Dailydave mailing list archives
Fwd: Classified Email
From: caelyx <sigint () caelyx net>
Date: Sun, 19 Jun 2005 04:19:45 +1000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [reposted, to the list this time] Hey, Sorry this is so late; I didn't see any replies, and I thought this might be remotely valuable. On 4 Jun 2005, at 00:15, Dave Aitel wrote:
Here in Harlem (always the best place to advertise advanced technology) every bus station has a three meter advertisement for the Microsoft Office system on it. The one near my house has a picture of a dwarf triceritops head on a human body. Anyways the advert says "Classified emails and reply-all buttons don't go together - the Microsoft Office System". This always puzzles me.
At best, it seems badly worded. :) AFAIK, the technology they're really selling is called 'Office Rights Management', which is the first application of the 'Windows Rights Management' stuff they're selling now. Essentially, individual documents (incl. emails, webpages, Word docs, etc) are "protected" in terms of who can read them and what they can do with them. So, Alice could say that only Bob and Charlie can read her email telling them that she's thinking of firing Eve, but they can't forward it to anyone or print it. The mechanics are a little messy (there's something like 4 separate RSA keys involved in any given transaction), and I've got a diagram somewhere in a presentation that a Microsoft rep gave me, if that would be helpful. In essence, each protected document gets encrypted against a document-specific AES key, which is then encrypted against the rights-management-server's public RSA key. That's then attached to a XrML document saying who can do what with the file, which is all then signed by another key (the sender's, I think). The whole signed XrML document is then appended (or prepended) to the encrypted document. When you get the file, you strip off the XrML and hand it to the RMS along with your authentication information (AD credentials). If you're allowed access to the file, it hands back the key and you can decrypt the file. The whole system relies on the claim that the applications (office and IE mostly) are impervious to attack, and will always obey the limitations in the XrML. I don't imagine that it'd be too difficult to break, if you were really serious. Otherwise, you could always use terminal services and hit print-screen or take a photo of the screen to get around the 'thou shalt not copy-paste, nor print' restrictions. Oh, and Microsoft tell you to save a rights-unencumbered (i.e.: unencrypted) version of your document before you encrypt it. In a big- business environment, most users are going to dump that on their (not- so-)'secure' network drive anyway. :(
[snip] How many companies go so far as to purchase "Confidential" stamps for their employees, or even educating them on what's confidential and what's not? What company has more than one level of confidentiality in the normal workforce?
AFAIK, it's one of those things that ISO 17799 unilaterally declares to be important. As a result, companies who need to be able to claim compliance install schemes. Most of the financial institutions here (Australia) have gone to great lengths to establish and maintain differentiated confidentiality levels. Hope that was at least slightly interesting. #sim -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.1 (Build 2185) iQA/AwUBQrRl0g0PThLBxU2kEQJK3gCgjHTkrCL8bEtm+hLOxcQDQ2sxaV0An3FJ UcuXRZilQZoQ+uHKcUElIYAJ =gfmK -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Classified Email Dave Aitel (Jun 03)
- <Possible follow-ups>
- Fwd: Classified Email caelyx (Jun 18)