes user (creating a Notes ID). If you need to change it for existing users, you must configure Domino Security Policy Settings.
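The two checks above are done one Person document and one ID file at a time. The following is an added example (not code from the article or from IBM) of how an administrator might apply the article's thresholds, 2048-bit certificate keys and 256-bit ID file encryption, to an exported list of users, together with the minimum client release each upgrade needs. The export format, its column names and the user records are constructed for this example; a real export would be whatever your reporting tool writes out from the Person documents.

```python
import csv
import io
from typing import Dict, List, Tuple

# Thresholds stated in the article: report a Notes ID whose certificate key is
# under 2048 bits or whose ID file encryption is under 256-bit AES.
MIN_KEY_BITS = 2048
MIN_ID_ENC_BITS = 256

# Minimum Notes/Domino release for each upgrade target (from the article).
MIN_VERSION_FOR_2048_KEY = (7, 0, 0)
MIN_VERSION_FOR_AES256 = (8, 0, 1)
MIN_VERSION_FOR_SHA2 = (9, 0, 0)

# Constructed sample export. Column names are assumptions for this example.
SAMPLE_EXPORT = """user,notes_version,key_strength_bits,id_encryption_bits,id_encryption_hash
Alice Example,9.0.1,2048,256,SHA-512
Bob Example,8.5.3,630,64,RC2
Carol Example,9.0.1,1024,128,SHA-1
Dave Example,6.5.6,512,64,RC2
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.0.1' or '9' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def audit_record(row: Dict[str, str]) -> List[str]:
    """Return the compliance findings for one exported user record."""
    findings = []
    version = parse_version(row["notes_version"])
    key_bits = int(row["key_strength_bits"])
    enc_bits = int(row["id_encryption_bits"])

    if key_bits < MIN_KEY_BITS:
        msg = f"certificate key is {key_bits} bits (< {MIN_KEY_BITS})"
        if version < MIN_VERSION_FOR_2048_KEY:
            msg += "; client must be upgraded to 7 or later before a 2048-bit key can be created"
        findings.append(msg)

    if enc_bits < MIN_ID_ENC_BITS:
        msg = f"ID file encryption is {enc_bits} bits (< {MIN_ID_ENC_BITS})"
        if version < MIN_VERSION_FOR_AES256:
            msg += "; client must be upgraded to 8.0.1 or later before 256-bit AES is available"
        findings.append(msg)

    # A Notes 9 client can use SHA-256/SHA-512 ID file keys; flag IDs that still do not.
    if version >= MIN_VERSION_FOR_SHA2 and row["id_encryption_hash"] not in ("SHA-256", "SHA-512"):
        findings.append("client supports SHA-256/SHA-512 ID file keys but ID still uses "
                        + row["id_encryption_hash"])
    return findings


def audit_export(csv_text: str) -> Dict[str, List[str]]:
    """Return {user: [findings]} for every non-compliant ID in the export."""
    report: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_record(row)
        if findings:
            report[row["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_export(SAMPLE_EXPORT).items():
        print(user)
        for finding in findings:
            print("   -", finding)
```

Users with no findings are left out of the report, so the output is the list to hand to the security compliance team and the upgrade note on each finding tells you which users need a client upgrade before the steps below can be carried out.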

IBM Notes user instructions

1. Upgrade IBM Notes certificate key strength (used when communicating with the server; updates the Notes ID file and the IBM DD account)

A. Open Notes.
B. Click File - Security - User Security from the top tool bar menu, then type your password.
C. Click Your Identity - Your Certificates, then click "Other Actions" button and "Create New Public Keys" as seen below.



D. Select "Compatible with 7.0 and later (2048 Bits)" as seen below (or the highest version available). NOTE: Do not select an option greater than your Notes (Domino) server version.
E. Select "Authentication Protocol - Recommended" as seen below, click "Create keys" button, then click OK.
F. Tell your IT help desk or Notes (Domino) administrator that you have completed the steps above and ask them to process the new key request.
NOTE: After your request is processed you simply need to restart Notes. FYI: The Notes (Domino) administrator must manually process your new key request using the "Requests - Certify New Key Requests" view in the "Administration Requests" (admin4.nsf) Notes app.




2. Upgrade IBM Notes ID file encryption strength (used for password and encrypting local Notes apps)

A. Open Notes.
B. Click File - Security - User Security from the top tool bar menu, then type your password.
C. Click "Change Password" button as seen below, then type your password.



D. Enter your current password (or new password) twice as seen below.
E. Change the Encryption Strength to the highest number available (the bottom selection), i.e. 256 bit AES and SHA-512.
NOTE: You will not see the "SHA-512" and "SHA-256" options below unless you upgrade to at least Notes 9. You will not see the "256 bit AES" and "128 bit AES" options below unless you upgrade to at least Notes 8.0.1.
F. Click OK - OK.



NOTE: If you use Notes on multiple computers, you must copy and replace your Notes ID on your other computers after you follow all the steps above. However, you must first wait until the IT help desk or Domino administrator instructs you to restart Notes. FYI: The Notes (Domino) administrator must first manually process your request after step 1F above using the "Requests - Certify New Key Requests" view in the "Administration Requests" (admin4.nsf) Notes app.
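Step 2E chooses how the key that encrypts the ID file is derived from the password: the article lists "256 bit AES with iterated HMAC-SHA1" for 8.0.1 and iterated HMAC-SHA256/SHA512 for Notes 9. The block below is an added illustration, not IBM's code and not the real ID file format, of what such a password-derived key looks like using the standard PBKDF2 iterated-HMAC construction from Python's hashlib. The iteration count, the salt size, the key-check value and the record layout are all assumptions made for this example; Notes's actual parameters are not given in the article.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# "256 bit AES" means a 32-byte key is derived from the password.
KEY_BYTES = 32

# Iteration count and salt size are assumptions for this example, not Notes's values.
ITERATIONS = 100_000
SALT_BYTES = 16

# Dialog option (as named in step 2E) -> hash used inside the iterated HMAC.
PRF_BY_OPTION = {
    "SHA-1": "sha1",       # 8.0.1 and later
    "SHA-256": "sha256",   # 9 and later
    "SHA-512": "sha512",   # 9 and later
}

# Fixed label used only to produce a key-check value (assumed, not a Notes detail).
KEY_CHECK_LABEL = b"id-file-key-check"


def derive_id_key(password: str, salt: bytes, hash_option: str,
                  iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit key from the password with iterated HMAC (PBKDF2)."""
    prf = PRF_BY_OPTION[hash_option]
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def protect(password: str, hash_option: str) -> Dict[str, object]:
    """Simulate the header an ID file would need to store so the key can be
    re-derived later: salt, hash option, iteration count, and a key-check value.
    The key itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    key = derive_id_key(password, salt, hash_option)
    check = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "hash_option": hash_option,
            "iterations": ITERATIONS, "check": check}


def unlock(password: str, record: Dict[str, object]) -> Optional[bytes]:
    """Re-derive the key from the stored parameters; return it only if the
    key-check value matches (i.e. the password was right)."""
    key = derive_id_key(password, record["salt"], record["hash_option"],
                        record["iterations"])
    check = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    if not hmac.compare_digest(check, record["check"]):
        return None
    return key


if __name__ == "__main__":
    record = protect("correct horse battery staple", "SHA-512")
    print("key bits:", len(unlock("correct horse battery staple", record)) * 8)
    print("wrong password unlocks:", unlock("not the password", record) is not None)
```

The point of the iterated HMAC is that every guess at the password costs the full iteration count, which is why the newer SHA-256/SHA-512 options combined with a stronger password raise the cost of attacking a copied ID file; the 64-bit RC2 setting the article warns about has no such protection of comparable strength.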


Reference Sources

CA key rollover not recommended in large organizations
In Domino 8, administrators can assign a new set of public and private keys to a Domino certificate authority (CA), which are used to certify the keys of OUs, users and servers in that organization.

Creating a new Notes public key and adding it to the Domino Directory
The process for creating a new IBM Notes public key differs, depending on which version of IBM Domino you use.

Configuring encryption for ID files
Any ID used with the current IBM Notes client benefits from the strong security provided by AES encryption.

Supported key sizes in Notes/Domino
Due to export restrictions, Notes ID files have always contained two RSA key pairs, one for "Domestic" use and one for "International" use. The domestic key was used when domestic versions of Notes communicated with each other, and the weaker international keys were used when an international version of Notes was involved.

The password quality scale
When creating passwords for user, server, or certifier IDs, you need to understand the criteria by which Domino measures password strength and security. Domino measures these criteria according to the level assigned on its password quality scale. The scale assigns a minimum level of quality to the password on an ID file. Domino bases the password quality on the number and variety of characters in the password.
