Encryption Management Server and Encryption Desktop warn about weak S/MIME encryption and weak MD5 signing

Article ID: 169648

Products

  • Desktop Email Encryption
  • Encryption Management Server
  • Gateway Email Encryption

Issue/Introduction

Both Encryption Management Server and Encryption Desktop add the following warnings to certain decrypted S/MIME email messages:
* PGP Warning: The sender encrypted this message using weak S/MIME encryption
* PGP Warning: The sender signed this message using the weak MD5 algorithm

Cause

If an S/MIME message uses the 40-bit or 128-bit RC2 cipher for encryption, it is considered weak by Encryption Management Server and Encryption Desktop and the following warning is added to the decrypted message:
* PGP Warning: The sender encrypted this message using weak S/MIME encryption

The security of the MD5 algorithm is severely compromised; therefore, if this algorithm is used for signing, the following warning is added to the decrypted message:
* PGP Warning: The sender signed this message using the weak MD5 algorithm

These warnings are generated only when the sender uses MD5 and/or 40-bit or 128-bit RC2.

Note that these warnings were added to the product prior to 2010.
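Both warnings are driven by the algorithm identifiers carried inside the CMS structure of the S/MIME message. The following Python is an added example, not Symantec/Broadcom product code: it walks a DER-encoded S/MIME body, reports RC2 together with its effective key size (taken from the rc2ParameterVersion field) and MD5, and maps the findings onto the two warning texts above. It flags every RC2 key size, not only the 40-bit and 128-bit cases the article names. The minimal DER helpers and the sample message bytes are constructed for this demonstration.

```python
# Added example, not product code: a minimal DER walker that reports the weak CMS
# AlgorithmIdentifiers behind the two warnings. The sample bytes below are constructed.
WEAK_OIDS = {                                         # raw OID content octets -> name
    bytes.fromhex("2a864886f70d0302"): "RC2-CBC",     # 1.2.840.113549.3.2, contentEncryptionAlgorithm
    bytes.fromhex("2a864886f70d0205"): "MD5",         # 1.2.840.113549.2.5, digestAlgorithm
}
RC2_VERSION_TO_BITS = {160: 40, 120: 64, 58: 128}     # RFC 3370 5.2; values >= 256 are the bits

def der_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, is_constructed, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def rc2_effective_bits(params):
    """RC2CBCParameter ::= SEQUENCE { rc2ParameterVersion INTEGER, iv OCTET STRING } (RFC 3370)."""
    tag, _, content, _ = der_tlv(der_tlv(params, 0)[2], 0)
    if tag != 0x02:                                   # version absent: parameters begin with the IV
        return None
    version = int.from_bytes(content, "big")
    return RC2_VERSION_TO_BITS.get(version, version if version >= 256 else None)

def find_weak_algorithms(der):
    """Every SEQUENCE whose first element is an OID is treated as an AlgorithmIdentifier."""
    findings, pos = [], 0
    while pos < len(der):
        tag, constructed, content, pos = der_tlv(der, pos)
        if tag == 0x30 and content and content[0] == 0x06:
            _, _, oid, after = der_tlv(content, 0)
            name = WEAK_OIDS.get(oid)
            if name == "RC2-CBC":                     # report the effective key size too
                name = f"RC2-CBC ({rc2_effective_bits(content[after:])}-bit)"
            findings += [name] if name else []
        if constructed:                               # recurse into SEQUENCE/SET/[0] wrappers
            findings.extend(find_weak_algorithms(content))
    return findings

def pgp_warnings(der):
    """Map the findings onto the two warning texts quoted in the article."""
    found = find_weak_algorithms(der)
    texts = {"RC2": "PGP Warning: The sender encrypted this message using weak S/MIME encryption",
             "MD5": "PGP Warning: The sender signed this message using the weak MD5 algorithm"}
    return [text for key, text in texts.items() if any(f.startswith(key) for f in found)]

def tlv(tag, content):                                # tiny DER encoder for the sample (short lengths)
    return bytes([tag, len(content)]) + content

MD5_ALGID = tlv(0x30, b"\x06\x08" + bytes.fromhex("2a864886f70d0205") + b"\x05\x00")   # { md5, NULL }
RC2_ALGID = tlv(0x30, b"\x06\x08" + bytes.fromhex("2a864886f70d0302")
                + tlv(0x30, tlv(0x02, b"\x00\xa0") + tlv(0x04, bytes(8))))   # { rc2-cbc, {version 160, iv} }
SAMPLE_CMS = tlv(0x30, tlv(0x31, MD5_ALGID) + RC2_ALGID)  # constructed: digestAlgorithms SET + content algid
```

`find_weak_algorithms(SAMPLE_CMS)` returns `['MD5', 'RC2-CBC (40-bit)']`, and `pgp_warnings(SAMPLE_CMS)` returns both warning strings; a 3DES (1.2.840.113549.3.7) identifier produces no finding.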

Environment

  • Encryption Management Server 3.3 and above.
  • Encryption Desktop 10.3 and above.

Resolution

Notify the sender that they should use a stronger cipher for encryption and stop using MD5 for signing. The email application that the sender uses will determine whether they are able to do this.

For example, by default, Microsoft Outlook 2013 uses the following settings. Note that neither MD5 nor RC2 (40-bit) is supported, but RC2 (128-bit) still is:

  • Hash algorithm: SHA1. The following are also supported: SHA256, SHA384, SHA512.
  • Encryption algorithm: AES (256-bit). The following are also supported: AES (192-bit), 3DES, AES (128-bit), RC2 (128-bit), RC2 (64-bit).

Note that by default, for outbound S/MIME messages, Encryption Management Server uses SHA1 and 3DES (168-bit).