Exchange Server gurus & encrypting emails

shochanshochan Senior MemberArkansasPosts: 736Registered Members ■■■■□□□□□□
So, I found a vulnerability in our exchange servers this week (I'm not part of Exch team, so not for certain which svr version they are using) - because our S/MIME encrypting method is using 3DES - which was compromised by the Sweet32 attack.

https://sweet32.info/
CVE-2016-2183 : The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a bi
https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA

I wondered why whoever setup this exchange didn't go with AES encryption (possibly being Exch 2003) idk, that's why I wanted to inquire with the TE folks/gurus out there. What encryption methods are you using? if any...or possibly 3rd party software?

Cheers and Hi5!
2018 goals -> PenTest+ Beta (failed), Linux+ Beta (pending results), CEH (mid Dec)
2019 goals -> Linux+ 103/104 (Jan/Mar/Depends on Beta results), KLCP (June), RHCSA (Dec)

Comments

  • gespensterngespenstern Posts: 1,243Registered Members ■■■■■■■□□□
    From what I remember from sweet description it's very hard to exploit. Not only it requires MITM, it's unlikely that a typical email size would be enough. They typically talk about hundreds of gigabytes of a single session for which this single encryption key was used which is by far much higher than a typical email size. I'd let it slide no issues if my memory serves me well and there's a reason for using 3DES in this case.
Sign In or Register to comment.