I'm trying to understand the mechanism of encryption used on the web. One thing is not clear to me at this point: If I check, for example, google.com certificate, I can see that the public key is 4320 bits long, but Chrome shows that the connection is encrypted using AES_128_GCM, that I would expect to work with 128 bit keys. What am I missing here?
The 4320 bits in the public key algorithm are used to encrypt the 128 bits in the symmetric key algorithm. The public key establishes a secure channel of communication between two parties who initially don't have any shared key. Think of this as a low bandwidth channel, which isn't very useful due to the computationally expensive nature of the public key algorithm. In practice -- the sole use of this public-key is to communicate a shared key to establish a high bandwidth channel which uses something like AES (which requires both parties to have the same key). The overall process is an example of a hybrid cryptosystem.