Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Outlook launches End to End encryption


  • Please log in to reply
8 replies to this topic

#1 STS-1

STS-1

  • Malware Study Hall Sophomore
  • 218 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 PM

Posted 01 May 2018 - 04:42 PM

Hey everyone, Microsoft recently announced that Outlook will be launching end to end encryption, and I thought some discussion was warranted.

 

#1 As I understand it (correct me if I am wrong) but if I am using a extension such as Enigmail, as long as I have a person's public key then I can send them encrypted emails... the post from Microsoft says  "These encrypted emails cannot be forwarded or copied, and any documents in them will remain encrypted if access by another user without an Office 365 subscription".... Does this mean they are using an office subscription as the Public key? It seems like a blatant attempt to lock people into using office 365 (what if I don't have 365, Enigmail is free if using Thunderbird which is also free) 

 

#2 Outlook has also added a feature where it will automatically ask you if you'd like to encrypt an email if it detects sensitive information in the email such as a bank account number or social security number, the post noted... how exactly would that be accomplished?, how does it know that a certain group of numbers is sensitive information?

 

#3 Hypothetically would it be possible for Microsoft to put a backdoor into their end to end encryption so that if they needed to access specific emails they could if they were required to do so via a subpoena? If they did this would it be discover able through an audit, considering Windows source code is not "open source"  ?

 

Thank you in advance to anyone that can answer the above questions :) 

 

 



BC AdBot (Login to Remove)

 


#2 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,598 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:07:43 PM

Posted 01 May 2018 - 06:36 PM

1. Well, most services that do use end-to-end encryption do lock you in to both ends using said service.  It would be no shock if Microsoft did same.  Given the near ubiquity of MS-Outlook in the worlds of government and business that covers a lot of the intended target demographic.

 

2. Just like existing e-mail clients warn you that you haven't attached something if they encounter the word "attach" or "attached."   Most people write out SSNs as 999-99-9999 and if I found a 3-digit sequence, followed by a hyphen, etc., the first thing I'd flag is that it's an SSN.  A mention of account or account number would probably be the flag for any number of account types.  There are false positives for virtually any sort of "predictive guess" such as this and you can generally override it when these occur.

 

3.  Of course they could. Doing so would not be to their advantage as it makes the demand for "easy decryption" a virtual certainty.  Just like Apple you can be virtually certain that when encryption is offered the company does not want to have any access at all to the source material.  It assigns liability and legal obligations that they'd far sooner avoid.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#3 STS-1

STS-1
  • Topic Starter

  • Malware Study Hall Sophomore
  • 218 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 PM

Posted 01 May 2018 - 07:22 PM

Thanks Britechguy. re:#3... so is that not how a "password reset" works? If they can reset the password then they have access (which could potentially be exploited) the only "true" secure encryption (or password/key) is one that if you forget said key your hooped?  would said "liability" be of no concern as if you are served with a subpoena to reveal records you have to by law (which could then not be used against you in a civil suit as you were compelled to reveal the information in question) ?



#4 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,598 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:07:43 PM

Posted 01 May 2018 - 09:11 PM

There is a difference between a password and an encryption key, and it's far too complicated to go into here.  Encryption keys are very short-lived while passwords are definitely not.

 

The short answer is, "No, the two are not in any meaningful way equivalent."

 

One cannot produce that which one does not have, hence the reason that companies offering encrypted transmission do not retain encryption keys beyond the life of a transmission.  You can't (and don't) decrypt that which you cannot decrypt.   In addition, if your business model is based upon secure and absolutely private communications it is absolutely not in your own business interest to even attempt to do so.   We have seen this demonstrated on several occasions over the last few years, most notably the Apple iPhone of the mass shooter in San Bernardino, CA.  Untold barrels of ink and megawatts of pixels and radio/TV waves were gushed over this one.  See:  https://duckduckgo.com/?q=apple+encryption+controversy

 

Apple did not submit and the government poured enough money and expertise at that iPhone to eventually decrypt it.   Yet another reason that, even with encryption, there is absolutely nothing that cannot be decrypted if enough time and effort is put into it.  [Though I'll be the first to say that one has to have really deep pockets and a really, really, really good reason to even make the attempt.]


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#5 STS-1

STS-1
  • Topic Starter

  • Malware Study Hall Sophomore
  • 218 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 PM

Posted 04 May 2018 - 08:01 AM

So would it be fair to say, with the right resources, even an AES 256 bit cipher with a 20 digit keyspace would still be able to be decrypted in a reasonable amount of time (say less that 1 year?)



#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:43 AM

Posted 06 May 2018 - 12:48 PM

#2 Outlook has also added a feature where it will automatically ask you if you'd like to encrypt an email if it detects sensitive information in the email such as a bank account number or social security number, the post noted... how exactly would that be accomplished?, how does it know that a certain group of numbers is sensitive information?

 


 

 

There are identifiers that have a checksum, and can thus be easily recognized. For example the Luhn algorithm is used for CC numbers: https://en.wikipedia.org/wiki/Luhn_algorithm


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:43 AM

Posted 06 May 2018 - 12:54 PM


#3 Hypothetically would it be possible for Microsoft to put a backdoor into their end to end encryption so that if they needed to access specific emails they could if they were required to do so via a subpoena? If they did this would it be discover able through an audit, considering Windows source code is not "open source"  ?


 

 

 

Although Windows is not open source, there are several organizations and even individuals that have access to the source code, for example for debugging reasons.

https://www.microsoft.com/en-us/sharedsource/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:43 AM

Posted 06 May 2018 - 01:10 PM

So would it be fair to say, with the right resources, even an AES 256 bit cipher with a 20 digit keyspace would still be able to be decrypted in a reasonable amount of time (say less that 1 year?)

 

I assume that with "20 digit keyspace", you mean a password of 20 digits. To be able to answer this question, you also have to mention which key derivation function you would use (https://en.wikipedia.org/wiki/Key_derivation_function).


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 STS-1

STS-1
  • Topic Starter

  • Malware Study Hall Sophomore
  • 218 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 PM

Posted 14 May 2018 - 09:14 AM

Thanks for the link Didier, will read up on it further when I have some free time!






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users