Encryption
Encryption protects data from unauthorized access.
Using Notes® and Domino®, you can encrypt:
- Messages sent to other users. Then an unauthorized user cannot read the message while it is in transit. You can also encrypt saved and incoming messages.
- Network ports. Encrypting information sent between a Notes® workstation and a Domino® server, or between two Domino® servers, prevents unauthorized users from reading the data while it is in transit.
- Transactions over the Internet. You can use TLS to encrypt information sent between an Internet client, such as a Notes® client, and an Internet server, to prevent unauthorized users from reading the data while it is in transit.
- Fields, documents, and databases. Application developers can encrypt fields within a document, an entire document, and local databases. Then only the specified users can read the information.
For information on field, document, and database encryption, see HCL Domino® Designer Help.
Public and private keys
Domino® uses public and private keys so that data encrypted with one of the keys can be decrypted only with the other. The public and private keys are mathematically related and uniquely identify the user. Both are stored in the ID file. Within the ID file, the public key is stored in a certificate, but the private key is stored separately from the certificate. The certificate containing the public key is also stored in the Domino® Directory, where it is available to other users.
Domino® uses two types of public and private keys -- Notes® and Internet. You use the Notes® public key to encrypt fields, documents, databases, and messages sent to other Notes® users, while the Notes® private key is used for decryption. In practice the public key encrypts (wraps) a symmetric key generated for each item, and the data itself is encrypted with that symmetric key. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for S/MIME decryption. For both Notes® and Internet key pairs, electronic signatures are created with private keys and verified with public keys.
You can use one set of Internet public and private keys, or you can set up Notes® to use one set of Internet keys for S/MIME signatures and TLS and another set for S/MIME encryption.
When you register a user, Domino® can automatically create a Notes® certificate, which contains the user's public key, and add it to the ID file and the Domino® Directory. The private key is created and stored in the ID file. You can also create Internet public and private keys after user registration. Domino® stores Internet certificates, which contain public keys, in the ID file and also in the Domino® Directory. The Internet private key is stored in the ID file, separately from the certificate.
Notes® public and private keys are RSA key pairs: Domino® uses the dual-key RSA cryptosystem for key exchange and signing, and the RC2, RC4, and AES symmetric algorithms for encrypting the data itself. Internet public keys are carried in X.509 certificates, an industry-standard format that many applications, including Domino®, understand.
Both the Notes® client and Domino® server support registration of up to:
- 4096-bit RSA keys for both Notes® and Internet certifiers. You can also roll over existing Notes® certifiers with smaller keys to 4096-bit keys;
- 2048-bit RSA keys for user and server certificates;
- 256-bit symmetric keys for S/MIME and TLS.
The Notes® proprietary protocols support 630-, 1024-, 2048-, and 4096-bit RSA keys for key exchange, signing, and authenticating user identity, and 64-, 128-, and 256-bit symmetric keys for bulk data encryption. They can still use legacy 630-bit user keys that were created with earlier versions of Domino®.
Larger keys provide stronger protection against attack. It is harder to recover a private key from its public key, and harder to forge cryptographic signatures on documents, agents, forms, and email. A 630-bit RSA modulus is well within the size that has been publicly factored, and 1024-bit RSA is no longer recommended, so keys of those sizes that are still in use should be rolled over to 2048 bits or larger.
Encryption strength
The Domino® server and the Domino® Administrator, Domino® Designer, and Notes® client products use one strong encryption level -- Global. The Global release adopts the encryption characteristics previously known as North American. Strong encryption in Global products can be used worldwide, except in countries whose import laws prohibit it, or in those countries to which the export of goods and services is prohibited by the U.S. government. Customers are not required to order Notes® software according to cryptographic strength.