2.13 Set 'Minimum key size (in bits):' to 'Enabled:168'

Information

This policy setting allows you to set the minimum key length for an encrypted e-mail
message. If you enable this policy setting, you may set the minimum key length for an
encrypted e-mail message. Outlook will display a warning dialog if the user tries to send a
message using an encryption key that is below the configured minimum key length. The
user can still choose to ignore the warning and send using the encryption key originally
chosen. If you disable or do not configure this policy setting, a warning dialog will be shown
to the user if the user attempts to send a message using encryption. The user can still
choose to ignore the warning and send using the encryption key originally chosen. The
recommended state for this setting is: Enabled: 168.

Rationale

Cryptographic keys are used to encrypt and decrypt messages for transmission through
unsecured channels. Key sizes are measured in bits, with larger keys generally less
vulnerable to attack than smaller ones. 40-bit and 56-bit keys were common in the past,
but as computers have become faster and more powerful these smaller key sizes have
become vulnerable to brute-force attacks in which the attacking computer rapidly runs
through every possible key combination until it successfully decrypts the message. The
Advanced Encryption Standard (AES) published by the United States government requires
a minimum key size of 128 bits for symmetric encryption, which offers significantly more
protection against brute-force attack than smaller key sizes.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook
2010\Security\Cryptography\Minimum encryption settings\Minimum encryption settings

Then set the 'Minimum key size (in bits):' option to 168.
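A compliance check for this item, as an added example that is not part of the CIS benchmark or the Tenable audit: it reads the per-user policy value that the Group Policy path above writes and reports whether it is present (Enabled) and at or above the required 168 bits. The registry path and value name (HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security, MinEncKey) are assumptions that should be confirmed against the Outlook 2010 ADMX before the script is relied on.

```powershell
# Added example (not from the CIS/Tenable page). Checks the Outlook 2010 policy value
# behind 'Minimum key size (in bits):'. The registry path and value name are ASSUMED;
# confirm them against the Outlook 2010 ADMX template before relying on this check.
param(
    [string]$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security', # assumed
    [string]$ValueName   = 'MinEncKey',   # assumed
    [int]   $RequiredBits = 168           # value recommended by the benchmark item
)

function Test-OutlookMinKeySize {
    param([string]$Key, [string]$Name, [int]$Required)

    # Policy values only exist when the GPO is Enabled; absence means Not Configured/Disabled.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Compliant  = $false
            Configured = $null
            Reason     = 'policy value not present (setting is Disabled or Not Configured)'
        }
    }

    $bits = [int]$item.$Name
    $ok   = $bits -ge $Required   # a larger minimum is treated as meeting the control
    [pscustomobject]@{
        Compliant  = $ok
        Configured = $bits
        Reason     = if ($ok) { "configured minimum $bits meets required $Required" }
                     else     { "configured minimum $bits is below required $Required" }
    }
}

Test-OutlookMinKeySize -Key $PolicyKey -Name $ValueName -Required $RequiredBits | Format-List
```

The check runs in the context of the user whose policy is being audited, since the setting lives under User Configuration. A configured minimum above 168 is reported as compliant because it is at least as strict as the recommended value; change the comparison to `-eq` if the audit requires the exact benchmark value.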

Impact: Users who see the minimum encryption warning can still choose to send the
message with the selected key, so enabling this setting is unlikely to cause significant
disruptions. 128-bit encryption has been widely implemented for several years. Therefore,
enabling this setting is unlikely to cause any usability issues for users.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12

Plugin: Windows

Control ID: 90ed90d84784e46c6771ed7e230e51a2cccf772937eaf34f2be14e74eb48a21c