Outlook does not always use the configured algorithm for digital signature (S/MIME)

Anonymous
2024-04-19T10:06:31+00:00

I am working with the Outlook version:

Microsoft® Outlook® para Microsoft 365 MSO (versión 2403 compilación 16.0.17425.20176) de 64 bits

For the digital signature of the messages I have configured the SHA256 algorithm. All messages are signed with this hash algorithm. Perfect.

The problem comes when I encrypt and sign a message. In that case, the encryption is done with the algorithm I have configured (AES256), but the signature uses a SHA1 hash.

Given the progressive lack of trust in SHA1 by mail clients, signing messages with this algorithm is very problematic.

Is it a bug? Can the configuration be further tweaked?

Outlook | Windows | Classic Outlook for Windows | For education

Locked question. This question was migrated from the Microsoft Support Community.
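The question above infers the hash from the client's settings dialog; the more reliable check is to read the digest algorithm out of the signed part itself. The following PowerShell is an added example (not code from the thread or from Microsoft): it decodes a saved `smime.p7s` (detached signature) or `.p7m` (opaque signed) file with the .NET `SignedCms` class and reports the digest OID each signer used, flagging SHA-1 (OID 1.3.14.3.2.26). The file path is a placeholder you supply; the OID value for SHA-1 is the standard one.

```powershell
# Added example, not from the thread: report which digest algorithm a signed
# S/MIME part actually carries, so the SHA1-vs-SHA256 behaviour described in
# the question can be verified on the wire rather than inferred from settings.
Add-Type -AssemblyName System.Security   # SignedCms lives here on Windows PowerShell 5.1

function Get-SmimeSignatureDigest {
    param([Parameter(Mandatory)][string]$Path)   # .p7s or .p7m saved from the message

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Mail clients often store the signature part as base64 text rather than raw DER;
    # if the whole file is base64 characters, decode it first.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match '^[A-Za-z0-9+/=\r\n]+$') {
        $bytes = [Convert]::FromBase64String($text.Trim())
    }

    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($bytes)   # throws if the blob is not CMS SignedData

    foreach ($si in $cms.SignerInfos) {
        $subject = if ($si.Certificate) { $si.Certificate.Subject } else { '(certificate not embedded)' }
        [pscustomobject]@{
            Signer     = $subject
            DigestOid  = $si.DigestAlgorithm.Value
            DigestName = $si.DigestAlgorithm.FriendlyName
            # 1.3.14.3.2.26 is the standard OID for SHA-1; anything else here is stronger.
            WeakSha1   = ($si.DigestAlgorithm.Value -eq '1.3.14.3.2.26')
        }
    }
}

# Usage (placeholder path): save the signed part from a test message, then
Get-SmimeSignatureDigest -Path 'C:\temp\smime.p7s' | Format-Table -AutoSize
```

Send yourself one signed-only message and one signed-and-encrypted message (decrypt the latter and save its inner signed part) and compare the `DigestOid` column; that is the direct evidence for the difference the question describes.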

11 answers

  1. Anonymous
    2024-04-19T12:24:33+00:00

    Hi Eleni,

    Thank you for the quick response.

    But the problem is unique to the Outlook client. There is no server involved in signing/encrypting my messages.

    I don't use an Exchange account and the certificates (and private keys) are only accessible to the client.

    Regards

  2. Anonymous
    2024-04-23T15:29:43+00:00

    Hi mimaen,

    Good day!

    Thank you for Replying to the Microsoft Community. We are glad to assist.

    After a lot of searching about your problem, you need to configure Outlook to use modern algorithm settings.

    You need to follow the steps below:

    These registry keys need to be set before you configure the security profile. If a security profile has already been set up, make a note of the settings, then delete the security profile, restart Outlook, and create a new security profile. 

    To view and configure security settings, click the File menu, then click Options > Trust Center, click the Trust Center Settings button, then click Email Security, and then the Settings button.

    To set the following higher security algorithms as the new defaults, use the registry settings below:

    • Encrypted email - AES 128 bit (2.16.840.1.101.3.4.1.2)
    • Digital signature - SHA 384 bit (2.16.840.1.101.3.4.2.2)

    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security]
    "UseAlternateDefaultHashAlg"=dword:00000001
    "DefaultHashOID"="2.16.840.1.101.3.4.2.2"
    "UseAlternateDefaultEncryptionAlg"=dword:00000001
    "DefaultEncryptionAlgOID"="2.16.840.1.101.3.4.1.2"
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\3DES]
    "Flags"=dword:00000001
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\RC2]
    "Flags"=dword:00000001
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\SHA1]
    "Flags"=dword:00000001

    The security profile should look like this:

    [Screenshot of the security profile omitted] REF: Recommended SMIME algorithm settings for modern Outlook builds

    **Note:** please update your vote to help other people who have the same question.

    Thanks for your precious time. Have a nice day!

  3. Anonymous
    2024-04-24T10:44:01+00:00

    Hi Eleni,

    Thank you very much for the information. That article provides very interesting information about the registry keys needed to try to solve the problem.

    But the proposed configuration is a half-baked solution: if this policy is applied it will always use the same algorithm for signing and the same algorithm for encryption, for all the accounts managed in the Outlook client, regardless of the security configuration set for each one.

    Thus, we have two scenarios:

    • without applying the policy in the registry: the settings in the security configuration for an account are not always applied (when signing and encrypting simultaneously a default hash is used, not the configured one).
    • applying the policies in the registry: the security settings are useless, as the same algorithms are always applied, both for signing and encrypting.

    The ideal solution would be for the Outlook client to follow the security settings set by the user for each account. Simply put.

    I have thought that a good option would be to disable the use of SHA1, but without forcing the algorithms to be used (so that each account can be configured differently). That is, adding to the registry only these keys:

    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\SHA1]
    "Flags"=dword:00000001
    

    But, frustratingly, Outlook still uses SHA1 when encrypting and signing simultaneously, even though another signing algorithm is set in the security settings.

    Do you know if any work is being done to properly manage the security settings in the Outlook client?

    Best regards

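Both the full policy in the previous answer and the SHA1-only variant in this one live under the same per-user policy key, and (as this answer points out) they apply to every account in the profile. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads back whatever is currently set under that key, decodes the OIDs into algorithm names, lists which `CNGAlgs` entries carry `Flags=1`, and can apply just the SHA1 entry with `-WhatIf` support. The key path and value names are taken from the thread; the OID-to-name table is the standard PKCS/NIST assignment; the reading of `Flags=1` as "algorithm disabled" is this thread's interpretation and is treated here as an assumption.

```powershell
# Added example, not from the thread: audit and (optionally) apply the Outlook
# S/MIME policy values discussed above. Run as the user whose profile is affected.
$PolicyKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security'

# Standard algorithm OIDs (RFC 5754 / NIST CSOR), used only to label the values.
$OidNames = @{
    '1.3.14.3.2.26'           = 'SHA-1'
    '2.16.840.1.101.3.4.2.1'  = 'SHA-256'
    '2.16.840.1.101.3.4.2.2'  = 'SHA-384'
    '2.16.840.1.101.3.4.2.3'  = 'SHA-512'
    '2.16.840.1.101.3.4.1.2'  = 'AES-128-CBC'
    '2.16.840.1.101.3.4.1.22' = 'AES-192-CBC'
    '2.16.840.1.101.3.4.1.42' = 'AES-256-CBC'
    '1.2.840.113549.3.7'      = '3DES-CBC'
    '1.2.840.113549.3.2'      = 'RC2-CBC'
}

function Get-OutlookSmimePolicy {
    # Returns an ordered table of the policy values that are currently set.
    $result = [ordered]@{}
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No policy key at $PolicyKey; Outlook is using its built-in defaults."
        return $result
    }
    $p = Get-ItemProperty -Path $PolicyKey
    foreach ($name in 'UseAlternateDefaultHashAlg', 'DefaultHashOID',
                      'UseAlternateDefaultEncryptionAlg', 'DefaultEncryptionAlgOID') {
        $v = $p.$name                      # $null when the value is not set
        if ($v -is [string] -and $OidNames.ContainsKey($v)) { $v = "$v ($($OidNames[$v]))" }
        $result[$name] = $v
    }
    # Assumption (the thread's reading): CNGAlgs\<alg>\Flags = 1 means "do not use <alg>".
    $cng = Join-Path $PolicyKey 'CNGAlgs'
    if (Test-Path $cng) {
        foreach ($sub in Get-ChildItem -Path $cng) {
            $flags = (Get-ItemProperty -Path $sub.PSPath).Flags
            $result["CNGAlgs\$($sub.PSChildName)"] =
                if ($flags -eq 1) { 'disabled (Flags=1)' } else { "Flags=$flags" }
        }
    }
    return $result
}

function Disable-OutlookSmimeSha1 {
    # Writes only the SHA1 entry from the answer above, leaving the default
    # hash/encryption OIDs alone so per-account settings stay in effect.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = Join-Path $PolicyKey 'CNGAlgs\SHA1'
    if ($PSCmdlet.ShouldProcess($key, 'Set Flags=1 (disable SHA1 for S/MIME)')) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Flags' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Usage: show what is configured, then preview the SHA1-only change without writing it.
Get-OutlookSmimePolicy | Format-Table -AutoSize
Disable-OutlookSmimeSha1 -WhatIf
```

As the earlier answer notes, these values are read when the security profile is created, so restart Outlook and recreate the profile after changing them; and as this answer reports, the SHA1-only entry did not change the sign-and-encrypt behaviour in the poster's build, so use the audit output together with a check of the actual signed message rather than assuming the policy took effect.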
  4. Anonymous
    2024-04-19T12:14:02+00:00

    Hi mimaen,

    Good day!

    Thank you for posting to Microsoft Community. We are glad to assist.

    Based on your post regarding "Outlook does not always use the configured algorithm for digital signature (S/MIME)": it seems that the cause of the problem is most likely an error on the server backend. Because our forum lacks relevant resources and permissions, it is advised to create a service ticket in the Microsoft 365 admin center, as they have more access permissions than this forum, and the dedicated team of professional engineers will further assist you.

    Here is how to get Online support | Microsoft Learn

    1. Go to the admin center at https://admin.microsoft.com. If you get a message that says you don't have permission to access this page or perform this action, you aren't an admin. For more information, see Who has admin permissions in my business?.
    2. On the bottom right side of the page, select Help & support.
    3. Type a question or keyword into the text box. If you get a drop-down list, select the one closest to your question, or continue typing your question, then press Enter.
    4. If the results don't help, at the bottom, select Contact Support.
    5. Enter a description of your issue, confirm your contact number and email address, select your preferred contact method, and then select Contact Me. The expected wait time is indicated in the Contact support pane.

    Note: If you are not using an admin account, kindly reach out to your IT administration within your organization for help.

    Thanks for your precious time. Have a nice day!

  5. Anonymous
    2024-04-25T17:46:02+00:00

    Hi mimaen,

    Good day!

    Thank you for Replying to the Microsoft Community. We are glad to assist.

    Certainly! The use of SHA1 as the default hash algorithm for digital signing in the Outlook client has been a topic of discussion.

    Changing default algorithms: while SHA1 remains the default, it's essential to stay informed about security updates and consider using stronger algorithms.

    See also: Issues you might encounter when SHA-1 Trusted Root Certificate

    Note: Please update your vote to help other people who have the same problem.

    Thanks for your precious time. Have a nice day!
