AES 256-bit Certificate

I am seeing that many websites are using AES-256 bit certificates. Is there
a way to generate these using Windows 2000 Certificate Server? If it is not
offered in 2000, is it available in 2003 Server?


WenJun Zhang [msft] wrote:

Hi,

As I know, Advanced Encryption Standard (AES) is an algorithm similar to
DES, but not a cryptographic service provider (CSP). Windows XP SP1 and
Windows 2003 begin to use the AES algorithm, replacing DESX:

"The Windows XP operating system supports the use of a stronger symmetric
algorithm than the default DESX algorithm included with the Windows 2000
operating system. The default algorithm for Windows 2000 and Windows XP is
DESX. The default algorithm for Windows XP Service Pack 1 and Windows Server
2003 is Advanced Encryption Standard (AES) using a 256-bit key. For users
requiring greater symmetric key strength with a FIPS 140-1 compliant
algorithm, the 3DES algorithm can be enabled."

For SSL certificate key length, it's generally longer than 256 bits. If you
use a Windows XP (SP1 or later)/2003 machine to connect to a Windows 2003 CA
to request a certificate (use the Advanced Certificate Request web form),
you can select a CSP called "Microsoft Enhanced RSA and AES Cryptographic
Provider", and you will see its min key size is 384.

However, if you use the IIS web server certificate wizard to generate the
request (CSR), there are only 2 CSPs that can be selected by default:
Microsoft RSA/Schannel Cryptographic Provider (the default option) and
Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider.

Hope the above can clarify some part of your question.
Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.


Bernard Cheah wrote:

However, in IIS, the max we can configure or force is 128 bits, right?

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

"WenJun Zhang[msft]" <v-wzh***@online.microsoft.com> wrote in message
news:p7lWK$3LFHA.3476@TK2MSFTNGXA02.phx.gbl...


WenJun Zhang [msft] wrote:

Hi Bernard,

The 128 bits encryption of IIS and IE browser is about the min session-key
strength but not the certificate key length. :-)

Here is the related info in IIS doc:

Setting Encryption Strength
You can configure your Web server to require a 128-bit minimum session-key
strength, the default for members of the Microsoft Windows Server 2003
family, for all Secure Socket Layer (SSL) secure communication sessions. If
you set a minimum 128-bit key strength, however, users attempting to
establish a secure communications channel with your server must use a
browser capable of communicating with a 128-bit session key. The session key
is not the same as an SSL key pair, which is used to negotiate and establish
a secure communication link. For information about upgrading browsers to
128-bit encryption capability, visit the Windows Support Web site.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.


Bernard Cheah wrote:

Ok. Makes me even more confused :)

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

"WenJun Zhang[msft]" <v-wzh***@online.microsoft.com> wrote in message
news:dRlH35DMFHA.2540@TK2MSFTNGXA03.phx.gbl...


WenJun Zhang [msft] wrote:

The detailed SSL handshake process is a bit complicated. In case you are
interested in this area, take a look into the following RFC. :)

http://rfc.sunsite.dk/rfc/rfc2246.html

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.


Bernard Cheah wrote:

Another beer to you :)

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

"WenJun Zhang[msft]" <v-wzh***@online.microsoft.com> wrote in message
news:IFgKWxQMFHA.1264@TK2MSFTNGXA03.phx.gbl...