• Messages sent to other users. Then an unauthorized user cannot read the message while it is in transit. You can also encrypt saved and incoming messages.
• Network ports. Encrypting information sent between a Notes workstation and a Domino server, or between two Domino servers, prevents unauthorized users from reading the data while it is in transit.
• SSL transactions. You can use SSL to encrypt information sent between an Internet client, such as a Notes client, and an Internet server, to prevent unauthorized users from reading the data while it is in transit.
• Fields, documents, and databases. Application developers can encrypt fields within a document, an entire document, and local databases. Then only the specified users can read the information.

For information on field, document, and database encryption, see Lotus Domino Designer 7 Help.

Public and private keys

For all types of encryption, Domino uses public and private keys so that data encrypted by one of the keys can be decrypted only by the other. The public and private keys are mathematically related and uniquely identify the user. Both are stored in the ID file. Within the ID file, the public key is stored in a certificate, but the private key is stored separately from the certificate. The certificate containing the public key is also stored in the Domino Directory, where it is available to other users.

Domino uses two types of public and private keys -- Notes and Internet. You use the Notes public key to encrypt fields, documents, databases, and messages sent to other Notes users, while the Notes private key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for S/MIME decryption. For both Notes and Internet key pairs, electronic signatures are created with private keys and verified with public keys.

You can use one set of Internet public and private keys or you can set up Notes to use a set of Internet keys for S/MIME signatures and SSL and another set for S/MIME encryption.

For information on dual Internet certificates, see the topic Dual Internet certificates for S/MIME encryption and signatures.

When you register a user, Domino automatically creates a Notes certificate, which contains the user's public keys, and adds it to the ID file and the Domino Directory. The private key is created and stored in the ID file. You can also create Internet public and private keys after user registration. Domino stores Internet certificates, which contain public keys, in the ID file and also in the Domino Directory. The Internet private key is stored in the ID file, separately from the certificate.

To create Notes public and private keys, Domino uses the dual-key RSA Cryptosystem and the RC2 and RC4 algorithms for encryption. To create the Internet public key, Domino uses the x.509 certificate format, which is an industry-standard format that many applications, including Domino, understand.

Both the Notes client and Domino server support 1024-bit RSA key and 128-bit symmetric key for S/MIME and SSL. The Notes proprietary protocols support the use of 630- and 1024-bit keys for key exchange, and use 64- and 128-bit keys for bulk data encryption.

Encryption strength

All Notes IDs contain two public/private key pairs. Prior to 5.0.4, key lengths were restricted for the purposes of encrypting data, but not for authentication or signing. Anything over 512-bit RSA key and 56-bit symmetric key was considered strong encryption and was not allowed for export by the U.S. Government. Customers were required to order and choose among kits of different cryptographic strengths.

With the relaxation of US government regulations on the export of cryptography, the Domino server and the Domino Administrator, Domino Designer, and Lotus Notes client products have consolidated all previous encryption strengths -- North American, International, and France -- into one strong encryption level resulting in a single "Global" release of the products. The Global release adopts the encryption characteristics previously known as North American. Strong encryption in Global products can be used worldwide, except in countries whose import laws prohibit it, or except in those countries to which the export of goods and services is prohibited by the U.S. government. Customers are no longer required to order Notes software according to cryptographic strength.

When you upgrade to a Global release of Domino and Notes, stronger cryptography will be used without a requirement to reissue existing IDs. These changes are seamless to users as well as administrators. When two different versions of software are communicating, the encryption negotiation will result in a step-down to the weaker level. Therefore, the full benefits of stronger encryption will only be realized when all software has been upgraded to the Global (release 5.0.4 and later) level. However, any mixed versions of the software will interoperate.

The "Register New User" dialog box still offers a choice between North American and International IDs. It was left this way because administrators often use the North American or International distinction for administration purposes, or there may be older versions of the software still in use in some companies. In addition, countries have their own import rules. Preserving this distinction will allow Lotus to respond to specific country changes, if required.

Note These regulations pertain only to export from the United States. For other countries with import regulations, customers need to check the requirements of the specific country. While Lotus takes all steps to acquiesce with governmental encryption regulations worldwide, Lotus recommends that customers familiarize themselves with local encryption regulations to remain in compliance.

Interoperability issues

• Support for ID types. Both North American and International ID types continue to be supported for the Global release. This is for backward compatibility with pre-5.0.4 clients. Lotus Notes users can keep their existing International IDs if the Global version of the software is installed. The Global version will automatically allow the use of stronger encryption. Browser users can keep their existing key ring, but users must follow the manufacturer's recommendations for upgrading the browser to stronger encryption.
• Interoperability with post-5.0.4 releases. If your organization's clients and servers are all running release 5.0.4 or later, it makes no difference whether you create North American or International IDs. Both types of ID will work the same way.
• Interoperability with pre-5.0.4 releases. Lotus Notes users, as well as Domino servers which have been upgraded to release 5.0.4 and later, can authenticate and continue day-to-day operations securely with clients and servers running on earlier releases of software. However, if your organization has clients or servers running releases earlier than Notes and Domino 5.0.4, you should continue to create the same types of IDs you created with the earlier versions. International versions of releases prior to 5.0.4 do not allow users to switch to North American IDs, so when registering new international users, you shouldn't create only North American IDs. Similarly, North American versions of earlier releases use weaker cryptography when running with International IDs, so you shouldn't create only International IDs.

See also

Mail encryption
Setting up SSL on a Domino server

Glossary

Help on Help

All Help Contents

Glossary

Help on Help