No AES in Outlook 2010 when using custom smart card CSP

Hi,

I have developed a custom smart card Cryptographic Service Provider (CSP) and would like to use it when signing and encrypting emails through Outlook. I have set up a small test network, with an Active Directory and a certificate authority, and was able to successfully enroll for a certificate using my CSP. When I try to use the certificate in Outlook by going to the Trust Center, I only see 3DES but no AES, even though my CSP supports AES. I am also only given the option to use SHA-1 for signatures, even though my CSP supports SHA-256, SHA-384 and SHA-512. Any ideas what might be causing the problem?

Note that I am able to successfully send and receive encrypted emails using 3DES with the certificate that I acquired using my custom CSP. Digital signatures calculated using SHA-1 and my CSP are also verified by Outlook as correct.

Here is some additional information on the setup. I am using Windows Server 2008 R2 on the server side and Windows 7 x64 Ultimate with Outlook 2010 on the client side. The Active Directory and certificate authority have been set up on the server.

I have installed my custom CSP only on the client side and registered it as an RSA_FULL type provider in the registry. I have also tried registering it as an RSA_AES (RSA Full and AES) provider but still no AES. My custom CSP has been digitally signed using a valid Microsoft Authenticode certificate.

I have written a small information extraction program in C using CryptoAPI, comparing the different CSPs already installed on the client PC. The program shows the provider attributes that I think might contribute to the CSP's capabilities as seen by Outlook (using the 'CryptGetProvParam' function). Here is the output for two providers that I think should support AES:
---------------------------------------------------------------------
Microsoft Enhanced RSA and AES Cryptographic Provider
Provider Type: 0x18 (RSA Full and AES)
Provider Implementation Type: 0x2 (Software)
Provider Version: 0x200
Supported Algorithms: "ALG_ID | Short Name | Long Name | Min Len | Max Len"
0x6602: RC2, RSA Data Security's RC2, 40, 128
0x6801: RC4, RSA Data Security's RC4, 40, 128
0x6601: DES, Data Encryption Standard (DES), 56, 56
0x6609: 3DES TWO KEY, Two Key Triple DES, 112, 112
0x6603: 3DES, Three Key Triple DES, 168, 168
0x8004: SHA-1, Secure Hash Algorithm (SHA-1), 160, 160
0x800C: SHA-256, Secure Hash Algorithm 256 (SHA-256), 256, 256
0x800D: SHA-384, Secure Hash Algorithm 384 (SHA-384), 384, 384
0x800E: SHA-512, Secure Hash Algorithm 512 (SHA-512), 512, 512
0x8001: MD2, Message Digest 2 (MD2), 128, 128
0x8002: MD4, Message Digest 4 (MD4), 128, 128
0x8003: MD5, Message Digest 5 (MD5), 128, 128
0x8008: SSL3 SHAMD5, SSL3 SHAMD5, 288, 288
0x8005: MAC, Message Authentication Code, 0, 0
0x2400: RSA_SIGN, RSA Signature, 384, 16384
0xA400: RSA_KEYX, RSA Key Exchange, 384, 16384
0x8009: HMAC, Hugo's MAC (HMAC), 0, 0
0x660E: AES 128, Advanced Encryption Standard 128-bit, 128, 128
0x660F: AES 192, Advanced Encryption Standard 192-bit, 192, 192
0x6610: AES 256, Advanced Encryption Standard 256-bit, 256, 256

--------------------------------------------------------------------
My CSP
Provider Type: 0x1 (RSA Full)
Provider Implementation Type: 0xB (Hardware, Software and Removable)
Provider Version: 0x200
Supported Algorithms: "ALG_ID | Short Name | Long Name | Min Len | Max Len"
0x6603: 3DES, Three Key Triple DES, 168, 168
0xA400: RSA_KEYX, RSA Key Exchange, 1024, 4096
0x2400: RSA_SIGN, RSA Signature, 1024, 4096
0x8004: SHA-1, Secure Hash Algorithm (SHA-1), 160, 160
0x800C: SHA-256, Secure Hash Algorithm 256 (SHA-256), 256, 256
0x800D: SHA-384, Secure Hash Algorithm 384 (SHA-384), 384, 384
0x800E: SHA-512, Secure Hash Algorithm 512 (SHA-512), 512, 512
0x660E: AES 128, Advanced Encryption Standard 128-bit, 128, 128
0x660F: AES 192, Advanced Encryption Standard 192-bit, 192, 192
0x6610: AES 256, Advanced Encryption Standard 256-bit, 256, 256

I am baffled by why Outlook only allows me to use an outdated algorithm, 3DES, and not the more secure algorithms such as AES and SHA-2, even though I am advertising that my CSP is AES capable. There must be some attribute or setting that I am missing somewhere.

Also note that when I use a certificate that has been acquired using a Microsoft provider, like the Microsoft Enhanced Cryptographic Provider, Outlook gives me the AES option for encrypting emails. I have also tried a certificate issued by Comodo, using the Microsoft Enhanced Provider during the certificate enrollment process, and Outlook gives me the option of using AES for that certificate as well. So I am assuming it must be possible with my current setup.


Any help will be much appreciated!

June 3rd, 2015 7:30am

One possible cause is that you are not using the registry keys to tell Outlook that the additional algorithms are present.

We need to create some registry keys to notify Outlook that it needs to look for new encryption and signing algorithms.

Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\14.0\Outlook\Security\AdditionalSmimeCapsAlgs
Key Name: <AlgName> where AlgName is the name displayed to the user

Under each key name you will have the following values:

Value Name: OID
Value Type: REG_SZ
Required: Yes
Description: The OID of the algorithm

Value Name: Bits
Value Type: REG_DWORD
Required: Yes
Description: Number of bits used with the algorithm

Value Name: Flags
Value Type: REG_DWORD
Required: Yes
Description: Any flags that go with this algorithm

Should at least give the type (signing/encryption).
Supported flags are:
EAF_SIGNING = 0x01 - This is a signing algorithm
EAF_ENCRYPTION = 0x02 - This is an encryption algorithm
EAF_FIPS_COMPLIANT = 0x10 - Can use with FIPS140
EAF_SMIME_DEFAULT = 0x20 - Should be included in SMIME Default smime caps
EAF_FORTEZZA_DEFAULT = 0x40 - Should be included in FORTEZZA Default smime caps
EAF_DH_COMPATIBLE = 0x100 - Can be used with Diffie-Hellman
EAF_DSS_COMPATIBLE = 0x1000 - Can be used with DSS

Value Name: AlgId
Value Type: REG_DWORD
Required: Yes
Description: Algorithm Id of the Algorithm

Value Name: Parameters
Value Type: REG_BINARY
Value Data: Algorithm parameters (if any)
Required: No
Description: Algorithm parameters

Value Name: CSPAlgName
Value Type: REG_SZ
Required: No
Description: Name used by CSPs for this algorithm. If not present, the key name is used.
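As an added example (not from this thread or from Microsoft), here is a PowerShell script that creates the AdditionalSmimeCapsAlgs entries described above for the AES and SHA-256 algorithms the original poster's CSP advertises. It assumes Outlook 2010 (Office 14.0), an elevated prompt, and the standard AES-CBC and SHA-256 S/MIME OIDs; the signing flag combination is an assumption.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell.
$OfficeVersion = '14.0'   # assumption: Outlook 2010; use '15.0' for Outlook 2013
$Base = "HKLM:\SOFTWARE\Microsoft\Office\$OfficeVersion\Outlook\Security\AdditionalSmimeCapsAlgs"

# Flag constants as listed in the answer above
$EAF_SIGNING          = 0x01
$EAF_ENCRYPTION       = 0x02
$EAF_FIPS_COMPLIANT   = 0x10
$EAF_SMIME_DEFAULT    = 0x20
$EAF_FORTEZZA_DEFAULT = 0x40
$EAF_DH_COMPATIBLE    = 0x100

# Encryption set = 0x172, the same combination used for AES 256 later in this thread
$EncFlags  = $EAF_ENCRYPTION -bor $EAF_FIPS_COMPLIANT -bor $EAF_SMIME_DEFAULT -bor $EAF_FORTEZZA_DEFAULT -bor $EAF_DH_COMPATIBLE
# Signing set is an assumption: signing, FIPS, default S/MIME cap, DH-compatible
$SignFlags = $EAF_SIGNING -bor $EAF_FIPS_COMPLIANT -bor $EAF_SMIME_DEFAULT -bor $EAF_DH_COMPATIBLE

# Key name = name shown to the user; AlgId = ALG_ID as enumerated from the CSP;
# CSPAlgName = the short name the CSP reports for that ALG_ID (see the OP's output)
$Algs = @(
    @{ Name = 'AES 256'; OID = '2.16.840.1.101.3.4.1.42'; Bits = 256; AlgId = 0x6610; Flags = $EncFlags  }
    @{ Name = 'AES 192'; OID = '2.16.840.1.101.3.4.1.22'; Bits = 192; AlgId = 0x660F; Flags = $EncFlags  }
    @{ Name = 'AES 128'; OID = '2.16.840.1.101.3.4.1.2';  Bits = 128; AlgId = 0x660E; Flags = $EncFlags  }
    @{ Name = 'SHA-256'; OID = '2.16.840.1.101.3.4.2.1';  Bits = 256; AlgId = 0x800C; Flags = $SignFlags }
)

foreach ($a in $Algs) {
    $Key = Join-Path $Base $a.Name
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'OID'        -PropertyType String -Value $a.OID   -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'Bits'       -PropertyType DWord  -Value $a.Bits  -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'Flags'      -PropertyType DWord  -Value $a.Flags -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'AlgId'      -PropertyType DWord  -Value $a.AlgId -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'CSPAlgName' -PropertyType String -Value $a.Name  -Force | Out-Null
    '{0,-8} Flags=0x{1:X3} AlgId=0x{2:X4}' -f $a.Name, $a.Flags, $a.AlgId
}
```

Restart Outlook after running it, then re-check the Trust Center; if the entries are read but the algorithm still does not appear, the certificate's own S/MIME capabilities extension is the next thing to inspect, as the later reply notes.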

June 4th, 2015 3:23am

Having the same problem with a smart card CSP and Outlook 2013. 2010 works fine (check that you have AES in the S/MIME capabilities extension in your certificate).

I've added these settings to registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\Outlook\Security\AdditionalSmimeCapsAlgs\AES 256]
"Bits"=dword:00000100
"OID"="2.16.840.1.101.3.4.1.42"
"Flags"=dword:00000172
"CSPAlgName"="AES 256"
"AlgID"=dword:00006610

but it doesn't help. Regmon shows that Outlook reads these records, but AES256 does not appear in the Encryption Algorithm combo box.

June 10th, 2015 8:08am

Hi All,

We have the same problem with our custom CSP using a smart card for Outlook 2010 (64-bit).

We tried those suggestions, but the AES algorithm still does not appear in Outlook 2010 for encrypting email.

When we use the same .PFX file of our certificate from the local machine (imported into the machine manually) without the smart card, the AES options do appear in the Outlook 2010 S/MIME security options in the trust settings.

Also, querying the CSP's capabilities as Outlook would (using the 'CryptGetProvParam' function) returns the following for our custom CSP:

Supported Algorithms: "ALG_ID | Short Name | Long Name | Min Len | Max Len"
0x6603: 3DES, Three Key Triple DES, 168, 168
0xA400: RSA_KEYX, RSA Key Exchange, 1024, 4096
0x2400: RSA_SIGN, RSA Signature, 1024, 4096
0x8004: SHA-1, Secure Hash Algorithm (SHA-1), 160, 160
0x800C: SHA-256, Secure Hash Algorithm 256 (SHA-256), 256, 256
0x800D: SHA-384, Secure Hash Algorithm 384 (SHA-384), 384, 384
0x800E: SHA-512, Secure Hash Algorithm 512 (SHA-512), 512, 512
0x660E: AES 128, Advanced Encryption Standard 128-bit, 128, 128
0x660F: AES 192, Advanced Encryption Standard 192-bit, 192, 192
0x6610: AES 256, Advanced Encryption Standard 256-bit, 256, 256

Is there anything we need to add in our settings or any other suggestion?

Regards,

Riktam

June 25th, 2015 5:27am
