Unable to decrypt email after installing Encryption Desktop 10.4.2 MP1 or above

Article ID: 173550

Products

  • Desktop Email Encryption
  • Encryption Management Server
  • Desktop Email Encryption, Powered by PGP Technology
  • Encryption Management Server Powered by PGP Technology

Issue/Introduction

After upgrading to Encryption Desktop version 10.4.2 MP1 or above, you are unable to decrypt emails automatically, although PGP Viewer can still decrypt the same email content successfully. The issue occurs when the email was encrypted with a release of Encryption Desktop below 10.4.2 MP1 but is being decrypted by 10.4.2 MP1 or above.

NOTE: If you are experiencing issues decrypting PGP Zip files or other encrypted files after upgrading to Encryption Desktop 10.4.2 MP1 or above, please see article 173613.

Entries like this appear in the Encryption Desktop log file:

MAPI Proxy: Decryption failed with error: PGPError #-12562

Cause

Encryption Desktop version 10.4.2 MP1 introduced mitigations for the Efail vulnerability (CVE-2017-17688 for OpenPGP, CVE-2017-17689 for S/MIME). Efail can affect both PGP encryption and S/MIME encryption: an attacker who can modify a ciphertext that carries no integrity check can splice it into a crafted message, so that the recipient's mail client decrypts it and leaks the plaintext, typically through an HTML element that fetches a remote resource.

In 10.4.2 MP1 and above, Encryption Desktop only decrypts email messages whose encrypted data is carried in SEIP (Symmetrically Encrypted Integrity Protected Data, RFC 4880 packet tag 18) packets, not in plain SE (Symmetrically Encrypted Data, tag 9) packets. An SEIP packet ends with a Modification Detection Code (MDC), a SHA-1 hash of the plaintext that is encrypted together with it; any change to the ciphertext changes the decrypted MDC, and the message is rejected before the mail client ever renders it. That integrity protection is what mitigates Efail; an SE packet carries no such check.

When encrypting an email with Encryption Desktop 10.4.2 MP1 and above, Encryption Desktop will enforce the use of SEIP packets regardless of the key(s) used to encrypt the email.

For Encryption Desktop versions below 10.4.2 MP1, there are two conditions in which emails could be sent using SE packets instead of the more secure SEIP packets. Both involve keys that would be considered old and/or deprecated, especially since the discovery of the Efail vulnerability:

  1. The email message is encrypted with version 3 key(s). The current standard is version 4 keys.
  2. The email message is encrypted with version 4 key(s) whose preferred symmetric cipher is set to something other than AES and whose Features subpacket does not set the Modification Detection flag.

These conditions do not affect emails encrypted by Encryption Desktop 10.4.2 MP1 or above.
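The following script is an added example, not part of this article and not Symantec's code. It walks the top-level packets of an OpenPGP message without decrypting anything, following the packet-header rules of RFC 4880, and reports whether the encrypted data is carried in an SEIP packet (tag 18) or a legacy SE packet (tag 9). Run against an exported message (binary or ASCII-armored), it tells you in advance whether the upgraded client will decrypt it automatically. The sample messages at the bottom are constructed with filler bodies rather than real ciphertext, and all function names are this example's own.

```python
"""Classify an OpenPGP message by its encrypted-data packet type (RFC 4880 4.2, 5.7, 5.13).
Tag 9 = Symmetrically Encrypted Data (SE, no MDC); tag 18 = SEIP (integrity protected)."""
import base64

PACKET_NAMES = {1: "PKESK", 3: "SKESK", 8: "Compressed", 9: "SE",
                11: "Literal", 18: "SEIP", 19: "MDC"}


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC24 line) and base64-decode."""
    data, in_body = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----END PGP") or (in_body and line.startswith("=")):
            break                        # '=XXXX' is the armor CRC24 line
        if in_body:
            data.append(line)
        elif line == "":
            in_body = True               # blank line separates armor headers from body
    return base64.b64decode("".join(data))


def read_packets(data: bytes):
    """Yield (tag, body_length) for each top-level packet; the bodies are never decrypted."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"not a packet header: 0x{ctb:02x} at offset {pos - 1}")
        if ctb & 0x40:                   # new-format header: tag in the low six bits
            tag, total = ctb & 0x3F, 0
            while True:                  # partial body lengths chain until a final length
                b = data[pos]
                pos += 1
                partial = False
                if b < 192:
                    length = b
                elif b < 224:
                    length = ((b - 192) << 8) + data[pos] + 192
                    pos += 1
                elif b == 255:
                    length = int.from_bytes(data[pos:pos + 4], "big")
                    pos += 4
                else:
                    length, partial = 1 << (b & 0x1F), True
                pos += length
                total += length
                if not partial:
                    break
            yield tag, total
        else:                            # old-format header: tag in bits 5..2, length type in 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:               # indeterminate length: packet runs to end of input
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
            pos += length
            yield tag, length


def classify(message) -> str:
    """'SEIP' decrypts automatically on 10.4.2 MP1+; 'SE' is what the MAPI proxy now refuses."""
    data = dearmor(message) if isinstance(message, str) else message
    tags = [tag for tag, _ in read_packets(data)]
    if 18 in tags:
        return "SEIP"
    if 9 in tags:
        return "SE"
    return "not encrypted"


def encode_packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    """Wrap an opaque body in a packet header; used only to build the constructed samples."""
    n = len(body)
    if not new_format:                   # old format with a two-octet length (length type 1)
        return bytes([0x80 | (tag << 2) | 1]) + n.to_bytes(2, "big") + body
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


# Constructed samples: bodies are filler, not real ciphertext or key material.
PKESK_BODY = b"\x03" + bytes(8) + b"\x01" + bytes(300)         # version, key ID, algo, MPI filler
MSG_SEIP = encode_packet(1, PKESK_BODY) + encode_packet(18, b"\x01" + bytes(40))
MSG_SE_OLD = encode_packet(1, PKESK_BODY, False) + encode_packet(9, bytes(40), False)
MSG_SEIP_PARTIAL = (encode_packet(1, PKESK_BODY)
                    + b"\xd2\xe9" + bytes(512) + b"\x05" + bytes(5))  # 512-byte partial + 5 final
MSG_ARMORED = ("-----BEGIN PGP MESSAGE-----\nVersion: constructed sample\n\n"
               + base64.b64encode(MSG_SEIP).decode() + "\n=AAAA\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for name, msg in [("new-format SEIP", MSG_SEIP), ("old-format SE", MSG_SE_OLD),
                      ("partial-length SEIP", MSG_SEIP_PARTIAL), ("armored", MSG_ARMORED)]:
        print(f"{name:20s} -> {classify(msg)}")
```

The same check can be made with real tooling via `gpg --list-packets` on the exported message: an `:encrypted data packet:` line corresponds to tag 9 and will not decrypt automatically on 10.4.2 MP1 or above. Note that this script inspects the message, not the key it was encrypted to; the key's version and Features subpacket are what determine which packet an older client will produce.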

Environment

  • Symantec Encryption Desktop 10.4.2 MP1 and above.
  • Symantec Encryption Management Server 3.4.2 MP1 and above.

Resolution

Upgrade all clients to 10.4.2 MP1 or above and generate new keys with the upgraded client, so that SEIP packets are used for mail encrypted to those keys regardless of the key settings, including by senders who have not upgraded. Distribute the new keys to third parties who encrypt email to you.

If an ADK (Additional Decryption Key) is being used, please replace it with a key generated with release 10.4.2 MP1 or above.

Decrypting older email messages

The steps above will not allow email messages that were encrypted with SE packets before the upgrade, whether sent or received, to be decrypted automatically. These messages can still be decrypted with PGP Viewer. Note, however, that PGP Viewer does not work correctly with some versions of Outlook.

Encryption Desktop 10.4.2 MP2 and above includes two new policy options:

  1. Turn off Efail protection completely. This option is not recommended.
  2. Allow older messages encrypted with SE packets to be decrypted automatically while still mitigating direct Efail attacks. This option offers users considerably more convenience at the cost of some additional risk.

If your organization understands these risks and wishes to implement one of these policy options, please contact Technical Support for assistance in configuring these policy options.