Secure website - explanation required.
From: GriffithsJ (GriffithsJ_520_at_hotmail.com)
Date: 03/03/04
- Next message: Ken Schaefer: "Re: Secure website - explanation required."
- Previous message: Patrick: "Re: ASP 145- HTTP/1.1: New Application Failed"
- Next in thread: Ken Schaefer: "Re: Secure website - explanation required."
- Reply: Ken Schaefer: "Re: Secure website - explanation required."
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 3 Mar 2004 10:13:52 -0000
Dear all
I'm in need of an explanation of secure websites and authenticated
certificates. I believe that my understanding is particularly flawed....
What I understand is as follows - please comment/correct:
When one wants to set up a secure web site, one has to generate a
certificate. The "level" of security is obviously based on the bit length.
The copy on my workstation offers anywhere between 512 and 4096 bit
encryption. There's also a check box for "server gated cryptography" which
I don't understand.
My understanding of the "hand-shake" process is as follows. The browser
connects to the secure site which then sends it the public key. The browser
then generates a session key which is encrypted using the public key and
returned to the secure site which decrypts it using the private key. Both
server and browser are then aware of the session key for encrypting data.
If one really requires good security then one should choose the biggest bit
length available, but this obviously will affect performance. Presumably,
this only will be an issue for the initial encryption/decryption of the
session key; once the session key is used then the bit length of the
private/public key is irrelevant. I'm assuming that the bit length of the
private/public key will have no effect on the bit length of the session
key - is that correct?
Does one have to worry about old browsers? If one chooses a high bit length
for the public/private key then will all browsers be able to handle it? If
not, what guidelines are available to choose the most appropriate bit
length?
Having chosen an appropriate bit length, one can then generate the
certificate. Having done this, one needs to have the certificate
authenticated to prevent those annoying boxes stating that the site may be
untrustworthy.
I understand that there are companies such as Verisign who will authenticate
the certificate. They offer "pro" and "normal" options here. What does
this really mean? If you have chosen a long bit length then do you have to
choose the pro version or are the two things completely unrelated? I know
that the pro version is more expensive.... If I understand correctly, then
the authentication is also encrypted - the "pro" version uses a longer
encryption for the authentication.
Presumably, the highest security is offered by having the longest bit length
available for the private/public key and the highest level of encryption on
the authentication. However, how would a long bit length on the
private/public key with low authentication encryption compare with a short
bit length on the private/public key coupled with a high level of
authentication encryption?
I guess that I want to set up my server with a good level of security that
will be accessible by all our customers (browsers unknown) but I'd rather
not have to pay too much to a company such as Verisign. Suggestions?
Many thanks in advance
Griff
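The handshake Griff sketches (server sends public key, browser wraps a fresh session key under it, server unwraps with the private key, bulk data is then encrypted with the session key) can be run end to end to check the question about bit lengths. This is an added example, not code from the post or its replies; it assumes the pyca `cryptography` library, uses RSA-OAEP for the key-transport step and AES-GCM as a stand-in for the session cipher, and shows that the modulus size changes only the size of the wrapped key, never the session key itself.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding for the RSA key-transport step (assumption: OAEP with SHA-256).
# Note: OAEP/SHA-256 needs a modulus of at least 66 bytes, so the 512-bit
# option mentioned in the post could not even carry a 16-byte key this way.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def key_exchange(modulus_bits, session_key_bytes=16):
    """One RSA key-transport handshake as described in the post.

    Returns (browser_session_key, server_session_key, wrapped_len) so the
    caller can see what the modulus size does and does not change.
    """
    # Server side: the long-lived key pair that sits behind the certificate.
    server_priv = rsa.generate_private_key(public_exponent=65537,
                                           key_size=modulus_bits)
    server_pub = server_priv.public_key()

    # Browser side: choose a fresh symmetric session key (16 bytes = AES-128)
    # and encrypt it to the server's public key.
    session_key = os.urandom(session_key_bytes)
    wrapped = server_pub.encrypt(session_key, OAEP)  # len == modulus_bits // 8

    # Server side: recover the session key with the private key.
    recovered = server_priv.decrypt(wrapped, OAEP)
    return session_key, recovered, len(wrapped)

def protect(session_key, plaintext):
    """Encrypt one application record under the session key (AES-GCM).
    The RSA key pair plays no part in this step."""
    nonce = os.urandom(12)
    return nonce + AESGCM(session_key).encrypt(nonce, plaintext, None)

def unprotect(session_key, blob):
    """Reverse of protect(); raises InvalidTag if the record was tampered with."""
    nonce, ciphertext = blob[:12], blob[12:]
    return AESGCM(session_key).decrypt(nonce, ciphertext, None)

if __name__ == "__main__":
    for bits in (2048, 3072):
        sk, recovered, wrapped_len = key_exchange(bits)
        print(f"RSA-{bits}: wrapped key is {wrapped_len} bytes, "
              f"session key stays {len(sk)} bytes, match={sk == recovered}")
    sk, _, _ = key_exchange(2048)
    record = protect(sk, b"GET / HTTP/1.1")
    print(unprotect(sk, record))
```

The only place the modulus size is felt is the wrap/unwrap pair in `key_exchange`; every record after that costs the same whatever RSA size was chosen. TLS 1.3 no longer transports the session key under RSA at all, but the independence of session-key length from certificate-key length shown here holds for any key exchange.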