Re: Re: How are roaming id-files encrypted?

Dear Mr Heisterberg,

Our development team have released the following information about the encryption method of the ID file.
This is the Text which they sent back to me:

“Double encryption is chosen to securely deliver an ID file to the roaming user. It is a client–server interaction, where the password the client enters is not necessarily the password that is used to unlock the ID file.

This action can only be fulfilled together with the server. For basic concepts please see the “Bellovin-Merritt Encrypted Key Exchange protocol”. It is implemented differently, but this will give you an idea of what is going on. Diffie-Hellman was chosen as the encryption algorithm itself.”

I also have to advise you that the only supported configuration for Roaming Users is to upgrade the users via the information in the Administration help guide.
If a problem arose with Roaming Users where the configuration used was not done as per the Admin help, we would be unable to provide assistance.

Kind Regards,
Xxxxxx Yyyyyyy
Software Engineer – Lotus EMEA Support

Apart from the fact that the references to the algorithms in the response are erroneous, I guess I have to accept the answer. Just for the record – Diffie-Hellman is not an encryption algorithm but an algorithm to securely establish a session key across an insecure network; whatever actually encrypts the ID file in transit has to be a separate symmetric cipher keyed from that session key.
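To make the distinction concrete, here is an added illustration (my own constructed example, not Lotus/IBM code and not a description of how Notes actually implements it) of the layered delivery the support answer sketches: the ID file is protected under a key derived from the user's password (inner layer), and that blob is wrapped for transport under a session key that both sides agree with Diffie-Hellman (outer layer). Only the public DH values and the wrapped blob cross the wire, and the transport key never is. The group prime is my transcription of the 1024-bit MODP group from RFC 2409 (checked at runtime with Miller-Rabin; too small for real use today), and the symmetric cipher is a toy SHA-256 keystream with an HMAC tag, standing in for AES so the script needs only the standard library.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group ("group 2") from RFC 2409, generator 2. Assumed
# transcription, validated by is_probable_prime(); below modern minimums.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used here to check the transcribed group prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Private exponent plus the public value that is sent to the peer."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    # Reject degenerate public values (0, 1, P-1) that force a trivial secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")


def derive_key(secret, label):
    """Raw DH secret -> fixed-size key bound to a purpose label."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def password_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream_xor(key, nonce, data):
    # Toy cipher: SHA-256 counter-mode keystream XORed into the data.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return _keystream_xor(key, nonce, ct)


def roaming_exchange(id_file, user_password, client_password=None):
    """Both ends of the delivery in one function. Returns the recovered ID file.

    Server: inner layer under the user's password, outer layer under the DH
    session key. Client: agrees the same session key from the public values,
    strips the outer layer, then opens the inner layer with the typed password.
    """
    client_password = user_password if client_password is None else client_password
    salt = secrets.token_bytes(16)                       # server side
    inner = seal(password_key(user_password, salt), id_file)
    srv_priv, srv_pub = dh_keypair()
    cli_priv, cli_pub = dh_keypair()                     # client side
    srv_key = derive_key(dh_shared_secret(srv_priv, cli_pub), b"roaming-transport")
    outer = seal(srv_key, salt + inner)                  # on the wire: srv_pub, outer
    cli_key = derive_key(dh_shared_secret(cli_priv, srv_pub), b"roaming-transport")
    payload = unseal(cli_key, outer)
    return unseal(password_key(client_password, payload[:16]), payload[16:])
```

Running `roaming_exchange(b"...", "password")` returns the original bytes; a wrong password at the client, or a byte flipped in either layer, raises `ValueError` from the HMAC check rather than yielding garbage. The point of the two layers is that the transport key is ephemeral and never stored, while the inner key is the one the user's password actually controls.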

However, after another round of clarifying questions with Lotus Support, it is clear that any attempt to automate the process of pre-creating the roaming user databases on the server will be totally unsupported by Lotus. The only way is to manually mark users for roaming, which leaves some room for improvement, I’m afraid, though I understand Lotus’ position.

I guess it’s back to the drawing board now to find a way to automate the migration process to roaming as much as possible and to make it as easy for existing users as possible. During my research I did find a method in the Notes C API (SECAttachIdFileToDB()) that might be of interest to some – the customer I am researching this for will probably not go so far as to do C API development.

To end on a positive note. Enabling roaming for new users isn’t an issue since it’s simply a matter of checking a box in the registration dialog. That’s easy! 🙂

Further reading:

Published by lekkim
