Contents:
- Why does Outlook stick to SHA-1 and 3DES when creating S/MIME signatures and encrypting the content
- How to make Outlook use modern and secure hash functions and encryption algorithms for S/MIME
- How to sign your outgoing e-mail messages
- How to check the algorithm used for creating the S/MIME signature
1. Why does Outlook stick to SHA-1 and 3DES when creating S/MIME signatures and encrypting the content
That is not clear at the moment. If one tries to select a different hash function for the S/MIME signature (SHA256, SHA384, SHA512) or an encryption algorithm other than 3DES (AES-256, for instance), those changes cannot be saved in the default S/MIME settings profile. Outlook keeps using SHA-1 and 3DES. The strangest part is that even Microsoft product support cannot provide a solution:
2. How to make Outlook use modern and secure hash functions and encryption algorithms for S/MIME
Important: You cannot use a hash function of a higher order than the one your Certificate Authority used to sign your X.509 certificate. For instance, if the CA signature on your certificate is SHA256, you cannot use SHA384 or SHA512 when creating S/MIME signatures. Obviously, if the CA signature on your X.509 certificate is based on SHA-1, you cannot use even SHA-256 for signing in Outlook. Therefore, check your own certificate before starting with the instructions below.
Before starting, you need to have your certificate installed - either in the Windows Certificate Store of the current user (imported from a PKCS#12 file) or by connecting the smart card reader to the system. Once the certificate is accessible, start Outlook and in the main window go to "File":
Click there on "Options":
Next, go to "Trust Center" (1) and from there open "Trust Center Settings" (2):
Finally, click on "Email Security" (1) and "Settings" (2) to start modifying the S/MIME profile:
And here comes the big problem. You cannot change the hash function and the encryption algorithm in the default profile (that profile is created automatically). Therefore, you have to create a new default profile manually, giving it a different name and selecting there the desired combination of hash and encryption algorithms. This is what is done below.
First, select the certificate for signing (if it is not already selected):
And here comes the trick. Select the desired encryption algorithm (1), then the desired hash function (2), and CHANGE THE NAME OF THE SETTINGS PROFILE - THIS IS WHAT MAKES THE MAGIC (3):
Press "OK" to exit (4) and in the previous window make sure the new profile is selected:
You may close the corresponding windows in the configuration menu and start signing your outgoing e-mail messages.
3. How to sign your outgoing e-mail messages using the new S/MIME settings
Nothing new here. Compose a new short e-mail message, addressed to yourself, do not send it yet, and open the tab "Options":
Click on "Sign", then press the button "Send" to send the message:
A new window will pop up. There you should enter either the password protecting the private key in the Windows Certificate Store of the current user, or the PIN that unlocks the smart card processor for signing:
4. How to check the algorithm used for creating the S/MIME signature
Once the signed email is received in the Inbox, click on the seal icon:
In the new window, check if the S/MIME signature is valid:
and then click on "Details":
If you click on "Signer" you will see the algorithm used for creating the S/MIME signature:
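The "Signer" dialog above shows the algorithm Outlook picked; the same answer can be read straight out of the DER-encoded CMS body of a signed (smime.p7s) or encrypted (smime.p7m) attachment, which is useful when checking the result of the profile change outside Outlook or across many messages. The script below is an added example written for this post, not code from the original article or from Microsoft; it walks the ContentInfo / SignedData / EnvelopedData structure and reports the digest or content-cipher OIDs, handles definite-length DER only (not indefinite-length BER), and the two sample blobs are constructed skeletons with only the algorithm fields filled in, not real messages.

```python
ALG_NAMES = {  # the choices the Outlook dialog offers, keyed by their CMS OID
    "1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256",
    "2.16.840.1.101.3.4.2.2": "SHA-384", "2.16.840.1.101.3.4.2.3": "SHA-512",
    "1.2.840.113549.3.7": "3DES-CBC", "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
}
SIGNED_DATA, ENVELOPED_DATA = "1.2.840.113549.1.7.2", "1.2.840.113549.1.7.3"

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (definite length only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """(tag, body) pairs of the elements inside a constructed element's body."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    """Dotted form of an OBJECT IDENTIFIER body: first byte packs two arcs, rest are base-128."""
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def smime_algorithms(der):
    """Names of the digest algorithms (SignedData) or content cipher (EnvelopedData) in a CMS blob."""
    (_, ctype), (_, content) = children(read_tlv(der)[1])  # ContentInfo ::= SEQ { OID, [0] EXPLICIT }
    fields = children(children(content)[0][1])             # the SignedData / EnvelopedData SEQUENCE
    if decode_oid(ctype) == SIGNED_DATA:       # version, digestAlgorithms SET, encapContentInfo, ...
        alg_ids = children(fields[1][1])
    elif decode_oid(ctype) == ENVELOPED_DATA:  # version, [originatorInfo], recipientInfos SET, encryptedContentInfo SEQ
        eci = next(body for tag, body in fields[1:] if tag == 0x30)
        alg_ids = [children(eci)[1]]                       # contentType OID, AlgorithmIdentifier, content
    else:
        raise ValueError("not a SignedData or EnvelopedData ContentInfo")
    return [ALG_NAMES.get(decode_oid(children(alg)[0][1]), "unknown") for _, alg in alg_ids]

# Constructed skeletons (not real messages) of what the default Outlook profile emits.
SIGNED_SHA1 = bytes.fromhex("302e06092a864886f70d010702a021301f020101310b300906052b0e03021a0500"
                            "300b06092a864886f70d0107013100")
ENVELOPED_3DES = bytes.fromhex("304106092a864886f70d010703a03430320201003100302b06092a864886f70d010701"
                               "301406082a864886f70d03070408000000000000000080080000000000000000")
```

Run `smime_algorithms(open("smime.p7s", "rb").read())` on a saved attachment; a message from the new profile should report SHA-256 (or higher) rather than SHA-1, and an encrypted one AES-256-CBC rather than 3DES-CBC.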