Enabling Message Encryption in Office 365

As I mentioned in an earlier post, email encryption is a sticky thing. In a perfect world, everyone would have Opportunistic TLS enabled and all mail traffic would be automatically encrypted with STARTTLS encryption, which is a fantastic method of ensuring security of messages “in transit”. But some messages need to be encrypted “at rest” due to security policies or regulations. Unfortunately, researchers have recently discovered some key vulnerabilities in the S/MIME and OpenPGP. These encryption systems have been the most common ways of ensuring message encryption for messages while they are sitting in storage. The EFAIL vulnerabilities allow HTTP formatted messages to be exposed in cleartext by attacking a few weaknesses.

Luckily, Office 365 subscribers can improve the confidentiality of their email by implementing a feature that is already available to all E3 and higher subscriptions or by purchasing licenses for Azure Information Protection and assigning them to users that plan to send messages with confidential information in them. The following is a short How-To on enabling the O365 Message Encryption (OME) system and setting up rules to encrypt messages.

The Steps

To enable and configure OME for secure message delivery, the following steps are necessary:

  1. Subscribe to Azure Information Protection
  2. Activate OME
  3. Create Rules to Encrypt Messages

Details are below.

Subscribe to Azure Information Protection

The Azure Information Protection suite is an add-on subscription for Office 365 that will allow end users to perform a number of very useful functions with their email. It also integrates with SharePoint and OneDrive to act as a Data Loss Prevention tool. With AIP, users can flag messages or files so that they cannot be copied, forwarded, deleted, or a range of other common actions. For email, all messages that have specific classification flags or that meet specific requirements are encrypted and packaged into a locked HTML file that is sent to the recipient as an attachment. When the recipient receives the message, they have to register with Azure to be assigned a key to open the email. The key is tied to their email address and once registered the user can then open the HTML attachment and any future attachments without having to log in to anything.

Again, if you have E3 or higher subscriptions assigned to your users, they don’t need to also have AIP as well. However, each user that will be sending messages with confidential information in them will need either an AIP license or an E3/E5 license to do so. To subscribe to AIP, perform these steps:

  1. Open the Admin portal for Office 365
  2. Go to the Subscriptions list
  3. Click on “Add a Subscription” in the upper right corner
  4. Scroll down to find the Azure Information Protection
  5. Click the Buy Now option and follow the prompts or select the “Start Free Trial” option to get 25 licenses for 30 days to try it out before purchasing
  6. Wait about an hour for the service to be provisioned on your O365 tenant

Once provisioned, you can then move on to the next step in the process.

Activate OME

This part has changed very recently. Prior to early 2018, Activating OME took a lot of Powershell work and waiting for it to function properly. MS changed the method for activating OME to streamline the process and make it easier to work with. Here’s what you have to do:

  1. Open the Settings option in the Admin Portal
  2. Select Services & Add-ins
  3. Find Azure Information Protection in the list of services and click on it
  4. Click the link that says, “Manage Microsoft Azure Information Protection settings” to open a new window
  5. Click on the Activate button under “Rights Management is not activated”
  6. Click Activate in the Window that pops up

Once this is done, you will be able to use AIP’s Client application to tag messages for right’s management in Outlook. There will also be new buttons and options in Outlook Web App that will allow you to encrypt messages. However, the simplest method for encrypting messages is to use an Exchange Online Transport Rule to automatically encrypt messages.

Create Rules to Encrypt Messages

Once OME is activated, you’ll be able to encrypt messages using just the built in, default Rights Management tools, but as I mentioned, it’s much easier to use specific criteria to do the encryption automatically. Follow these stpes:

  1. Open the Exchange Online Admin Portal
  2. Go to Mail Flow
  3. Select Rules
  4. Click on the + and select “Add a New Rule”
  5. In the window that appears, click “More Options” to switch to the advanced rule system
  6. The rule you use can be anything from Encrypting messages flagged as Confidential to using a tag in the subject line. My personal preference is to use subject/body tags. Make your rule look like the below image to use this technique:Encrypt Rule

When set up properly, the end user will receive a message telling them that they have received a secure message. The email will have an HTML file attached that they can open up. They’ll need to register, but once registered they’ll be able to read the email without any other steps required and it will be protected from outside view.

 

 

Advertisements

Data Encryption – How it Works (Part 1)


I’ve decided to start a short series of posts on data encryption, which is becoming an increasingly important subject in IT as government regulations and privacy concerns demand ever increasing levels of privacy and security.

In this series, I’ll try to cover the more confusing concepts in encryption, including the three main types of encryption systems used today; Private Key encryption, Public Key Encryption, and SSL/TLS encryption. I will cover how those types of encryption function and vary from one another. I will also get some coverage on one of the most confusing topics in IT security, Public Key Infrastructure. If you haven’t already read by article on Digital Certificates, I would highly recommend doing so before going on to part two of this series, since digital certificates underpin the vast majority of encryption standards today.

What is Encryption?

The goal of encryption is to make any message or information impossible to understand or read without permission. Perfect encryption is (currently) impossible. What I mean by that is there is no way to encrypt data so that it can’t *possibly* be read by someone who isn’t authorized to do so. There are an unlimited number of ways to encrypt data, but some methods are significantly more effective at preventing unauthorized disclosure of data than others.

Encryption Parts

Every encryption system, however, has a few things in common. First, there’s the data. If you don’t have something you want to keep private or secret, there’s no reason to encrypt your data, so no need for encryption. But since we live in a world where secrecy and privacy are occasionally necessary and desirable, we are going to have stuff we want to encrypt Credit card numbers, social security numbers, birth dates, and things like that, for instance, need to be encrypted to prevent people from misusing them. We call this data “Clear-text” because it’s clear what the text says.

The next part is the “encryption algorithm”. Encryption is based very heavily in math, so we have to borrow some mathematical terminology here. In math, an algorithm is all the steps required to reach a conclusion. The algorithm for 1+1 is identified by the + sign, which tells use the step we need to take to get the correct answer to the problem, which is to add the values together. Encryption algorithms can be as simple as adding numbers or so complicated that they require a library of books to explain. The more complicated the algorithm, the more difficult it is (in theory) to “crack” the encryption and expose the original clear-text.

Encryption algorithms also require some value to be added along with the clear-text to generate encrypted data. The extra value is called an encryption “key”. The encryption key has two purposes. First, it allows the encryption algorithm to produce a (theoretically) unique value from the clear-text. Second, it allows people who have permission to read the encrypted data to do so, since knowing what the key is will allow us to decrypt, or reveal, the clear-text (more on this in a bit).

These three pieces put together are used to create a unique “Cipher-text” that will appear to be just gobbledygook to casual inspection. The cipher-text can be given to anyone and whatever it represents will be unknown until the data is “decrypted”. The process we go through to do this is fairly simple. We take the clear-text and the key, enter them as input in the encryption algorithm, and after the whole algorithm is completed with those values, we get a cipher-text. The below image shows this:

Encryption

 

Every encryption algorithm requires the ability to “reverse” or “decrypt” the data, so they all have a different decryption algorithm. For instance, in order to get back to the original value of 1 after adding 1 to it to get 2, you would have to reverse that process by subtracting 1. In this case, we know what input (1) and algorithm (adding) was used to reach the value, so reversing it is easy. We just subtract whatever number we need to get back to the original value (1 in this case). In general, decryption algorithms will take the key and cipher-text as input to the algorithm. Once everything in the algorithm is done, it should result in the original clear-text, as shown below:

Decryption

Simple Examples

Two early examples of encryption come to us from Greek and Roman history. The Skytale was a fairly ingenious encryption tool that used a wooden block of varying size and shape as its key. The clear-text was written (or burned) on a strip of leather that was wrapped around the key on a single side of the key, which was usually hexagonal. The person who was supposed to receive the message had a key of similar shape and size. Wrapping the leather strip around the other key would allow the recipient to receive the message. Using the above terminology, the Clear-text is the message, the key is the block of wood, and the encryption algorithm is wrapping a strip of leather around the key and writing your message along with some fake gobbledygook on all the other sides. Unwrapping the leather from the block gives a cipher-text. Decryption is just wrapping the strip around a similarly shaped and sized block, then look at all sides to see which one makes sense.

One of the more famous encryption algorithms is called the “Caesar Cipher” because it was developed by Julius Caesar during his military conquests to keep his enemies from intercepting his plans. You’ve probably used this algorithm before without knowing it if you ever enjoyed passing notes to friends in school and wanted to keep the other kids (or the teacher) from knowing what the message said if they “intercepted” it.

The Caesar Cipher is fairly simple, but works well for quick, easy encryption. All you do is pick a number between 1 and 26 (or the number of letters in whatever language you’re using). When writing the message, you replace each letter with whatever letter whose space in the alphabet is equal to the number you chose above or below in the alphabet. For instance, “acbrownit” is “bdcspxmju” in a +1 Caesar Cypher. Decrypting the message is a simple matter of reversing that. For a Caesar Cypher, the key is whatever number you pick, the clear-text is the message you want to send, the algorithm is to add the key to the clear-text’s letters, outputting cipher-text.

Key Exchange

For any encryption algorithm to function properly as a way to send messages, you must have a way to ensure that the recipient of the message has the correct key to decrypt the message. Without a key, the recipient will be forced to “crack” the encryption to read the message. So you need to be able to provide that key to the recipient. The process of ensuring that both the sender and recipient have the keys to encrypt and decrypt the message (respectively), a “key exchange” must occur. This is often as simple as telling your friend what number to use with your Caesar cipher.

But what do you do if you need to exchange keys in a public place, surrounded by prying eyes (like, for instance, the Internet)? It becomes much more difficult to exchange keys when needed if there is significant distance between the sender and recipient, which means that the biggest weakness in any encryption standard is making sure that the recipient has the key they need to decrypt the message. If the key can be intercepted easily, the encryption system will fail.

The exchange method used will usually depend on they type of key required for decryption. For instance, in World War II, the German military developed a mechanical encryption device called “Enigma” that was essentially a typewriter, but it changed the letters used when typing out a message with a mechanical series of gears and levels. If you pushed the I button on the keyboard, depending on the key used it would type a J or a P (or whatever). The keys were written down in a large notebook that was given directly to military commanders before they departed on their missions, and the index location of the key assigned to the message was set on the machine itself to encrypt and decrypt messages. The process of creating that key book and handing it to the commander was a key exchange. It was kept secure by ensuring that the only people who had the notebook of keys were people that were allowed to have them. Commanders were ordered to destroy their Enigma machines and accompanying notebooks if capture was likely. The Allies in the war were able to capture some of these machines eventually, which allowed a lot of incredibly smart people a chance to examine them and learn the algorithm used to encrypt data, which ultimately resulted in the Enigma machines becoming useless.

Modern encryption systems utilize a number of different methods for exchanging keys. For example, there are VPN tunnels that utilize “hardware” keys. In these solutions, the networks on each side of the tunnel have a device that is connected to another over the internet through a VPN. Before a connection between each side can be established, a small electronic dongle (about the size of a flash drive) has to be plugged in on each side. The dongle contains the key used to encrypt and decrypt data. The key exchange in this scenario involves having an authorized individual take a key to each site and plug it in. This is a very low-tech kind of key exchange, but is extremely secure because, as long as the individual carrying the keys is trustworthy, we can be sure that no one else has a copy of the key.

There are many other kinds of key exchanges that can occur in an encryption system, but most people don’t realize when a key exchange is even happening on the Internet. Whenever you visit an encrypted website, there are actually two different kinds of key exchange that have to happen before the website is presented. Without the technology to perform those exchanges, entering your credit card to purchase the latest gadget online would be a much more complicated and annoying process.

The Future of Encryption

Encryption techniques have come a long way since the early days of leather straps around wooden blocks. Encryption is also used in more ways, by more people, and for more purposes than you can imagine. Despite the improvements and technological developments that have come along, there is still no such thing as a perfect, unbreakable encryption technique. It’s always possible to decrypt data without permission. All we can do is ensure that the time it takes to “crack” the encryption is prohibitive. AES encryption, for example, can take as long as the universe has existed to crack using brute force techniques (based on the average computer’s processing power). The future, though, will require better, more ingenious encryption systems. Why? Because, theoretically, a sufficiently powerful quantum computer (which doesn’t exist yet) can crack even the strongest encryption in almost no time at all. Rest assured, however, that someone (or a group of someones) will develop a better system that will be much more difficult for quantum computers to crack.

Summing it Up

Encryption is a part of our daily lives, whether we realize it or not. Understanding how it works is becoming more important as time goes on and the need to protect ourselves from prying eyes increases. Hopefully, after reading this article, you can see why encryption is important and what it really does for everyone.