Blackberries insecure?
Christoph Gruber
grisu at guru.at
Thu Jun 21 13:30:18 EDT 2007
alex at alten.org wrote:
> Steve,
>
> It could be that the linkage between user ids and auth keys is too weak,
> allowing a MITM attack to be undetected that sniffs the data encryption
> key. This seems to be a common problem with many of the secure protocols
> I've examined.
>
> - Alex
>
Ahoy!
Nobody knows what the BlackBerry does with the decrypted data. The
whole device is a black-box, so it is able to do anything it is
programmed for, with all the data transmitted to it.
--
Grisu
>
>> ----- Original Message -----
>> From: "Steven M. Bellovin" <smb at cs.columbia.edu>
>> To: cryptography at metzdowd.com
>> Subject: Blackberries insecure?
>> Date: Wed, 20 Jun 2007 23:41:20 -0400
>>
>>
>> According to the AP (which is quoting Le Monde), "French government
>> defense experts have advised officials in France's corridors of power
>> to stop using BlackBerry, reportedly to avoid snooping by U.S.
>> intelligence agencies."
>>
>> That's a bit puzzling. My understanding is that email is encrypted
>> from the organization's (Exchange?) server to the receiving Blackberry,
>> and that it's not in the clear while in transit or on RIM's servers.
>> In fact, I found this text on Blackberry's site:
>>
>> Private encryption keys are generated in a secure, two-way
>> authenticated environment and are assigned to each BlackBerry
>> device user. Each secret key is stored only in the user's secure
>> regenerated by the user wirelessly.
>>
>> Data sent to the BlackBerry device is encrypted by the
>> BlackBerry Enterprise Server using the private key retrieved
>> from the user's mailbox. The encrypted information travels
>> securely across the network to the device where it is decrypted
>> with the key stored there.
>>
>> Data remains encrypted in transit and is never decrypted outside
>> of the corporate firewall.
>>
>> Of course, we all know there are ways that keys can be leaked.
>>
>>
>> --Steve Bellovin, http://www.cs.columbia.edu/~smb
>>
>> ---------------------------------------------------------------------
>> The Cryptography Mailing List
>> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com