About Encryption

Sensitive information transmitted across an unsecured network, such as the Internet, can potentially be intercepted by a computer vandal. For this reason, if you plan to provide users with access to Web sites that process sensitive financial or personal information, you need to protect your network links with encryption.

How Encryption Works

Encryption is the process of scrambling information by applying a mathematical function in such a way that it is extremely difficult for anyone other than an intended recipient to retrieve the original information. Central to this process is a mathematical value, called a key, used by the function to scramble the information in a unique and complex way.

Your Web server uses this process to secure communication links with users. After a secure link has been established, a single session key is used by both your Web server and the user's Web browser to encrypt and to decrypt information (this is symmetric encryption: the same key serves both purposes). For example, when an authenticated user attempts to download a file from a Web site requiring a secure channel, your Web server uses the session key to encrypt the file and related HTTP headers. After receiving the encrypted file, the Web browser uses its copy of the same session key to recover the file.

This method of encryption, although secure once both sides hold the key, has an inherent drawback: the Web server and the browser must first agree on the session key, and if that key is sent across an unsecured network in the clear, a computer vandal intent on compromising the link need only intercept it to read everything that follows. To safeguard against this possibility, your Web server uses an additional method of encryption to deliver the session key.

Public Key Encryption

Your Web server's Secure Sockets Layer (SSL) security feature uses a technique known as public key encryption to shield the session key from interception while it is being agreed. Public key encryption involves two additional keys: a private key that only your server holds and a public key that anyone may see. Whatever is encrypted with the public key can be decrypted only with the private key. Public key operations are far slower than session key encryption, which is why they are used only to deliver the session key rather than to encrypt the Web content itself. The exchange works in the following manner:

  1. The user's Web browser opens an HTTPS connection to your Web server. (The connection is not yet secure; the remaining steps make it so.)
  2. Your Web server sends the user your server certificate, which carries your public key. (The certificate lets the browser confirm that the public key really belongs to your server, provided the browser trusts the certificate authority that signed it. The certificate alone does not protect the Web content; that is the job of the session key.)
  3. The user's Web browser and your server negotiate the strongest degree of encryption that both support for securing communications.
  4. The Web browser generates a random session key and encrypts it with your public key. The browser then sends the encrypted session key to your Web server.
  5. Using the private key, your server decrypts the session key. Both sides now hold the same secret, and the secure channel is established.
  6. Your Web server and the browser both use the session key to encrypt and decrypt transmitted data.

(Strictly, what an SSL browser sends in step 4 is a pre-master secret from which both sides derive the session keys, but the principle is the one shown.)

Notice that the private key serves an important role in ensuring that your communication link remains secure. You should take every reasonable precaution to protect the private key from loss or theft. If you suspect that your private key has been compromised, notify your certificate authority, use Key Manager to create a new key pair, and then obtain a new server certificate. For more information, see Creating and Managing Server Key Pairs.

Session Key Encryption Strength

A session key's strength is measured by the number of bits in the key. Each additional bit doubles the number of possible keys, so a key with more bits is exponentially harder to recover by trying every possibility (a brute-force attack): a 40-bit key has about 10^12 possible values, a 128-bit key about 3 x 10^38.

When a user attempts to establish a secure communication channel with your Web server, the user's browser negotiates the strongest session key strength that both it and your server support. This means that both your Web server and the user's browser must be equipped with compatible session key encryption and decryption capabilities. For example, when you configure your Web server to require a session key with a minimum 40-bit (default) encryption strength, a user attempting to secure a connection must have a Web browser capable of processing information with at least a 40-bit session key. Note that 40 bits is the export-grade minimum, not a strong setting: a 40-bit key space is small enough to be searched exhaustively with modest hardware, so where your users' browsers support it, require the stronger 128-bit session keys instead.
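As an added example that is not part of the original page, the following Python script plays out steps 2 through 6 of the public key exchange described above and then illustrates the session key strength discussion by brute-forcing a deliberately short key. It uses only the standard library: the RSA is textbook RSA without padding, and the symmetric cipher is an HMAC-SHA256 keystream with an HMAC tag. Both are stand-ins chosen so the script runs offline; real SSL uses PKCS#1 padding and standard ciphers, and every function name here is this example's own, not an IIS or Key Manager API.

```python
# Added example, not from the original page: the hybrid exchange described
# above, in standard-library Python.  Textbook RSA (no padding) and an
# HMAC-SHA256 keystream stand in for real SSL primitives so it runs offline.
import hashlib
import hmac
import math
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test; used to build the server's RSA key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=512):
    """Server side: return (public_key, private_key) as ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def wrap_session_key(public_key, session_key):
    """Step 4: browser encrypts the session key under the server's public key."""
    e, n = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap_session_key(private_key, wrapped, key_len):
    """Step 5: only the holder of the private key can recover the session key."""
    d, n = private_key
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Step 6: symmetric encryption plus an HMAC tag; the same key decrypts."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, message):
    nonce, ct, tag = message[:12], message[12:-32], message[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong session key or altered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def handshake_and_transfer(file_bytes, key_len=16):
    """Steps 2-6 end to end; returns what the browser recovers from the download."""
    public_key, private_key = generate_keypair()            # step 2: server's key pair
    browser_key = secrets.token_bytes(key_len)              # step 4: browser picks the key
    server_key = unwrap_session_key(private_key, wrap_session_key(public_key, browser_key), key_len)
    return decrypt(browser_key, encrypt(server_key, file_bytes))   # step 6, both ends


def brute_force(message, key_bits):
    """Session key strength: try every key of key_bits bits; return (key, trials)."""
    for trial in range(2 ** key_bits):
        candidate = trial.to_bytes(key_bits // 8, "big")
        try:
            decrypt(candidate, message)
            return candidate, trial + 1
        except ValueError:
            pass
    return None, 2 ** key_bits
```

handshake_and_transfer runs the whole exchange: the browser's randomly chosen key never travels in the clear, and only the private key can unwrap it. brute_force against a 16-bit key finishes in a fraction of a second; each added bit doubles the work, which is what the minimum session key strength setting is controlling.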


© 1997 by Microsoft Corporation. All rights reserved.