Dear all

I'm in need of an explanation of secure websites and authenticated
certificates. I believe that my understanding is particularly flawed....

What I understand is as follows - please comment/correct:

When one wants to set up a secure web site, one has to generate a
certificate. The "level" of security is obviously based on the bit length.
The copy on my workstation offers anywhere between 512 and 4096 bit
encryption. There's also a check box for "server gated cryptography" which
I don't understand.

My understanding of the "hand-shake" process is as follows. The browser
connects to the secure site which then sends it the public key. The browser
then generates a session key which is encrypted using the public key and
returned to the secure site which decrypts it using the private key. Both
server and browser are then aware of the session key for encrypting data.

If one really requires good security then one should choose the biggest bit
length available, but this obviously will affect performance. Presumably,
this only will be an issue for the initial encryption/decryption of the
session key; once the session key is used then the bit length of the
private/public key is irrelevant. I'm assuming that the bit length of the
private/public key will have no effect on the bit length of the session
key - is that correct?

Does one have to worry about old browsers? If one chooses a high bit length
for the public/private key then will all browsers be able to handle it? If
not, what guidelines are available to choose the most appropriate bit
length?

Having chosen an appropriate bit length, one can then generate the
certificate. Having done this, one needs to have the certificate
authenticated to prevent those annoying boxes stating that the site may be
untrustworthy.

I understand that there are companies such as VeriSign who will authenticate
the certificate. They offer "pro" and "normal" options here. What does
this really mean? If you have chosen a long bit length then do you have to
choose the pro version or are the two things completely unrelated? I know
that the pro version is more expensive.... If I understand correctly, then
the authentication is also encrypted - the "pro" version uses a longer
encryption for the authentication.

Presumably, the highest security is offered by having the longest bit length
available for the private/public key and the highest level of encryption on
the authentication. However, how would a long bit length on the
private/public key with low authentication encryption compare with a short
bit length on the private/public key coupled with a high level of
authentication encryption?

I guess that I want to set up my server with a good level of security that
will be accessible by all our customers (browsers unknown) but I'd rather
not have to pay too much to a company such as VeriSign. Suggestions?

Many thanks in advance

Griff
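
An added illustration, not part of the thread, of the handshake Griff describes: RSA key
transport, where the browser picks a random session key, encrypts it to the public key
from the server's certificate, and the server recovers it with the private key. It uses a
small home-made RSA (with the PKCS#1 v1.5 padding SSL's RSA key exchange uses) rather than a
real TLS stack, and `handshake` takes the RSA modulus size and the session key size as two
separate parameters, which is exactly the independence the post asks about.

```python
import os, random
# Miller-Rabin probable-prime test: fine for a demo, not a production prime generator.
def is_probable_prime(n, rounds=32):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False                      # found a witness that n is composite
    return True

def gen_prime(bits):
    while True:                               # odd candidate with the top bit set
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

# Server key pair ((n, e), (n, d)); modulus_bits is the "bit length" the post asks about.
def gen_rsa_keypair(modulus_bits):
    e = 65537
    while True:
        p, q = gen_prime(modulus_bits // 2), gen_prime(modulus_bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == modulus_bits:
            return (n, e), (n, pow(e, -1, phi))

# EME-PKCS1-v1_5 type 2 block (what SSL RSA key exchange uses): 00 02 <non-zero random> 00 <msg>
def pkcs1_v15_pad(msg, k):
    ps = bytes(b for b in os.urandom(4 * k) if b)[: k - len(msg) - 3]
    return b"\x00\x02" + ps + b"\x00" + msg

def rsa_encrypt(pub, msg):
    n, e = pub
    return pow(int.from_bytes(pkcs1_v15_pad(msg, (n.bit_length() + 7) // 8), "big"), e, n)

def rsa_decrypt(priv, ct):
    n, d = priv
    em = pow(ct, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    if em[:2] != b"\x00\x02":                 # a real server must not leak this check's outcome
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]

# RSA key transport as the post describes: browser picks the session key, encrypts it to the server.
def handshake(modulus_bits, session_key_bits=128):
    server_pub, server_priv = gen_rsa_keypair(modulus_bits)  # key pair behind the certificate
    session_key = os.urandom(session_key_bits // 8)          # size set by the cipher, not by RSA
    wire = rsa_encrypt(server_pub, session_key)              # the only public-key operation
    return session_key, rsa_decrypt(server_priv, wire)
```

Running `handshake(512)` and `handshake(1024)` both yield a 16-byte session key; only the cost
of the single RSA operation changes, and the bulk traffic afterwards depends on the cipher alone.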

Re: Secure website - explanation required. by Ken

Ken
Wed Mar 03 04:26:37 CST 2004

You've pretty much got the explanation correct. If you want an "official"
line to compare your notes against, Microsoft has the KB article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;257591

Cheers
Ken


"GriffithsJ" <GriffithsJ_520@hotmail.com> wrote in message
news:%23luh8gQAEHA.688@tk2msftngp13.phx.gbl...



Re: Secure website - explanation required. by GriffithsJ

GriffithsJ
Wed Mar 03 05:03:17 CST 2004

Hi Ken

Still rather unsure about which options to choose regarding bit length and
particularly regarding authentication by VeriSign (or equivalent
organisations).

Thanks

Griff



Re: Secure website - explanation required. by GriffithsJ

GriffithsJ
Wed Mar 03 06:42:32 CST 2004

Think I've worked out the solution....

VeriSign offer a "Pro" and a "normal" package. The former requires 1024 bit
keys, the latter accepts 1024 and 512 bit keys. The normal package will
allow 128 bit encryption with browsers that allow this (most do nowadays in
the UK).

So, I need to export a 1024 bit private/public key certificate from IIS, get
the far cheaper package from VeriSign (the non-Pro version) and will then be
offering 128-bit session key communication with all my customers, providing
they don't use the crippled 40-bit version of the browser.

Griff