The abstract structure of Lotus Notes databases can be presented as follows. A database contains several documents and one document consists of several document fields. The fields contain the actual data. If databases contain data with an increased protection requirement, then this can be protected using encryption. Encryption can either be applied at database level - in which case the entire contents of the database are encrypted - or, if the database contains data having different protection requirements, to individual document fields. For example, in a product database the fields containing certain cost prices could be kept encrypted. Encryption is not carried out at document level. The storage location of a database - on the server or locally on the client - will have a critical effect on the encryption possibilities.
The aspects described below must be considered for the two types of encryption.
Database encryption
Database encryption protects databases against attacks at file level.
A database can only be encrypted for precisely one Notes ID. The database can then only be accessed under that Notes ID. This has the following consequences:
Databases which are stored on the server can only be encrypted with the server ID (since ultimately the server is accessing the database using the server ID on behalf of a client). In this case encryption cannot be used to make the database contents accessible to only one user.
Databases which have been replicated from the server to a client or created locally can be encrypted with (any) user ID. This requires access to the relevant ID and its password. The database can then be accessed (locally) only under that user ID. If the database is copied back to the server, it will no longer be held there encrypted with the user ID: if the copy on the server is encrypted with the server ID, it will continue to be encrypted in that way; if the database is not encrypted on the server, the data will be stored unencrypted.
The degree of encryption can be set to three different levels:
"Simple": a simple Notes-internal encoding is used.
"Medium": a Notes proprietary stream cipher procedure is used.
"Strong": a Notes-specific procedure based on RC2/RC4 is used.
Use of the "Simple" encryption level cannot be recommended for confidential data.
Databases which are encrypted with either of the "Medium" or "Strong" encryption levels cannot be stored in compressed format.
With database encryption, the data is transmitted between server and client unencrypted using the Notes protocol. The transmission must therefore be protected against interception by additional means (on this point see also S 5.84 Use of encryption procedures for Lotus Notes communication).
Field encryption
Field encryption allows protection against attacks at file system level and also offers protection against unauthorised viewing by the Administrator.
The fields must be defined as encryptable in the database design.
It is only possible to encrypt/decrypt all the encryptable fields in a document simultaneously.
Encryption/decryption is performed by the client. The encrypted data is therefore sent in encrypted form from the server to the client.
Both symmetric and asymmetric keys can be used for field encryption.
Several keys (symmetric and asymmetric) can be used simultaneously, so that the encrypted data is readable for several users.
Symmetric keys can be generated by any user with the Notes client. The following recommendations should be considered with regard to key exchange:
For groups the common secret key must be distributed by a secure route. The Notes client provides an e-mail-based facility for transmitting keys in protected form.
Alternatively, it is possible to export the key to an (initially unprotected) file. This file can be encrypted with a password and hence protected against unauthorised access. However, the password must be communicated to the recipients of the file by a secure route.
The recipient of such a key can be prevented by an appropriate option from passing it on to third parties, so that use of the key can be limited to the recipient.
Where asymmetric keys are used, the fields are encrypted with the public Notes keys of the users who are to access the field contents; these public keys are obtained from the Name and Address Book.
Steps must be taken to ensure that the fields requiring encryption are encrypted with at least one key of the users who will have to access the encrypted field contents.
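The field encryption rules above (fields flagged as encryptable in the design, all such fields encrypted in one step by the client, several keys attached so that more than one group can read the data, and a check that at least one suitable key is present before the document is stored) can be exercised from a LotusScript agent. The following agent is an added example, not code from the BSI catalogue or from IBM/HCL; it assumes a form "Product" with the fields "CostPrice" and "SupplierTerms", two secret encryption keys named "PurchasingKey" and "ControllingKey" that already exist in the current user's ID file, and that the document's key list is stored in the reserved item "SecretEncryptionKeys" (key and field names are constructed for the example).

```lotusscript
' Added example (not from the BSI text or from the Notes product documentation).
' Applies field encryption to one document with two secret keys and verifies,
' before saving, that every field requiring protection is actually flagged
' for encryption and that at least one encryption key is attached.
' Assumed: form "Product", fields "CostPrice"/"SupplierTerms", secret keys
' "PurchasingKey"/"ControllingKey" present in the user's ID file.

Option Declare

' Fields that must never be stored in clear (constructed list for this example).
Const SENSITIVE_FIELDS = "CostPrice,SupplierTerms"

' Returns True only when every sensitive field exists, carries the encrypted
' flag, and the document names at least one secret encryption key.
Function FieldsProtected(doc As NotesDocument) As Boolean
    Dim names As Variant
    Dim item As NotesItem
    FieldsProtected = False
    names = Split(SENSITIVE_FIELDS, ",")
    ForAll fieldName In names
        Set item = doc.GetFirstItem(fieldName)
        If item Is Nothing Then Exit Function        ' field missing: cannot be protected
        If Not item.IsEncrypted Then Exit Function   ' field would be saved in clear
    End ForAll
    ' Assumption: EncryptionKeys is backed by the reserved item SecretEncryptionKeys;
    ' without it, Encrypt has no key to encrypt the flagged fields with.
    If Not doc.HasItem("SecretEncryptionKeys") Then Exit Function
    FieldsProtected = True
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim doc As NotesDocument
    Dim item As NotesItem
    Dim keys(1) As String

    Set db = session.CurrentDatabase
    Set doc = db.CreateDocument
    Call doc.ReplaceItemValue("Form", "Product")
    Call doc.ReplaceItemValue("ProductName", "Widget")    ' non-sensitive, stays in clear

    ' Mark the sensitive fields as encryptable (the design may already do this).
    Set item = doc.ReplaceItemValue("CostPrice", 12.5)
    item.IsEncrypted = True
    Set item = doc.ReplaceItemValue("SupplierTerms", "net 30 days")
    item.IsEncrypted = True

    ' Attach two secret keys: a holder of either key can read the encrypted fields.
    keys(0) = "PurchasingKey"
    keys(1) = "ControllingKey"
    doc.EncryptionKeys = keys

    ' Refuse to store the document if the protection rules are not met.
    If Not FieldsProtected(doc) Then
        Error 1000, "Sensitive fields are not fully prepared for encryption"
    End If

    Call doc.Encrypt           ' encrypts all items flagged IsEncrypted in one step
    Call doc.Save(True, False)
End Sub
```

The check in FieldsProtected is deliberately run before Encrypt and Save: once the document is saved, a field that was left unflagged is on the server in clear text, and the server ID (and hence the administrator) can read it regardless of which keys the other fields use. The check cannot confirm that the named users actually hold "PurchasingKey" or "ControllingKey", since that information lives in their ID files; that part of the requirement has to be covered by the key distribution procedure.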
Note. The use of "hidden paragraphs", i.e. text fields which are not displayed, is not a suitable way of protecting sensitive data. It is possible to view them, for example in the Properties dialogue of a database or with Notes Designer.
Depending on the type of information stored in a database and the related requirements of confidentiality and integrity, it might be necessary to encrypt this data. The boundary conditions should be defined, e.g. in the security guidelines for Lotus Notes (see S 2.207). The users must be informed of the functioning and protection mechanisms involved in the encryption of Lotus Notes databases.
Additional controls:
Does a concept for the encryption of Lotus Notes databases exist?
Have the responsible persons been briefed on proper key management?