Server gated cryptography

From Wikipedia, the free encyclopedia

Server Gated Cryptography (SGC) was created in response to United States federal legislation on the export of strong cryptography in the 1990s.[1]

The legislation limited software used outside of the United States of America to weak algorithms and shorter key lengths. When the legislation added an exception for financial transactions, SGC was created as an extension to SSL, with SGC certificates issued only to financial organisations.

This legislation has since been changed: vendors no longer ship export-grade browsers, and SGC certificates can be issued to any organisation.

Today, SGC certificates are widely considered to be obsolete,[2] as "export grade" browsers are now all but extinct, and many parties contend that facilitating the use of older, insecure browsers creates more security concerns than it remedies.[3][4] However, some certificate authorities continue to charge a premium for this kind of certificate.

When an SSL handshake takes place, the client software (e.g. a web browser) lists the cipher suites that it supports. Although export-grade browsers included only weak ciphers in their initial SSL handshake, they did also contain the stronger cryptographic algorithms, and two different protocols existed to activate them. Netscape used Step-Up, which relied on the now obsolete, insecure renegotiation to switch to a stronger cipher suite. Microsoft used SGC, which aborts the handshake and restarts from the beginning with a new ClientHello message listing the stronger cipher suites; Microsoft's implementation also supported Netscape Step-Up for compatibility.
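A toy model of the SGC restart described above, added here as an illustration and not part of the article or of any browser's code: the cipher-suite names and the two Extended Key Usage OIDs (Microsoft SGC 1.3.6.1.4.1.311.10.3.3, Netscape Step-Up 2.16.840.1.113730.4.1) are real, while the server's suite list, the certificate contents and the message format are constructed for the example.

```python
"""Toy model of the SGC handshake restart (added illustration, not a real TLS stack)."""

# Real cipher-suite names from the SSL/TLS registries; the server's supported
# set and the certificate contents below are constructed for this example.
EXPORT_SUITES = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"]
STRONG_SUITES = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

# Extended Key Usage OIDs that mark a certificate as SGC / Step-Up capable.
MS_SGC_OID = "1.3.6.1.4.1.311.10.3.3"       # Microsoft Server Gated Crypto
NS_STEP_UP_OID = "2.16.840.1.113730.4.1"    # Netscape Step-Up
SGC_OIDS = {MS_SGC_OID, NS_STEP_UP_OID}


def server_hello(client_hello, server_suites, server_cert):
    """Server side: pick the first offered suite it supports and send its certificate."""
    for suite in client_hello["cipher_suites"]:
        if suite in server_suites:
            return {"cipher_suite": suite, "certificate": server_cert}
    raise ValueError("handshake_failure: no common cipher suite")


def export_client_handshake(server_suites, server_cert, cert_trusted=True):
    """Export-grade client: offers the weak suites first and restarts with the
    strong ones only if the (validated) server certificate carries an SGC/Step-Up EKU."""
    transcript = []
    hello = {"cipher_suites": EXPORT_SUITES}
    transcript.append(("ClientHello", hello["cipher_suites"]))
    reply = server_hello(hello, server_suites, server_cert)
    transcript.append(("ServerHello", reply["cipher_suite"]))

    eku = set(reply["certificate"].get("extended_key_usage", []))
    if cert_trusted and reply["cipher_suite"] in EXPORT_SUITES and eku & SGC_OIDS:
        # SGC: abort and start over with a fresh ClientHello listing the strong suites.
        transcript.append(("Abort", "restart with strong suites"))
        hello = {"cipher_suites": STRONG_SUITES}
        transcript.append(("ClientHello", hello["cipher_suites"]))
        reply = server_hello(hello, server_suites, server_cert)
        transcript.append(("ServerHello", reply["cipher_suite"]))
    return reply["cipher_suite"], transcript


if __name__ == "__main__":
    suites = EXPORT_SUITES + STRONG_SUITES
    sgc_cert = {"subject": "CN=bank.example", "extended_key_usage": [MS_SGC_OID]}
    plain_cert = {"subject": "CN=shop.example", "extended_key_usage": []}
    for cert in (sgc_cert, plain_cert):
        suite, log = export_client_handshake(suites, cert)
        print(cert["subject"], "->", suite)
        for msg in log:
            print("   ", msg)
```

The model only honours the extension on a certificate that has already chain-validated (the `cert_trusted` gate), since the EKU of an unverified certificate is not evidence of anything.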

Internet Explorer used SGC with 40-bit and 128-bit encryption starting with patched versions of Internet Explorer 3, version 4, and version 5+.
