Encryption in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Encryption is the process of scrambling information by applying a mathematical function in such a way that it is extremely difficult for anyone other than an intended recipient to retrieve the original information. Central to this process is a mathematical value, called a key, which is used by the function to scramble the information in a unique and complex way.

Your Web server uses this same kind of encryption, in which a single shared key both encrypts and decrypts, to secure communication links with users. After a link is established, a special session key is held by both your Web server and the user's Web browser, and each side uses it to encrypt what it sends and decrypt what it receives. For example, when an authenticated user attempts to download a file from a Web site that requires an SSL-secured channel, your Web server uses the session key to encrypt the file and the related HTTP headers. After receiving the encrypted response, the Web browser uses its copy of the same session key to recover the file.

This method of encryption has an inherent drawback: Both parties need the same session key, so at some point during the creation of the link the key has to be shared, and if it were simply sent across an unsecured network, a malicious user could intercept it and decrypt everything exchanged over the link. To safeguard against this possibility, your Web server implements an additional method of encryption.
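The session-key exchange described above, as an added example that is not part of the original page or of IIS: the server encrypts an HTTP response with a session key, the browser decrypts it with its copy, and an eavesdropper who has captured the key recovers the same plaintext, while one with a different key gets nothing. The cipher here is a demonstration construction built from the Python standard library (HMAC-SHA256 in counter mode as a keystream, with an encrypt-then-MAC tag), chosen only so the example runs without third-party packages; it is an assumption of this example, not the cipher suite IIS negotiates, and a real deployment uses a standard cipher such as AES. The sample response is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: the HTTP response the server wants to protect.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"confidential report contents\n"
)

NONCE_LEN = 16
TAG_LEN = 32


def new_session_key() -> bytes:
    """Fresh 256-bit session key, agreed for one link only."""
    return os.urandom(32)


def _subkeys(session_key: bytes):
    """Derive separate encryption and MAC keys from the one session key."""
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration stream cipher: HMAC-SHA256(key, nonce || counter) blocks.
    A hand-rolled PRF stream is for illustration only, not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    """Server side: returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(session_key: bytes, message: bytes) -> bytes:
    """Browser side: verify the tag first, then strip the keystream."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong session key or altered message")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def try_decrypt(key: bytes, message: bytes):
    """What an eavesdropper gets: the plaintext if the key is right, else None."""
    try:
        return decrypt(key, message)
    except ValueError:
        return None


def simulate_link(stolen: bool):
    """Model one download: the browser always recovers the file; an eavesdropper
    recovers it only when the session key itself was captured (stolen=True)."""
    session_key = new_session_key()
    wire = encrypt(session_key, SAMPLE_RESPONSE)
    browser_view = decrypt(session_key, wire)
    attacker_key = session_key if stolen else new_session_key()
    attacker_view = try_decrypt(attacker_key, wire)
    return browser_view, attacker_view


if __name__ == "__main__":
    _, seen = simulate_link(stolen=False)
    print("attacker without the key sees:", seen)
    _, seen = simulate_link(stolen=True)
    print("attacker with a stolen key sees:", seen.decode())
```

The `simulate_link` call with `stolen=True` is the drawback the text describes: symmetric encryption protects the link only as long as the session key itself stays secret from everyone but the two endpoints, which is why the key cannot simply be sent in the clear when the link is set up.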