IIS Server Security - AES 256-bit Certificate

Nick

2005-03-23, 2:52 am

I am seeing that many websites are using AES-256 bit certificates. Is there
a way to generate these using Windows 2000 Certificate Server? If it is not
offered in 2000, is it available in 2003 Server?
WenJun Zhang[msft]

2005-03-23, 2:52 am

Hi,

As far as I know, Advanced Encryption Standard (AES) is an algorithm
similar to DES, but not a cryptographic service provider (CSP).
Windows XP SP1 and Windows 2003 began using the AES algorithm in place of
DESX:

"The Windows XP operating system supports the use of a stronger
symmetric algorithm than the default DESX algorithm included with the
Windows 2000 operating system. The default algorithm for Windows 2000
and Windows XP is DESX. The default algorithm for Windows XP Service
Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES)
using a 256-bit key. For users requiring greater symmetric key
strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm
can be enabled. "

For SSL certificate key length, it's generally longer than 256 bits.
If you use a Windows XP (SP1 or later)/2003 machine to connect to a
Windows 2003 CA to request a certificate (use the Advanced
Certificate Request web form), you can select a CSP called "Microsoft
Enhanced RSA and AES Cryptographic Provider", and you will see its
min key size is 384.

However, if you use the IIS web server certificate wizard to generate the
request (CSR), only 2 CSPs can be selected by default:
Microsoft RSA/Schannel Cryptographic Provider (the default option) and
Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider.

Hope the above clarifies some part of your question.
Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.

Bernard

2005-03-23, 2:52 am

However, in IIS, the max we can configure or force is 128 bits, right?

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/


"WenJun Zhang[msft]" <v-wzhang@online.microsoft.com> wrote in message
news:p7lWK$3LFHA.3476@TK2MSFTNGXA02.phx.gbl...
> Hi,
>
> As far as I know, Advanced Encryption Standard (AES) is an algorithm
> similar to DES, but not a cryptographic service provider (CSP).
> Windows XP SP1 and Windows 2003 began using the AES algorithm in place of
> DESX:
>
> "The Windows XP operating system supports the use of a stronger
> symmetric algorithm than the default DESX algorithm included with the
> Windows 2000 operating system. The default algorithm for Windows 2000
> and Windows XP is DESX. The default algorithm for Windows XP Service
> Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES)
> using a 256-bit key. For users requiring greater symmetric key
> strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm
> can be enabled. "
>
> For SSL certificate key length, it's generally longer than 256 bits.
> If you use a Windows XP (SP1 or later)/2003 machine to connect to a
> Windows 2003 CA to request a certificate (use the Advanced
> Certificate Request web form), you can select a CSP called "Microsoft
> Enhanced RSA and AES Cryptographic Provider", and you will see its
> min key size is 384.
>
> However, if you use the IIS web server certificate wizard to generate the
> request (CSR), only 2 CSPs can be selected by default:
> Microsoft RSA/Schannel Cryptographic Provider (the default option) and
> Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider.
>
> Hope the above clarifies some part of your question.
> Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>



WenJun Zhang[msft]

2005-03-24, 2:54 am

Hi Bernard,

The 128-bit encryption of IIS and the IE browser is about the min
session-key strength, not the certificate key length. :-)

Here is the related info in IIS doc:

Setting Encryption Strength
You can configure your Web server to require a 128-bit minimum
session-key strength, the default for members of the Microsoft
Windows Server 2003 family, for all Secure Socket Layer (SSL) secure
communication sessions. If you set a minimum 128-bit key strength,
however, users attempting to establish a secure communications
channel with your server must use a browser capable of communicating
with a 128-bit session key. The session key is not the same as an SSL
key pair, which is used to negotiate and establish a secure
communication link. For information about upgrading browsers to
128-bit encryption capability, visit the Windows Support Web site.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.
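The distinction drawn in the post above (session-key strength versus certificate key length) as an added example that is not part of this thread and is not IIS code: it uses Python's standard `ssl` module on an OpenSSL-backed context to enforce a minimum symmetric session-key size across the enabled cipher suites, which is the knob the IIS "require 128-bit encryption" setting turns, and it never touches the server's certificate key pair, which is fixed when the CSR is generated. The function names and the 256-bit policy value are assumptions for the example; the suite list printed depends on the local OpenSSL build.

```python
import ssl
from typing import Dict, List


def session_key_bits(cipher: dict) -> int:
    """Symmetric (session) key size of one entry from SSLContext.get_ciphers().

    'alg_bits' is the key length of the bulk cipher (AES-128, AES-256, ...).
    It says nothing about the RSA/DSS key inside the server certificate.
    """
    return int(cipher["alg_bits"])


def pre_tls13_suites(ctx: ssl.SSLContext) -> List[dict]:
    """Suites that set_ciphers() controls (TLS 1.2 and below).

    TLS 1.3 suites are configured separately by OpenSSL and are not affected
    by set_ciphers() in the ssl module, so they are excluded here.
    """
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def restrict_to_min_session_key(ctx: ssl.SSLContext, min_bits: int) -> List[str]:
    """Keep only suites whose session key is at least min_bits (assumed helper).

    Returns the names that were kept. Raises ValueError when nothing qualifies,
    which is the failure mode an operator hits when the policy is unreachable.
    """
    keep = [c["name"] for c in pre_tls13_suites(ctx)
            if session_key_bits(c) >= min_bits]
    if not keep:
        raise ValueError(
            f"no enabled cipher suite offers a {min_bits}-bit session key")
    # OpenSSL cipher strings are colon-separated suite names.
    ctx.set_ciphers(":".join(keep))
    return keep


def weakest_session_key_bits(ctx: ssl.SSLContext) -> int:
    """Smallest session key a peer could still negotiate (TLS 1.2 and below)."""
    suites = pre_tls13_suites(ctx)
    if not suites:
        raise ValueError("context has no TLS 1.2-or-below cipher suites")
    return min(session_key_bits(c) for c in suites)


def apply_policy(min_bits: int) -> Dict[str, object]:
    """Build a fresh server-style context, apply the policy, report the result."""
    ctx = ssl.create_default_context()
    before = weakest_session_key_bits(ctx)
    kept = restrict_to_min_session_key(ctx, min_bits)
    return {
        "weakest_before": before,
        "weakest_after": weakest_session_key_bits(ctx),
        "kept": kept,
    }


if __name__ == "__main__":
    # Assumed policy value: require a 256-bit session key, the analogue of
    # the 128-bit minimum discussed in the thread.
    result = apply_policy(256)
    print("weakest session key before:", result["weakest_before"], "bits")
    print("weakest session key after: ", result["weakest_after"], "bits")
    for name in result["kept"]:
        print("  ", name)
```

Note that the certificate presented by a server built on this context would still carry whatever RSA key length was chosen at CSR time (1024, 2048, ...); the policy above only decides which symmetric ciphers the handshake may end up with, exactly the separation the post describes.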

Bernard

2005-03-24, 7:53 am

Ok, that makes me even more confused.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/


"WenJun Zhang[msft]" <v-wzhang@online.microsoft.com> wrote in message
news:dRlH35DMFHA.2540@TK2MSFTNGXA03.phx.gbl...
> Hi Bernard,
>
> The 128-bit encryption of IIS and the IE browser is about the min
> session-key strength, not the certificate key length. :-)
>
> Here is the related info in IIS doc:
>
> Setting Encryption Strength
> You can configure your Web server to require a 128-bit minimum
> session-key strength, the default for members of the Microsoft
> Windows Server 2003 family, for all Secure Socket Layer (SSL) secure
> communication sessions. If you set a minimum 128-bit key strength,
> however, users attempting to establish a secure communications
> channel with your server must use a browser capable of communicating
> with a 128-bit session key. The session key is not the same as an SSL
> key pair, which is used to negotiate and establish a secure
> communication link. For information about upgrading browsers to
> 128-bit encryption capability, visit the Windows Support Web site.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>



WenJun Zhang[msft]

2005-03-25, 2:48 am

The detailed SSL handshake process is a bit complicated. In case you
are interested in this area, take a look at the following RFC.

http://rfc.sunsite.dk/rfc/rfc2246.html

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.

Bernard

2005-03-28, 2:48 am

Another beer to you

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/


"WenJun Zhang[msft]" <v-wzhang@online.microsoft.com> wrote in message
news:IFgKWxQMFHA.1264@TK2MSFTNGXA03.phx.gbl...
> The detailed SSL handshake process is a bit complicated. In case you
> are interested in this area, take a look at the following RFC.
>
> http://rfc.sunsite.dk/rfc/rfc2246.html
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>



Copyright 2003 - 2008 webservertalk.com