[Cryptography] Microsoft announces new email encryption misfeature?
Dave Howe
davehowe.pentesting at gmail.com
Wed Nov 27 04:35:35 EST 2013
On 27/11/2013 04:03, John Gilmore wrote:
> "Messages are 2048-bit encrypted using SHA-256 with the private key
> of the Office 365 tenant domain. Recipients have no knowledge of
> this key, so when they receive the message, they'll see that it
> contains an encrypted attachment together with some instructions as
> to how to view the content. ...
This sounds very similar indeed to how cisco/ironport's CRES solution
works. The mail body is encrypted and sent hidden in a series of "image"
files stored as mime multipart/related, along with some javascript that
interacts with a web service to provide login, key download and
localized decryption etc etc.
All the key material is held on a server controlled by cisco, in US
jurisdiction, and the *only* security review cisco were willing to share
with a UK dot-gov security auditor was on the *physical* security of the
non-cisco-owned hosting site. (!)
Needless to say, they weren't too impressed and recommended the
dot-gov went with a similar, but on-premise system from PGP instead.
More information about the cryptography
mailing list