Re: Secure website - explanation required.
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/03/04
Date: Wed, 3 Mar 2004 21:26:37 +1100
You've pretty much got the explanation correct. If you want an "official"
line to compare your notes against, Microsoft has the KB article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;257591
Cheers
Ken
"GriffithsJ" <GriffithsJ_520@hotmail.com> wrote in message
news:%23luh8gQAEHA.688@tk2msftngp13.phx.gbl...
: Dear all
:
: I'm in need of an explanation of secure websites and authenticated
: certificates. I believe that my understanding is particularly flawed....
:
: What I understand is as follows - please comment/correct:
:
: When one wants to set up a secure web site, one has to generate a
: certificate. The "level" of security is obviously based on the bit length.
: The copy on my workstation offers anywhere between 512 and 4096 bit
: encryption. There's also a check box for "server gated cryptography" which
: I don't understand.
:
: My understanding of the "hand-shake" process is as follows. The browser
: connects to the secure site which then sends it the public key. The browser
: then generates a session key which is encrypted using the public key and
: returned to the secure site which decrypts it using the private key. Both
: server and browser are then aware of the session key for encrypting data.
:
: If one really requires good security then one should choose the biggest bit
: length available, but this obviously will affect performance. Presumably,
: this only will be an issue for the initial encryption/decryption of the
: session key; once the session key is used then the bit length of the
: private/public key is irrelevant. I'm assuming that the bit length of the
: private/public key will have no effect on the bit length of the session
: key - is that correct?
:
: Does one have to worry about old browsers? If one chooses a high bit length
: for the public/private key then will all browsers be able to handle it? If
: not, what guidelines are available to choose the most appropriate bit
: length?
:
: Having chosen an appropriate bit length, one can then generate the
: certificate. Having done this, one needs to have the certificate
: authenticated to prevent those annoying boxes stating that the site may be
: untrustworthy.
:
: I understand that there are companies such as Verisign who will authenticate
: the certificate. They offer "pro" and "normal" options here. What does
: this really mean? If you have chosen a long bit length then do you have to
: choose the pro version or are the two things completely unrelated? I know
: that the pro version is more expensive.... If I understand correctly, then
: the authentication is also encrypted - the "pro" version uses a longer
: encryption for the authentication.
:
: Presumably, the highest security is offered by having the longest bit length
: available for the private/public key and the highest level of encryption on
: the authentication. However, how would a long bit length on the
: private/public key with low authentication encryption compare with a short
: bit length on the private/public key coupled with a high level of
: authentication encryption?
:
: I guess that I want to set up my server with a good level of security that
: will be accessible by all our customers (browsers unknown) but I'd rather
: not have to pay too much to a company such as Verisign. Suggestions?
:
: Many thanks in advance
:
: Griff
:
: