Skip to main content

Admin Notes: Domino and Encryption

I often find myself running for this information, and I'm going to keep it here.   That way, it may benefit someone else as well.
Lotus Domino Server/User ID

- RSA dual-key Cryptosystem and RC2, RC4 and AES algorithms for encryption

- RSA keys can be at any of the following strengths:

    - 630 bit (Domino R6+)

    - 1024 bit (Domino R7+)

    - 2048 bit (Domino R8+)

- RC4 algorithm key

    - 128bit (Domino R6+)

- RC2 algorithm key

    - 128bit (Domino R6+)

- AES algorithm key

    - 128bit (Domino R8.0.1+) (Required for FIPS)

    - 256bit (Domino R8.0.1+) (Required for FIPS) 


Lotus Network Encryption

- RC4 key

    - 128bit (Domino R6+)


Local Database Encryption

- RC2

    - 128bit (Domino 6+)

- AES

    - 128bit (Domino 8.0.1+ based on UserID/ServerID encryption level)  (Required for FIPS)

    - 256bit (Domino 8.0.1+ based on UserID/ServerID encryption level)  (Required for FIPS)


Internet User

- X.509 certificate


SSL Encryption

SSLv3 Cipher Settings

    - AES encryption with 128bit key and SHA-1 MAC

    - AES encryption with 256bit key and SHA-1 MAC

    - RC4 encryption with 128bit key and MD5 MAC

    - RC4 encryption with 128bit key and SHA-1 MAC

    - Triple DES encryption with 168bit key and SHA-1 MAC

    - DES encryption with 56bit key and SHA-1 MAC

    - RC4 encryption with 40bit key and MD5 MAC


(MAC is Message Authentication Code, which ensures that a message has not been tampered with.)

   


Domino 8.0.1 and up support the Federal Information Processing Standard (FIPS) by using a FIPS 140-2 certified cryptographic library.  This certification applies only for Domino encryption, not for SSL encryption.   FIPS certified SSL requires that a proxy server that meets the FIPS standard be placed in front of the Domino server.


Sources:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/supported-key-sizes-in-notesdomino

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/deploying-fips-140-2-certified-id-and-document-encryption

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_NOTES_AND_DOMINO_ENCRYPTION_2250_OVER.html

Comments

  1. Thanks, it may be useful to note which keys and algorithms are used for the generation of the random encryption key that encryptes a field or message body and the public/private key that is used to encrypt/decrypt the random key so that the message can in turn be decrypted. I find that many times the help text implies that the 2048Bit key pairs are used to encrypt a message, and you have to dig further. At least it explains why there are 2048 bit and 128/256bit keys.

    ReplyDelete
  2. Thanx, very useful info!

    ReplyDelete

Post a Comment

Popular posts from this blog

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security. Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence , which are a great read for anyone looking at updating or auditing your policies for completeness. The SANS top 20 controls are a must for any organization: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Maintenance, Monitoring, and Analysis of Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access Based on the Need to Know Continuous Vulnerability Assessment and Remediation Account Monitoring and Control Malware Defenses Limitation and Control

Fun Little Earthquake

It's 1:45pm EST in Ottawa, Ontario, Canada. We just had an earthquake.  Not strong enough to damage anything, but enough that I watched people run out of buildings. What a fun Wednesday.

Error 217 - Error creating product object on Domino 64 bit

I'd like to share something with you.   An error that you'll get if you are trying to use ODBC with Domino 8.5.1 64bit. It starts out with an agent error of Error 217.  The text of the error is "Error creating product object" You can read about it here on the Notes/Domino forum . You can find the solution here as well . I guess I'm now waiting for Domino 8.5.2 for a solution for this.   It would have been nice to have had this in the release notes.  It would have help me greatly.