How to get AES 256 encryption using S/MIME with Outlook 2010

We want to encrypt emails with AES 256 bit encryption.  I've installed certificates for two users on our network from comodo.com.  I can only get 3DES encryption when sending mail and encrypting it.

I have been able to send mail to myself, from a third test account with a self signed certificate, and it arrived as encrypted with AES 256 encryption, so I know it's possible.

The details of the certificate being used reflect the proper certificate for the encryption, etc.  It is not using any locally signed certificates.

Both outlook clients are Outlook 2010 standard, with SP1.

All settings in the outlook profile are pointed to use AES 256.

I've checked the certificate store for both users, and can find no reason why it's only using 3DES.

Thanks for any help you can provide.

August 1st, 2011 9:47pm

Hi,


Does your Outlook 2010 connect to Exchange Server or other servers?

Are the recipients of this email on the same server or not?

Have you sent this email to other recipients as a test? Do they get the same issue?

When you try to send an encrypted email message, please have a look at this document:


Encrypt e-mail messages

http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx

Thanks,

Evan

August 4th, 2011 7:03am

We're using Outlook 2010 SP1, connected to an Exchange 2007 sp3 server.  This is all internal at the moment.

All recipients are on the same server.

Other recipients are resulting in the message being 3DES encrypted, even though AES 256 bit encryption is set as the default for these users.

Kirk.

August 4th, 2011 2:57pm

Bump -

If I force minimum encryption using Group Policy (User Config>Policies>Admin Templates>Microsoft Outlook 2010>Security>Cryptography>minimum encryption settings set to 256), then Outlook complains on attempting to send an encrypted message:

This message will be encrypted using a 192 bit key so that all recipients can decrypt and read it. This may not be the security level you want.  Do you want to send the message?

Send|Cancel Send.

The resulting message is still only 3DES encrypted.

August 12th, 2011 7:06pm

Ok,

so your question is answered and you found the reason why your Outlook doesn't use AES256 encryption?

August 16th, 2011 7:35pm

No, I still don't have an answer as to why I can't get AES 256 encryption with Outlook 2010.
August 22nd, 2011 2:44pm

I'm looking for an answer to this exact issue. The symptoms are the same as described by Peddy1st. Has anyone else encountered this?

Regards,

Ed P

November 29th, 2011 5:17pm

Hi,

Start Outlook 2010, go to the File menu and then choose Options.

Select the Trust Center and enter the security settings.

After that select E-Mail Security; at the top of the window there is a Settings button, where you are able to configure your security settings for the S/MIME settings.

There you are able to configure the encryption algorithm. The default is AES256, but perhaps you have selected 3DES.

December 12th, 2011 5:10pm

Outlook's options are all set to AES 256 in the S/MIME settings.  Regardless of choosing AES, the resulting email is arriving as being encrypted with 3DES.
December 13th, 2011 5:21pm

Hi,

there are several situations in which it is not possible to change the encryption type:

1. The recipient doesn't support AES-256 encrypted emails.

2. There is no AES encryption algorithm if the versions are below:

Client                                       | Server                                              | KDC                                                 | Ticket/Message encryption
---------------------------------------------+-----------------------------------------------------+-----------------------------------------------------+--------------------------
Operating systems earlier than Windows Vista | Windows Server 2008                                 | Operating systems earlier than Windows Server 2008 | No AES
Windows Vista                                | Operating systems earlier than Windows Server 2008 | Operating systems earlier than Windows Server 2008 | No AES
Operating systems earlier than Windows Vista | Operating systems earlier than Windows Server 2008 | Operating systems earlier than Windows Server 2008 | No AES

So, please check the following:

1. Check the version of your client, server and domain controller

2. Check whether the encryption algorithm is AES-256 when you send emails to yourself

3. Check whether the encryption algorithm is AES-256 when you send emails to internal users or external users

4. Check whether the recipient has an AES-256 certificate

December 13th, 2011 6:05pm

The table above appears to be from the Kerberos Enhancements document:

http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx

What does the Kerberos capability to support AES have to do with Outlook encryption?

Regards,

Ed P

December 13th, 2011 8:21pm

Even with OLK2010 SP1 fr on W7 SP1 I still get the same problem of having 3DES encryption and no AES. I use Outlook without Exchange and I am able to send to myself using AES 256.

I tried by GPO:

- disabling FIPS compatibility: no change

- forcing use of Suite B: I get the message "your certificate is not valid"

Does anyone have a solution?

Regards.

September 6th, 2013 11:54pm

Hi all, 

we have the same problem. But when we use Outlook Web App everything works fine. Very strange....

Cheers,

Thorsten

November 6th, 2013 5:16pm

I ran into this as well using Outlook 2013.  Trust Center settings are AES 256, but that will only work when you send/receive to yourself; with another recipient (even though the other recipient is part of the same domain, same Exchange server and settings) it starts using DES3.

I tried getting to the settings using the Office Customization Tool, but I do not have an "admin" folder, so I downloaded one, but still was not successful getting the Office Customization Tool to work. I am guessing my Office 2013 Professional is not "volume licensing" and that is why I can't successfully use the OCT. I was trying to do what Greg Alexandre did above, force the use of Suite B. It appears he was not successful, as he gets the message "Your Certificate is not valid."

I stumbled onto this thread by putting in search parameters to find some other email program to get S/MIME across in AES 256.

Did anybody solve this problem?

February 22nd, 2014 6:41am

So this hasn't worked in Outlook 2010 and now Outlook 2013 and nobody knows why?

February 24th, 2014 10:12pm

I am having the same issue with Outlook 2013.

Is this a "NSA-feature" or what? So much fail....

April 24th, 2014 11:20am

I pounded on this problem and came up empty.  I can't get the BlackBerry to send AES 256, only read it; it will send DES3. After checking, it appears an iPhone is DES3. And we are all here because we can only get DES3 off Outlook unless we send/receive to ourselves.

It appears we are being blocked from AES 256 SHA512.

And no, I am not downloading some package and using S/MIME off the browser in OWA. 

If the setting is there in Outlook 2010/2013, we should be able to use it.

April 24th, 2014 6:03pm

The sender does not know the encryption level of the recipient. By default, Outlook will use the lowest encryption level to allow the recipient to open the email.

To resolve this, the recipient must have the userSMIMECertificate attribute in Active Directory.

The userCertificate attribute is the standard Active Directory property for certificates. The userSMIMECertificate attribute is used specifically by Outlook and Microsoft Outlook Web App (OWA) for S/MIME message submission. The UserSMIMECertificate attribute includes additional data, such as the preferred encryption algorithm. This makes sure the Outlook experience is as good as possible. Either attribute can be used to encrypt the data.

http://blogs.technet.com/b/pki/archive/2008/12/17/outlook-s-mime-certificate-selection.aspx

http://support.microsoft.com/kb/2840546

June 5th, 2014 9:09pm
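The capability negotiation the reply above describes, as an added illustration written for this edit (it is not code from the thread, from Outlook or from Microsoft). It encodes and decodes the SMIMECapabilities structure that a published userSMIMECertificate carries, then picks the strongest algorithm every recipient advertises; a recipient with nothing published drags the choice down to the 3DES fallback. The sender preference order, the sample directory entries and the fallback choice are assumptions for the example; the algorithm OIDs are the registered ones.

```python
# Added example: S/MIME content-encryption choice from recipients' SMIMECapabilities.
# Pure Python, minimal DER handling, no third-party packages.

# Registered algorithm OIDs (real values).
AES256_CBC = "2.16.840.1.101.3.4.1.42"
AES128_CBC = "2.16.840.1.101.3.4.1.2"
DES_EDE3_CBC = "1.2.840.113549.3.7"

# Assumed sender preference (strongest first) and the historical S/MIME fallback
# used when a recipient advertises no capabilities at all.
PREFERENCE = [AES256_CBC, AES128_CBC, DES_EDE3_CBC]
FALLBACK = DES_EDE3_CBC


def _encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted-string OID."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]          # base-128 groups, low group first
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return bytes([0x06, len(body)]) + bytes(body)


def _seq(content):
    """DER SEQUENCE with short-form length (capability lists stay under 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([0x30, len(content)]) + content


def encode_smime_capabilities(oids):
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { capabilityID OID, parameters OPTIONAL }."""
    return _seq(b"".join(_seq(_encode_oid(o)) for o in oids))


def _tlv(buf, pos):
    """Split one short-form DER element at pos into (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported here")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_smime_capabilities(der):
    """Return the advertised capability OIDs in their published (preferred-first) order."""
    tag, outer, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    caps, pos = [], 0
    while pos < len(outer):
        tag, cap, pos = _tlv(outer, pos)
        oid_tag, oid, _ = _tlv(cap, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed SMIMECapability")
        caps.append(_decode_oid(oid))   # optional parameters after the OID are ignored
    return caps


def choose_content_encryption(recipients):
    """recipients: {name: DER SMIMECapabilities, or None when nothing is published}.
    Picks the strongest PREFERENCE entry every recipient advertises; any recipient
    with no published capabilities forces FALLBACK (3DES) for the whole message."""
    common = set(PREFERENCE)
    for der in recipients.values():
        if der is None:
            return FALLBACK
        common &= set(decode_smime_capabilities(der))
    return next((alg for alg in PREFERENCE if alg in common), FALLBACK)


# Constructed sample directory (hypothetical users, not from the thread).
SAMPLE_DIRECTORY = {
    "alice": encode_smime_capabilities([AES256_CBC, AES128_CBC, DES_EDE3_CBC]),
    "bob": encode_smime_capabilities([AES128_CBC, DES_EDE3_CBC]),
    "carol": None,   # published only userCertificate, so no SMIMECapabilities
}


def demo():
    """Algorithm chosen for three recipient lists, keyed by a label."""
    pick = lambda *names: choose_content_encryption({n: SAMPLE_DIRECTORY[n] for n in names})
    return {"alice only": pick("alice"),
            "alice+bob": pick("alice", "bob"),
            "alice+carol": pick("alice", "carol")}


if __name__ == "__main__":
    for label, alg in demo().items():
        print(f"{label:12s} -> {alg}")
```

Run as a script, the list containing carol, who has only userCertificate and no published capabilities, ends up on 3DES even though the sender and alice both prefer AES-256; that is the pattern the thread keeps hitting whenever the mail goes to anyone other than the sender, and why the "Publish to GAL" step for every recipient matters.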

After reading both of those links it appears that if you hit "Publish to GAL" under Outlook/Trust Center Settings/Email Security, the encryption algorithm strength you selected for the cert you are publishing should then be set under the Active Directory userSMIMECertificate attribute.

I tried "Publish to GAL" for both users (one is Outlook 2010 and the other is Outlook 2013)... and we can still only send/receive AES256 SHA512 to ourselves.

I thought I would try using OWA for S/MIME since I haven't before, but am unable to install the S/MIME control in OWA. I am running Windows 8.1 IE 11 and do see a thread about not being able to successfully use OWA S/MIME on 8.1 and IE11 here:

http://answers.microsoft.com/en-us/ie/forum/ie11-iewindows8_1/internet-explorer-11-doesnt-load-smime-plug-in/b3178e17-ee07-4eef-9843-e3ad1a8db5b7

So unfortunately I still haven't been able to get around DES3 in regard to S/MIME. But I do thank you for your helpful links : )

June 6th, 2014 3:26am

I DID

without Cached Exchange Mode

Q. Why is the OST reverting Outlook to 3DES? And how can it be changed?

May 28th, 2015 6:28am

without Cached Exchange Mode + All recipients must Publish to GAL (to have userSMIMEcertificate populated)
May 28th, 2015 7:22am
