[This is preliminary documentation and subject to change]

Setting Encryption Strength

You can configure your Web server to require a 128-bit minimum session-key strength, rather than the default 40-bit key strength, for all SSL secure communication sessions. If you set a minimum 128-bit key strength, however, users attempting to establish a secure communications channel with your server must use a browser capable of communicating with a 128-bit session key.


To set encryption strength

Please note that you cannot establish secure, encrypted communications unless you have installed a valid server certificate. See Using the New Security Task Wizards and Obtaining a Server Certificate for more information.

  1. In the IIS snap-in, select a Web site, directory, or file, and open its property sheets.
  2. If you have not previously created a server key pair and certificate request, select the Directory Security or File Security property sheet. Under Secure Communications, click Server Certificate. The new Web Server Certificate Wizard will guide you through the procedure. For more information about the new wizard, see Using the New Security Task Wizards.
  3. If you have previously created a server key pair and certificate request, select the Directory Security or File Security property sheet. Under Secure Communications, click Edit.
  4. In the Secure Communications dialog box, select the Require secure channel (SSL) check box.
  5. Select the Require 128-bit Encryption check box if this level of encryption is required.

    Note    If you select the Require 128-bit Encryption check box on a server that is only capable of 56-bit encryption, users will not be able to access resources for which this requirement is selected. Even though the check box is selected, the server can only use 56-bit encryption, so no session can meet the 128-bit requirement. To enable users to view these resources, clear the check box.

  6. Click OK.

Note    The session key is not the same as an SSL key pair, which is used to negotiate and establish a secure communication link.
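The check boxes in the Secure Communications dialog are stored in the IIS metabase as bits of the AccessSSLFlags property. The following script, an added example that is not part of this documentation or of IIS, decodes that value back into the dialog's check-box states, flags nodes that do not enforce the 128-bit minimum described in step 5, and checks the strength of a cipher actually negotiated with the server. The flag constants are the IIS metabase values; the metabase paths and flag values in the sample are constructed, and the live probe is a convenience for verifying your own server after you click OK.

```python
"""Audit the IIS metabase AccessSSLFlags value behind the Secure Communications dialog.

Added example, not Microsoft's code. Flag constants are the IIS metabase
AccessSSLFlags bits; SAMPLE_NODES is constructed data for illustration.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# IIS metabase AccessSSLFlags bits and the dialog check box each one backs.
ACCESS_SSL = 0x008                 # "Require secure channel (SSL)"
ACCESS_SSL_NEGOTIATE_CERT = 0x020  # "Accept client certificates"
ACCESS_SSL_REQUIRE_CERT = 0x040    # "Require client certificates"
ACCESS_SSL_MAP_CERT = 0x080        # "Enable client certificate mapping"
ACCESS_SSL128 = 0x100              # "Require 128-bit Encryption"

FLAG_NAMES = {
    ACCESS_SSL: "ssl",
    ACCESS_SSL_NEGOTIATE_CERT: "negotiate_cert",
    ACCESS_SSL_REQUIRE_CERT: "require_cert",
    ACCESS_SSL_MAP_CERT: "map_cert",
    ACCESS_SSL128: "ssl128",
}

# Constructed sample: (metabase path, AccessSSLFlags) for a few nodes.
SAMPLE_NODES = [
    ("W3SVC/1/ROOT", 0x000),            # plain HTTP
    ("W3SVC/1/ROOT/Secure", 0x108),     # SSL + 128-bit required
    ("W3SVC/1/ROOT/Partners", 0x068),   # SSL + client cert, no 128-bit minimum
    ("W3SVC/1/ROOT/Odd", 0x100),        # 128-bit bit set but SSL not required
]


def decode_access_ssl_flags(flags: int) -> Dict[str, bool]:
    """Return the check-box state the Secure Communications dialog would show."""
    return {name: bool(flags & bit) for bit, name in FLAG_NAMES.items()}


def audit_access_ssl_flags(path: str, flags: int, require_128: bool = True) -> List[str]:
    """Return findings for one metabase node; an empty list means it is compliant."""
    state = decode_access_ssl_flags(flags)
    findings = []
    if not state["ssl"]:
        findings.append(f"{path}: secure channel not required; plaintext HTTP is accepted")
    if require_128 and not state["ssl128"]:
        findings.append(f"{path}: 128-bit minimum not enforced; 40-bit and 56-bit sessions are accepted")
    if state["ssl128"] and not state["ssl"]:
        findings.append(f"{path}: AccessSSL128 set without AccessSSL; the 128-bit "
                        "check box only takes effect when SSL is required")
    return findings


def audit_all(nodes=SAMPLE_NODES, require_128: bool = True) -> Dict[str, List[str]]:
    """Audit every node and return only those with findings."""
    result = {}
    for path, flags in nodes:
        findings = audit_access_ssl_flags(path, flags, require_128)
        if findings:
            result[path] = findings
    return result


def negotiated_cipher_is_strong(cipher: Tuple[str, str, Optional[int]], min_bits: int = 128) -> bool:
    """Check the (name, protocol, secret_bits) tuple returned by ssl.SSLSocket.cipher()."""
    _name, _protocol, bits = cipher
    return bits is not None and bits >= min_bits


def probe_negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to the server and return the cipher it actually negotiated.

    Use this after saving the dialog to confirm the session key strength the
    server accepts; it needs network access and is not run by the tests.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    for path, findings in audit_all().items():
        for finding in findings:
            print(finding)
```

Run the script as-is to see the findings for the constructed nodes, or replace SAMPLE_NODES with values read from your own metabase (for example with the adsutil.vbs script that ships with IIS) to audit a real server; `probe_negotiated_cipher` then confirms that a live session meets the minimum.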

Server-Gated Cryptography

Server-Gated Cryptography (SGC) offers financial institutions a solution for worldwide secure financial transactions using 128-bit encryption. SGC is an extension of Secure Sockets Layer (SSL) that allows financial institutions with export versions of IIS to use strong encryption.

Server-Gated Cryptography does not require an application running on the client's browser and can be utilized by standard export versions of IIS, version 4.0 or later. A server configured for SGC can facilitate both 128-bit and 40-bit encryption sessions, so multiple versions of IIS are not required. Although SGC capabilities are built into IIS 4.0 and later versions, a special SGC certificate is required to use SGC. Contact your certification authority for availability information. For more information about SGC, see the article titled Secured online banking goes global! at the Server-Gated Cryptography (SGC) Web site.

Note    If you open your SGC certificate, you might receive a notice on the General tab saying, "The certificate has failed to verify for all of its intended purposes." This notice is issued because of the way SGC certificates interact with Windows 2000 and does not necessarily indicate that the certificate does not work properly.

Selectable Cryptographic Service Provider

Selectable Cryptographic Service Provider (CSP) allows you to select a Microsoft or third-party cryptographic provider to handle cryptography and certificate management. Each cryptographic provider can create a public and private key pair to encrypt data sent to and from the Web server. The private key is stored at the server end on hardware, on a PCI card, on a SmartCard, or in the registry, as it is for the two default providers that Microsoft installs: Microsoft DH SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider. Every provider exposes the same Microsoft Cryptographic API (CryptoAPI) methods and properties, so you can switch between providers without rewriting code. For more information on CSP and managing installed third-party cryptographic providers, see the Microsoft CryptoAPI Overview on MSDN's Web Workshop. For the latest list of cryptographic service providers supporting Internet Information Services, select Endorsements on that page.


© 1997-2001 Microsoft Corporation. All rights reserved.