Monday, June 28, 2010

Outlook 2010 weak email encryption


For an unknown reason Microsoft has changed the encryption behaviour of Outlook 2010. If there is no S/MIME Capabilities attribute in the recipient's user certificate, Outlook 2010 falls back to RC2 40-bit encryption without any warning to the sender or the recipient.
In Outlook 2003 and 2007 the fallback encryption is 3DES 168-bit; in Outlook 2002 (XP) it was also RC2 40-bit.
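To make the fallback visible, here is an added example (my own code, not from the blog and not Microsoft's selection logic) that parses a DER-encoded S/MIME Capabilities attribute value (OID 1.2.840.113549.1.9.15) and shows which content-encryption algorithm a sender ends up with. The function names, the 112-bit "weak" threshold, the small DER encoder and the sample capability lists are assumptions made for this example.

```python
"""Added example: parse an S/MIME Capabilities attribute value (DER) and
pick the content-encryption algorithm a sender would use, flagging the
RC2/40 fallback that Outlook 2010 uses when the attribute is missing.
The sample attribute values below are constructed, not taken from real
certificates."""

# Content-encryption algorithm OIDs this example understands.
ALGS = {
    "1.2.840.113549.3.7": "des-ede3-cbc",       # 3DES, 168-bit key
    "1.2.840.113549.3.2": "rc2-cbc",            # RC2, key size given by the parameter
    "2.16.840.1.101.3.4.1.2": "aes128-cbc",
    "2.16.840.1.101.3.4.1.42": "aes256-cbc",
}
FIXED_BITS = {"des-ede3-cbc": 168, "aes128-cbc": 128, "aes256-cbc": 256}
# What the sender falls back to when the recipient advertises nothing
# (the Outlook 2010 behaviour described in the post).
RC2_40_FALLBACK = ("rc2-cbc", 40)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-decimal string from the OID content octets."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_smime_capabilities(der):
    """Return [(algorithm, key_bits), ...] in the recipient's preference order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        tag, cap, pos = _read_tlv(body, pos)        # one SMIMECapability
        otag, oid_raw, after_oid = _read_tlv(cap, 0)
        if tag != 0x30 or otag != 0x06:
            raise ValueError("malformed SMIMECapability")
        name = ALGS.get(_decode_oid(oid_raw))
        if name is None:
            continue                                # signature-only or unknown capability
        if name == "rc2-cbc":                       # parameter: INTEGER key length in bits
            ptag, param, _ = _read_tlv(cap, after_oid)
            bits = int.from_bytes(param, "big") if ptag == 0x02 else 32
        else:
            bits = FIXED_BITS[name]
        caps.append((name, bits))
    return caps


def choose_cipher(caps_der):
    """Cipher a sender would pick: first advertised one, else the weak fallback."""
    if caps_der is None:
        return RC2_40_FALLBACK
    caps = parse_smime_capabilities(caps_der)
    return caps[0] if caps else RC2_40_FALLBACK


def is_weak(choice):
    """Anything below a 112-bit key (3DES is the floor here) counts as weak."""
    return choice[1] < 112


# --- minimal DER encoder, only used to build the constructed samples ---------
def _der(tag, body):
    return bytes([tag, len(body)]) + body          # short-form lengths suffice here


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append((a & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return bytes(out)


def build_capabilities(prefs):
    """Constructed SMIMECapabilities value listing prefs in preference order."""
    items = b""
    for name, bits in prefs:
        oid = next(o for o, n in ALGS.items() if n == name)
        body = _der(0x06, _encode_oid(oid))
        if name == "rc2-cbc":
            body += _der(0x02, bits.to_bytes((bits.bit_length() + 8) // 8, "big"))
        items += _der(0x30, body)
    return _der(0x30, items)


if __name__ == "__main__":
    good = build_capabilities([("aes256-cbc", 256), ("des-ede3-cbc", 168), ("rc2-cbc", 128)])
    for label, der in (("with attribute", good), ("without attribute", None)):
        choice = choose_cipher(der)
        print(f"{label}: {choice[0]} {choice[1]}-bit{'  <-- WEAK' if is_weak(choice) else ''}")
```

The practical check before rolling out Outlook 2010 is to run something like this over the recipient certificates in use and list every one where `choose_cipher` lands on the RC2/40 fallback, i.e. every certificate without the attribute.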



Monday, March 29, 2010

Easy certificate export from IE internet options

If you were ever wondering why exporting certificates from Internet Explorer's Internet Options is so hard, check out this easy method with drag & drop.
By the way: export as DER encoded binary is fine for Windows systems and for adding a user certificate to one of your Outlook contacts; Base64 encoded is perfect for OpenSSL-based applications, or if you need to transfer a certificate via the clipboard from your local host into an RDP session or vice versa; export as PKCS#7 (.p7b) is the right choice if you need to export a user or machine certificate together with the complete certificate chain. The exported .p7b file is in binary format.
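As an added example (not code from the post), here is a small Python helper that recognises which of the three export formats a file is in and converts between DER and the Base64 (PEM) form that can be pasted through a clipboard into an RDP session. The function names are mine, and the sample inputs are constructed DER skeletons, not real certificates.

```python
"""Added example: detect DER (binary X.509), Base64/PEM and binary PKCS#7
export formats and convert DER <-> PEM. The DER samples at the bottom are
constructed skeletons, not real certificates."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2


def _first_inner_tag(der):
    """Tag of the first element inside the outer SEQUENCE (skips the DER length)."""
    pos = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return der[pos], pos


def detect_format(data):
    """Return 'pem', 'der-x509', 'der-pkcs7' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    if len(data) < 4 or data[0] != 0x30:
        return "unknown"
    tag, pos = _first_inner_tag(data)
    if tag == 0x30:                  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        return "der-x509"
    if tag == 0x06 and data[pos + 2:pos + 2 + len(OID_SIGNED_DATA)] == OID_SIGNED_DATA:
        return "der-pkcs7"           # ContentInfo { contentType id-signedData, ... }
    return "unknown"


def der_to_pem(der, label="CERTIFICATE"):
    """Base64 export with 64-column lines, as OpenSSL expects it."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_to_der(pem):
    """Return (label, der) of the first PEM block; raise if there is none."""
    raw = pem if isinstance(pem, bytes) else pem.encode("ascii")
    m = PEM_RE.search(raw)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1).decode("ascii"), base64.b64decode(re.sub(rb"\s+", b"", m.group(2)))


# Constructed skeletons: a "certificate" whose tbsCertificate is an empty
# SEQUENCE, and a PKCS#7 ContentInfo that only names signedData.
FAKE_CERT_DER = bytes.fromhex("3002" "3000")
FAKE_P7B_DER = bytes.fromhex("300b" "0609" "2a864886f70d010702")

if __name__ == "__main__":
    for name, blob in (("cert.cer", FAKE_CERT_DER), ("chain.p7b", FAKE_P7B_DER)):
        print(name, "->", detect_format(blob))
    print(der_to_pem(FAKE_CERT_DER))        # this is what you paste into the RDP session
```

Whether a `.p7b` came out as binary or Base64 is the first thing to check when an OpenSSL command complains about a file from a Windows export; `detect_format` answers that before any conversion is attempted.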




Friday, February 5, 2010

What is really encrypted in an S/MIME protected e-mail?

I was wondering what is protected in an S/MIME e-mail and what is in plain text.
So the sender's address and the recipient's address are readable, and so is the subject. The same goes for all SMTP headers, e.g. the gateway DNS name or IP address from which I got the e-mail. So far so good: I cannot deny that I got an e-mail or that I sent an e-mail, and I should also be careful with my e-mail subjects.
Also good is that attachment file names are encrypted as well, and even on BCC mails the encryption is done per recipient, so you cannot see the other recipients, e.g. in the list of the encryption certificates' serial numbers.


c:\temp>certutil.exe smime.p7m

....
No Signer
Recipient Count: 2

Recipient Info[0]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 169ad538
Issuer: CN=Verified Email, O=TrustedRoot.org

Recipient Info[1]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 9d71
Issuer: CN=StartCom Class 1 Primary Intermediate Client CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

No Certificates
No CRLs
CertUtil: -dump command completed successfully.
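The dump above shows exactly what anyone holding the encrypted message can read without a private key. As an added example (my own code, not the post's and not certutil), here is a small Python dumper that walks a CMS EnvelopedData and reports the recipient count, each recipient's issuer and certificate serial, and the content-encryption algorithm. The sample message is constructed inline with a tiny DER encoder; only the two issuer names and serials are taken from the certutil output in the post, and the encrypted keys and content are dummy bytes.

```python
"""Added example: list what a CMS EnvelopedData (the S/MIME .p7m body)
reveals without any private key. Hand-written dumper, not certutil; the
sample message below is constructed and only its recipient names and
serials are copied from the post."""

OID_ENVELOPED = bytes.fromhex("2a864886f70d010703")   # 1.2.840.113549.1.7.3
OID_DATA = bytes.fromhex("2a864886f70d010701")        # 1.2.840.113549.1.7.1
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_3DES = bytes.fromhex("2a864886f70d0307")          # des-ede3-cbc
OID_RC2 = bytes.fromhex("2a864886f70d0302")           # rc2-cbc
CIPHERS = {OID_3DES: "des-ede3-cbc", OID_RC2: "rc2-cbc"}
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}
ATTR_OID = {v: k for k, v in ATTR.items()}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _name_to_str(name_der):
    """Render an X.501 Name most-specific RDN first (reverse of DER order)."""
    parts, pos = [], 0
    while pos < len(name_der):
        _, rdn, pos = _read_tlv(name_der, pos)         # SET (single-valued RDN)
        _, atv, _ = _read_tlv(rdn, 0)                  # AttributeTypeAndValue
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        parts.append(f"{ATTR.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ", ".join(reversed(parts))


def parse_recipients(der):
    """Return ([(issuer, serial_hex), ...], cipher_name) from an EnvelopedData."""
    _, ci, _ = _read_tlv(der, 0)                       # ContentInfo
    _, ctype, p = _read_tlv(ci, 0)
    if ctype != OID_ENVELOPED:
        raise ValueError("not an EnvelopedData ContentInfo")
    _, explicit0, _ = _read_tlv(ci, p)                 # [0] EXPLICIT
    _, env, _ = _read_tlv(explicit0, 0)                # EnvelopedData
    _, _ver, p = _read_tlv(env, 0)
    _, rinfos, p = _read_tlv(env, p)                   # SET OF RecipientInfo
    _, eci, _ = _read_tlv(env, p)                      # EncryptedContentInfo
    recipients, pos = [], 0
    while pos < len(rinfos):
        _, ktri, pos = _read_tlv(rinfos, pos)          # KeyTransRecipientInfo
        _, _ver, p = _read_tlv(ktri, 0)
        _, rid, _ = _read_tlv(ktri, p)                 # IssuerAndSerialNumber
        _, issuer, p = _read_tlv(rid, 0)
        _, serial, _ = _read_tlv(rid, p)
        recipients.append((_name_to_str(issuer), format(int.from_bytes(serial, "big"), "x")))
    _, _ct, p = _read_tlv(eci, 0)
    _, alg, _ = _read_tlv(eci, p)                      # contentEncryptionAlgorithm
    _, alg_oid, _ = _read_tlv(alg, 0)
    return recipients, CIPHERS.get(alg_oid, alg_oid.hex())


# --- minimal DER encoder, used only to construct the sample message ----------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(rdns):
    """rdns: [(short_name, value), ...] in DER order (least specific first)."""
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, ATTR_OID[k]) + _der(0x0C, v.encode("utf-8"))))
        for k, v in rdns))


def build_enveloped(recipients, cipher_oid):
    """Constructed EnvelopedData; encrypted keys and content are dummy zero bytes."""
    rinfos = b""
    for rdns, serial in recipients:
        serial_der = _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
        rid = _der(0x30, _name(rdns) + serial_der)
        rinfos += _der(0x30, _der(0x02, b"\x00") + rid
                       + _der(0x30, _der(0x06, OID_RSA) + b"\x05\x00") + _der(0x04, bytes(16)))
    eci = _der(0x30, _der(0x06, OID_DATA)
               + _der(0x30, _der(0x06, cipher_oid) + _der(0x04, bytes(8))) + _der(0x80, bytes(32)))
    env = _der(0x30, _der(0x02, b"\x00") + _der(0x31, rinfos) + eci)
    return _der(0x30, _der(0x06, OID_ENVELOPED) + _der(0xA0, env))


# The two recipients from the certutil dump in the post, re-encoded here.
SAMPLE = build_enveloped([
    ([("O", "TrustedRoot.org"), ("CN", "Verified Email")], 0x169AD538),
    ([("C", "IL"), ("O", "StartCom Ltd."), ("OU", "Secure Digital Certificate Signing"),
      ("CN", "StartCom Class 1 Primary Intermediate Client CA")], 0x9D71),
], OID_3DES)

if __name__ == "__main__":
    recips, cipher = parse_recipients(SAMPLE)
    print(f"Recipient Count: {len(recips)}   Content cipher: {cipher}")
    for i, (issuer, serial) in enumerate(recips):
        print(f"Recipient Info[{i}]: Serial Number: {serial}  Issuer: {issuer}")
```

Two things worth noting from a defender's view: every recipient's issuer and serial is metadata that travels in the clear, so a third party can correlate who corresponds with whom, and the content-encryption algorithm is also visible, which is how a 40-bit RC2 message from the Outlook 2010 fallback would show up in such a dump.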

Tuesday, January 26, 2010

Hire and fire

Managing digital identities is an open field. Some users have more than one identity, others get a new surname after marriage, and of course some users change company. So no mystery, just the life of a human.
But let us look at it the way a corporate identity manager has to. Our company hires people, and often they leave the company after a while. Others are happy and retire. I see two points in this: 1. People come and go, but two persons can have the same name. 2. When they leave, what do we do with the data and the digital identities they leave behind?
1.) E.g. Bob Drake is a new employee with user ID bobdr and e-mail bob.drake@org.com. So what will happen when Bob leaves the company and two months later another Bob Drake gets hired? Is your identity management ready for this? What will be the user ID and e-mail for Bob #2? Do you have an underlying globally unique identifier? Is every one of your applications ready to see the different identities? Can you deal with that?
2.) In our Org.com we run a PKI system with key recovery as a backup/recovery solution in case the primary certificate is lost. When Alice, another employee of the great Org.com, leaves, for how long do we keep the data and for how long do we keep the certificates for recovery? For example, if you have to keep all company papers written by Alice for at least 10 years by law, for how long do you store the certificates?
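As an added example (my own code, not part of the post), here is a minimal identity registry that shows one way to handle both points: every person gets an immutable GUID that applications key on, a second Bob Drake gets his own user ID and e-mail rather than inheriting the first one's, and a leaver's record stays in the registry, with the serials of the certificates held for key recovery, until a retention date. The retention rule (recovery material lives as long as the documents it protects, 10 years in the post's example), the ID derivation scheme and all names are assumptions made for this example.

```python
"""Added example: identity registry with immutable GUIDs, never-reused
user IDs/e-mail addresses, and a retention date for leavers' records and
their key-recovery certificates. Retention rule and data are assumptions."""
from dataclasses import dataclass, field
from datetime import date
import uuid


@dataclass
class Identity:
    guid: str                          # stable key every application should use
    given: str
    surname: str
    userid: str
    email: str
    active: bool = True
    left_on: date = None
    retain_until: date = None          # archived data and recovery keys kept until here
    cert_serials: list = field(default_factory=list)


def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


class Registry:
    def __init__(self, domain="org.com", retention_years=10):
        self.domain, self.retention = domain, retention_years
        self.by_guid = {}
        self.userids, self.emails = set(), set()   # never reused after someone leaves

    def _unique(self, base, taken):
        cand, n = base, 1
        while cand in taken:
            n += 1
            cand = f"{base}{n}"
        taken.add(cand)
        return cand

    def hire(self, given, surname):
        """A second Bob Drake gets bobdr2 / bob.drake2@... and his own GUID."""
        userid = self._unique((given[:3] + surname[:2]).lower(), self.userids)
        local = self._unique(f"{given}.{surname}".lower(), self.emails)
        ident = Identity(str(uuid.uuid4()), given, surname, userid, f"{local}@{self.domain}")
        self.by_guid[ident.guid] = ident
        return ident

    def rename(self, guid, new_surname):
        """Marriage: GUID, user ID and e-mail stay; only the display name changes."""
        self.by_guid[guid].surname = new_surname
        return self.by_guid[guid]

    def leave(self, guid, on):
        """Deprovision but keep the record. Assumption: recovery material is
        retained as long as the documents it protects (10 years here)."""
        ident = self.by_guid[guid]
        ident.active, ident.left_on = False, on
        ident.retain_until = _add_years(on, self.retention)
        return ident

    def disposable(self, today):
        """Leavers whose retention has expired: their keys and data may be destroyed."""
        return [i for i in self.by_guid.values() if not i.active and i.retain_until <= today]


if __name__ == "__main__":
    reg = Registry()
    bob1 = reg.hire("Bob", "Drake")
    reg.leave(bob1.guid, date(2010, 1, 26))
    bob2 = reg.hire("Bob", "Drake")
    print(bob1.userid, bob1.email, "retained until", bob1.retain_until)
    print(bob2.userid, bob2.email, "distinct GUID:", bob1.guid != bob2.guid)
```

The important design choice is that `userids` and `emails` are never released: an application that still carries `bobdr` in an ACL two months later must not silently start granting Bob #2 what Bob #1 had, and the GUID is the only key downstream systems should store.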

Saturday, July 4, 2009

Top rules for a successful Certificate Management

In the next months I will be working on the rules for a successful certificate management system. The idea behind it is not so much to see what we do with certificates; it is more about what the foundation of a certificate is these days: who has requested a certificate, who decided what the content of a certificate is, who has approved processing a certificate, how the certificate travelled to a user or machine. So it starts from the identity management view of users and goes on to tracking a certificate over all phases of its lifecycle. I will start with that next.

Wednesday, March 25, 2009

Do we need another certificate management system?

Do we need another certificate management system? That is a good question. When I look at OpenCA or Microsoft Certificate Lifecycle Manager it seems there is a lot of functionality included, but with little workflow functionality on one side and high costs and poor compatibility with "other" operating systems on the other. And there are more sophisticated management systems on the market, sometimes also with sophisticated pricing. Most of all, every system is bound to one CA system, so if you are working in an enterprise environment you probably have more than one certificate management system. What is the conclusion: do we need a meta certificate management system?

Monday, October 20, 2008

cltools (beta) available

Since last night the Crypto-Live Tools (cltools) are linked on the web site.
http://www.crypto-live.org/

Update March 24, 09: Unfortunately I cannot find a hosting provider which allows me to use openssl commands via PHP exec(). If you can help please send me a note at info at crypto dash live dot org. I appreciate your help.