The protocol used by Microsoft for email encryption has a weakness that can leak information meant to stay secret, warns cybersecurity company WithSecure.
Electronic Code Book (ECB) mode encrypts every identical block of plaintext to the identical block of ciphertext, meaning that in the supposedly impenetrable gibberish encryption uses to protect information from prying eyes, patterns from the original message may emerge.
“You can have the correct cipher, a really secure way of creating the key and so forth, but if you’re using ECB, you have this problem,” WithSecure senior consultant Harry Sintonen tells Information Security Media Group. Microsoft includes email encryption as part of its Azure Rights Management offering.
Electronic Code Book’s shortcomings aren’t a secret. The National Institute of Standards and Technology, the U.S. agency that develops encryption standards for civilian use, characterizes ECB as “a severe security vulnerability.” The agency earlier this year proposed limiting its use by the federal government.
Sintonen says he’s drawing attention to Microsoft’s use of the algorithm because Microsoft-encrypted email could betray its senders under conditions in which an adversary can gather large volumes of messages.
Because ECB turns identical blocks of plaintext within a single message into identical blocks of ciphertext, an authority able to capture and analyze email flows could infer parts of the encrypted text from those repeating patterns.
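The leak described above, as an added example that is not from WithSecure's report or Microsoft's code: a small Go program (standard library only) encrypts a constructed message containing repeated blocks under AES in ECB mode and in CBC mode, then counts duplicate 16-byte ciphertext blocks. The key, IV and message are constructed for the demonstration; repeatedBlocks is the kind of cheap check a defender can run over captured ciphertext to spot ECB.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed sample: five aligned 16-byte plaintext blocks, three identical.
var samplePlain = []byte("BUDGET: SECRET!!" + "BUDGET: SECRET!!" +
	"---- END NOTE --" + "BUDGET: SECRET!!" + "---- END NOTE --")
var sampleKey = []byte("0123456789abcdef") // constructed 128-bit demo key
var sampleIV = []byte("fedcba9876543210")  // constructed demo IV for CBC

// newAES wraps aes.NewCipher; a bad key length is a programming error here.
func newAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// encryptECB runs the raw block cipher on every block independently: same key
// and plaintext block, same ciphertext block. That is all ECB mode is.
func encryptECB(key, plain []byte) []byte {
	block, bs := newAES(key), aes.BlockSize
	out := make([]byte, len(plain))
	for i := 0; i < len(plain); i += bs {
		block.Encrypt(out[i:i+bs], plain[i:i+bs])
	}
	return out
}

// encryptCBC chains each block through the previous ciphertext block and an
// IV, so identical plaintext blocks no longer yield identical ciphertext.
func encryptCBC(key, iv, plain []byte) []byte {
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(newAES(key), iv).CryptBlocks(out, plain)
	return out
}

// repeatedBlocks returns how many 16-byte ciphertext blocks duplicate an
// earlier one: a nonzero count is the pattern leak, and a cheap ECB check.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])] = true
	}
	return len(ct)/16 - len(seen)
}
```

With the sample above, ECB yields three repeated ciphertext blocks (exactly mirroring the plaintext's repeats) while CBC yields none; both functions expect block-aligned input, so real messages must be padded first.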