Christoph Gruber
Thu, 21 Jun 2007 10:47:18 -0700
[EMAIL PROTECTED] wrote:

Steve,

It could be that the linkage between user ids and auth keys is too weak, allowing a MITM attack to be undetected that sniffs the data encryption key. This seems to be a common problem with many of the secure protocols I've examined.

- Alex

Ahoi!

Nobody knows what the BlackBerry does with the decrypted data. The whole device is a black box, so it is able to do anything it is programmed for, with all the data transmitted to it.
-- Grisu
----- Original Message -----
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: cryptography@metzdowd.com
Subject: Blackberries insecure?
Date: Wed, 20 Jun 2007 23:41:20 -0400

According to the AP (which is quoting Le Monde), "French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies."

That's a bit puzzling. My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers. In fact, I found this text on Blackberry's site:

    Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry device user. Each secret key is stored only in the user's secure regenerated by the user wirelessly. Data sent to the BlackBerry device is encrypted by the BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the device where it is decrypted with the key stored there. Data remains encrypted in transit and is never decrypted outside of the corporate firewall.

Of course, we all know there are ways that keys can be leaked.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]