Session Keys and Browsers

Applies To: Windows Server 2003, Windows Server 2003 with SP1

During the handshake that establishes an SSL-secured connection, the server and the browser agree on a session key, also called an encryption key. IIS and the browser use this symmetric session key to encrypt and decrypt the information exchanged during the session. Encryption strength is measured in bits (for example, 40-bit encryption or 128-bit encryption) and determines the degree of confidentiality the application obtains. A larger key is stronger because an attacker who does not have the session key must search a much larger key space to recover it; each additional bit doubles that search. Greater key strength also costs somewhat more server resources to negotiate and use. The session key for your Web server is typically 128 bits long. The session key is not the same as the server's SSL key pair (the public and private keys bound to the server certificate), which is used only to negotiate the handshake and establish the communication link; the session key itself protects the data that follows.

You can configure your Web server to require a minimum session-key strength of 128 bits, the default for Microsoft Windows Server 2003 (Windows .NET Server), for all SSL-secured communication sessions. If you require 128-bit keys, however, every user who attempts to establish an SSL-secured channel with your server must use a browser capable of negotiating a 128-bit session key; browsers that support only weaker (40-bit or 56-bit export) ciphers are refused.

You can require users to establish an encrypted channel (https:// rather than http://) with your server before they access a restricted Web site, directory, or file. Using an encrypted channel requires that the user's Web browser and your Web server both support the encryption scheme used to secure the channel. Specifically, when you enable your Web server's default communication security settings, you require the user's Web browser to support a session key strength of 40 bits or greater, and requests that arrive over plain HTTP are refused.
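As an added example that is not Microsoft's code and is not part of the original page: the following Python models the IIS 6 metabase property that stores these settings, AccessSSLFlags, whose bits select "Require secure channel" (AccessSSL, value 8) and "Require 128-bit encryption" (AccessSSL128, value 256). It decodes a flags value, reports the minimum session-key strength the value implies, and shows which constructed requests (plain HTTP, a browser limited to 40-bit keys, a 128-bit browser) IIS refuses with the 403.4 (SSL required) and 403.5 (SSL 128 required) sub-status codes. The decision logic is a simplified model of IIS behaviour written for this example, not IIS source; the flag values and sub-status codes are the IIS 6 ones.

```python
"""
Added example (not part of the original Microsoft page): a model of how IIS 6
decides whether a request satisfies a site's SSL settings. The flag values are
the IIS 6 metabase constants for the AccessSSLFlags property; the request
scenarios at the bottom are constructed for illustration.
"""
from typing import List, Optional, Tuple

# AccessSSLFlags bits (IIS 6 metabase constants)
ACCESS_SSL = 0x008                 # "Require secure channel (SSL)"
ACCESS_SSL_NEGOTIATE_CERT = 0x020  # accept client certificates
ACCESS_SSL_REQUIRE_CERT = 0x040    # require client certificates
ACCESS_SSL_MAP_CERT = 0x080        # map client certificates to Windows accounts
ACCESS_SSL_128 = 0x100             # "Require 128-bit encryption"

FLAG_NAMES = {
    ACCESS_SSL: "AccessSSL",
    ACCESS_SSL_NEGOTIATE_CERT: "AccessSSLNegotiateCert",
    ACCESS_SSL_REQUIRE_CERT: "AccessSSLRequireCert",
    ACCESS_SSL_MAP_CERT: "AccessSSLMapCert",
    ACCESS_SSL_128: "AccessSSL128",
}


def decode_flags(value: int) -> List[str]:
    """Name the bits set in an AccessSSLFlags value, e.g. 264 -> AccessSSL and AccessSSL128."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def minimum_session_key_bits(flags: int) -> Optional[int]:
    """Minimum session-key strength the configuration demands, or None if SSL is optional."""
    if not flags & ACCESS_SSL:
        return None
    return 128 if flags & ACCESS_SSL_128 else 40


def check_request(flags: int, scheme: str, session_key_bits: Optional[int]) -> Tuple[bool, str]:
    """
    Decide whether a request is served under the given AccessSSLFlags (simplified model).

    scheme is "http" or "https"; session_key_bits is the strength of the session
    key the browser negotiated (None for a plain-HTTP request). The reason strings
    carry the IIS 403 sub-status codes IIS uses for these two refusals.
    """
    if flags & ACCESS_SSL and scheme != "https":
        return False, "403.4 SSL required"
    if flags & ACCESS_SSL_128 and (session_key_bits or 0) < 128:
        return False, "403.5 SSL 128 required"
    return True, "200 OK"


if __name__ == "__main__":
    # Constructed scenarios: a plain-HTTP request, a 40-bit-only export browser and a
    # 128-bit browser, against the default (40-bit minimum) and 128-bit-minimum settings.
    for flags in (ACCESS_SSL, ACCESS_SSL | ACCESS_SSL_128):
        names = ", ".join(decode_flags(flags))
        print(f"AccessSSLFlags={flags} ({names}): minimum key {minimum_session_key_bits(flags)} bits")
        for scheme, bits in (("http", None), ("https", 40), ("https", 128)):
            allowed, reason = check_request(flags, scheme, bits)
            print(f"  {scheme:5} {str(bits):>4}-bit session key -> {reason}")
```

On the server itself the same property is read and written with adsutil.vbs from the IIS AdminScripts folder; for example `cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/ROOT/AccessSSLFlags 264` requires both a secure channel and 128-bit encryption for the Web site with identifier 1 (the site identifier is an assumption for this example; use the identifier of your own site).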