Selecting an Encryption Type

Microsoft Exchange Server supports three secret-key (symmetric) algorithms: DES with a 56-bit key, CAST 40 with a 40-bit key, and CAST 64 with a 64-bit key. The type of encryption you implement in your organization depends on the level of security your organization requires and on whether you are using an international or a North American version of Microsoft Exchange Server. Organizations that require the strongest encryption available should use either DES or CAST 64.

As you determine the type of encryption that is appropriate for your organization, keep in mind the following:

Encryption Security

An encrypted message is only as secure as the algorithm that's used to encrypt it. The security of an encryption algorithm is measured by how hard it is to find weaknesses in the algorithm that allow someone to decrypt a message without its key. The best an algorithm can do is to leave an attacker no option faster than trying every possible key, which can take many lifetimes depending on the length of the key. The algorithms chosen for Microsoft Exchange Server, DES and CAST, have been studied extensively by cryptography experts and have no known practical attack faster than exhaustive key search.

Algorithms that use longer keys are generally more secure than algorithms that use shorter keys because there are more possible keys to try. Each additional bit doubles the key space, so a 64-bit key space is 2^24 (approximately 16.8 million) times larger than a 40-bit key space, and an exhaustive search of it takes approximately 16.8 million times longer. In Microsoft Exchange Server, cracking the key for one message doesn't crack the key for another message because every message is encrypted with a unique key.

International Considerations

International versions of Microsoft Exchange Server are available only with CAST 40 encryption because of U.S. export restrictions that limit the strength of cryptographic systems shipped outside the U.S. Currently, DES and CAST 64 are available only in versions of Microsoft Exchange Server sold in the U.S. and Canada. Some countries, such as France, have their own restrictions on the use of cryptography. For example, Microsoft Exchange Server advanced security can't be used in France.

International organizations that use Microsoft Exchange Server in a variety of countries can mix and match more than one type of encryption. This is possible because Microsoft Exchange Server maintains information in the directory about the type of encryption that is supported for every user in the organization. If a message is addressed to multiple recipients who are using different types of encryption, Microsoft Exchange Server automatically attempts to encrypt the message using the type of encryption that all recipients share. For example, if a message is addressed to a recipient using CAST 40 and another recipient using CAST 64, the message will be encrypted using CAST 40. Note that this means the message is protected only as well as the weakest recipient's encryption type, even for recipients whose clients support a stronger one. If a message is addressed to a recipient who is not using advanced security, Microsoft Exchange Server allows the user to either not send the message to that recipient or send the message in plaintext format.
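The following is an added example, not code from Microsoft Exchange Server or from its documentation, that models the recipient-capability lookup described above: it picks the strongest encryption type every enrolled recipient supports, flags the recipients whose copy is thereby downgraded, and applies the drop-or-plaintext choice for recipients who are not using advanced security. The directory layout, the sample addresses and all function names are assumptions made for illustration.

```python
"""Added example (not part of the Exchange Server documentation): selecting
the encryption type shared by every recipient of a message.

The directory contents, addresses and function names are constructed for
illustration and are not the product's own data structures."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Key length in bits of each secret-key algorithm named on the page. Key
# length is the strength ranking: longer key, larger key space, longer
# exhaustive search.
KEY_BITS: Dict[str, int] = {"CAST 40": 40, "DES": 56, "CAST 64": 64}

# Constructed directory: address -> algorithms that recipient's client supports.
# An empty set models a recipient who is not enrolled in advanced security.
DIRECTORY: Dict[str, Set[str]] = {
    "alice@corp.example": {"CAST 40", "DES", "CAST 64"},  # U.S./Canada version
    "bob@corp.example": {"CAST 40"},                       # international version
    "carol@corp.example": set(),                           # no advanced security
}


@dataclass
class SendPlan:
    algorithm: Optional[str]                         # type chosen for the encrypted copy
    encrypted: List[str] = field(default_factory=list)   # get the encrypted copy
    plaintext: List[str] = field(default_factory=list)   # get a plaintext copy
    dropped: List[str] = field(default_factory=list)     # not sent to at all
    downgraded: List[str] = field(default_factory=list)  # could accept something stronger


def strongest_common(capabilities: Iterable[Set[str]]) -> Optional[str]:
    """Strongest algorithm present in every capability set, or None if none is shared."""
    sets = [set(c) for c in capabilities]
    if not sets:
        return None
    common = set.intersection(*sets)
    if not common:
        return None
    return max(common, key=KEY_BITS.__getitem__)


def plan_message(recipients: List[str],
                 directory: Dict[str, Set[str]] = DIRECTORY,
                 send_plaintext_to_unenrolled: bool = False) -> SendPlan:
    """Decide how each recipient receives the message.

    Enrolled recipients share the strongest algorithm all of them support.
    A recipient with no advanced security is either dropped (default) or sent
    a plaintext copy, mirroring the two choices the client offers the user.
    """
    enrolled = [r for r in recipients if directory.get(r)]
    unenrolled = [r for r in recipients if not directory.get(r)]
    algorithm = strongest_common(directory[r] for r in enrolled)
    if enrolled and algorithm is None:
        raise ValueError(f"no encryption type shared by {enrolled}")
    plan = SendPlan(algorithm=algorithm, encrypted=enrolled)
    if algorithm is not None:
        # Flag recipients whose copy is weaker than their own client could accept:
        # the weakest common algorithm protects everyone's copy of the message.
        chosen = KEY_BITS[algorithm]
        plan.downgraded = [r for r in enrolled
                           if max(KEY_BITS[a] for a in directory[r]) > chosen]
    if send_plaintext_to_unenrolled:
        plan.plaintext = unenrolled
    else:
        plan.dropped = unenrolled
    return plan


if __name__ == "__main__":
    everyone = list(DIRECTORY)
    print(plan_message(everyone))
    print(plan_message(everyone, send_plaintext_to_unenrolled=True))
```

Run as a script, the first plan encrypts the copy for alice and bob with CAST 40 (alice is listed as downgraded because her client supports CAST 64) and drops carol; the second plan sends carol a plaintext copy instead. The `downgraded` list is the thing worth surfacing to a user: a mixed recipient list silently reduces protection for everyone on it, including the people whose clients could do better.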

United States Legal Considerations

Current U.S. State Department export regulations prohibit the export of software containing strong encryption outside the U.S. and Canada. To help administrators in the U.S. comply with these regulations, the Microsoft BackOffice Resource Kit: Part One includes a form for temporarily exporting encryption products. You can use this form if you're traveling outside the U.S. with a laptop that uses advanced security with the Microsoft Exchange Client. For more information, see the Tools directory on the Microsoft BackOffice Resource Kit: Part One compact disc.

Moving Messages to Another Encryption Type

If users move to another location within your organization that uses a different type of encryption, they can transfer their encrypted messages from one type of encryption to another using the Bulk Advanced Security tool (Sectool.exe). For example, a user transferring from an office in the U.S. to Britain can use Sectool.exe to convert encrypted mail from CAST 64 to CAST 40.

The following describes the steps to follow when using Sectool.exe. For more information about using the tool, see the online Help for Microsoft Exchange Server Resource Kit Tools (Exchtool.hlp) that is included on the Microsoft BackOffice Resource Kit: Part One compact disc.