Hi,
I have developed a custom smart card Cryptographic Service Provider (CSP) and would like to use that when signing and encrypting emails through Outlook. I have set up a small test network, with an active directory and certificate authority, and was able to successfully enroll for a certificate using my CSP. When I try to use the certificate in Outlook by going to trust center, I only see 3DES but no AES even though my CSP supports AES. I am also only given the option to use SHA-1 for signatures even though my CSP supports SHA-256, SHA-384 and SHA-512. Any ideas what might be causing the problem?

Note that I am able to successfully send and receive encrypted emails using 3DES with the certificate that I acquired using my custom CSP. Digital signatures calculated using SHA-1 and my CSP are also verified by Outlook as correct.

Here is some additional information on the setup. I am using Windows Server 2008 R2 on the server side and Windows 7 x64 Ultimate with Outlook 2010 on the client side. The active directory and certificate authority have been set up on the server.

I have installed my custom CSP only on the client side and registered it as an RSA_FULL type provider in the registry. I have also tried registering it as an RSA_AES (RSA Full and AES) provider but still no AES. My custom CSP has been digitally signed using a valid Microsoft Authenticode certificate.

I have written a small information extraction program in C using CryptoAPI, comparing different CSPs already installed on the client PC. The program shows provider attributes that I think might contribute to the CSP's capabilities as seen by Outlook (using the 'CryptGetProvParam' function). Here is the output for two providers that I think should support AES:

---------------------------------------------------------------------
Microsoft Enhanced RSA and AES Cryptographic Provider
Provider Type: 0x18 (RSA Full and AES)
Provider Implementation Type: 0x2 (Software)
Provider Version: 0x200
Supported Algorithms:
"ALG_ID | Short Name | Long Name | Min Len | Max Len"
0x6602: RC2, RSA Data Security's RC2, 40, 128
0x6801: RC4, RSA Data Security's RC4, 40, 128
0x6601: DES, Data Encryption Standard (DES), 56, 56
0x6609: 3DES TWO KEY, Two Key Triple DES, 112, 112
0x6603: 3DES, Three Key Triple DES, 168, 168
0x8004: SHA-1, Secure Hash Algorithm (SHA-1), 160, 160
0x800C: SHA-256, Secure Hash Algorithm 256 (SHA-256), 256, 256
0x800D: SHA-384, Secure Hash Algorithm 384 (SHA-384), 384, 384
0x800E: SHA-512, Secure Hash Algorithm 512 (SHA-512), 512, 512
0x8001: MD2, Message Digest 2 (MD2), 128, 128
0x8002: MD4, Message Digest 4 (MD4), 128, 128
0x8003: MD5, Message Digest 5 (MD5), 128, 128
0x8008: SSL3 SHAMD5, SSL3 SHAMD5, 288, 288
0x8005: MAC, Message Authentication Code, 0, 0
0x2400: RSA_SIGN, RSA Signature, 384, 16384
0xA400: RSA_KEYX, RSA Key Exchange, 384, 16384
0x8009: HMAC, Hugo's MAC (HMAC), 0, 0
0x660E: AES 128, Advanced Encryption Standard 128-bit, 128, 128
0x660F: AES 192, Advanced Encryption Standard 192-bit, 192, 192
0x6610: AES 256, Advanced Encryption Standard 256-bit, 256, 256
--------------------------------------------------------------------
My CSP
Provider Type: 0x1 (RSA Full)
Provider Implementation Type: 0xB (Hardware, Software and Removable)
Provider Version: 0x200
Supported Algorithms:
"ALG_ID | Short Name | Long Name | Min Len | Max Len"
0x6603: 3DES, Three Key Triple DES, 168, 168
0xA400: RSA_KEYX, RSA Key Exchange, 1024, 4096
0x2400: RSA_SIGN, RSA Signature, 1024, 4096
0x8004: SHA-1, Secure Hash Algorithm (SHA-1), 160, 160
0x800C: SHA-256, Secure Hash Algorithm 256 (SHA-256), 256, 256
0x800D: SHA-384, Secure Hash Algorithm 384 (SHA-384), 384, 384
0x800E: SHA-512, Secure Hash Algorithm 512 (SHA-512), 512, 512
0x660E: AES 128, Advanced Encryption Standard 128-bit, 128, 128
0x660F: AES 192, Advanced Encryption Standard 192-bit, 192, 192
0x6610: AES 256, Advanced Encryption Standard 256-bit, 256, 256
---------------------------------------------------------------------

I am baffled by why Outlook only allows me to use outdated algorithms, 3DES, and not the more secure algorithms such as AES and SHA-2 even though I am advertising that my CSP is AES capable. There must be some attribute or setting that I am missing somewhere.

Also note, when I use a certificate that has been acquired using a Microsoft Provider, like the Microsoft Enhanced Cryptographic Provider, Outlook provides me with the AES option for encrypting emails. I have also tried a certificate issued by Comodo, using the Microsoft Enhanced Provider during the certificate enrollment process, and Outlook provides me with the option of using AES for that certificate as well. So I am assuming it must be possible with my current setup.

Any help will be much appreciated!
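One registration check worth running on a 64-bit client like the one described, added here as an example and not the poster's own code: a 32-bit Outlook reads CSP registrations from the Wow6432Node view of HKLM\SOFTWARE while a 64-bit Outlook reads the native view, so the script below lists the providers registered in both views with their Type, Image Path and signature settings and flags any provider that appears in only one. It assumes an elevated PowerShell prompt on the Windows 7 x64 client and the standard "Defaults\Provider" and "Defaults\Provider Types" key layout; no provider names are hard-coded.

```powershell
# Added example, not code from the original post. Lists every CSP registered in
# the native (x64) and WOW64 (x86) registry views of a 64-bit Windows client and
# flags providers that appear in only one view. Run from an elevated prompt.
$views = [ordered]@{
    x64 = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    x86 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider'
}
$typesKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types'

# Map the numeric provider type (1 = RSA Full, 24 = RSA Full and AES) to the
# TypeName stored under "Provider Types\Type 001", "Type 024", ...
$typeNames = @{}
foreach ($k in Get-ChildItem $typesKey) {
    $num = [int]($k.PSChildName -replace '^Type\s+', '')
    $typeNames[$num] = (Get-ItemProperty $k.PSPath).TypeName
}

$rows = foreach ($view in $views.GetEnumerator()) {
    if (-not (Test-Path $view.Value)) { continue }
    foreach ($k in Get-ChildItem $view.Value) {
        $p = Get-ItemProperty $k.PSPath
        [pscustomobject]@{
            View      = $view.Key
            Provider  = $k.PSChildName
            Type      = $p.Type
            TypeName  = $typeNames[[int]$p.Type]
            ImagePath = $p.'Image Path'
            SigInFile = $p.SigInFile
        }
    }
}

$rows | Sort-Object Provider, View | Format-Table -AutoSize

# A 32-bit Outlook loads CSPs from the x86 view only and a 64-bit Outlook from
# the x64 view only, so a provider listed under a single view is invisible to
# the other bitness (and the DLL at Image Path must match that bitness).
$rows | Group-Object Provider | Where-Object { $_.Count -eq 1 } | ForEach-Object {
    'Registered in the {0} view only: {1}' -f $_.Group[0].View, $_.Name
}
```

Compare the Type column for the custom provider against the Microsoft Enhanced RSA and AES provider (type 24) in the view that matches the installed Outlook's bitness.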