Schneier on Security
A blog covering security and security technology.
« Risk and Culture |
| Surveillance in China »
May 21, 2008
BlackBerry Giving Encryption Keys to Indian Government
RIM encrypts e-mail between BlackBerry devices and the server the server with 256-bit AES encryption. The Indian government doesn't like this at all; they want to snoop on the data. RIM's response was basically: That's not possible. The Indian government's counter was: Then we'll ban BlackBerries. After months of threats, it looks like RIM is giving in to Indian demands and handing over the encryption keys.
EDITED TO ADD (5/27): News:
BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encrytion key to the government as its security structure does not allow any ‘third party’ or even the company to read the information transferred over its network.
EDITED TO ADD (7/2): Looks like they have resolved the impasse.
Posted on May 21, 2008 at 2:09 PM
• 48 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Do they have a choice if they want to operate in India? Anyone know offhand what the record of US companies versus foreign countries might be? They don't seem to do so well on their own.
If I remember correctly it took the US State Department intervention in the eBay case before the Indian government backed down.
The scary part of this is that it is even possible, and that devices don't use device generated and stored keys. Does anyone here doubt that the US Gov has had the keys for a while?
BlackBerrys are often used because they are considered 'secure'. Wouldn't it be wise for RIM to let its customers enable their own encryption?
Sorry, should have said foreign companies dealing with national issues abroad, rather than just US.
I mean if a citizen travels abroad, should he/she be able to use his/her home company's encrypted communication channels even if it transits a local country's infrastructure?
Anyway, here's the eBay case I mentioned:
The article implies that Blackberry can choose what accounts or classes of accounts it wants to reveal the keys for. Perhaps it's even per-device. That implies that they're able to read it, even if they don't share the keys with anyone.
Why would I sign up for encrypted email (or encrypted anything, for that matter) if it's not end-to-end encrypted?
I don't blame Blackberry for caving in return for market access, I blame the market for trusting their "security".
@ Paul and Markus
You can, in general terms. MidpSSH, for example, is available for Blackberry and you can setup your own encryption.
I think the core issue is that the Indian gov't seems to be demanding RIM put a proxy or similar system in gov't control. So even if users setup their own encryption for their device, unless it was going to a different endpoint it would expose data to the gov't server.
This does seem a bit overblown. Most of that e-mail is transport-encrypted only on the last leg -- between the server and the blackberry device. But during the remainder of the transit, it's going over unencrypted smtp. So that e-mail has no presumption of encryption-guaranteed privacy anyway, as it could have been intercepted at any one of a number of gateways. Particularly if the government is doing the intercepting.
In fact, it's a little difficult for me to understand why the Indian government would care enough about this to put the screws on RIM. Why would they care about plucking e-mail out of the air, when they can just stake out the wires instead?
And, also, what about other devices (like, say, the Treo family) that can do secure IMAP and TLS/SMTP with a remote server? It is perfectly feasible for a "person of interest" to set up a secure mail link between such a device and a mail server, using nothing but commodity protocols. Is the Indian government going to demand that SMTP/IMAP servers not honor secure protocols if the remote client is detected to be a mobile device?
The government officials driving this would seem to be underinformed.
"Why would I sign up for encrypted email (or encrypted anything, for that matter) if it's not end-to-end encrypted?"
Er, it is end-to-end, which is why this rose up as an issue for the Indian gov't. The key management/strength is the bone of contention.
The RIM client sends encrypted messages through a RIM NOC to a RIM server managed by the RIM customer.
Given that, the Indian gov't gave two options: either weaken the encryption or allow the messages to be transparently proxied (allow messages to be decrypted and reencrypted) at a server run by the Indian gov't.
So while it appears key management is the, er, key you can still switch to SSH, or PGP, etc. on the Blackberry if you want end-to-end key management that you can control exclusively.
How long do think it will be before the keys "leak" to the hacker/cracker community?
Interesting ... first line of the article is " MUMBAI: In a major change of stance, Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys." This implies that corporate users who have Blackberry Enterprise Servers will NOT have their keys handed over, just those who use RIM's servers.
I hate to say it but this not the first time RIM have had their (supposedly) secure credentials called into question.
If I remember correctly the first time was over their KeyMat structure. In essence they issued the keys to the users so always knew what was going from A2B.
Which begs the question,
"if somebody who by defiition cannot be trusted holds the keys to your kingdom, who realy owns the kingdom?"
There is a second way more important issue that has not been mentioned "OS / app code update". If RIM can arbiteraly send a code patch to your handheld and have it install (as most mobile phone operators can) can you trust the device at any time?
Put more simply what is to stop them putting a "shim dll" between the keypad and OS and the OS and Screen Driver, the purpose of which is to send the raw keypress and screen image back to a third party?
If they can do this (and I have every reason to believe they can) then no security software will be secure on the device at any time (again true of all mobile phones).
So put simply end of game, executives have sold all their mobile security for the sake of a nice looking device...
Any one from RIM etc care to comment to the contary and back it with reliable provable evidence?
Justin, Mr. Schneier most likely made a typo as there is no such thing as 236-bit AES encryption.
Schneier is not very knowledgeble and not very competent, but he's allowed to make occasional typos.
@ Angus S-F
yes, good point.
"BlackBerry offers two kinds of services — for enterprise (corporate) customers and for individual (non-corporate) users. Majority of its 1,14,000-plus customers in India are from the enterprise segment. However, decrypting emails of non-corporate customers is a larger security concern for Indian intelligence agencies. "
Seems like this just emphasizes that if you want to encrypt your blackberry communication you need to control your own endpoint.
Sounds like "corporations" get more rights than those who truly are corporal.
"How long do think it will be before the keys 'leak'..."
They can be configured to rotate automatically. I think RIM recommends every 2 - 4 weeks. If the gov't gets the RIM proxy, then they could happily rotate along.
Ok, so what will India say about ActiveSync phones? I believe they use 128bit SSL. Will they go after any mail provider who serves the non-corporate?
There's a reason why my #1 request for mobile devices (like the iPhone I currently use) is full S/MIME signatures and encryption.
The Indian government suffers from the legacy of British colonialism and is a minority group trying to keep masses under control. VERY heavy bureacracy and very paranoid. Virtually everything is regulated to ridiculous levels. They raised the British art of Old Boy Network to an entirely new form.
The reason the govt wants access is because they have noticed many islamic terrorists that are being pushed into india via kashmir by the shithole known as pakistan have been caught with blackberries in possession since communication is encrypted. That's the main reason. P
I've done software development on the BlackBerry platform and my understanding from my past employer is that RIM (being a Canadian company) also had to give the encryption keys to for BlackBerry server traffic to the FBI before they could operate in the good old USA.
Simple solution: use S/MIME or PGP. With this you should have complete control of the encryption...granted there isn't an additional secret key controlled by Blackberry, it should be noted that Blackberry's S/MIME solution is proprietary
If someone else has your encryption keys, it really wasn't secure to begin with.
Who cares if the Indian government has access to something that was insecure to begin with.
If you want security, make sure you communicate using a method where only those on a need to know basis have access to encryption keys.
I have no idea how Blackberry encryption works, but if RIM can decrypt your communications, you would be stupid to trust that it's unbreakable.
So who cares? Who is this encryption supposed to protect you against anyway, if you're not in control of your own encryption keys?
I am an Indian. I don't think the Indian Govt is as paranoid as you assume it to be.
Atleast not as the US/UK governments are.
Good point. Perfect.
All it does is gives the Indian government the same access to your messages as the Canadians, US, Australians , UK, German, French,......
The difference is that access in this case will be given without the Indian government being supplied with the sort of decryption technology available in the US etc.
Give them a few months and they'll probably develop it themselves. I can only assume RIM will be quietly asked to give in just to make it unnecessary for the Indians to do it themselves.
Virtually real-time decryption of your messages is possible without the keys so they're bound to work it out soon.
The user would be better off selecting their own encryption, but that's a bit of a headache for RIM, and only a slight headache for powers that be.
Of course you can always encrypt your message and then email it, can't you? It just means you have to do the work.
I guess they're only only after the amateurs anyway. There are plenty of systems which the spooks can't penetrate, no matter how well equipped, with or without the help of network or service providers.
The real problem with all this surveillance is that there are too many corrupt government employees and officials everywhere to have this sort of thing not end in disaster eventually.
It's just a matter of who the disaster befalls. It's probably unlikely to be your average terrorist type.
If I were a corporate manager in India, my answer would be: then I'll not use BlackBerries.
The encryption keys can't be localized so potentially, the Indian govt will be able to read any and all email going through RIM, excuse the pun, anywhere in the world.
They would have been able to charge more and therefore make a higher profit margin on fewer customers if they had been trustworthy.
> Do they have a choice if they want to operate in India?
> Wouldn't it be wise for RIM to let its customers enable their own encryption?
If you look at the breakdown of OS use in the embedded market the numbers are scary. Maximum of 3 OSs with 90% market share. Most closed source.
> I mean if a citizen travels abroad, should he/she be able to use his/her home company's
according to the the PATRIOT act, no.
Oh, you mean traveling to countries other than the US; I see what you did there.
> Enterprise Servers will NOT have their keys handed over, just those who use RIM's servers.
I think RIM may have realized the giving the Indian government what they want, they could realize an increase in sales of their Enterprise product.
> How long do think it will be before the keys "leak" to the hacker/cracker community?
Not sure... but I suspect that Pakistan intelligence service will, followed by...
> what will India say about ActiveSync phones?
That's a separate conversation India will have with the appropriate parties... and with a billion potential consumers, it will be an easy conversation that will go India's way.
> VERY heavy [bureaucracy] and very paranoid.
Doesn't sound that different from any country where an extremely small minority control the vast majority of wealth.
> If someone else has your encryption keys, it really wasn't secure to begin with.
yes, but since nobody seems to have been able to do key management thing right for the masses, putting the keys in the control of "competent" hands and telling everyone that everything is "secure" improves market share.
> Who cares if the Indian government has access to something that was insecure to begin with.
Their customers who thought otherwise? Microsoft must be loving this.
> All it does is gives the Indian government the same access to your messages as the Canadians, US, Australians , UK, German, French,......
nothing that hasn't been done with Echelon in the past...
> encrypt your message and then email it[...] It just means you have to do the work.
If there's one think that you should know about users by now, it's that that they do what is easy, not what is secure.
> It's probably unlikely to be your average terrorist type.
Don't buy the "we surveil to prevent terrorism" hype. Make no mistake that domestic surveillance is about something far sinister.
Seriously, this is a very minor deal, not worth this kind of hyperventilation. All that e-mail travels at least one network segment in cleartext -- and probably more than one. Encrypting the server-to-device leg protects against guys with radio receivers, that's all. Even if the Indian government allowed maximum-security encryption on the wireless segment, they could easily sniff the traffic elsewhere. That's why their heavy-handed efforts make no sense, and are more to be pitied than despised.
There's plenty of other fuel for worries about government encroachment on privacy and liberty. This is just silliness, and not worth the outrage it is generating.
"if a citizen travels abroad, should he/she be able to use his/her home company's encrypted communication channels even if it transits a local country's infrastructure?"
Yes. Just as a citizen traveling abroad should be able to speak freely across the dinner table, free of government-installed listening devices.
From a marketing point of view it is a disaster. I agree with the readers who said the system wasn't secure to begin with, but many people believe(d) otherwise. I also agree that all the commotion is somewhat hypocritical. us customs has the right to access any single file on your computer when you cross a border into the country if they feel like it, how about that?
@ Carlo Graziani,
"All that e-mail travels at least one network segment in cleartext -- and probably more than one"
You are not quite looking at it correctly, if the server is in the U.S. and the person sending the email is also in the U.S. but the Crackberry user is in India (say a sales rep or contract negotiating executive). Then the Indian Gov does not have access to the unencrypted portion of the traffic only the encrypted.
As noted above the main reason is probably not Pakistan but "competative advantage" which the French have openly admitted to in the past and various countries including the "Democratic U.S.A." have been caught doing on a number of occasions.
Als oas I said earlier, due to the fact that the device manufacturer and the network provider can update the software on all Mobile Phone type devices then, there is no way these devices can ever be secure.
And please do not talk about "code signing" invariably this is "gateway" only security. Once an app or other code is loded on the device (signed or not) the code is not checked before it is executed due to such dull things such as resource limitations.
If you want security on your comms then do it properly not through some "executive toy" that is not 100% under your control.
The Indian government has shown over the past year that they are very concerned to monitor "Indian data" -not only for citizens or terrorist amongst those, but also global enterprises!- and put steep requirements onto international telcos. It's become a worrying trend globally where the large nations-of-state all to have their own needs over data that isn't actually theirs in the first place - anyone should nowadays better be careful with their personal data or IP going over wires without strong encryption.
Question is which (software) supplier won't sell their keys to their bit of cypherspace? Opensource seems to be the safest bet for now!
From Mordaxus over at Educated Guesswork:
"What I was told is that this is complete FUD and false. The BlackBerry crypto is real crypto, just like SSL, PGP, S/MIME or anything else. The keys are generated on the handsets and on the BES server. There is end-to-end crypto, using real protocols like SPEKE. RIM doesn't have the keys to give. RIM cannot give the keys over because only the devices have them."
In my understanding, BB has 2 different services, the corporate uses a server and works like it says above, which is why they didn't get the keys to them. The other, called BIS, uses RIM servers in Canada, so the Indian govt. got access to the encrypted channel only. I assume they set up servers in India for the service to give the goverment access.
Did anyone else notice this little gem?
> However, the government’s decryption software can decode messages encrypted only up to 40 bits. India wants RIM to either hand over the decryption keys or reduce encryption to 40 bits.
So, they just admitted that the Indian gov't can, at will, snoop & crack _any_ electronic message encrypted at 40 bits or less.
It should have been obvious to anyone that took time to think about it that such a service would never be safe from government eavesdropping. It only keeps it safe from the prying eyes of other members of the public.
Maybe I'm a bit of a Luddite in this regard but I use a cellular phone for phone calls and leave e-mail where it belongs, on my computer.
These articles in India are probably BS. The BlackBerry uses symmetric key encryption for enterprise and are generated by the end user. So RIM could not possibly hand over keys that it does not have.
According to the RIM website, the non-corporate BlackBerry emails are not encrypted, but they supposedly use some other weird system that protects from prying eyes. People buy Blackberry's because they are supposed to be keep your emails and stuff private, otherwise why buy the thing when an average mobile will do. If RIM execs sacrifice the average joe's emails while protecting big corporations, then that tells you something about the ethics of those execs. Shame on them, people expect better of them and if the average non-corporate BlackBerry user knew that RIM could read emails, they probably wouldnt buy the damned things.
Get it together RIM, grow a spine and fight back for the average people too, otherwise you're doing nothing but decieving people into a false sense of security.
Speaking of keys, i don't know anything about what they did, but there is some plausible speculation:
Assuming that blackberry uses some secure key exchange scheme, e.g. (for simplicity) Diffie-Hellman + signature check, the endpoint server could just log and give indian govt. its own private exponents. Then if indian govt. has sniffed key exchange, it could find shared secret and decode message.
(btw same applies to sniffed data from SSL and SSH sessions made with broken debian/ubuntu's openssl)
"What I was told is that this is complete FUD and false. The BlackBerry crypto is real crypto, just like SSL, PGP, S/MIME or anything else. The keys are generated on the handsets and on the BES server. There is end-to-end crypto, using real protocols like SPEKE. RIM doesn't have the keys to give. RIM cannot give the keys over because only the devices have them. "
"BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encrytion key to the government as its security structure does not allow any ‘third party’ or even the company to read the information transferred over its network. "
the Indian Governement is extremely paranoid. They do have a valid reason. If you dont understand, count the number of lives being lost to terrorism attacks in India every year. They are taking merely taking care of the larger interests of the nation.
Does RIM comply to US CALEA Communications Assistance for Law
Enforcement Act, 1994 ?? if RIM is allowing US to snoop on blackberry data why this double speak of impregnable encryption beyond control of RIM.
I guess RIM think people in India still ride elephants while sending emails.
> merely taking care of the larger
> interests of the nation.
Surveillance is an important tool for law enforcement organizations, but we should only allow them to violate our privacy in the limited context of a criminal investigation.
Here the Indian government is not requesting to investigate a particular suspect, but the ability to monitor the entire Blackberry user base.
If the intent isn't Orwellian, then it's just stupid. Like using radar on swimming pools to look for an escaped tiger.
The Economic Times reported on 30 May 2008 that India had given RIM an ultimatum.
"Open code or shut shop, DoT tells RIM"
"NEW DELHI: The department of telecom (DoT) is learnt to have issued an ultimatum to Canada’s RIM, the maker of the BlackBerry smartphone, that it will have to provide encryption solutions if it wants to continue operations in India...."
If people did their homework before posting it would be more productive.
RIM decision is based on 'Security vs $$$'.
Anyone remember what Benjamin Franklin said about security and liberty?
The amount of misinformation in this thread and around the India story is unbelievable. Obviously, no one took the time to perform research on RIM's website and read their security white papers.
When leaving a device, all BlackBerry emails are sent to the local cellular service provider and then routed through the RIM Operations Centre; the main one is in Waterloo.
If a corporation has a BlackBerry Enterprise Server (BES), all corporate emails are encrypted between the device and the corporation's BES, and are not accessible by the local service provider or RIM (or any other law enforcement agency) until the email hits the Internet after the BES decrypts it. RIM also offers a PGP or S/MIME support package for true end-end encryption between sender and receiver in these cases.
Non-corporate email service is handled by the BlackBerry Internet Service (BIS) hosted by the service provider of the local country (e.g., Rogers in Canada or Hutch in India). These are NOT encrypted, and if the local gov't needs access to these emails, they need only to legally request them from the service provider, as all these emails are stored in a webmail account. Therefore, a public user cannot expect any greater email security when using a BlackBerry then if using Hotmail or other webmail service.
So, for non-corporate users, RIM is not giving India anything more than it already has, as the BIS service provider is an Indian entity and not controlled by RIM.
Funny thing is that the above comment from Maxwell Smart has more good information than most of the blogs and articles I recently read about BlackBerry security - sometimes I just don't get why journalists have to dumb everything down or do not get facts right before writing...
An Enterprise BlackBerry handheld (using an Enterprise server) is totally different security technology than the consumer version!
so heres what apparently has happened. This is just second hand, so take it for what its worth> RIM made a temporary deal with the Indian government only a few weeks ago. RIM agreed to shut off the weak BIS encryption [aka compression] for all new devices and accounts established through Indian carriers. Existing devices will somehow slowly be converted over, possibly by forcing re-registration. PIN to PIN is not affected, but RIM may have provided the global key which allows devices to PIN outside of corporate networks (although that would be such a monumentally stupid thing it is highly unlikely they did that.)
BES email encryption has been left intact for now. What does this mean to you? If you travel to india, do not put a local carrier SIM card in your device. If you live in India, download a free copy of BlackBerry Unite. I dont think the Indian government won this one. Good for you RIM.
I would like to focus on another aspect: the security of the master encryption key (which encrypts the message keys) which is unique to BlackBerry device and (securely) stored on the BES and the BlackBerry device. In wireless environments the rollout of BlackBerrys and thus the creation and update of the master encryption key is made „over the air“ through the so called wireless enterprise activation. So the packets may be interceptet somehow (possibly as well through certain agencies...) und the security depends on the security of the technical and organizational implementation of wireless enterprise activation. Wireless enterprise activation uses the SPEKE protocol to derive and exchange the master encryption key between the BlackBerry device and the BES (BlackBerry Enterprise Server). Q Tang showed in May 2005 in his paper „On the security of some password-based key agreement schemes“ (see http://citeseerx.ist.psu.edu/viewdoc/summary?... ) that the BPKAS-SPEKE scheme suffers two vulnerabilities which are:
a. when one entity shares the same password with at least two other entities
b. when two instances oft he (SPEKE) protocol are concurrently executed
In my understanding these two theoretical vulnerabilities do not affect the BlackBerry Enterprise Solution because of:
a. only one entity (= BES) shares the (activation) password with only one entity (BlackBerry device). Furthermore: in the calculation of the master encryption key an identifier is included (in my interpretation this is the respective public key of the BES or the BlackBerry or the transaction ID) device). Thus, the wireless enterprise activation is immune to a.
b. the initial key establishment protocol as well al the key rollover protocol uses a unique ‚session identifier‘ in the computation of the (new) master encryption key (which is in my interpretation the transaction ID). Furthermore: I do not think that it possible to execute concurrently two instances of neither the enterprise activation nor the programm that executes the automatic update of the masterkey. Thus, the key rollover protocoll is immune to b.
Any comments on this?
Now I'm not an engineer but I do know this, regarding BES, even when emails are sent on the same email network where they are encrypted between device and server, all you have to do is gain access to the mailbox and voila, plain text.
And really, how hard is it to hack an email mailbox?
Google "Results 1 - 10 of about 18,400,000 for how to hack email. (0.33 seconds) "
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.