Exchange Server gurus & encrypting emails

shochan Member Posts: 1,013
So, I found a vulnerability in our Exchange servers this week (I'm not part of the Exch team, so I'm not certain which server version they are using) - because our S/MIME encryption method is using 3DES, which was compromised by the Sweet32 attack.

https://sweet32.info/
CVE-2016-2183 : The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a bi
https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA

I wondered why whoever set up this Exchange didn't go with AES encryption (possibly being Exch 2003), idk; that's why I wanted to inquire with the TE folks/gurus out there. What encryption methods are you using, if any...or possibly 3rd-party software?

Cheers and Hi5!
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP

Comments

  • gespenstern Member Posts: 1,243
    From what I remember from the Sweet32 description, it's very hard to exploit. Not only does it require MITM, it's also unlikely that a typical email size would be enough. They typically talk about hundreds of gigabytes in a single session for which a single encryption key was used, which is far higher than a typical email size. I'd let it slide, no issues, if my memory serves me well and there's a reason for using 3DES in this case.
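
One way to confirm which content-encryption cipher an S/MIME message actually uses, added here as an example and not part of either post: scan the message's CMS payload for the DER-encoded algorithm OIDs. The sample messages are constructed fragments rather than real EnvelopedData, `sample_message` is a hypothetical helper, and the byte scan is a heuristic that could in principle match inside ciphertext.

```python
import base64
from email import message_from_string

# DER-encoded OIDs (tag 0x06, length, value) of S/MIME content-encryption
# algorithms, mapped to (name, block size in bits).
CIPHER_OIDS = {
    bytes.fromhex("06082a864886f70d0307"): ("des-ede3-cbc", 64),   # 3DES
    bytes.fromhex("06082a864886f70d0302"): ("rc2-cbc", 64),
    bytes.fromhex("0609608648016503040102"): ("aes128-cbc", 128),
    bytes.fromhex("0609608648016503040116"): ("aes192-cbc", 128),
    bytes.fromhex("060960864801650304012a"): ("aes256-cbc", 128),
}
PKCS7_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def smime_ciphers(raw_message):
    """Return [(cipher name, block bits)] found in the message's CMS parts."""
    found = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() not in PKCS7_TYPES:
            continue
        der = part.get_payload(decode=True) or b""  # undoes the base64 CTE
        for oid, info in CIPHER_OIDS.items():
            if oid in der and info not in found:
                found.append(info)
    return found


def uses_64bit_block(raw_message):
    """True when any detected cipher has the 64-bit block Sweet32 relies on."""
    return any(bits == 64 for _, bits in smime_ciphers(raw_message))


def sample_message(oid_der, iv_len):
    """Constructed test input: AlgorithmIdentifier SEQUENCE { OID, IV } only."""
    iv = bytes([0x04, iv_len]) + bytes(iv_len)
    alg = bytes([0x30, len(oid_der) + len(iv)]) + oid_der + iv
    return ("From: a@example.test\nTo: b@example.test\nMIME-Version: 1.0\n"
            "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
            "Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(alg).decode())


if __name__ == "__main__":
    for oid in (bytes.fromhex("06082a864886f70d0307"),
                bytes.fromhex("060960864801650304012a")):
        msg = sample_message(oid, 8 if len(oid) == 10 else 16)
        print(smime_ciphers(msg), "64-bit block:", uses_64bit_block(msg))
```

Running this over a message saved from the Sent Items folder shows what the client negotiated for that recipient, which can differ from the server-side default.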