Re: Recipients info for Enveloped Message
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/10/03
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: Newbie : How to query a SAM (NT4) profile using System.DirectoryServices"
- Previous message: Ray Woodard: "ntvdm.exe, cmd.exe, and security"
- In reply to: Michel Gallant: "Re: Recipients info for Enveloped Message"
- Next in thread: Michel Gallant: "Re: Recipients info for Enveloped Message"
- Reply: Michel Gallant: "Re: Recipients info for Enveloped Message"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 10 Nov 2003 12:40:44 -0600
BTW, it would be really nice if there was a way to force Outlook XP to use
3DES by default too. I've looked around and haven't found a way to do this
in Outlook. I've figure out how to have it prompt you if it is going to
send a message encrypted below a certain strength threshold, but not
actually for it to a certain algorithm.
My current issue that is forcing me to look into PKCS#7 is that Outlook with
Exchange 2000 defaults to 40bit RC2 if algorithm capabilities are not
explicitly known, either through a cached local signature or a signed data
attribute value (userSMIMECertificate) in Active Directory.
Our problem is that our current certificate enrollment process doesn't
create the signed data blob in AD at the time the certs are issued, so by
default we only have public certs to go by and get RC2 encrypted email by
default which is not good enough. Since our environment is homogenous, we
could safely just use 3DES, but we don't have a way to force that, so
instead we are going to back fill the signed data blob, but that requires
access to the user's private key which means that we need user intervention
which makes the process much more complex to manage, especially in a really
large deployment like ours (>70K users).
The wrapper class I'm working on now will be used for a few read-only tools
for AD for validation and troubleshooting purposes, so your sample really
helps out there. Thanks again!
Joe K.
"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
news:%23igENW0pDHA.2188@TK2MSFTNGP11.phx.gbl...
> Hey Joe,
>
> OK, the "AuthAttrib" sample is there now:
> http://pages.istar.ca/~neutron/feature/AuthAttr
> (apologies to VB.net fans, but i do all my .NET coding in C# :-(
>
> Note that only the SMIMECapabilities authenticated attribute is actually
> decoded (the other auth attribs. are merely listed).
> I have also included a list of what SMIMECapabilities each of the
> following mail clients sends with in a signed message:
> OE6, O2000 Netscape Messenger 4.79 (note that all put 3DES as the
first preference :-)
>
> Note also in the reference list that Microsoft has a patch which forces
3DES as
> the default encryption preference for OE6 in the absense of any other
info.
> (without the patch, OE6 reverts to RC2 40 bit ... a security risk imho :-)
> The KB 331488 article initially indicates that you have to contact MS to
get the patch,
> but in fact it is directly available now from link posted.
>
> Cheers,
> - Mitch Gallant
> Security MVP
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message
> news:%23DsnCE0pDHA.2064@TK2MSFTNGP11.phx.gbl...
> > Wow, that would be very helpful, being exactly what I need :)
> >
> > I am kind of tempted to try to and figure it out myself as there is
nothing
> > quite as fun as obscure Crypto API P/Invokes, but it would certainly
save me
> > some time and frustration to get a jump start!
> >
> > Perhaps you would consider posting it as a sample on your website?
> >
> > Joe K.
> >
> > "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> > news:uNybN3ZpDHA.2528@TK2MSFTNGP10.phx.gbl...
> > > I have some sample code which lists all Authenticated Attributes
> > > and decodes the SMIMECapabilities in the format shown below.
> > >
> > > I might be convinced to post the (C#.NET) code if someone
> > > wants to see it :-)
> > > -- Mitch Gallant
> > >
> > > 4 Authenticated Attributes for message signer 0
> > > OID: 1.2.840.113549.1.9.3 Content Type (1)
> > > OID: 1.2.840.113549.1.9.5 Signing Time (1)
> > > OID: 1.2.840.113549.1.9.4 Message Digest (1)
> > > OID: 1.2.840.113549.1.9.15 SMIME Capabilities (1)
> > >
> > > Extracting SMIME Capabilities Attribute ..
> > > 5 SMIME Capabilities
> > >
> > > OID: 1.2.840.113549.3.7 3des
> > > OID: 1.2.840.113549.3.2 rc2 (128 bits)
> > > OID: 1.3.14.3.2.7 des
> > > OID: 1.2.840.113549.3.2 rc2 (64 bits)
> > > OID: 1.2.840.113549.3.2 rc2 (40 bits)
> > > -------------------------------------------------------------------
> > >
> > >
> > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
wrote
> > in message
> > > news:%23VkDSqOpDHA.1408@TK2MSFTNGP11.phx.gbl...
> > > > Thanks Mitch! I'll check that out and come back if I need some more
> > help.
> > > >
> > > > Joe K.
> > > >
> > > > "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> > > > news:%23431EjMpDHA.2676@TK2MSFTNGP11.phx.gbl...
> > > > > Thanks.
> > > > > I think you can use CryptMsgGetParam with
> > > > dwParamType=CMSG_SIGNER_INFO_PARAM
> > > > > and then decode the authenticated attributes and look for the OID:
> > > > > sMIMECapabilities (1 2 840 113549 1 9 15)
> > > > >
> > > > > Alternatively, you can more directly use
> > > > dwParamType=CMSG_SIGNER_AUTH_ATTR_PARAM
> > > > >
> > > > > I haven't tried this, but should work, based on looking at asn.1
> > partial
> > > > dump appended below,
> > > > > of a signed message (signed my Netscape 4.9 showing 3DES as the
first
> > > > preference).
> > > > >
> > > > > Note that the same OID is supported as an actual certificate
> > extension,
> > > > but I don't think
> > > > > any commercial CA's issue certs with an sMIMECapabilities
extension
> > for
> > > > Personal certs.
> > > > >
> > > > > - Mitch Gallant
> > > > > ----------------------- partial asn.1 dump of CMS/PKCS #7 signed
> > > > essage -------------------
> > > > > 2410 30 82: SEQUENCE {
> > > > > 2412 06 9: OBJECT IDENTIFIER
> > > > > : sMIMECapabilities (1 2 840 113549 1
9
> > 15)
> > > > > 2423 31 69: SET {
> > > > > 2425 30 67: SEQUENCE {
> > > > > 2427 30 10: SEQUENCE {
> > > > > 2429 06 8: OBJECT IDENTIFIER
> > > > > : des-EDE3-CBC (1 2 840 113549 3
7)
> > > > > : }
> > > > > 2439 30 14: SEQUENCE {
> > > > > 2441 06 8: OBJECT IDENTIFIER rc2CBC (1 2
840
> > 113549
> > > > 3 2)
> > > > > 2451 02 2: INTEGER 128
> > > > > : }
> > > > > 2455 30 7: SEQUENCE {
> > > > > 2457 06 5: OBJECT IDENTIFIER desCBC (1 3 14
3 2
> > 7)
> > > > > : }
> > > > > 2464 30 13: SEQUENCE {
> > > > > 2466 06 8: OBJECT IDENTIFIER rc2CBC (1 2
840
> > 113549
> > > > 3 2)
> > > > > 2476 02 1: INTEGER 64
> > > > > : }
> > > > > 2479 30 13: SEQUENCE {
> > > > > 2481 06 8: OBJECT IDENTIFIER rc2CBC (1 2
840
> > 113549
> > > > 3 2)
> > > > > 2491 02 1: INTEGER 40
> > > > > : }
> > > > > "Joe Kaplan (MVP - ADSI)"
<joseph.e.kaplan@removethis.accenture.com>
> > wrote
> > > > in message
> > > > > news:ezPjwFMpDHA.3688@TK2MSFTNGP11.phx.gbl...
> > > > > > Hi Michel,
> > > > > >
> > > > > > I'm wondering if you have a good idea on how to get a user's
> > encryption
> > > > > > capabilities from a PKCS#7 signed data container? I need to be
able
> > to
> > > > > > extract a user's certificate (not hard) and this info from this
data
> > in
> > > > .NET
> > > > > > and figured you were the guy to ask about how to do it. I tried
> > > > figuring
> > > > > > out how to do it via crypto api P/Invoke myself, but I couldn't
> > figure
> > > > out
> > > > > > from the MSDN documentation exactly how this information is even
> > stored.
> > > > > >
> > > > > > Thanks in advance for your help on this and thank you for
posting
> > all of
> > > > our
> > > > > > .NET crypto samples. They have been very helpful to a lot of
> > people.
> > > > > >
> > > > > > Joe K.
> > > > > >
> > > > > > "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> > > > > > news:Or6zqbLpDHA.2964@tk2msftngp13.phx.gbl...
> > > > > > > CAPICOM 2 currently does not support accessing enveloped
message
> > > > > > > recipients information if the EnvelopedData.Decrypt() fails.
It is
> > > > useful
> > > > > > > sometimes to have direct access to that information, without
> > > > necessarily
> > > > > > > being able to decrypt as a recipient. Good ASN.1 parses can
do
> > this
> > > > of
> > > > > > course.
> > > > > > >
> > > > > > > This C# .NET utility provides that capability, using the usual
> > > > CryptoAPI
> > > > > > > decoding functionality:
> > > > > > > http://pages.istar.ca/~neutron/feature/EnvelInfo
> > > > > > >
> > > > > > > It uses P/Invoke extensively, and uses a variety of different
> > > > marshaling
> > > > > > > approaches (there are usually several ways to do things).
> > > > > > >
> > > > > > > - Michel Gallant
> > > > > > > Visual Security MVP
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: Newbie : How to query a SAM (NT4) profile using System.DirectoryServices"
- Previous message: Ray Woodard: "ntvdm.exe, cmd.exe, and security"
- In reply to: Michel Gallant: "Re: Recipients info for Enveloped Message"
- Next in thread: Michel Gallant: "Re: Recipients info for Enveloped Message"
- Reply: Michel Gallant: "Re: Recipients info for Enveloped Message"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
