Wednesday, 9 May 2018

Upgrade Notes Domino HTTP Passwords in the Domino Directory to Version 3 (V3)


During the past period, in addition to my developer tasks, I have also been assigned the administrator tasks for Notes Domino. For some of these tasks I use the Ytria EZ Suite Complete tools, like scanEZ. One of the tasks that I recently performed is the upgrade of the HTTP Passwords in the Domino Directory to version 3 (V3). I was made aware of this point by following the Ytria Webcast Your Guide to Modern Defense Tactics and Risk Mitigation for a Secure IBM Domino Environment.

First I used Ytria scanEZ to make an inventory of the current HTTP Password versions in the Domino Directory. In my case the HTTP Passwords were all Version 2, introduced in Domino version 6. You can view a great demo by Ben Menesi in the Ytria Webcast.

Currently there are 3 versions.

Version 1 (V1), (SEC_pwddigest_V1)
Used in Domino versions prior to version 6. The hash attributes for version 1 are as follows:
- Character set: 34 characters long, hexadecimal character set (A-F, 0-9), starts and ends in parentheses.
- Running the algorithm against the same plain text always results in the same cipher text.
- Can be invoked using the formula @Password("PlainTextValue") or, in LotusScript, Evaluate("Password(PlainTextValue)").
- Can be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue") or, in LotusScript, @Password("PlainTextValue")="CipherTextValue".

Version 2 (V2), (SEC_pwddigest_V2)
Introduced in Domino version 6, this is significantly more secure than version 1, primarily because it produces a salted hash value. The hash attributes for version 2 are as follows:
- Character set: 22 characters long, extended character set (A-Z including upper and lower case, 0-9 plus special characters), starts with "(G" and ends in ")".
- Can be invoked using the formula @Hashpassword("PlainTextValue").
- $SecurePassword item with value of "1" present in documents with upgraded V2 hashes.
- Can only be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue").

Version 3 (V3), (SEC_pwddigest_V3)
This is the current, and latest, hashing algorithm that was made available for use as of Domino 8.0. The hash attributes for version 3 are as follows:
- Character set: 51 characters long, same character set as version 2 (A-Z including upper and lowercase, 0-9 plus special characters), starts with "(H" and ends in ")".
- Can only be invoked using the SECHashPassword3() API call.
- $SecurePassword item with value of "2" present in documents with upgraded V3 hashes.
- Can only be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue").
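
The length and prefix attributes listed for the three versions are enough to take an inventory of exported HTTP password values, similar to the scanEZ inventory mentioned at the start of this post. The Python script below is an added example, not part of the original post and not code from Ytria or IBM; the function names, the sample records and the loose match on the V2/V3 body are assumptions.

```python
import re
from collections import Counter

# Patterns follow the hash attributes listed in this post; the lengths
# include the surrounding parentheses. The post only says "special
# characters" for V2/V3, so the body is matched loosely (assumption):
# any character except whitespace and parentheses.
PATTERNS = [
    ("V1", re.compile(r"\([0-9A-F]{32}\)")),   # 34 chars, hexadecimal
    ("V2", re.compile(r"\(G[^\s()]{19}\)")),   # 22 chars, starts with "(G"
    ("V3", re.compile(r"\(H[^\s()]{48}\)")),   # 51 chars, starts with "(H"
]


def classify(value):
    """Return V1, V2, V3, EMPTY or UNKNOWN for one stored password value."""
    value = value.strip()
    if not value:
        return "EMPTY"
    for version, pattern in PATTERNS:
        if pattern.fullmatch(value):
            return version
    return "UNKNOWN"  # wrong length or prefix: review manually


def inventory(records):
    """Count versions and list the entries that are still on V1 or V2."""
    counts, pending = Counter(), []
    for name, value in records:
        version = classify(value)
        counts[version] += 1
        if version in ("V1", "V2"):
            pending.append((name, version))
    return counts, pending


# Constructed sample export (name, stored value); not real hashes.
SAMPLE = [
    ("CN=Alice Example/O=Acme", "(" + "0123456789ABCDEF" * 2 + ")"),
    ("CN=Bob Example/O=Acme", "(G" + "aB3/" * 4 + "xYz" + ")"),
    ("CN=Carol Example/O=Acme", "(H" + "aB3+" * 12 + ")"),
    ("CN=Dave Example/O=Acme", ""),
    ("CN=Erin Example/O=Acme", "(Gtooshort)"),
]

if __name__ == "__main__":
    counts, pending = inventory(SAMPLE)
    print(dict(counts))
    for name, version in pending:
        print(f"{name}: still {version}, upgrade to V3")
```

Running the same check again after the upgrade steps should leave the pending list empty.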

The following steps can be followed for updating the HTTP Passwords in the Domino Directory to Version 3. Note: the HTTP Passwords themselves are not changed by the upgrade.
- Open the Domino Directory (names.nsf) application
- Select Menu Actions - Edit Directory Profile


- Select the Field 'Use more secure Internet Passwords'.
- Next select the option 'Yes, Password verification release 8.01 or greater'


- Next select Save and Close to save the change.


To actually upgrade the HTTP Passwords to Version 3, select all Person documents in the People view of the Domino Directory.

- Select Menu Actions - Upgrade to More Secure Internet Password


- Select the Option Yes - Password verification release 7.01 or greater


The HTTP Passwords have now been upgraded to Version 3 (V3).

For more information see also the blog post Deep Dive into IBM Domino Security Part 1: Password Hashes by Ytria.
