Microsoft Office 365: Beware of insecure encryption

Office 365 Message Encryption claims to offer a way to “send and receive encrypted email messages between people inside and outside your organization.”

But according to F-Secure's WithSecure team, it is not suitable for this purpose: the encryption method used, known as Electronic Codebook (ECB), is unsafe for data with repeating patterns, such as plain text or uncompressed images or videos. And Microsoft isn't fixing it.

In ECB mode, a message is split into a series of blocks and each block is encrypted independently, so identical plaintext blocks in different positions produce the same ciphertext. In an image where identical pixels are represented by the same plaintext, the corresponding ciphertext is also the same for those pixels.

This leakiness makes ECB unsuitable for secure communication, and cryptography experts advise against using it in cryptographic protocols. As the US NIST states, "the use of ECB to encrypt confidential information constitutes a serious security gap."

Office 365 Message Encryption (OME, from Office Message Encryption) uses a strong cipher (AES), but WithSecure says that this is irrelevant, because ECB mode is weak and vulnerable to cryptanalysis regardless of the cipher used. In other words, when AES is used in ECB mode, the resulting encryption is not secure.

The security team reports that encrypted OME messages are sent as email attachments and persist in email systems. An attacker with access to a sufficient number of these messages can deduce the content of the message by analyzing the repeating patterns of the ciphertext.

"Attackers who are able to get their hands on multiple messages can use the leaked ECB information to understand the encrypted content," said Harry Sintonen, security researcher at WithSecure.

"More emails make this process easier and more accurate, so it's something attackers can do after stealing email records during a data breach or by hacking into someone's email account, email server, or accessing copies of security."

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
