SECURING


Encryption standards

IBM® Domino® observes a number of encryption standards, in particular, standards that are required or regulated by the Federal Information Processing Standard (FIPS).

Federal Information Processing Standard (FIPS) 140-2 certification

The Federal Information Processing Standard (FIPS) regulates cryptography and the use of cryptographic libraries. Cryptographic libraries, not the applications that use them, can be FIPS 140-2 certified. The cryptographic libraries provided with IBM Notes® and Domino are FIPS 140-2 certified (GSKit-Crypto 8) on all platforms except Macintosh OSX and IBM i.

For more information, see the Web article on cryptographic modules listed in the related topics.

AES algorithm

The Advanced Encryption Standard (AES) algorithm is available for use with some encryption features on Windows™, AIX®, and Linux™. The AES algorithm is widely used and is approved by Federal Information Processing Standard (FIPS) 140-2. For more information on features that AES is available for in specific releases of Domino, see the Notes and Domino wiki article on key sizes in the related topics.

Note: Although the cryptographic libraries on platforms other than Windows and AIX are not FIPS 140-2 certified, those libraries nevertheless include the FIPS 140-2 approved AES algorithm.

Secure Hash Algorithm (SHA-2)

The Secure Hash Algorithm (SHA-2) is available for use with some encryption features on Windows, AIX, and on Linux, where SHA-2 is part of the new GSKit library that supports the algorithm. SHA-2 is widely used and is approved by Federal Information Processing Standard (FIPS) 140-2, to assist in compliance with government mandate NIST 800-131. SHA-2 is currently available to use for X.509 certificate signature verification and S/MIME signed mail, and some areas of Notes/Domino where a password such as the Internet (HTTP) password were previously "hashed." For more information on hashing, see the related topic on electronic signatures.

No Domino configuration is required to make use of SHA-2. When Notes client users receive S/MIME messages encrypted using the algorithm, SHA-2 is listed in the Document Encryption and Signing Properties box that a client user can open by clicking the Signature or Encryption icon in the Notes client status bar.

Tip: It is recommended that the Domino administrator use RSA-2048 and AES-128 with SHA-2. To do so, set all client user's ID files to use 2048-bit RSA keys, and configure all Person documents with the setting Can decrypt documents using FIPS 140-2 approved algorithms in order to ensure AES-128. For more information, see the related topic on configuring AES encryption:

Transport Layer Security (TLS) protocol

Transport Layer Security (TLS) is a cryptographic protocol based on the Secure Sockets Layer (SSL) specification.

Domino has the option of running the IBM HTTP Server (IHS) on the same Windows computer as a Domino HTTP server; the purpose of this enhancement is to support the Transport Layer Security (TLS) protocol.

A pass-through reverse proxy module named mod_domino is provided to forward HTTP requests to the Domino HTTP server. The pass-through reverse proxy module creates the context necessary to have the Domino HTTP server provide the HTTP request context expected by Domino Web applications, as if the Domino HTTP server were in direct contact with the browser client. When the proxy module is enabled, the IHS server functions as an intermediate node between the network and the Domino server.

For more information on installing the module that supports TLS, see the related topics.

Related concepts
Electronic signatures

Related tasks
Configuring encryption for ID files
Configuring AES for mail and document encryption
Creating a Web SSO configuration document
Modifying SSL cipher restrictions
Installing the IBM HTTP server module to support TLS

Related information
Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules
Supported key sizes in Notes/Domino