Check public key for Notes IDs


Chuck Connell
12.04.2003

I previously wrote about the Domino/Notes Check password option. I made the point that this feature is widely overlooked but is useful for creating a secure computer system. The other feature that I consider similar is the Check public key option. It also applies to Notes ID authentication within Domino and can lead to a significant increase in overall system security. The feature is widely underutilized.

The Check public key feature causes Notes to perform an additional step during authentication of a Notes user. After verifying that the typed password unlocks the Notes ID file, Notes extracts the user's public key from the ID file and then passes this key to the Domino server. Domino compares the public key from the Notes ID file to the public key stored in the user's Person document in the Domino Directory (names.nsf). If the two public keys match, Domino believes that this Notes ID file is valid for this person. If the public keys do not match, Domino rejects the log-on attempt. The entire feature is turned on/off by the setting at Names.nsf / Server / Servers / Security / Compare Notes Public Keys. Unlike Check password, however, Check public key cannot be enabled on a per-user basis.

So how is this feature useful? How could the two copies of the public keys not match? Suppose someone in your organization has stolen a copy of the corporate certifier ID and he/she uses the certifier to create another Notes ID file for your name. This ID file is valid, in some respects, because it is certified by the true corporate certifier. But the ID files are different in that they have different public/private key pairs. (Whenever a new ID file is created, the key pair is unique.) So the bogus ID file will work to authenticate a rogue user as having your name, if the public key is not checked. When Check public key is enabled, the server will reject the bogus ID file because its public key does not match your real one.

Readers who have had their cappuccino this morning will notice a problem in the above scenario. Suppose someone steals a copy of your exact Notes ID file, perhaps by sitting down at your computer while you are at lunch. In this case, the public key in the stolen ID exactly matches your true public key. Will the Check public key option help in this case? Yes, it will -- if you suspect the theft has occurred. Any time you want, you can force Notes to create a new public key for your Notes ID and export this key to the server's public directory. Doing so invalidates the stolen copy of your ID, because it no longer has your current public key. To perform this operation, see Domino Admin Help / Index / Public Keys / Verifying / Creating a New Notes Public Key.
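
The scenarios above, worked through as an added example (not part of the original tip and not Domino code). It is a simplified model: an HMAC stands in for the certifier's signature, a random hash stands in for the public key, and the user name and certifier secret are constructed.

```python
import hashlib, hmac, os
from dataclasses import dataclass, replace

def certify(certifier: bytes, name: str, public_key: str) -> str:
    """Model of the certifier vouching for (name, public key). HMAC, not a real signature."""
    msg = f"{name}|{public_key}".encode()
    return hmac.new(certifier, msg, hashlib.sha256).hexdigest()

@dataclass
class NotesID:
    name: str
    public_key: str
    certificate: str

def create_id(certifier: bytes, name: str) -> NotesID:
    # Every newly created ID gets a unique key pair; a random hash models the public half.
    public_key = hashlib.sha256(os.urandom(32)).hexdigest()
    return NotesID(name, public_key, certify(certifier, name, public_key))

class Server:
    def __init__(self, certifier: bytes, compare_public_keys: bool):
        self.certifier = certifier
        self.compare_public_keys = compare_public_keys  # the "Compare Notes Public Keys" setting
        self.directory = {}  # name -> public key held in the Person document

    def authenticate(self, id_file: NotesID) -> bool:
        # Step 1: the ID must be certified by the organization's certifier.
        expected = certify(self.certifier, id_file.name, id_file.public_key)
        if not hmac.compare_digest(expected, id_file.certificate):
            return False
        if not self.compare_public_keys:
            return True
        # Step 2: the key in the ID file must match the key in the directory.
        return hmac.compare_digest(self.directory.get(id_file.name, ""), id_file.public_key)

def run_scenarios(compare_public_keys: bool) -> dict:
    certifier = b"constructed-certifier-secret"
    server = Server(certifier, compare_public_keys)
    real = create_id(certifier, "Jane Doe/Acme")          # constructed user
    server.directory[real.name] = real.public_key
    bogus = create_id(certifier, "Jane Doe/Acme")         # minted with the stolen certifier
    stolen = replace(real)                                # exact copy of the real ID file
    out = {"real": server.authenticate(real), "bogus": server.authenticate(bogus),
           "stolen_copy": server.authenticate(stolen)}
    rolled = create_id(certifier, real.name)              # owner creates a new public key
    server.directory[real.name] = rolled.public_key       # and publishes it to the directory
    out["stolen_copy_after_new_key"] = server.authenticate(stolen)
    out["real_after_new_key"] = server.authenticate(rolled)
    return out
```

With the comparison off, every ID in the model authenticates, including the bogus one and the stolen copy after the key change; with it on, only the IDs whose key matches the directory are accepted.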

For the reasons cited above, I encourage all my security customers to implement both Check password and Check public key. Used together, they close several holes in Notes/Domino related to stolen and bogus ID files.


Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes. CHC-3 allows companies to outsource their Domino administration needs via DominoAdministration.com and runs the popular security site DominoSecurity.org.
