Outlook 2010 encrypts using RC2, instead of 3DES


  • Hello

    There is a recent question about this on the Forum. It's been proposed as the same answer by the Author, and I've confirmed at lest in my case, it didn't work. I updated the registry as described, by setting the key


    default (REG_SZ) to 1

    The other setting to provide compatibility to other email clients ( and thunderbird), I've changed the encryption type in "current user"


    All emails are still being sent out using RC4 for this particular user.

    Another user receives the email that I send encrypted as 3DES, whereby they both have similar certificates issued by the same CA (CAcert).

    From the user that can receive only RC2, the EKUs are the same as the user that can receive 3DES. I see nothing in the public key that suggests the capabilities for S/MIME. They were using

    I'd appreciate any feedback. Thanks, Jason.

    • Edited by Jason Curl Friday, April 08, 2011 12:57 PM Corrected title
    Wednesday, April 06, 2011 8:21 PM

All replies

  • Hello Jennifer,

    I've read this site already. How does this help me to use 3DES encryption as a minimum? There is the MinEncKey setting which I've enabled to 128-bit, but this provides a warning only. It still encrypts to RC2. Or I can choose not to send the message at all, or unencrypted.

    There are two problems that I see:

    * Outlook doesn't see a Microsoft extension RFC 4262 in the recipients certificate. I doubt there are many certificates that implement this. And I have no idea how a user can provide this. One certificate per client sounds also suboptimal, dependent on the capabilities of the client.

    * RFC 3851 is a bunch of "shoulds" where RC2 is allowed, but the user should be warned (ok). It does ignore however, the fact that the recipient has already sent me messages encoded using 3DES, also a recommendation in this RFC, regardless if the S/MIME message sent doesn't have the capabilities as part of the message itself.

    How can I force outlook to use 3DES as the backup encryption, should say, AES-256, be determined as not usable. As I can tell, this was the behaviour in Outlook 2007 and earlier.

    Is there anywhere I can tell outlook what encryption a user can accept, perhaps in the contact list? Not all recipients receive RC2 encryption, only those with specific clients (Outlook 2002 and Thunderbird clients do get 3DES replies.



    Friday, April 08, 2011 12:55 PM
  • After some more investigation, I've determined at least why it might be encrypting RC2 according to the standards. When a particular client doesn't include any SMIME capabilities, I'm guessing that outlook assumes the conservative approach and is using RC2. However, if the user sends an email from a different computer and different email address with a different certificate, however, associated with the same contact in outlook (e.g. sent from outlook 2007 that does send SMIME), i would have expected to be able to encrypt my emails at higher grade. Instead it it still using low grade RC2.

    Is there anything I can change, to force outlook to use a highergrade encryption method for users, as specified in SMIME? I've deleted the contact, readded them with the email that does support SMIME, but somehow Outlook 2010 still thinks it should use RC2. I'm totally perplexed by this behaviour, and have no idea how to reconfigure outlook to use capabitilies, even this client, can use.

    Any help welcome,


    Sunday, April 10, 2011 9:27 PM
  • Hallo Jason

    This behavor is changed in the February 2011 Hotfix Package for Outlook 2010:


  • When you send an encrypted email message to a recipient and Outlook 2010 cannot determine the encryption algorithm that applies to this recipient, RC2-40 is selected as the encryption algorithm instead of the default 3DES. This issue occurs if the following conditions are true:
    • The certificate is auto-enrolled in the userCertificates attribute in Active Directory Domain Services (AD DS) or it is added to your contacts from a .cer file.
    • The certificate has no S/MIME Capabilities extension.




    Viele Grüsse Georg Flühmann
Friday, May 06, 2011 9:36 AM
  • Go to e-mail accounts and click properties,then click security and change Algorithm to whatever you want

    Paul Napolitano

    Saturday, January 26, 2013 1:34 AM