From: Currie, Jon (TIFS) (jon.currieguarantygroup.com)
Date: Fri Jan 04 2002 - 14:50:08 CST


    The SSL you refer to is called a Server Gated Cryptography Certificate. I'm
    not familiar with Verisign's product line, so I can't really help with which
    product offers it, but here is some information about it:

    Microsoft has some info in the IE4 Resource Kit:
    http://www.microsoft.com/TechNet/archive/ie/reskit/ie4/Part7/part7b.asp

    Info on Thawte's SuperCert:
    http://www.thawte.com/support/server/supercert.html

    This page used to work, but it looks like it might not anymore; maybe
    they'll fix that soon:
    http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.GlobalID

    It's a special SSL that is given by Verisign to certain organizations, such
    as banks, that basically has special extensions in it that turn on special
    flags in IE and Netscape which enable 128-bit for the duration of that
    session. The main purpose was to allow international users who weren't
    allowed to use 128-bit browsers, due to export regulations, to have a
    128-bit session.

    -----Original Message-----
    From: Mike Shaw [mailto:mshawwwisp.com]
    Sent: Friday, January 04, 2002 11:29 AM
    To: focus-mssecurityfocus.com
    Subject: Implications of international SSL key in IE/IIS 5?

    A company I'm working with recently asked for my assistance in renewing an
    SSL key on an IIS server. It was a Verisign key, so I'm relatively
    familiar with these.

    Looking at the certs they had ordered before, they had opted for the
    "secure site pro" keys. In the past, I had used regular "secure site"
    keys. The Secure Site Pro keys are billed as "128 bit keys" and the
    regulars are billed as "40 bit keys", however as you read the fine print,
    you see that regular non-"pro" keys are capable of 128 bit communication as
    well, just with domestic grade browsers. Secure Site Pro keys are capable
    of 128 bit communication with international/export grade browsers as well.

    I've tested it, and on exportable IE 6 (says cypher strength of 56 bit in
    the "about" box), it does indeed indicate that the SSL connection is 128
    bit with a Secure Site Pro key. A non-pro key won't connect at 128.

    Does anyone know if this is true 128 bit communication with export grade
    browsers, or some kind of kludge that is degraded for use with exportable
    crypto? The reason this is important is because

    a) The company with the key is representing to customers with domestic IE
    that this is "strong" encryption. If it isn't, or if it's some sort of
    hacked version, then it shouldn't be called "strong".
    b) It's twice as expensive for the "pro" keys.

    Also, does anyone have any knowledge of how IE would allow true 128 bit
    encryption and still remain exportable?

    As a side note, Verisign does some very slick advertising in this
    area. Unless you read carefully, you'd think you needed to use the Pro
    certificate to use 128 bit at all. There's no telling how many people
    have purchased Pro when they don't need it.

    Any input or wisdom is appreciated.

    -Mike