Return to list of client alerts
Security firm WithSecure has identified a structural weakness in Microsoft’s approach to encryption that is not easy to remedy. This is not a bug, this is a design flaw.
Microsoft uses the Electronic Code Book (ECB) mode in AES to do its encryption. This was a decision made years ago, likely before anyone understood the weakness of ECB mode. But the problem is that if you change your encryption algorithm you won’t be able to open old files.
While you could support two separate encryption algorithms – one for old files and messages and another for new ones.
The problem with ECB is that the same string of letters will always encrypt to the same encrypted string. That means if you have a significant amount of text, you may see patterns and make it easier to decrypt the data.
Microsoft, UNBELIEVABLY, says that their encryption is “intended as a tool to prevent accidental misuse and is not a security boundary”.
I never knew that Microsoft says that its encryption mechanism is not a security tool, but that is good to know.
If you need help finding a security tool using encryption, please contact us, because, apparently, Microsoft does not plan to fix this.
Credit: Bank Info Security