Technical reference details about encryption

Refer to this article to learn about certificates, technologies, and TLS cipher suites used for encryption in Office 365. This article also provides details about planned deprecations.

Microsoft Office 365 certificate ownership and management

You don't need to purchase or maintain certificates for Office 365. Instead, Office 365 uses its own certificates.

Current encryption standards and planned deprecations

To provide best-in-class encryption, Office 365 regularly reviews supported encryption standards. Sometimes, old standards are deprecated as they become out of date and less secure. This article describes currently supported cipher suites and other standards and details about planned deprecations.

FIPS compliance for Office 365

All cipher suites supported by Office 365 use algorithms acceptable under FIPS 140-2. Office 365 inherits FIPS validations from Windows (through Schannel). For information about Schannel, see Cipher Suites in TLS/SSL (Schannel SSP).

Versions of TLS supported by Office 365

TLS, and SSL that came before TLS, are cryptographic protocols that secure communication over a network by using security certificates to encrypt a connection between computers. Office 365 supports TLS version 1.2 (TLS 1.2).

TLS version 1.3 (TLS 1.3) is currently not supported.

Support for TLS 1.0 and 1.1 deprecation

Office 365 stopped supporting TLS 1.0 and 1.1 on October 31, 2018. We have completed disabling TLS 1.0 and 1.1 in GCC High and DoD environments. We began disabling TLS 1.0 and 1.1 for Worldwide and GCC environments beginning on October 15, 2020 and will continue with roll-out over the next weeks and months.

To maintain a secure connection to Office 365 and Microsoft 365 services, all client-server and browser-server combinations use TLS 1.2 and modern cipher suites. You might have to update certain client-server and browser-server combinations. For information about how this change impacts you, see Preparing for the mandatory use of TLS 1.2 in Office 365.

Deprecating support for 3DES

Since October 31, 2018, Office 365 no longer supports the use of 3DES cipher suites for communication to Office 365. More specifically, Office 365 no longer supports the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Since February 28, 2019, this cipher suite has been disabled in Office 365. Clients and servers that communicate with Office 365 must support one or more of the supported ciphers. For a list of supported ciphers, see TLS cipher suites supported by Office 365.

Deprecating SHA-1 certificate support in Office 365

Since June 2016, Office 365 no longer accepts an SHA-1 certificate for outbound or inbound connections. Use SHA-2 (Secure Hash Algorithm 2) or a stronger hashing algorithm in the certificate chain.

TLS cipher suites supported by Office 365

TLS uses cipher suites, collections of encryption algorithms, to establish secure connections. Office 365 supports the cipher suites listed in the following table. The table lists the cipher suites in order of strength, with the strongest cipher suite listed first.

Office 365 responds to a connection request by first attempting to connect using the most secure cipher suite. If the connection doesn't work, Office 365 tries the second most secure cipher suite in the list, and so on. The service continues down the list until the connection is accepted. Likewise, when Office 365 requests a connection, the receiving service chooses whether TLS will be used and which cipher suite to use.

Important

Be aware that TLS versions deprecate, and that deprecated versions should not be used where newer versions are available. TLS 1.3 is currently not supported. If your legacy services do not require TLS 1.0 or 1.1 you should disable them.

| Cipher suite | Key exchange algorithm/strength | Forward Secrecy | Cipher/strength | Authentication algorithm |
|---|---|---|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDH/192 | Yes | AES/256 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDH/128 | Yes | AES/128 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDH/192 | Yes | AES/256 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDH/128 | Yes | AES/128 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH/192 | Yes | AES/256 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDH/128 | Yes | AES/128 | RSA/112 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA/112 | No | AES/256 | RSA/112 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA/112 | No | AES/256 | RSA/112 |
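
The selection order described above can be checked offline against the suites and protocol versions a client is configured to offer. This is an added example, not Microsoft's code: the function name `negotiate` and the sample client configurations are constructed for illustration, and the suite list is copied from the table above.

```python
# Added example: model the strongest-first selection this article describes,
# using the supported-suite table above. Not part of the original page.
O365_TLS12_SUITES = [
    # (IANA suite name, forward secrecy) in the table's order
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", True),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", True),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", True),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", True),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", True),
    ("TLS_RSA_WITH_AES_256_GCM_SHA384", False),
    ("TLS_RSA_WITH_AES_128_GCM_SHA256", False),
]
LEGACY_VERSIONS = {"TLS 1.0", "TLS 1.1"}  # deprecated per this article


def negotiate(client_suites, client_versions):
    """Return (selected_suite_or_None, findings) for a client configuration."""
    offered = {s.strip().upper() for s in client_suites}
    versions = set(client_versions)
    findings = []
    for v in sorted(versions & LEGACY_VERSIONS):
        findings.append(f"{v} enabled: disable it if no legacy service needs it")
    for s in sorted(offered):
        if "3DES" in s:
            findings.append(f"{s} offered: 3DES is disabled in Office 365")
    if "TLS 1.2" not in versions:
        findings.append("TLS 1.2 not offered: connection will be refused")
        return None, findings
    # Walk the service's list from strongest to weakest until one matches.
    for name, forward_secrecy in O365_TLS12_SUITES:
        if name in offered:
            if not forward_secrecy:
                findings.append(f"{name} selected: no forward secrecy")
            return name, findings
    findings.append("no supported cipher suite offered: handshake will fail")
    return None, findings


if __name__ == "__main__":
    # Constructed sample: a legacy client that was never updated.
    legacy = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    suite, notes = negotiate(legacy, ["TLS 1.0", "TLS 1.2"])
    print(suite)
    print("\n".join(notes))
```
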

These cipher suites supported TLS 1.0 and 1.1 protocols until their deprecation date. For GCC High and DoD environments that deprecation date was January 15, 2020, and for Worldwide and GCC environments that date was October 15, 2020.

| Protocols | Cipher suite name | Key exchange algorithm/Strength | Forward Secrecy support | Authentication algorithm/Strength | Cipher/Strength |
|---|---|---|---|---|---|
| TLS 1.0, 1.1, 1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH/192 | Yes | RSA/112 | AES/256 |
| TLS 1.0, 1.1, 1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDH/128 | Yes | RSA/112 | AES/128 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_256_CBC_SHA | RSA/112 | No | RSA/112 | AES/256 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA | RSA/112 | No | RSA/112 | AES/128 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA/112 | No | RSA/112 | AES/256 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA/112 | No | RSA/112 | AES/256 |

TLS Cipher Suites in Windows 10 v1903

Encryption in Office 365

Set up encryption in Office 365 Enterprise

Schannel implementation of TLS 1.0 in Windows security status update: November 24, 2015

TLS/SSL Cryptographic Enhancements (Windows IT Center)

Preparing for TLS 1.2 in Office 365 and Office 365 GCC