Outlook hash algorithm choice

Question

Hello,

I am configuring S/MIME via:

Outlook / Trust Center / Trust Center Settings / Email Security / Encrypted Email / Settings.

I have two S/MIME certificates, from different suppliers. 

Using one I get a choice various different SHA algorithms, but using the other I only get a choice of SHA1.

How does Outlook determine which hash algorithms to offer?

I've looked at the details of the certificates, and there does not seem to be anything substantially different that would affect this.

They do use different CSPs.     Could if be the CSP is only offering SHA1?   How can I find out?

Thanks for any suggestions.

Colin

Answer 1

I can confirm that Outlook does not allow SHA-256 or AES when using a custom CSP.

I changed my certificate in my Certificate Authority to allow Any Cryptographic provider to be used with the certificate. This together with my Registry entries - in previous post in this thread - allowed me to sign an email with SHA-256 and SHA-512 and use AES encryption.

However, at the recipient the email is only signed with SHA-1 and encrypted with 3DES.

Doing research I found these articles:

https://blogs.technet.microsoft.com/enterprisemobility/2008/06/30/2008-web-enrollment-and-version-3-templates/

and

https://technet.microsoft.com/en-us/library/cc725838(v=ws.11).aspx

which states that

Version 3 certificate templates are new in Windows Server 2008. Version 3 certificate templates function similarly to version 2 templates, and they support new Active Directory Certificate Services (AD CS) features available in Windows Server 2008. These features include Cryptography Next Generation (CNG), which introduces support for Suite B cryptographic algorithms such as elliptic curve cryptography (ECC).

Version 3 Certificate Authority templates uses the Key Storage Provider and not the CSP. The suite B cryptographic algorithms also include SHA2 and AES, meaning that you have to change to a custom KSP in order to get support for SHA-256 and AES in Outlook.

Answer 2

I'm not certain this is the case, as both certificates look very similar.   The policy OIDs are the same.

There is no other field mentioning the hash algorithm.

Colin

Answer 3

Hi Colin,

As I know, it depends on how many Hash Algorithm types the certificate supported rather than the Outlook client.

Regards,

Larry

Answer 4

Thank you for the reply.

In the "Change Security Settings" dialog you show, for one of my certificates I see the hash algorithm choice you show.

However for the other (using a different certificate and CSP), I only see SHA1.

I am using Outlook, connected to Office 365 for Business exchange server (issue occurs if I am online of offline).

How does Outlook determine the list of hash algorithm to present?

Cheers,

Colin

Answer 5

Hi Colin,

Thank you for posting your concerns. Based on my test, that the choice of hash algorithms are the same on both certificates, whether you have created this under SHA-256 and SHA-1 formats.

After creating my S/MIME on one of third party Digital ID certificate services. I have checked that both SHA-1 and SHA-256 formats have the same Hash Algorithm options.

Is your S/MIME configured with Exchange Online or by Exchange Hybrid?

If I misunderstood your scenario, please let us know the details of the issue you encounter when configuring S/MIME on Outlook.

Feel free to post if you have questions.

Best Regards,

Ruel

[Updated by Ruel Mayoya MSFT Support, 2:28 AM, Oct, 18, 2016 (UTC)]