Archived Forum Post

Question:

AES with Outlook?

Feb 28 '17 at 08:50

AES with Outlook seems to be quite a big problem looking at various forums. Have you had any experience with this issue when using AES256 as the encryption algorithm when sending mails using Chilkat?


Answer

The Outlook application implementation would be hooking into the software installed on a particular Windows machine to do the PKCS7 encryption/signing. Specifically, it's going to use Microsoft's CryptoAPI (internally) which uses a CSP (Cryptographic Service Provider) to do the work. It is the capabilities of the CSP that determine what is or is not possible.

If your app runs on an older machine (Windows 7, Windows XP, etc.) then the CSP is likely missing newer algorithms. (Nowadays, "AES" is hardly "new")

Of course, if your app is using a token / smartcard / hardware dongle, then it's using the CSP of the token manufacturer, and thus the capabilities are dependent on it.

The CSP on Windows has access to the private key, which could be stored in hardware (on a token) or in the Windows Protected Store. Thus, when a cert w/ private key is installed on a system, such as from a PFX, it can be installed to make the private key non-exportable. "Non-Exportable" means that only a CSP has access to the private key. In PKCS7 operations, the private key is needed to create a signature, or to decrypt. The act of encrypting or validating signatures only requires the public key, which is freely available within the certificate itself.

With Chilkat, you shouldn't have any issues encrypting or validating signatures, because these don't involve the private key. If the private key is installed on the system and is exportable, then Chilkat can do the private key operations itself, and there should be no problem. If Chilkat finds that the private key is non-exportable, it will automatically fall back to using the CryptoAPI (and indirectly whatever CSP is associated with the cert/private key). This is a good way to check to see if the CSP is the problem -- install such that the private key is non-exportable, and then see if Chilkat can decrypt.
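The diagnostic the answer suggests (install the certificate with a non-exportable private key, then see which provider actually holds the key) can be scripted on the Windows side. The following PowerShell is an added example and is not code from the thread or from Chilkat; it assumes the PKI module's `Import-PfxCertificate` cmdlet (Windows 8 / Server 2012 and later), an RSA certificate, and a placeholder PFX path. It reports whether the key sits in a legacy CSP or a CNG key storage provider, the provider name, and whether the key is exportable, which is exactly the information that decides whether Chilkat can do the private-key operation itself or must go through CryptoAPI and the CSP.

```powershell
# Added example (not from the original thread or from Chilkat): import a PFX
# so that its private key is non-exportable, then report which provider holds
# the key and whether it is exportable. The PFX path below is a placeholder.

function Get-PrivateKeyProviderInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        return [pscustomobject]@{
            Subject    = $Certificate.Subject
            HasKey     = $false
            KeyType    = $null
            Provider   = $null
            Exportable = $null
            Hardware   = $null
        }
    }

    # GetRSAPrivateKey returns RSACryptoServiceProvider for keys held by a
    # legacy CSP and RSACng for keys held by a CNG key storage provider.
    # It returns $null for non-RSA (e.g. ECDSA) keys, which this example
    # does not cover.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) {
        throw "Certificate $($Certificate.Thumbprint) does not carry an RSA private key"
    }

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $rsa.CspKeyContainerInfo
        return [pscustomobject]@{
            Subject    = $Certificate.Subject
            HasKey     = $true
            KeyType    = 'CSP (CryptoAPI)'
            Provider   = $info.ProviderName
            Exportable = $info.Exportable
            Hardware   = $info.HardwareDevice
        }
    }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $key = $rsa.Key
        # ExportPolicy is a flag set; a key without AllowExport is non-exportable.
        $exportable = $key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
        return [pscustomobject]@{
            Subject    = $Certificate.Subject
            HasKey     = $true
            KeyType    = 'CNG key storage provider'
            Provider   = $key.Provider.Provider
            Exportable = $exportable
            Hardware   = $null   # CNG does not expose a simple hardware flag here
        }
    }

    throw "Unsupported private key implementation: $($rsa.GetType().FullName)"
}

# --- usage ---
$pfxPath  = 'C:\path\to\placeholder.pfx'   # placeholder, replace with a real PFX
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Without -Exportable, Import-PfxCertificate marks the private key non-exportable,
# which is the installation the answer recommends for isolating CSP problems.
$cert = Import-PfxCertificate -FilePath $pfxPath `
                              -CertStoreLocation Cert:\CurrentUser\My `
                              -Password $password

Get-PrivateKeyProviderInfo -Certificate $cert | Format-List
```

Reading the output against the answer: `Exportable = True` means Chilkat can perform the decrypt or sign itself, so a failure there is not a CSP issue. `Exportable = False` (or a `Hardware = True` token provider) means the private-key operation is delegated to CryptoAPI and the named provider, so if decryption of an AES-256 message fails only in that configuration, the provider's algorithm support is the thing to investigate.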