Firewall Wizards mailing list archives
Re: Lotus Domino as an access control to internal network
From: Aleph One <aleph1 () dfw net>
Date: Fri, 27 Feb 1998 07:06:47 -0600 (CST)
On Thu, 26 Feb 1998, chuck wrote:
> RE Authentication in Notes: The Swedish(?) parliament was quite surprised to find that Notes' encryption uses a key escrow that the US Gov't has access to. Strangely, the country's legislative body was not excited to have the US be able to decrypt their information. Use of Notes was severely curtailed. Never heard the outcome of that, but it was making a splash in December....
This is very old news. They switched to this scheme back in 1996. Notes used 64-bit session keys. The export version encrypts 24 bits of the key using a special government RSA key. This means that the government still needs to brute force the 40-bit key. Note a few things: a) this only affects the export version; b) the approved export key size before this scheme was implemented was 40 bits. So in effect, even with the 24 bits in escrow, you are as secure as, or more secure than, if you used their earlier version of the software.
> > * The Notes server requires authentication.
> Passwords. Reusable passwords. No provision for OTP use.
The password only unlocks your RSA key. The session key is used to exchange a randomly generated session key. There is no need for one time passwords.
> > * When granted access to the server, clients will *only* have access at database level (subject to ACLs; review the defaults!), and not at file level.
> Review them and hope they work - you're betting your business secrets on it.
Isn't this true of any software (including firewalls)? You may wish to actually point out deficiencies in Notes instead of trying to deride it using cynical statements.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
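The key split described in the reply above (part of the session key encrypted under an escrow RSA key, the rest left to brute force), as an added example that is not part of the original post and is not Lotus code. Assumptions: the sizes are scaled from 64/24 bits down to 24/9 bits so the search finishes instantly, the RSA pair and the stream cipher are toys, and all function names are hypothetical.

```python
import hashlib
import secrets

# Scaled down so the search finishes instantly; the post's export scheme
# is 64-bit keys with 24 bits escrowed (same 3/8 proportion).
KEY_BITS, ESCROW_BITS = 24, 9
REMAINING_BITS = KEY_BITS - ESCROW_BITS   # 15 here, 40 in the post

# Toy RSA pair standing in for the escrow key (constructed, no security).
P, Q, E = 65521, 65537, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(key: int, data: bytes) -> bytes:
    """Toy stream cipher (assumption, not the Notes cipher); XOR, so it also decrypts."""
    stream = hashlib.sha256(key.to_bytes(KEY_BITS // 8, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

def make_escrow_field(key: int) -> int:
    """Encrypt the top ESCROW_BITS of the session key under the escrow public key."""
    top = key >> REMAINING_BITS
    pad = secrets.randbits(16) << ESCROW_BITS   # random padding above the escrowed bits
    return pow(pad | top, E, N)

def escrow_recover(field: int, ciphertext: bytes, known_prefix: bytes):
    """Escrow holder: decrypt the field, then brute-force only the remaining bits."""
    top = pow(field, D, N) & ((1 << ESCROW_BITS) - 1)
    for low in range(1 << REMAINING_BITS):
        key = (top << REMAINING_BITS) | low
        if encrypt(key, known_prefix) == ciphertext[:len(known_prefix)]:
            return key, low + 1                 # key and number of trials
    return None, 1 << REMAINING_BITS

if __name__ == "__main__":
    session_key = secrets.randbits(KEY_BITS)    # constructed sample key
    ct = encrypt(session_key, b"constructed sample message")
    key, trials = escrow_recover(make_escrow_field(session_key), ct, b"constructed")
    print(f"escrow holder: {trials} trials of at most 2^{REMAINING_BITS}")
    print(f"anyone else:   up to 2^{KEY_BITS} trials")
    assert key == session_key
```

The holder of the escrow private key searches only the unescrowed bits, while everyone else faces the full key length.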