Microsoft Office 365 uses insecure block ciphers • The Register

Microsoft Office 365 Message Encryption claims to provide a way to “send and receive encrypted email messages between people inside and outside of your organization.”

And according to WithSecure (the research lab spun out of F-Secure), it is not fit for purpose: the mode of operation used, Electronic Codebook (ECB), leaks the structure of any plaintext with repetitive patterns, such as plain text or uncompressed images and video. And Microsoft is not going to fix it.

In ECB mode a message is divided into fixed-size blocks (16 bytes for AES) and every block is encrypted independently under the same key, so two plaintext blocks that are identical always produce identical ciphertext blocks. For an image, where runs of pixels of the same colour become identical plaintext blocks, the corresponding ciphertext blocks are identical too, and the outline of the image remains visible in the ciphertext.

ECB’s leaky nature makes it unsuitable for secure communications, and cryptographers advise against using it in any cryptographic protocol. As the US National Institute of Standards and Technology (NIST) puts it, “the use of ECB to encrypt confidential information constitutes a severe security vulnerability”.

Office 365 Message Encryption (OME) does use a strong cipher, AES, but WithSecure points out that this is beside the point: the leak comes from the mode, not the cipher. ECB exposes block-level structure regardless of which block cipher sits underneath it, so AES in ECB mode still yields poor encryption.

The lab notes that OME-encrypted messages travel as email attachments, so copies may sit on mail servers, in mailbox backups, or in traffic captured in transit. An attacker who collects enough of these messages could infer their content by analysing the repeated ciphertext blocks, both within a single message and across messages encrypted under the same key.
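The following is an added example, not code from the article or from WithSecure, showing both of the effects described above: an ECB-encrypted “image” whose shape can be read straight off the ciphertext, and two messages sharing a common header that expose that shared content through identical ciphertext blocks, with CBC under a random IV shown for contrast. It also includes the classic repeated-block check a practitioner can run over a suspect blob to detect ECB. The key, the image and the two messages are constructed sample inputs; AES comes from the `cryptography` package if it is installed, otherwise a keyed hash stands in for the block cipher (an assumption noted in the code, and sufficient here because the leak depends only on “same key, same block, same output”, not on the cipher):

```python
"""Added example: why ECB leaks structure, and how to spot it."""
import hashlib
import os

BLOCK = 16  # AES block size in bytes

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Raw AES on a single block (one-block ECB is the bare block cipher)."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Assumption: if `cryptography` is absent, a keyed hash stands in for AES.
    # It is not a cipher (not invertible), but it has the one property the
    # ECB leak depends on: same key and same block always give the same output.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted on its own, so equal plaintext blocks
    give equal ciphertext blocks. This is the OME weakness."""
    return b"".join(block_encrypt(key, b) for b in split_blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = b"") -> bytes:
    """CBC with a random IV: each block is XORed with the previous ciphertext
    block before encryption, so equal plaintext blocks no longer repeat.
    Shown only for contrast; it gives no integrity, so a real design would use
    an AEAD mode such as AES-GCM. Returns iv || ciphertext."""
    prev = iv or os.urandom(BLOCK)
    out = [prev]
    for b in split_blocks(pkcs7_pad(plaintext)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Classic ECB detector: how many 16-byte ciphertext blocks repeat an
    earlier one. Any count above zero on a 16-byte-block cipher is a red flag."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def shared_blocks(ct_a: bytes, ct_b: bytes):
    """Ciphertext blocks present in both messages. Under ECB with one key,
    each such block marks a plaintext block the two messages have in common."""
    return set(split_blocks(ct_a)) & set(split_blocks(ct_b))


def sketch(ciphertext: bytes, blocks_per_row: int):
    """Render a ciphertext as rows of symbols, one per block, giving every
    distinct block value its own letter. For ECB this redraws the picture."""
    symbol = {}
    chars = [symbol.setdefault(b, chr(ord("A") + len(symbol))) for b in split_blocks(ciphertext)]
    return ["".join(chars[i:i + blocks_per_row]) for i in range(0, len(chars), blocks_per_row)]


# --- constructed sample inputs (not real data) ---------------------------
KEY = bytes(range(16))  # demo key only; never use a fixed key for real

# A 32x16 one-byte-per-pixel "image": white background with a black bar on
# rows 6-9 covering the left half. Each 32-pixel row is exactly two blocks.
WHITE, BLACK = b"\xff" * 32, b"\x00" * 16 + b"\xff" * 16
IMAGE = WHITE * 6 + BLACK * 4 + WHITE * 6

HEADER = b"Subject: Q3 payroll export\r\nTo: "  # 32 bytes: two full blocks
MSG_A = HEADER + b"alice@example.com\r\n\r\nYour Q3 statement is attached.\r\n"
MSG_B = HEADER + b"bob@example.com\r\n\r\nYour Q3 statement is attached. Note the new bank details.\r\n"


if __name__ == "__main__":
    ecb_img, cbc_img = ecb_encrypt(KEY, IMAGE), cbc_encrypt(KEY, IMAGE)
    print("repeated blocks  ECB:", repeated_blocks(ecb_img), " CBC:", repeated_blocks(cbc_img))
    print("ECB ciphertext sketch (the bar is still visible):")
    print("\n".join(sketch(ecb_img, 2)[:16]))
    ecb_a, ecb_b = ecb_encrypt(KEY, MSG_A), ecb_encrypt(KEY, MSG_B)
    cbc_a, cbc_b = cbc_encrypt(KEY, MSG_A), cbc_encrypt(KEY, MSG_B)
    print("blocks shared by the two messages  ECB:", len(shared_blocks(ecb_a, ecb_b)),
          " CBC:", len(shared_blocks(cbc_a, cbc_b)))
```

Run it and the ECB sketch prints rows of `AA` with a band of `BA` in the middle, i.e. the bar of the image, while the two ECB-encrypted messages share exactly the two ciphertext blocks that cover their common 32-byte header; the CBC ciphertexts show no repeats and share nothing. The `repeated_blocks` count is the check to run on any blob you suspect was produced in ECB mode.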

“Attackers able to get their hands on multiple messages can use the leaked ECB information to find out the encrypted content,” Harry Sintonen, security researcher at WithSecure, said in a statement.

“More email makes this process easier and more accurate, allowing attackers to do this after getting their hands on email archives stolen during a data breach, or by hacking into an email account, breaking into someone’s email server, or gaining access to backups.”

WithSecure attributes Microsoft’s continued use of ECB to a desire to maintain backwards compatibility. The security firm notes that the Microsoft Information Protection (MIP) C++ library has a ProtectionHandler::PublishingSettings class with a SetIsDeprecatedAlgorithmPreferred method. That method, according to Microsoft’s documentation, “determines whether the legacy crypto-algorithm (ECB) is preferred for backwards compatibility.”

Microsoft apparently sees no problem with this. Alerted to WithSecure’s findings, the software giant reportedly said no action was needed: “The report did not meet the bar for security servicing, nor was it deemed a breach. No code change was made and therefore no CVE was issued for this report.”

Microsoft introduced a data governance system called Microsoft Purview in April. Office 365 Message Encryption (OME) is now considered a legacy system. We’re told that the Windows giant is looking into alternative encryption methods for future products.

In an email to The Register, a Microsoft spokesperson said: “The rights management feature is intended as a tool to prevent accidental misuse and does not represent a security boundary. To prevent misuse, we encourage customers to follow best security practices, including updating systems, enabling multi-factor authentication and using a real-time anti-malware product.”

WithSecure says organizations using Office 365 Message Encryption may want to consider the legal implications of this vulnerability, particularly in light of EU and California privacy regulations.

“Since Microsoft has no plans to address this vulnerability, the only workaround is to avoid using Microsoft Office 365 Message Encryption,” the lab concludes. ®

Source: https://www.theregister.com/2022/10/14/microsoft_office_365_message_encryption/

Rick Schindler
