On 2009-06-01 12:07 PDT, Andrew Manore wrote: > I'm not able to see what encryption algorithms Thunderbird 2.0.x is > using. From what I've been able to tell (through downloading the > encrypted message into Microsoft Outlook), Thunderbird is using 3DES > encryption with SHA-1 hashes.
Thunderbird 2's S/MIME conforms to an old version of the specifications, RFC 2630 and RFC 2633, written in 1999, which was before the export control regulations were changed. As specified there, when you send a signed S/MIME message, it contains a record of your SMIME capabilities, the algorithms and key sizes that you support when you are RECEIVING S/MIME messages. A party who receives your signed message will know what algorithms you support and, when he sends you an enveloped message, he may use the strongest algorithms and key sizes that are mutually supported. However, if a party has only your certificate and not a signed message from you, he does not know your capabilities, and can only rely on your implementation implementing the minimum requirements for that version of S/MIME. The minimum requirements of that version were RC2 encryption with 40 bit keys. So, if you send an encrypted message to someone from whom you have never received a signed S/MIME message, you will use weak encryption. AFAIK, when you read an encrypted message, Thunderbird does not show you any information about the algorithms or key sizes used for the bulk data encryption. There are tools that can look at an encrypted message and tell you that information. They can do so even without having the certs or private keys of the recipient, because the information about the algorithms used is not encrypted. It is binary encoded however, so you need a tool to help decode it into a humanly readable form. Use if those tools is something a developer could do, but IMO, is not something that the average user could do. > I'm wondering if there's any way to change the encryption to AES (any > supported key length) and the hash to SHA-2. I'm also wondering if > there's a way to verify the form of encryption used. There doesn't seem > to be any option in the menus, nor any option in the advanced > configuration editor. AFAIK, there is no way for you to directly control the encryption algorithms used when you send an encrypted email. The algorithm is chosen automatically, as I explained above. Long ago, there were some preferences for choosing the ciphers that are sent out in your signed messages, which gave you some control over the ciphers that others use when sending encrypted messages to you. But those were removed long ago as part of an effort to "simplify" (read: dumb down) the security prefs. That was largely because EVERYONE assumed that the prefs controlled the encryption algorithms used when sending, not when receiving, and there was much angst among users over that. Finally, I will add that (IINM) Thunderbird 3 has support for AES. I don't know about the SHA1 vs SHA2 issue. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
