LTPA token are widely used in the IBM world for authentication between different physical machines, also known as WebSSO. There are
two three types available, LTPA1, LTPA2 and a Domino format.
LTPA1 and LTPA2 are commonly used with WebSphere, and Domino can import the keys to work with this kind of token. The Domino version of LTPA is normally used in the Domino world, and that’s the token I will write about.
First, what is a Domino LTPA token in general? It is a BASE64 encoded String containing the information about the user, including some timestamps. To avoid a security problem, the token is hashed and then encrypted (see here: LTPA versions and token formats).
So let’s look into a real world example. Here is a LTPA Domino token from my server*:
As you can see, there is my username insinde of the token. And at this point I am a little bit confused, because the IBM writes in the linked article above:
Domino uses a shared key and SHA-1 to calculate a MAC over the content. After the MAC is attached, the user data and MAC are encrypted with a 3DES key obtained from the LTPA key file.
Maybe it is because I have super powers which allow me to decrypt the 3DES encrypted userdata in my brain. But I think it is just a wrong information, and the userdata are not encrypted with 3DES.
This does not make the LTPA token unsafe, there is still a SHA-1 hash which protects the userdata from beeing changed in a text editor. Let’s look how the token is build up:
Anatomy of LTPA Domino Token
|Byte||0-3||4-11||12-19||20 – ?||? – ? + 20|
Header (4 Bytes)
Creation & Expiration (each 8 Bytes)
These values are Java Dates stored as Long value.
Username (Length different)
A string containing the abbreviated form of the current username. The length varies.
Hash (20 Bytes)
A SHA-1 hash, 160 Bits long. The hash is generated by adding the LTPA secret at the end of the userdata; the result is added to the end of the LTPA token.
The problem with LTPA Domino token is the use of an insecure hash algorithm. We had to change all SSL certificates because of it, the NIST has deprecated it in 2011. And the 3DES encryption is a myth.
But we are still protecting our infrastructure with this weak algorithm…
*: no, it’s not 😉