Big numbers make my head hurt
May 14, 2008 11:19 AM
Can someone help me understand the relationship between the bit size of an SSL certificate and the size of the session key used? (If any).
posted by cayla to technology (3 answers total)
Essentially, my question is this: Does generating a 512 bit certificate signing request limit the session key in any way? Or rather, is a 512 bit CSR capable of facilitating a reliable 128 bit session key?
I am usually pretty good at googling stuff like this, but I am striking out this time. Some of the pages I found indicate that the only thing that determines the session key is the capabilities of the web server and web client. Other pages indicate that a 512 bit CSR limits you to a 40/56 bit session key. Is there any hard rule on this?
For the purposes of this question, assume I have to use a 512 bit certificate. Also assume I know about the mounting risks with 512 bit keys and that I know a 1024 bit key is much more secure.
(While I am on the subject, how does Verisign's mandatory 128 bit session encryption work? Is that a matter of signing the cert with only certain encryption protocols allowed?
I just heard about this for the first time the other day. Apparently, there is a standard signing process where the session key size fluctuates based on the connecting browser and there is an 'enhanced' cert that makes 128 bit mandatory. How is this any different than selecting 'require 128 bit encryption' in IIS?)
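The mechanics the question is asking about, as an added example that is not part of the original post or any of its answers. It models the TLS 1.0 RSA key exchange from RFC 2246 with only the Python standard library: the certificate's RSA key wraps a fixed 48-byte pre_master_secret (so its size only has to clear the RSAES-PKCS1-v1_5 padding overhead), and the symmetric session key length is read off the negotiated cipher suite when the PRF expands the master secret into the key block. The randoms and pre_master_secret are constructed, deterministic sample values; the cipher-suite size table is taken from RFC 2246 appendix C and RFC 3268.

```python
"""
Added example: relationship between an RSA certificate key size and the TLS
session key size under the TLS 1.0 RSA key exchange (RFC 2246).  Standard
library only.  All sample values below are constructed, not captured.
"""
import hashlib
import hmac
import struct

PRE_MASTER_SECRET_LEN = 48   # 2 version bytes + 46 random bytes (RFC 2246 7.4.7.1)
PKCS1_V15_OVERHEAD = 11      # minimum RSAES-PKCS1-v1_5 padding (RFC 3447 7.2.1)
MASTER_SECRET_LEN = 48


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC-based expansion to `length` bytes."""
    out = b""
    a = seed                                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest() # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def max_pkcs1_v15_payload(modulus_bits):
    """Largest plaintext RSAES-PKCS1-v1_5 can wrap under a modulus of this size (bytes)."""
    return modulus_bits // 8 - PKCS1_V15_OVERHEAD


def premaster_fits(modulus_bits):
    """Can a certificate key of this size wrap the 48-byte pre_master_secret at all?"""
    return max_pkcs1_v15_payload(modulus_bits) >= PRE_MASTER_SECRET_LEN


# Per-suite sizes in bytes: write key, MAC secret, IV (RFC 2246 appendix C; RFC 3268 for AES).
CIPHER_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA":      {"key": 16, "mac": 20, "iv": 0},
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": {"key": 24, "mac": 20, "iv": 8},
    "TLS_RSA_WITH_AES_256_CBC_SHA":  {"key": 32, "mac": 20, "iv": 16},
}


def derive_session_keys(pre_master_secret, client_random, server_random, suite):
    """Master secret and key_block partition for the negotiated suite (RFC 2246 6.3)."""
    params = CIPHER_SUITES[suite]
    master_secret = tls10_prf(pre_master_secret, b"master secret",
                              client_random + server_random, MASTER_SECRET_LEN)
    # The key block is sized by the cipher suite, not by the certificate key.
    block_len = 2 * (params["mac"] + params["key"] + params["iv"])
    key_block = tls10_prf(master_secret, b"key expansion",
                          server_random + client_random, block_len)
    # Partition order: client MAC, server MAC, client key, server key, client IV, server IV.
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [params["mac"], params["mac"], params["key"], params["key"], params["iv"], params["iv"]]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return master_secret, keys


def session_key_bits_by_suite():
    """Session key size (bits) each suite yields from the same 48-byte pre_master_secret."""
    client_random = bytes(range(32))                      # constructed ClientHello.random
    server_random = bytes(range(32, 64))                  # constructed ServerHello.random
    pre_master_secret = struct.pack(">BB", 3, 1) + bytes([0xAB] * 46)  # version 3.1 + 46 bytes
    results = {}
    for suite in CIPHER_SUITES:
        _, keys = derive_session_keys(pre_master_secret, client_random, server_random, suite)
        results[suite] = len(keys["client_key"]) * 8
    return results


if __name__ == "__main__":
    for bits in (384, 512, 1024):
        print(f"{bits}-bit RSA: max PKCS#1 v1.5 payload {max_pkcs1_v15_payload(bits)} bytes, "
              f"wraps the 48-byte pre_master_secret: {premaster_fits(bits)}")
    for suite, bits in session_key_bits_by_suite().items():
        print(f"{suite}: {bits}-bit session key from the same pre_master_secret")
```

Running it shows a 512-bit modulus leaves 53 bytes of PKCS#1 v1.5 capacity, enough for the 48-byte pre_master_secret, while the same wrapped secret expands to a 128-bit, 192-bit or 256-bit write key depending only on which suite was negotiated. Export suites such as the RC4_40 ones are the exception in spirit: they cap the key material at 5 bytes and apply an extra expansion step, and RFC 2246 pairs them with a server RSA key of at most 512 bits, which is where the "512-bit certificate means 40-bit session" association comes from.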