Information Security News mailing list archives

Encryption in Company Networks Foiled


From: InfoSec News <isn () c4i org>
Date: Thu, 28 Feb 2002 01:21:29 -0600 (CST)

http://www.heise.de/english/newsticker/data/anw-26.02.02-007/

Published 26.02.2002 
Christiane Schulzki-Haddouti

Encrypting e-mail in company networks is foiled when it is done in a
Microsoft Exchange/Outlook 9x/200x environment; in a POP3/IMAP4
environment this is not the case. In answer to a question by heise
online, Microsoft confirmed that attached files encrypted with crypto
plug-ins are transmitted in unencrypted form from client to server
even when the plug-in's encryption function has been activated.

The problem lies in the fact that the attached file is transmitted
immediately via the RPC protocol (Remote Procedure Call) to the server
once the user has created a confidential e-mail and attached the file,
regardless of whether the encryption plug-in has been activated or
not. The "Save Drafts" option within the Outlook e-mail program has no
effect on this behaviour either. Outlook does activate the desired
plug-in, encrypting both mail and attached file, once the user has
completed the e-mail and presses the send button; by then, however,
the unencrypted attached file has already been sent. The problem can
be detected with the aid of a network sniffer.

Activating the standard RPC encryption is the only means of
protection available; in some versions, though, this amounts to
40-bit encryption, a level widely considered unsafe. Microsoft
confirmed that if the line to the server is not encrypted at this
point, the data are only RPC-encoded, not encrypted. A Microsoft
employee told heise online that about half the manufacturers of crypto
plug-ins were affected; PGP, for instance, and most of the Sphinx
products were vulnerable.

Experts suspect, however, that virtually all marketed crypto plug-ins
are affected. The problem has been discussed since January at the
Forum of Incident Response and Security Teams (FIRST), without a
result so far. When queried, Microsoft informed heise online that
"after an analysis of the technical details" this operation could not
be labeled a "security breach within the MS Exchange/Outlook 9x/200x
environment." The "automatic MAPI-RPC-based potentially unencrypted
transmission of e-mail data" was "a standard procedure undertaken for
performance reasons within the domain of a protected network" by the
Outlook program.

In an Exchange/Outlook environment, transmitting large amounts of data
might impede the performance of client applications, Microsoft
declared. This is why Outlook, for performance reasons, engaged in
"pro-active background storage" of data already existing in the
message memory in question. These "optimizations" had been introduced
"at the request of a large number of Outlook users" so as to optimize
the use of the program in an Exchange server environment. Microsoft
pointed out that the Outlook object model intended for programming
plug-ins gave plug-in manufacturers the opportunity to suppress the
automatic background transmission, thus preventing data from leaving
the local PC before being encrypted.
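The sequence described above (attachment pushed to the server by the background save before the plug-in encrypts at send time) and the two mitigations the article mentions (RPC-level encryption of the link, or the plug-in suppressing the background transmission) can be reduced to a small model. The following Python is an added illustration, not code from the article, from Microsoft or from any plug-in vendor: the client, the wire log, the toy SHA-256 stream cipher standing in for both the plug-in's encryption and RPC sealing, and the sample attachment are all constructed here, and no real MAPI or RPC API is used. The "sniffer check" at the end is the detection the article alludes to: scanning captured frames for recognisable cleartext from the attachment.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Constructed sample attachment with a recognisable file header and a
# confidential marker, so a sniffer check can spot it on the wire.
ATTACHMENT = b"%PDF-1.4\nCONFIDENTIAL: quarterly figures, not for distribution\n%%EOF\n"
CLEARTEXT_MARKERS = (b"%PDF-", b"CONFIDENTIAL")


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). It only serves to make
    'encrypted' bytes not contain the plaintext; it is neither PGP nor the
    real RPC sealing and must not be used for anything else."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class Wire:
    """Every payload the client hands to the RPC layer, as seen by a sniffer on the LAN."""
    frames: list = field(default_factory=list)


@dataclass
class Draft:
    body: str
    attachments: list = field(default_factory=list)


class MailClient:
    """Model of an Outlook-style MAPI client (assumption: behaviour as the article describes it)."""

    def __init__(self, wire: Wire, background_save: bool = True, rpc_sealed: bool = False):
        self.wire = wire
        self.background_save = background_save
        # Link-level RPC encryption. A 5-byte key stands in for the 40-bit
        # setting the article calls unsafe; the model only shows that the
        # plaintext no longer appears verbatim, not how weak 40 bits is.
        self.rpc_key = os.urandom(5) if rpc_sealed else None
        self.plugin_key = os.urandom(32)  # the crypto plug-in's message key

    def _rpc(self, payload: bytes) -> None:
        self.wire.frames.append(_keystream_xor(payload, self.rpc_key) if self.rpc_key else payload)

    @staticmethod
    def _serialise(draft: Draft) -> bytes:
        return draft.body.encode() + b"\n--attachment--\n" + b"".join(draft.attachments)

    def attach(self, draft: Draft, data: bytes) -> None:
        draft.attachments.append(data)
        if self.background_save:
            # The "pro-active background storage": the message, attachment
            # included, goes to the server store immediately, before any
            # plug-in has had a chance to run.
            self._rpc(self._serialise(draft))

    def send(self, draft: Draft, encrypt: bool = True) -> None:
        payload = self._serialise(draft)
        if encrypt:
            # The plug-in encrypts at send time, as the article says it does.
            payload = b"-----BEGIN TOY ENCRYPTED MESSAGE-----\n" + _keystream_xor(payload, self.plugin_key)
        self._rpc(payload)


def cleartext_hits(wire: Wire, markers=CLEARTEXT_MARKERS) -> list:
    """Sniffer check: indices of frames carrying recognisable cleartext of the attachment."""
    return [i for i, frame in enumerate(wire.frames) if any(m in frame for m in markers)]


def run_scenario(background_save: bool, rpc_sealed: bool, encrypt_at_send: bool = True) -> dict:
    wire = Wire()
    client = MailClient(wire, background_save=background_save, rpc_sealed=rpc_sealed)
    draft = Draft("Please find the figures attached.")
    client.attach(draft, ATTACHMENT)
    client.send(draft, encrypt=encrypt_at_send)
    return {"frames": len(wire.frames), "cleartext_frames": cleartext_hits(wire)}


if __name__ == "__main__":
    print("default client, plug-in on     :", run_scenario(True, False))
    print("plug-in suppresses bg save     :", run_scenario(False, False))
    print("bg save on, RPC link encrypted :", run_scenario(True, True))
    print("no plug-in at all              :", run_scenario(True, False, encrypt_at_send=False))
```

In the default configuration the first frame (the background save) carries the attachment in the clear even though the second frame, the actual send, is encrypted by the plug-in; suppressing the background save removes the cleartext frame entirely, and sealing the RPC link hides it from the sniffer check but only as strongly as the link cipher itself.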

One affected manufacturer had been informed of this by the Microsoft
Service Department and was now discussing ways of redesigning its
product. When approached by heise online, the company in question,
which did not want its name made public, denied this, however. The
company said that rather than demanding an elaborate redesign of the
plug-ins, it was up to Microsoft to modify the transmission routine.
