[EMAIL PROTECTED] wrote:
Steve,
It could be that the linkage between user ids and auth keys is too weak,
allowing a MITM attack to be undetected that sniffs the data encryption
key. This seems to be a common problem with many of the secure protocols
I've examined.
- Alex
Ahoy!
Nobody knows what the BlackBerry does with the decrypted data. The
whole device is a black-box, so it is able to do anything it is
programmed for, with all the data transmitted to it.
--
Grisu
----- Original Message -----
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: cryptography@metzdowd.com
Subject: Blackberries insecure?
Date: Wed, 20 Jun 2007 23:41:20 -0400
According to the AP (which is quoting Le Monde), "French government
defense experts have advised officials in France's corridors of power
to stop using BlackBerry, reportedly to avoid snooping by U.S.
intelligence agencies."
That's a bit puzzling. My understanding is that email is encrypted
from the organization's (Exchange?) server to the receiving Blackberry,
and that it's not in the clear while in transit or on RIM's servers.
In fact, I found this text on Blackberry's site:
Private encryption keys are generated in a secure, two-way
authenticated environment and are assigned to each BlackBerry
device user. Each secret key is stored only in the user's secure
regenerated by the user wirelessly.
Data sent to the BlackBerry device is encrypted by the
BlackBerry Enterprise Server using the private key retrieved
from the user's mailbox. The encrypted information travels
securely across the network to the device where it is decrypted
with the key stored there.
Data remains encrypted in transit and is never decrypted outside
of the corporate firewall.
Of course, we all know there are ways that keys can be leaked.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]