help with SSL certificate for IIS

Billyb

I have a CA server installed and on installation I
selected "Microsoft Enhanced Cryptographic Provider" for
CSP and a key length of 4096.

Now when I requested a Server Certificate for my IIS
Server, the first time I just left the defaults
of "Microsoft Base Cryptographic Provider" and a key
length of 512. Then I installed the certificate and
configured IIS to use it.

Now when I visit my webpage the lock icon shows at the
bottom of my browser and when I hold my mouse over it, it
says that I have SSL 128-bit.

-------

So to see if I could increase the SSL encryption I
requested, installed and set up IIS to use a different
Server Certificate which used the "Microsoft Enhanced
Cryptographic Provider" and a key length of 2048.

Now when I visit my webpage it shows that I still am using
SSL 128-bit encryption.

I am confused. I thought that by selecting the enhanced
CSP and greater key length that this would increase my
encryption.
Could someone please clarify?

Thanks
 
John Banes [MS]

The server certificate is used to securely exchange key material between the
client and the server. This makes use of the 2048 bits in your certificate,
typically using the RSA algorithm.

Once the key exchange is finished, and the client and server are
transmitting encrypted data back and forth, a different encryption algorithm
is used, for performance reasons. IE and IIS default to using 128-bit RC4
for this operation, and this is what IE is reporting.

In the world of encryption ciphers, 128-bits is really quite strong. The RSA
key exchange algorithm requires many more bits to provide an equivalent
amount of security.

Regards,

John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
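
The point in the reply above, that an RSA key needs many more bits than a symmetric cipher for comparable strength, can be put into numbers. This Python sketch is an added example, not part of the original thread: it estimates the symmetric-equivalent strength of an RSA modulus from the heuristic running time of the general number field sieve and applies it to the key sizes mentioned in the thread. The function names are invented for this example, and the figures are rough estimates rather than values from a standards table.

```python
import math

def rsa_security_bits(modulus_bits: int) -> float:
    """Estimate log2 of the work needed to factor an RSA modulus.

    Uses the heuristic GNFS cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    with c = (64/9)^(1/3) and the o(1) term dropped. Rough estimate only;
    published guidance tables are more conservative.
    """
    ln_n = modulus_bits * math.log(2)
    work_ln = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)

def rsa_bits_for(symmetric_bits: int, step: int = 256) -> int:
    """Smallest modulus size (a multiple of step) whose estimate reaches
    the given symmetric strength."""
    size = step
    while rsa_security_bits(size) < symmetric_bits:
        size += step
    return size

def compare(cert_key_bits: int, session_cipher_bits: int) -> dict:
    """Compare the certificate's RSA key with the session cipher and name
    the weaker of the two under this estimate."""
    estimate = rsa_security_bits(cert_key_bits)
    weaker = "key exchange" if estimate < session_cipher_bits else "session cipher"
    return {
        "rsa_key_bits": cert_key_bits,
        "estimated_strength_bits": int(estimate),  # rounded down
        "session_cipher_bits": session_cipher_bits,
        "weaker_part": weaker,
    }

if __name__ == "__main__":
    # Key sizes from the thread, each against the 128-bit session cipher.
    for key_bits in (512, 2048, 4096):
        print(compare(key_bits, 128))
    print("RSA bits estimated to match 128-bit:", rsa_bits_for(128))
```

Under this estimate the certificate key size affects only the key exchange; the session cipher strength the browser reports stays at 128 bits for every row.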
 
