Slashdot Mirror


RIM Agrees To Hand Over Its Encryption Keys To India

An anonymous reader writes "BlackBerry maker Research in Motion's (RIM) four-year standoff with the Indian government over providing encryption keys for its secure corporate emails and popular messenger services is finally set to end. RIM recently demonstrated a solution that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies. An amicable solution over the monitoring issue is important for the Canadian smartphone maker since India is one of the few bright spots for the company that has been battling falling sales in its primary markets of the US and Europe. In India, RIM has tripled its customer base to close to 5 million over the last two years."

14 of 164 comments

  1. Yes but this won't help by Sir_Sri · · Score: 5, Insightful

    Part of the appeal of RIM was that you knew governments weren't out there stealing secrets sent across your network. I understand that India has a legitimate security need to be able to wiretap communications and so on. But this isn't going to 'help' RIM. This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the Indian government was going to steal your work and sell it to someone else (which is a serious concern in India).

    If anything, this just levels the playing field. And that's bad for RIM, because they aren't competitive.

    1. Re:Yes but this won't help by Moblaster · · Score: 5, Insightful

      It's pretty clear what happened. They kept the keys secret and held out for a long time on "principle" because that was the best business decision at the time. Then, as the onslaught of iPhone and Android took its toll, the principle changed to survival, because that became the new best business decision.

      It's sad, but at this point, it hardly affects any country but India anyway!

    2. Re:Yes but this won't help by narcc · · Score: 5, Informative

      As has been pointed out over and over again, This Does Not Affect BES Users.

      Everyone else is just as insecure as they always were. If you want security in India, RIM is still your only real choice.

      More details here

    3. Re:Yes but this won't help by Prune · · Score: 4, Insightful

      They only have the keys to the non-business service. Corporate users deploying BlackBerry Enterprise Server create their own key pairs when registering each handset with the company's BES server, and so control the encryption end-to-end. There are no third parties with access to these keys, making this far more secure than SSL, for example. The article is FUD.

      --
      "Politicians and diapers must be changed often, and for the same reason."
  2. Not quite the full story... by Shabbs · · Score: 4, Informative

    Please, the BES keys have not been handed over... because they can't be...

    http://crackberry.com/rim-encryption-keys

    BIS != BES.

    --
    Mark
  3. Moral of the story by characterZer0 · · Score: 4, Insightful

    Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.

    --
    Go green: turn off your refrigerator.
    1. Re:Moral of the story by Opportunist · · Score: 4, Insightful

      In this case you don't even control ANY part of the encryption, not even on your end. Something that is the absolute bare minimum for any kind of security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. It's OK... by tlambert · · Score: 4, Funny

    Half the country has been unable to recharge their Blackberries for two days in a row anyway.

  5. Saving Face by Anonymous Coward · · Score: 5, Informative

    from the fine article:

    "But he said there was no access to secure encrypted BlackBerry enterprise communications or corporate emails as these were accessible only to the owners of these services."

    The reality is BES uses keys assigned by the owner of the BES server. RIM HAS NOT and CAN NOT give those to anyone, because they don't know them. This has been RIM's position from the beginning, and still is. What they HAVE done is give access to the messaging services they run (and therefore have keys to) to the Indian authorities. My understanding is that this was always the case. The article really does not make the distinction between the two clear.

    TLDNR: RIM gave what they always give anyone; some minister is using it to try and save face. Poor reporting means it worked.

  6. Re:Sell now by LordLimecat · · Score: 4, Informative

    I hope you aren't in a position where you advise anyone on IT.

    ActiveSync's security is in LARGE part dependent on the security of SSL. For a HUGE number of organizations, those SSL keys are self-signed, which provides about the same security as WEP. All that is needed to break in is to somehow get the device to reach out to your server, and then have your server present a similar self-signed cert. Even if you are using a "proper" cert, you can be "easily" bugged by a government, since a large number of governments are considered trusted root authorities (including China); this means they can generate their own certificate, claim to be your Exchange CAS, and your device will happily talk back and forth with it. Presumably at that point your device would authenticate to that rogue server; I'm not clear in what form the credentials would be sent, but we're already into "danger" territory.

    On the flip side, with a proper BES (which is NOT what is being discussed in TFA), SSL simply isn't in the loop. All communications are relayed through RIM, but the encryption keys (up to AES-256) are held completely internally. I believe (though I could be wrong) that each device has its own key which is derived from the master key, so under the absolute worst conditions someone could seize a BlackBerry and -- shockingly -- have access to that user's email. But of course, they'd have to get around the in-memory encryption and flash encryption that a security-sensitive organization would obviously have enforced on their BlackBerries.

    At the end of the day, if absolute security is a necessity, you probably don't want your employees running around with smartphones, but if you do, you're using BlackBerry / BES because there STILL isn't a good competitor in that range. Plus, if we're completely honest, most Androids are touchscreen, and touchscreen devices simply aren't as good at fulfilling the role of business communication device. They have other perks, but from personal experience I can say that they are a massive letdown when it comes to email and phone.

  7. Re:RIM's private keys by LordLimecat · · Score: 4, Insightful

    Once again. For the last time....
    RIM does NOT have the encryption keys used by BES servers. Those keys are held internally by businesses only, and those are then used (along with "random" data) to generate the device keys. Even if RIM somehow had the organization's master key, they wouldn't have access to the "random" data that was used to derive the device key (which is pulled from that "wiggle your mouse around for a while" procedure).

    In other words, BES servers continue as unaffected as before. Call me when India figures out how to large-scale crack AES256 with unknown keys.

  8. Misleading title by gagol · · Score: 5, Informative

    Should read "India claims RIM gave encryption keys, RIM strongly denies". http://www.theregister.co.uk/2012/08/02/rim_keys_india/

    --
    Tomorrow is another day...
  9. Already Debunked by RIM by _DangerousDwarf · · Score: 4, Informative
    From the Globe and Mail

    "Although not all of a BlackBerry's messaging functions are encrypted, RIM has long maintained that it is unable to grant anyone access to its corporate e-mail service, which is encrypted from end-to-end. RIM responded in a statement late on Wednesday, saying it was necessary "to correct some false and misleading" information" that had appeared in the Indian media."

    "RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications," the company added."

  10. Re:Sell now by bill_mcgonigle · · Score: 4, Insightful

    It seems to me VPN or IMAP over SSL has all the advantages of BB without the risk they'll sell you out. And has for some time.

    yeah, I was pointing this out to clients as early as 2004. I had a working IMAPS client on a Treo 650 at the time. They wanted Outlook integration over security (despite always talking about their multi-billion-dollar IP that had to be protected at all costs). Lesson learned: most people don't care about security, they just say they do.
     

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)