[148299] in cryptography@c2.net mail archive
Re: [Cryptography] Microsoft announces new email encryption
daemon@ATHENA.MIT.EDU (Dave Howe)
Wed Nov 27 14:21:45 2013
X-Original-To: cryptography@metzdowd.com
Date: Wed, 27 Nov 2013 09:35:35 +0000
From: Dave Howe <davehowe.pentesting@gmail.com>
To: cryptography@metzdowd.com
In-Reply-To: <201311270403.rAR43JoW028360@new.toad.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 27/11/2013 04:03, John Gilmore wrote:
> "Messages are 2048-bit encrypted using SHA-256 with the private key
> of the Office 365 tenant domain. Recipients have no knowledge of
> this key, so when they receive the message, they'll see that it
> contains an encrypted attachment together with some instructions as
> to how to view the content. ...
This sounds very similar indeed to how cisco/ironport's CRES solution
works. The mail body is encrypted and sent hidden in a series of "image"
files stored as mime multipart/related, along with some javascript that
interacts with a web service to provide login, key download and
localized decryption etc etc.
All the key material is held on a server controlled by cisco, in US
jurisdiction, and the *only* security review cisco were willing to share
with a UK dot-gov security auditor was on the *physical* security of the
non-cisco-owned hosting site. (!)
Needless to say, they weren't too impressed and recommended the
dot-gov went with a similar, but on-premise system from PGP instead.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography