Blackberries insecure?

Christoph Gruber grisu at guru.at
Thu Jun 21 13:30:18 EDT 2007


alex at alten.org wrote:
> Steve,
> 
> It could be that the linkage between user ids and auth keys is too weak,
> allowing a MITM attack to be undetected that sniffs the data encryption
> key. This seems to be a common problem with many of the secure protocols
> I've examined.
> 
> - Alex
> 

Ahoi!

Nobody knows what the BlackBerry does with the decrypted data. The
whole device is a black box, so it is able to do anything it is
programmed for, with all the data transmitted to it.

-- 
Grisu

> 
>> ----- Original Message -----
>> From: "Steven M. Bellovin" <smb at cs.columbia.edu>
>> To: cryptography at metzdowd.com
>> Subject: Blackberries insecure?
>> Date: Wed, 20 Jun 2007 23:41:20 -0400
>>
>>
>> According to the AP (which is quoting Le Monde), "French government
>> defense experts have advised officials in France's corridors of power
>> to stop using BlackBerry, reportedly to avoid snooping by U.S.
>> intelligence agencies."
>>
>> That's a bit puzzling.  My understanding is that email is encrypted
>> from the organization's (Exchange?) server to the receiving Blackberry,
>> and that it's not in the clear while in transit or on RIM's servers.
>> In fact, I found this text on Blackberry's site:
>>
>> 	Private encryption keys are generated in a secure, two-way
>> 	authenticated environment and are assigned to each BlackBerry
>> 	device user. Each secret key is stored only in the user's secure
>> 	regenerated by the user wirelessly.
>>
>> 	Data sent to the BlackBerry device is encrypted by the
>> 	BlackBerry Enterprise Server using the private key retrieved
>> 	from the user's mailbox. The encrypted information travels
>> 	securely across the network to the device where it is decrypted
>> 	with the key stored there.
>>
>> 	Data remains encrypted in transit and is never decrypted outside
>> 	of the corporate firewall.
>>
>> Of course, we all know there are ways that keys can be leaked.
>>
>>
>> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
>>
>> ---------------------------------------------------------------------
>> The Cryptography Mailing List
>> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
> 