FYI: Microsoft Office 365 Message Encryption relies on insecure block cipher
Redmond says OME isn't supposed to be used for security, just for something else
Microsoft Office 365 Message Encryption claims to offer a way "to send and receive encrypted email messages between people inside and outside your organization."
And according to WithSecure, it's not fit for purpose: the encryption method employed, known as Electronic Codebook (ECB), is insecure for data with repeating patterns, such as plaintext or uncompressed images or videos. And Microsoft isn't fixing it.
When using ECB mode, messages are divided into a series of blocks, and plaintext that's the same in different blocks produces identical ciphertext. In the case of an image where pixels of the same color get represented by the same plaintext, the corresponding ciphertext is also the same for like pixels, which makes the image visible through the ciphertext.
The leaky nature of ECB makes it unsuitable for secure communication, and cryptography experts advise against using it for cryptographic protocols. As America's NIST states, "use of ECB to encrypt confidential information constitutes a severe security vulnerability."
Office 365 Message Encryption (OME) relies on a strong cipher, AES, but WithSecure says that's irrelevant because ECB is weak and vulnerable to cryptanalysis regardless of the cipher used. In other words, when AES is paired with ECB mode, the resulting encryption is poor.
The security lab says that OME encrypted messages get sent as email attachments, and thus may reside on email systems or may have been intercepted. An attacker with access to a sufficient number of these messages can potentially infer message contents by analyzing repeating ciphertext patterns.
"Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents," said Harry Sintonen, security researcher at WithSecure, in a statement.
"More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, e-mail server or gaining access to backups."
- Microsoft leaves the Office, rebrands everything as 365
- Microsoft extends deadline for partners to improve their clients' security with unauthorised AD tweaks
- Laugh all you want. There will be a year of the Linux desktop
- Microsoft: Watch out for password spray attacks – especially you, Basic Auth
WithSecure attributes Microsoft's continued use of ECB to the desire to maintain compatibility. The security firm notes that the Microsoft Information Protection (MIP) C++ library has a
ProtectionHandler::PublishingSettings class, which has a
SetIsDeprecatedAlgorithmPreferred method. This method, Microsoft's documentation explains, "Sets whether or not deprecated crypto algorithm (ECB) is preferred for backwards compatibility."
Microsoft evidently does not consider this a problem. Alerted to WithSecure's findings, the software giant reportedly said no action is necessary: "The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report."
Microsoft in April introduced a data governance system called Microsoft Purview. Office 365 Message Encryption (OME) is now considered a legacy system. We're told the Windows goliath is looking into alternative encryption methods for future products.
In an email to The Register, a Microsoft spokesperson said, "The rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary. To help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product."
WithSecure says that organizations using Office 365 Message Encryption may wish to consider the legal ramifications of this vulnerability, particularly with regard to EU and California privacy rules.
"Since Microsoft has no plans to fix this vulnerability the only mitigation is to avoid using Microsoft Office 365 Message Encryption," the lab concludes. ®