Microsoft Office 365 uses insecure block ciphers

  • 📰 TheRegister

FYI: Microsoft Office 365 Message Encryption relies on insecure block cipher

Microsoft Office 365 Message Encryption claims to offer a way "to send and receive encrypted email messages between people inside and outside your organization." According to F-Secure's WithSecure lab, it's not fit for purpose: the encryption method employed, known as Electronic Codebook (ECB), is insecure for data with repeating patterns, such as plaintext or uncompressed images or videos. And Microsoft isn't fixing it.

The leaky nature of ECB makes it unsuitable for secure communication, and cryptography experts advise against using it for cryptographic protocols. As America's NIST puts it, "use of ECB to encrypt confidential information constitutes a severe security vulnerability." Office 365 Message Encryption relies on a strong cipher, AES, but WithSecure says that's irrelevant because ECB is weak and vulnerable to cryptanalysis regardless of the cipher used. In other words, when AES is paired with ECB mode, the resulting encryption is poor.

The security lab says that OME encrypted messages get sent as email attachments, and thus may reside on email systems or may have been intercepted. An attacker with access to a sufficient number of these messages can potentially infer message contents by analyzing repeating ciphertext patterns. "Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents," said Harry Sintonen, security researcher at WithSecure. "More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, e-mail server or gaining access to backups."
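The leak described above can be measured by counting repeated ciphertext blocks. This is an added example, not code from the article or from WithSecure. The block cipher is a small Feistel stand-in for AES (the leak comes from the mode, not the cipher), and the key and messages are constructed.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 16  # bytes per block, the same block size as AES

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel). Assumption: NOT AES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext
    # blocks always produce equal ciphertext blocks.
    p = pad(plaintext)
    return b"".join(encrypt_block(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # CBC with a fresh random IV: each block is XORed with the previous
    # ciphertext block before encryption, which hides repetition.
    p, prev = pad(plaintext), os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(p), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(p[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(*ciphertexts: bytes) -> int:
    """Count ciphertext blocks that occur more than once across all inputs."""
    counts = Counter(c[i:i + BLOCK] for c in ciphertexts for i in range(0, len(c), BLOCK))
    return sum(n for n in counts.values() if n > 1)

# Constructed sample data: two messages sharing a repetitive 128-byte header.
KEY = b"constructed-demo-key"
HEADER = b"CONFIDENTIAL -- INTERNAL ONLY --" * 4
MSG_A = HEADER + b"Q3 forecast attached."
MSG_B = HEADER + b"Offer letter for new hire."

if __name__ == "__main__":
    for name, enc in (("ECB", ecb_encrypt), ("CBC", cbc_encrypt)):
        print(name, "repeated blocks across both messages:",
              repeated_blocks(enc(KEY, MSG_A), enc(KEY, MSG_B)))
```

The same count run over stored ciphertext is a quick audit check: well-encrypted data should show essentially no repeated 16-byte blocks.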

 


ErrataRob _nobody_ uses AES-ECB, except OME. 'The rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary.' ? ? ?
