+ Reply to Thread
Results 1 to 2 of 2
  1. Senior Member shochan's Avatar
    Join Date
    Sep 2016
    Location
    AR
    Posts
    426

    Certifications
    A+, Network+, i-Net+, Server+, Security+, MCP 70-210, Novell CNA 5.0
    #1

    Default Exchange Server gurus & encrypting emails

    So, I found a vulnerability in our exchange servers this week (I'm not part of Exch team, so not for certain which svr version they are using) - because our S/MIME encrypting method is using 3DES - which was compromised by the Sweet32 attack.

    https://sweet32.info/
    CVE-2016-2183 : The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a bi
    https://csrc.nist.gov/News/2017/Upda...cation-of-TDEA

    I wondered why whoever setup this exchange didn't go with AES encryption (possibly being Exch 2003) idk, that's why I wanted to inquire with the TE folks/gurus out there. What encryption methods are you using? if any...or possibly 3rd party software?

    Cheers and Hi5!
    2017 -> Chillaxing & (reading C|EH - Matt Walker)
    2018 -> CCNA CyberOps (July Cohort)
    Reply With Quote Quote  

  2. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    975

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #2
    From what I remember from sweet description it's very hard to exploit. Not only it requires MITM, it's unlikely that a typical email size would be enough. They typically talk about hundreds of gigabytes of a single session for which this single encryption key was used which is by far much higher than a typical email size. I'd let it slide no issues if my memory serves me well and there's a reason for using 3DES in this case.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks