Notes Password Mystery

HCL Domino Domino Forum
1

Hi All ,

i checked the information on this thread link

http://www-10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/bb75dd9158a6c79c85256fab006d31a7?OpenDocument

" The password is not stored anywhere "

Now my doubt is , if password is not stored anywhere then how these two lines of code in notes.ini reveal the password in plaintext ?

code is :

KFM_ShowEntropy=1

Debug_Outfile=C:\testvowe.txt

I also want to know when we put the password in password prompt box for lotus notes what happen next ?

I read on this link

http://www-10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/c887540771c18ce985256fac00611f59?OpenDocument

" Notes will derive a key from the Notes password, and then use that key to decrypt the encrypted portions of the ID file. If the ID file decrypts successfully, then we know that the right key was used. How do we know that the decryption succeeded? Well, the most common technique involves the padding.

Many ciphers can only be used on data that is a multiple of their “block size” in length. For example, RC2, DES, and 3DES all have block sizes of 8 bytes, and AES is defined to use a block size of 16 bytes. However, most data doesn’t conveniently fall upon onto these boundaries – can you imagine how annoying it would be to send encrypted email if you program refused to send the message until it was the correct length? Therefore, the end of data that is being encrypted is typically padded out to the next block boundary – and an entire padding block is used if the end of the plaintext fell onto a block boundary. In the padding scheme defined in PKCS#5, each byte in the padding block is filled with the number of pad bytes used. With this padding scheme, if you decrypt a message, and the last byte is “0x05”, and the previous four bytes are also “0x05”, then you have a high degree of probability that the decryption succeeded - and you also know how much of the message was padding and can therefore be discarded. Notes doesn’t use PKCS#5 – we predate the PKCS series of specifications by quite a few years – but the same concept applies to the ID file. We decrypt the ID file using a key derived from the password, and if the padding matches and our internal checksums are correct, then we know that the correct password was entered."

I am new to domino envoirment i dont have that deep knowledge on this , i wll be greatful if any detailed explaintion can be provided on this from the scratch , like i dont how RC2 or Padding ( all about bit and bytes concept ) works ?

Educate me to know all the concept in details as i am very much excited about all these stuff. Any URL or Redbook will be very helpful for me

Looking forward for all positive replies

Vikalp

2

Subject: Notes Password Mystery

HiIBM have released a Technote indicating that the first debug line was inadvertently exposed as an aid to troubleshoot password changes.

Lotus Notes versions 8.0, 7.0.3 and all future versions will contain a fix that will remove the use of this undocumented debug variable.

Rm

3

Subject: RE: Notes Password Mystery

Hi

Ok i agreed that it is an aid to troubleshoot password change . But how actually it works ? what these 2 line of code works ?

If you could send me the URL for technotes which you mentioned in your post will be useful for me

Vikalp

4

Subject: Notes Password Mystery

If I understand the issue correctly, those .ini commands were for debuging the password change process, and would write out the new password as it was being changed (and so still available). It would not (and cannot) expose the current password, as that is never stored in the ID file.

5

Subject: RE: Notes Password Mystery

Hi

I tried it on my workstation , Once the password get change from the lous client it create the text file which have the new password in it . So my question is how its possible because

when we enter the password all hash algo concept come into picture.

So how come password revealed in it ? Hash dont work when we change password or what ?

Vikalp

6

Subject: RE: Notes Password Mystery

This is what’s happening as I understand it.

The user enters the new password

The password is written to the debug file

The password is used to create an encryption key (i.e. Hashed)

The password is then discarded - from this point on it’s no longer available or known

The key is used to encrypt the ID file

When you log onto Notes …

The user enters the a password

The password is used to create an encryption key (i.e. Hashed)

The key is used to attempt to decrypt the ID file

If it’s sucessfull (i.e. The correct number of padding characters is at the end of the decrypted version) the client presumes it has unlocked the file, and the user provided a correct password.

Note : Because the password is hashed, it is possible (although extreamly unlikelly) that the password could be different than the one used to lock the ID file.

Please note - the above is my understanding only - I have no special knowldege of the detailed process, and I may be mistaken in some points. I don’t think you will get precise and exact answers to the details in this forum. We’re only users of the product, not the developers.

7

Subject: Crypto primer

You’re looking for a bit more than just a redpaper – “how does RC2 work” involves a great deal of complex math. :slight_smile:

I’d recommend reading a book on cryptography – “Network Security: Private Communication in a Public World” by Charlie Kaufman, Radaia Perlman, and Mike Speciner is one of my favorites.

dave

8

Subject: RE: Crypto primer

Hi ,

Its really nice to have a word from you , it was your post on those URL which i mentioned in my earlier post which made me curious to know about the Domino Security in detail.

If you could please brief me about your post( who password hashing work )  in more simpler terms i think i wll grab more out of your mentioned book .

Thanks you in advance

Vikalp