How can we ensure IIS uses only strong ciphers for SSL/TLS? Does the setting "Require 128-bit encryption" achieve that? What are strong ciphers, anyway? We'll try to answer these questions today.
First of all, does the IIS setting "Require 128-bit encryption" ensure strong ciphers?
Unfortunately, no. This setting only ensures that the symmetric session key is at least 128 bits long. Key length and cipher strength are not the same thing, so it does not promise strong ciphers.
Let's step back for a minute. Remember that SSL/TLS supports a range of algorithms? For symmetric encryption, it can use AES, 3DES, RC2, or RC4. For message integrity, it can use MD5 or SHA (SHA-1 in these suites). For key exchange and server authentication, the suites IIS offers here use RSA.
A cipher suite is a combination of those algorithms. TLS_RSA_WITH_AES_128_CBC_SHA (RSA key exchange, AES-128 encryption, SHA-1 integrity) is an example of a cipher suite. FIPS 140-2 approves only specific algorithms, so only the suites built from them count as strong: AES or 3DES for encryption, and SHA for integrity. Suites using other algorithms are not FIPS-approved and should not be considered strong.
The setting "Require 128-bit encryption" allows every 128-bit encryption algorithm, including RC2 and RC4, and it says nothing about the integrity algorithm, so suites that use MD5 remain enabled. RC2, RC4 and MD5 are all weak, so we need to disable them separately. IIS has no per-site knob for this: the algorithms are switched on and off system-wide through the Schannel keys in the registry, and Schannel reads them at boot, so a reboot is needed after the change.
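The following PowerShell script is an added example and is not from the original article. It disables the RC2 and RC4 ciphers and the MD5 hash by setting the `Enabled` value to 0 under the Schannel `Ciphers` and `Hashes` registry keys, then lists the result so you can verify it. The key names are the ones Schannel uses (for example `RC4 128/128`); the slash in them is a known trap, because PowerShell's `New-Item` would treat it as a path separator and create a nested `RC4 128` key with a `128` subkey, so the script uses the .NET registry API instead. It assumes you run it elevated on the IIS host and reboot afterwards.

```powershell
# Added example, not the article's own code: disable the weak Schannel
# algorithms that "Require 128-bit encryption" leaves enabled.
# Run as Administrator; reboot afterwards because Schannel reads these at boot.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Key names as Schannel expects them. The "/" in the cipher names is why we
# use the .NET registry API: PowerShell's New-Item would split on it.
$weakCiphers = @('RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')
$weakHashes  = @('MD5')

function Disable-SchannelAlgorithm {
    param([string]$Category, [string]$Name)
    $path = "$base\$Category\$Name"
    # CreateSubKey opens the key writable, creating it if it does not exist.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($path)
    try {
        # Enabled = 0 disables the algorithm; 0xFFFFFFFF would enable it.
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Host "Disabled $Category\$Name"
    } finally {
        $key.Close()
    }
}

foreach ($c in $weakCiphers) { Disable-SchannelAlgorithm -Category 'Ciphers' -Name $c }
foreach ($h in $weakHashes)  { Disable-SchannelAlgorithm -Category 'Hashes'  -Name $h }

# Verification: list every cipher and hash key with its Enabled value.
# A key with no Enabled value uses Schannel's built-in default (enabled).
foreach ($cat in 'Ciphers', 'Hashes') {
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$cat")
    if ($null -ne $parent) {
        foreach ($n in $parent.GetSubKeyNames()) {
            $k = $parent.OpenSubKey($n)
            '{0,-8} {1,-12} Enabled={2}' -f $cat, $n, $k.GetValue('Enabled', 'default')
            $k.Close()
        }
        $parent.Close()
    }
}
```

After the reboot, confirm from the outside that the server no longer negotiates RC2, RC4 or MD5 suites, since the registry listing only shows what you asked for, not what Schannel actually offers. Note that disabling RC4 can break very old clients that support nothing else; that is the intended effect, but check your client population before rolling this out.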