Configuring Security

Select the Preferred Encryption Algorithm for Your Clients

The basis of any public key infrastructure (PKI) is its security message format and encryption algorithms. KMS supports a number of encryption algorithms of varying strengths. The algorithm you select determines, among other things, the length of the keys used to sign and encrypt messages. Generally, longer keys are more secure, but they require more processing time and more system resources.

To determine the type of encryption your Exchange PKI will use:

  1. Start System Manager.
    On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the console tree, double-click Advanced Security.
  3. In the details pane, right-click Encryption Configuration, and then click Properties.
  4. In Encryption Configuration Properties, click the Algorithms tab.
  5. If you have users running Outlook 97 or older, select an algorithm under Microsoft Exchange 4.0/5.0 encryption:
    Algorithm                      Description
    DES (North America only)       Data Encryption Standard. The default selection, DES, is a 56-bit strength algorithm used for content encryption.
    CAST-64 (North America only)   A 64-bit strength algorithm.
    CAST-40                        For use outside of North America. Similar to CAST-64, except that keys are only 40 bits long.
  6. If you have users running Outlook 98 or later versions, select an algorithm under S/MIME encryption:
    Algorithm                      Description
    3DES (North America only)      Known as "triple DES," this is the strongest encryption available in Exchange and is the recommended option. It is the default encryption method for S/MIME.
    DES (North America only)       Data Encryption Standard. DES is a 56-bit strength algorithm used for content encryption.
    RC2-128 (North America only)   Provides keys that are 128 bits in length. Note that messages encrypted with 128-bit keys require more time and processing to decrypt.
    RC2-40                         For use outside of North America. Similar to RC2-128, except that keys are only 40 bits long.
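
To confirm which S/MIME algorithm from the table above a client actually used, you can inspect the content-encryption AlgorithmIdentifier inside an encrypted message. The following is an added example, not code from Exchange or KMS. It assumes the DER-encoded AlgorithmIdentifier has already been extracted from the message; the sample values and the names classify and weaker_than_recommended are constructed for illustration, and the OIDs and RC2 parameter versions are the standard ones from RFC 3370 and RFC 2268.

```python
# Added example, not Exchange/KMS code; OIDs are the standard CMS algorithm identifiers.
OID_3DES = bytes.fromhex("2a864886f70d0307")  # 1.2.840.113549.3.7 des-ede3-cbc
OID_RC2 = bytes.fromhex("2a864886f70d0302")   # 1.2.840.113549.3.2 rc2-cbc
OID_DES = bytes.fromhex("2b0e030207")         # 1.3.14.3.2.7 des-cbc
RC2_VERSION_TO_BITS = {160: 40, 120: 64, 58: 128}  # rc2ParameterVersion, RFC 2268

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def classify(alg_id):
    """Map an AlgorithmIdentifier to (table name, nominal key bits)."""
    tag, body, _ = read_tlv(alg_id)
    otag, oid, pos = read_tlv(body)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("expected SEQUENCE { OID, parameters }")
    if oid == OID_3DES:
        return "3DES", 168  # three 56-bit DES keys
    if oid == OID_DES:
        return "DES", 56
    if oid == OID_RC2:
        ptag, params, _ = read_tlv(body, pos)  # SEQUENCE { version, iv }
        vtag, ver, _ = read_tlv(params)
        if ptag != 0x30 or vtag != 0x02:
            raise ValueError("unexpected RC2-CBC parameters")
        bits = RC2_VERSION_TO_BITS.get(int.from_bytes(ver, "big"))
        return (f"RC2-{bits}", bits) if bits else ("RC2-unknown", 0)
    return "unknown", 0

def weaker_than_recommended(samples):
    """Names of samples not using 3DES, the option the table recommends."""
    return [n for n, der in samples.items() if classify(der)[0] != "3DES"]
IV = "04080102030405060708"  # constructed 8-byte IV as an OCTET STRING
SAMPLES = {  # constructed AlgorithmIdentifier values, not captured traffic
    "msg-a": bytes.fromhex("3014" "06082a864886f70d0307" + IV),
    "msg-b": bytes.fromhex("301a" "06082a864886f70d0302" "300e" "020200a0" + IV),
    "msg-c": bytes.fromhex("3019" "06082a864886f70d0302" "300d" "02013a" + IV),
    "msg-d": bytes.fromhex("3011" "06052b0e030207" + IV),
}
```

RC2-40 and RC2-128 share one OID, so the key length can only be told apart by the rc2ParameterVersion value in the parameters.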