RIM Agrees To Hand Over Its Encryption Keys To India 164
An anonymous reader writes "BlackBerry maker Research in Motion's (RIM) four-year standoff with the Indian government over providing encryption keys for its secure corporate emails and popular messenger services is finally set to end. RIM recently demonstrated a solution that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies. An amicable solution over the monitoring issue is important for the Canadian smartphone maker since India is one of the few bright spots for the company that has been battling falling sales in its primary markets of the US and Europe. In India, RIM has tripled its customer base close to 5 million over the last two years,"
Not quite the full story... (Score:5, Informative)
Please, the BES keys have not been handed over... because they can't be...
http://crackberry.com/rim-encryption-keys [crackberry.com]
BIS != BES.
Re:Yes but this won't help (Score:5, Informative)
As has been pointed out over and over again, This Does Not Affect BES Users.
Everyone else is just as insecure as they always were. If you want security in India, RIM is still your only real choice.
More details here [crackberry.com]
Did any of you yahoos bother to read the article? (Score:2, Informative)
"RIM recently demonstrated a solution developed by a firm called Verint that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies..."
Re:Nothing like giving in... (Score:2, Informative)
India's corruption puts any Western government to shame. Want to get anything done? You WILL pay a bribe, and a good one at that, down to the "untouchable" cleaning out poop out of the sewer.
The caste system still stays there, same with the attitude of helping people is considered bad juju since it interferes with their divine punishment.
Also remember: India isn't a friend to the West. During the Cold War, they were doing their best to cozy up to the Russians, and were willing to do almost anything for them.
India demanding keys from RIM is no surprise. I'm sure that any US or European messages in that region will wind up in the hands of them, or their Chinese buds.
Makes you want to trust the broken CA system in SSL/TLS. At least you can possibly dump all other CAs and use your own root certs with have your own trust, as opposed to RIM's "trust us, or buy a new device". Oh... run a BES backend... sure. Like anyone bothers with that.
Re:Not quite the full story... (Score:4, Informative)
It needs a specific key. A BES connection is secured by a key-pair that is generated when the BlackBerry is added to the BES. This allows for the 3DES encryption to occur for all communications over the BES connection.
The situation you're talking about applies to BIS where any handset can decrypt the encrypted messages.
This mis-understanding of the differences between BIS and BES lead to a lot of FUD unfortunately.
And you know Apple is keeping an eye on this... cuz India will be coming after them too for access to their iMessage comms, if they have not already done so.
Saving Face (Score:5, Informative)
from the fine article:
"But he said there was no access to secure encrypted BlackBerry enterprise communications or corporate emails as these were accessible only to the owners of these services."
The reality is BES uses keys assigned by the owner of the BES server, RIM HAS NOT and CAN NOT give those to anyone, because they dont know them. This has been RIM's position from the begining, and still is. What they HAVE done is give access to the messaging services they run (and therefor have keys to) to the Indian authorities. My understanding is that this was always the case. The article really does not make the distinction between the two clear.
TLDNR: RIM gave what they always give anyone, some minister is useing it to try and save face. Poor reporting means it worked.
Re:Sell now (Score:5, Informative)
I hope you arent in a position where you advise anyone on IT.
Active Sync's security is in LARGE part dependent on the security of SSL. For a HUGE number of organizations, those SSL keys are self-signed, which provides about the same security of WEP. All that is needed to break in is to somehow get the device to reach out to your server, and then have your server present a similar self-signed cert. Even if you are using a "proper" cert, you can be "easily" bugged by a government, since a large number of governments are considered trusted root authorities (including China); this means they can generate their own certificate, claim to be your Exchange CAS, and your device will happily talk back and forth with it. Presumably at that point your device would authenticate to that rogue server; Im not clear in what form the credentials would be sent, but we're already into "danger" territory.
On the flip side, with a proper BES (which is NOT what is being discussed in TFA), SSL simply isnt in the loop. All communications are relayed through RIM, but the encryption keys (up to AES-256) are held completely internally. I believe (though I could be wrong) that each device has its own key which is derived from the master key, so under the absolute worst conditions someone could sieze a blackberry and -- shockingly-- have access to that user's email. But of course, they'd have to get around the in-memory encryption and flash encryption that a security-sensitive organization would obviously have enforced on their blackberries.
At the end of the day, if absolute security is a necessity, you probably dont want your employees running around with smartphones, but if you do, youre using Blackberry / BES because there STILL isnt a good competitor in that range. Plus, if we're completely honest, most androids are touchscreen, and touchscreen devices simply arent as good at fulfilling the role of business communication device. They have other perks, but from personal experience I can say that they are a massive letdown when it comes to email and phone.
Re:Who does it effect? (Score:4, Informative)
My god these posts are annoying.
Does an Indian businessman who bought a Blackberry...
Does an American businessman with a Blackberry...
Do they have a BES? If they have a BES, nothing to worry about. Next question?
Misleading title (Score:5, Informative)
Already Debunked by RIM (Score:4, Informative)
"Although not all of a BlackBerry's messaging functions are encrypted, RIM has long maintained that it is unable to grant anyone access to its corporate e-mail service, which is encrypted from end-to-end. RIM responded in a statement late on Wednesday, saying it was necessary "to correct some false and misleading" information" that had appeared in the Indian media."
"RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications," the company added."
Re:Yes but this won't help (Score:4, Informative)
Re:Yes but this won't help (Score:4, Informative)
RIM doesn't have the keys to hand over. Again, see the link I sent. If you're referring to a company running BES in India being forced to give the gov't access to their communications, that's completely different and has absolutely nothing to do with RIM.
Still, the point stands. RIM is the only secure option -- the playing field has not be leveled.