Design and Implementation of a Localized Security Extension for Lotus Domino/Notes

【Author】 徐伟

【Advisor】 李大兴

【Author information】 Shandong University, Computer Software and Theory, 2006, Master's degree

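【Abstract (translated from Chinese)】 Lotus Domino/Notes is an excellent office collaboration platform developed by IBM. It covers three pillar functions (communication, group collaboration and peer coordination), provides a free development environment and supports a comprehensive set of standards, enabling people to work together efficiently. With its powerful functionality, simple administration and advanced, reliable security mechanisms, Lotus Domino/Notes has almost become a standard for groupware. It has been widely used in office automation deployments in China. Studying and extending its security mechanisms therefore meets a practical need and is of great significance.

Security control in the Lotus Domino/Notes system is characterized by powerful functionality, broad technical coverage, many levels of control and flexible configuration management. It has distinctive security features: many cryptographic techniques, such as public-key encryption and symmetric-key encryption, digital signatures and digital certificates, are used to ensure the reliability and integrity of data, and together they form the Notes security mechanism. Its security architecture has multiple layers, each with corresponding security controls. Identity authentication is an important link in this architecture, and its security is based on X.509 digital certificates.

In practice, however, to meet the requirement for autonomy in the security technology used in software and to overcome some weaknesses of Lotus Notes' own security mechanisms, a localized security extension scheme was designed and implemented for the R5 release. The Lotus Domino/Notes localized security extension is based on PKI technology and integrates smart cards, digital signatures, digital envelopes and LDAP. It targets the mainstream Lotus Notes 5X platform and is extensible so that it can be ported to later versions. The security extension consists of three parts: user login security, the SSL secure channel and mail security.

In Lotus Domino Notes R5, the security of user login depends on the user ID file. The localized security extension adds smart cryptographic card technology. The smart cryptographic card stores the user certificate and a secure random number that serves as the password of the user ID file. During login, the user must present the ID file, the smart cryptographic card and the PIN in order to log in successfully, and verification of the user's personal certificate is added to the authentication process, which strengthens the security of Notes login and its resistance to dictionary attacks. Lotus Domino/Notes provides an SSL channel based on 512-bit RSA key pairs; to strengthen security, we replace the Domino server's web service with the IIS service. By localizing IIS, SSL channel security with 1024-bit key pairs is achieved. Mail is protected using digital envelopes and LDAP. The design defines a secure mail message, using the personal certificate issued to the user by a third-party CA and stored on the smart cryptographic card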

【Abstract】 Lotus Notes and Domino are groupware products from IBM. As an integrated collaborative environment, the Lotus Notes client and the Lotus Domino server combine enterprise-class messaging and calendaring and scheduling capabilities with a robust platform for collaborative applications. As a solution built on an open, unified architecture, they are widely used and have become the standard for multifunctional office platforms. They now serve as the OA platform for many companies and enterprises in China. It is therefore both necessary and meaningful to study their security system and to build our own security extension on them.

The Lotus Domino/Notes system has many features in security control, such as powerful functionality, broad technical coverage, multi-level control and flexible configuration management. It uses many cryptographic techniques, including public-key encryption and symmetric-key cryptography, digital signatures and digital certificates. These techniques are used to ensure data reliability and integrity, and thus form the Notes security mechanisms. Its security system has multiple levels, and each level has corresponding security control measures. Authentication is an important component of its security system, and its security depends on X.509 certificates.

Though the security architecture is powerful and complex, it is not perfect. In fact, nothing is absolutely secure. When using software, we cannot rely completely on the security it offers, and security flaws have also been found in Lotus Notes. We should therefore build our own security extension, to ensure our security and to take an active role in it. Our security extension is based on PKI and integrates smart card, digital signature, digital envelope and LDAP technology.

The security extension mainly targets Lotus Domino/Notes R5.0, and its three aspects are user authentication, transmission security and email/document security. The user ID is the Notes ID for a Lotus Notes user; the ID file contains important information, and the password assigned to a user during registration is a mechanism to protect access to the Notes ID file. To defeat dictionary or brute-force attacks on ID file passwords and to reduce the risk of password capture, we use an intelligent key in our extension. When a user logs on, he must provide the key's PIN, the right certificate and the ID file. Lotus Domino/Notes implements the SSL protocol to achieve internet security.

  • 【Online publication contributor】 Shandong University
  • 【Online publication year/issue】 2006, Issue 12
  • 【Classification code】 TP309; TP317.1
  • 【Citations】 1
  • 【Downloads】 80