Tuesday, 26 July 2011

Admin Notes: Domino and Encryption

I often find myself running for this information, and I'm going to keep it here. That way, it may benefit someone else as well.

Lotus Domino Server/User ID

- RSA dual-key Cryptosystem and RC2, RC4 and AES algorithms for encryption

- RSA keys can be at any of the following strengths:

    - 630 bit (Domino R6+)

    - 1024 bit (Domino R7+)

    - 2048 bit (Domino R8+)

- RC4 algorithm key

    - 128bit (Domino R6+)

- RC2 algorithm key

    - 128bit (Domino R6+)

- AES algorithm key

    - 128bit (Domino R8.0.1+) (Required for FIPS)

    - 256bit (Domino R8.0.1+) (Required for FIPS) 


Lotus Network Encryption

- RC4 key

    - 128bit (Domino R6+)


Local Database Encryption

- RC2

    - 128bit (Domino 6+)

- AES

    - 128bit (Domino 8.0.1+ based on UserID/ServerID encryption level) (Required for FIPS)

    - 256bit (Domino 8.0.1+ based on UserID/ServerID encryption level) (Required for FIPS)


Internet User

- X.509 certificate


SSL Encryption

SSLv3 Cipher Settings

    - AES encryption with 128bit key and SHA-1 MAC

    - AES encryption with 256bit key and SHA-1 MAC

    - RC4 encryption with 128bit key and MD5 MAC

    - RC4 encryption with 128bit key and SHA-1 MAC

    - Triple DES encryption with 168bit key and SHA-1 MAC

    - DES encryption with 56bit key and SHA-1 MAC

    - RC4 encryption with 40bit key and MD5 MAC


(MAC is Message Authentication Code, which lets the receiver detect whether a message has been tampered with.)


Domino 8.0.1 and up support the Federal Information Processing Standard (FIPS) by using a FIPS 140-2 certified cryptographic library. This certification applies only to Domino encryption, not to SSL encryption. FIPS-certified SSL requires that a proxy server that meets the FIPS standard be placed in front of the Domino server.


Sources:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/supported-key-sizes-in-notesdomino

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/deploying-fips-140-2-certified-id-and-document-encryption

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_NOTES_AND_DOMINO_ENCRYPTION_2250_OVER.html

2 comments:

  1. Thanks, it may be useful to note which keys and algorithms are used for the generation of the random encryption key that encrypts a field or message body and the public/private key that is used to encrypt/decrypt the random key so that the message can in turn be decrypted. I find that many times the help text implies that the 2048-bit key pairs are used to encrypt a message, and you have to dig further. At least it explains why there are 2048 bit and 128/256bit keys.

  2. Thanx, very useful info!
