Blackberry Privacy

RIM Agrees To Hand Over Its Encryption Keys To India

Posted by samzenpus
from the lets-see-what-you-got-there dept.
An anonymous reader writes "BlackBerry maker Research in Motion's (RIM) four-year standoff with the Indian government over providing encryption keys for its secure corporate emails and popular messenger services is finally set to end. RIM recently demonstrated a solution that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies. An amicable solution over the monitoring issue is important for the Canadian smartphone maker since India is one of the few bright spots for the company that has been battling falling sales in its primary markets of the US and Europe. In India, RIM has tripled its customer base to close to 5 million over the last two years."


  • by Sir_Sri (199544) on Thursday August 02, 2012 @07:24PM (#40863177)

    Part of the appeal of RIM was that you knew governments weren't out there stealing secrets sent across your network. I understand that India has a legitimate security need to be able to wiretap communications and so on. But this isn't going to 'help' RIM. This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the Indian government was going to steal your work and sell it to someone else (which is a serious concern in India).

    If anything, this just levels the playing field. And that's bad for RIM, because they aren't competitive.

    • by Moblaster (521614) on Thursday August 02, 2012 @07:30PM (#40863237)

      It's pretty clear what happened. They kept the keys secret and held out for a long time on "principle" because that was the best business decision at the time. Then, as the onslaught of iPhone and Android took its toll, the principle changed to survival, because that became the new best business decision.

      It's sad, but at this point, it hardly affects any country but India anyway!

      • by Sir_Sri (199544)

        And in most other countries you aren't worried about the government stealing and reselling most of your secrets anyway. At least not your own government.

      • by Prune (557140) on Thursday August 02, 2012 @11:39PM (#40864727)
        They only have the keys to the non-business service. Corporate users deploying Blackberry Enterprise Server create their own key pairs when registering each handset with the company's BES server, and so control the encryption end-to-end. There are no third parties with access to these keys, making this far more secure than SSL, for example. The article is FUD.
        • Re: (Score:2, Insightful)

          by gl4ss (559668)

          sure that they don't ship a backdoor? that's essentially what they're asking for "This satisfies India's core demand that RIM provide intelligence and security agencies with automatic solutions to monitor all communication on BlackBerry smartphones on a real-time basis, an official aware of the development said."

          it's a pretty crazy requirement for a device that allows programmable code and tcp/ip though.

    • by narcc (412956) on Thursday August 02, 2012 @07:41PM (#40863317) Journal

      As has been pointed out over and over again, This Does Not Affect BES Users.

      Everyone else is just as insecure as they always were. If you want security in India, RIM is still your only real choice.

      More details here [crackberry.com]

      • And it is probably also worth pointing out that this means that RIM's BIS service provides better content protection than SMS/MMS, unencrypted email (which is virtually all e-mail, and indeed all Android phones using the inbuilt GMail app), and almost any IM out there. I've also missed other equally unprotected means of communication.

        Why? Because at least BIS is encrypted in transit to and from RIM. (To be fair, services like MSN Messenger in which all messages go through a central server could be considere

        • by Mr. X (17716)
          Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers? I can't believe that would be the case, since they made a big deal about forcing people onto SSL for web access to GMail quite a while ago.
          • Re: (Score:3, Insightful)

            by Anonymous Coward

            Are you saying you trust your smart phone to have only real, valid intermediate SSL certificates? Or are you so ignorant as to think that governments aren't trying to man-in-the-middle SSL like crazy, especially on mobile networks?

            • by Fjandr (66656)

              Won't matter once CALEA is amended to include non-voice public networks. It'll happen eventually.

              This isn't to say I support the extension; I think those proposing it should be shot. That doesn't change the reality that it will eventually be enacted, whether it requires sneaking it into a broad authorization bill or actually getting the support to pass it on its own.

          • by gnoshi (314933)

            Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers?

            No, I'm not saying that GMail for Android (or via a browser, or iPhone) doesn't use SSL. However, GMail is an e-mail service using a client (on Android) which doesn't have support for encryption apart from SSL to the server. Sure, if I'm sending GMail to GMail that's fine - it falls into the same boat as MSN Messenger. If I'm sending to a non-GMail recipient, then that goes out the window.

            There are other apps which can use GMail, and do provide encryption functionality, but as with TextSecure - how common i

      • I think we need to make clearer what exactly the impact of this is.

        Can an Indian businessman who bought a Blackberry in South America and is working in Europe be assured of some level of privacy on communications?

        Does an American businessman with a Blackberry bought in the USA visiting India on the way to China need to rethink how company documents are transmitted?

        Not very clear, especially as the BIS keys can't and therefore haven't been handed over.

        So we have a new server in India, but what is being route

        • by epiphani (254981) <epiphani.dal@net> on Thursday August 02, 2012 @09:20PM (#40864005)

          My god these posts are annoying.

          Does an Indian businessman who bought a Blackberry...

          Does an American businessman with a Blackberry...

          Do they have a BES? If they have a BES, nothing to worry about. Next question?

          • Backdoor? Implementation weaknesses? Hardware snooper?

            RIM just proved they would sell out your privacy if the price is right. Your response is "Don't worry, their other product is safe."

            How do you know?

      • by Sir_Sri (199544)

        This Does Not Affect BES Users.

        No, being within India they are already subject to Indian laws, and already have to hand over any enterprise keys they have stored within India if they're 'asked'.

        If you're running your BES from outside the country then you might have a temporary reprieve, until the Indian government gets wind of that plan.

        • by narcc (412956) on Friday August 03, 2012 @12:42AM (#40864925) Journal

          RIM doesn't have the keys to hand over. Again, see the link I sent. If you're referring to a company running BES in India being forced to give the gov't access to their communications, that's completely different and has absolutely nothing to do with RIM.

          Still, the point stands. RIM is the only secure option -- the playing field has not been leveled.

          • by Sir_Sri (199544)

            RIM doesn't have the keys to hand over

            Right, the company hosting the BES does. And has for a couple of years. For the moment if your BES is based outside of India you're 'safe', until the government figures out how to deal with that.

            the playing field has not been leveled

            It has. The situation is now no different from you running your own communications app on whatever platform(s) you want. If you're in India they can compel you to hand it over, if you base your servers outside India they can't do anything much to you, and you can't rely on RIM to provide you any inherent securi

            • by narcc (412956)

              I don't follow your reasoning? RIM still offers the only secure option, yet somehow they're just as insecure as the rest and thus a level playing field?

              Moreover, how does RIM giving in to the Indian gov't on BIS snooping change anything at all about BES before and after they gave it?

              Sorry, I just don't see how the playing field has been leveled in any way -- RIM is still way ahead in terms of security. They've been dealt a blow, sure, but they've not been knocked down so far as to be on the same level as t

              • Why is RIM's option any more secure than using Exchange Activesync over HTTPS? I don't get the big deal when it comes to supposed BB security.

              • by Sir_Sri (199544)

                RIM still offers the only secure option

                No, it doesn't. That's the entirety of my reasoning. A BES isn't any more secure than any other product can be. And now you can no longer rely on RIM bouncing data through Waterloo to keep it secure.

                A BES, or ANY communications server hosted in India: has to turn over keys or just the data to the government if asked.
                A BES or any communications not hosted in India: can make a legal fight out of it, might not have to turn data over.
                Any communications via RIM are insecure from within India.

                • by narcc (412956)

                  You're really stretching here. Sorry, but when it takes manpower and possibly complex legal action (to say nothing of the expense!) for the Indian gov't to read my messages while it takes virtually no effort for the Indian gov't to read messages on other platforms, my platform is more secure.

                  It's like saying Fort Knox is just as insecure as my tool-shed because a highly-trained team of tactical and explosives experts could get in if they really tried.

          • by Hatta (162192)

            RIM is the only secure option -- the playing field has not been leveled.

            In what way is RIM more secure than anything that implements OTR? e.g. Gibberbot on Android

    • As others have pointed out, this doesn't affect BES - they're as secure as ever in the enterprise.

      Thing is, they've always given this level of access to governments (or we reasonably assume this is the case, anyway) for their BIS service. The difference is officials in India needed to save face and made a big deal out of this - even though they're getting only what they were told they could get from the start, and certainly no more than any other government.

      • by Sir_Sri (199544)

        Well now they don't have to call to Waterloo, and argue over just what they need to get the data. Now they can do whatever they want.

        Also, BES for Indian companies is a separate issue, because companies already have to turn those keys over to the government because they're subject to Indian law.

    • No, there is no legitimate need to wiretap without any kind of warrant. India calls itself the largest democracy and it behaves in an authoritarian manner.
      • by AK Marc (707885)
        If the people vote for authoritarian, does that make it non-democratic?
      • by Sir_Sri (199544)

        No, there is no legitimate need to wiretap without any kind of warrant

        I didn't talk about the requirements. Because 'requiring a warrant' is stupid. It's not stupid in the US legal system, but that doesn't mean that's appropriate for India, or Oman, or the Emirates or whatever. India has its own legal system, it's up to them to decide what is or is not a sufficient condition for wiretapping, and that's a separate discussion.

    • by Prune (557140) on Thursday August 02, 2012 @11:37PM (#40864719)
      The article is misleading. The corporate service using Blackberry Enterprise Server has not been compromised because the encryption keys are controlled by the company deploying BES end-to-end. The company's IT generates the encryption key pairs when adding new handsets to the server. What's discussed only affects specific messaging over the non-business Blackberry service BIS.
      • by Sir_Sri (199544)

        Businesses in India will already be subject to Indian laws though. RIM isn't subject to Indian law, that's why they've been able to squabble over this as long as they have.

    • Landgrab (Score:4, Interesting)

      by Kirth (183) on Friday August 03, 2012 @01:59AM (#40865243) Homepage

      I understand that India has a legitimate security need to be able to wiretap communications and so on..

      Nope. This is a landgrab. Law enforcement is constantly talking about "going dark", where in fact, the light they have is much brighter than they've ever had before -- technology only made it possible to snoop on everything, and now they want the laws for actually doing so, and to lever out any countermeasures the user may take.

      In the 80s, wiretapping actually meant either a) placing a wiretap in the user's phone or b) going physically to the phone switch where the user was connected to, and placing the tap there. Both only done with a judicial warrant, and for very specific cases. Wiretapping was _complicated_.

      Now, wholesale wiretapping is easy; so easy that a lot of people and companies take countermeasures. And now law enforcement wants "to have back" capabilities it never had?

    • Part of the appeal of RIM was that you knew governments weren't out there stealing secrets sent across your network. I understand that India has a legitimate security need to be able to wiretap communications and so on. But this isn't going to 'help' RIM. This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the indian government was going to steal your work and sell it to someone else (which is a serious concern in india).

      If anything, this just levels the playing field. And that's bad for RIM, because they aren't competitive.

      I suspect that it will help them more than being kicked out of the country, though it certainly won't improve their product in any absolute sense...

  • by theNAM666 (179776) on Thursday August 02, 2012 @07:26PM (#40863191)

    ... to a democratically elected government...

    • by Sir_Sri (199544)

      The government in India is democratic, but that doesn't make it any less corrupt to the bone. I wouldn't trust anyone in the Indian government with my business secrets. Including my own relatives (who are in the civil service).

      India is fully entitled to demand wiretap access. Democratic or not. But the whole reason to choose RIM over a competitor in India was precisely because the government couldn't get into the system, because you can't trust people in government to not just steal your secrets and sel

      • Re: (Score:2, Informative)

        by Anonymous Coward

        India's corruption puts any Western government to shame. Want to get anything done? You WILL pay a bribe, and a good one at that, down to the "untouchable" cleaning poop out of the sewer.

        The caste system still stays there, same with the attitude that helping people is considered bad juju since it interferes with their divine punishment.

        Also remember: India isn't a friend to the West. During the Cold War, they were doing their best to cozy up to the Russians, and were willing to do almost anything for

        • by 0ld_d0g (923931)

          India's corruption puts any Western government to shame. Want to get anything done? You WILL pay a bribe, and a good one at that, down to the "untouchable" cleaning poop out of the sewer.

          If you belong to the banker "caste" in the United States.. the laws apply differently to you. You can steal from the people, defraud them, gamble their pensions on the stock market, and then get bailed out by the Government .. and never ever have to face any kind of criminal investigation.

          If you belong to the executive branch "caste" you can do anything you want, including assassinate your own citizens abroad via drone strikes. You can lie your way into invading and killing civilians in other countries and

    • To a very corrupt democratically elected government. The keys will be in the hands of Russian mobsters in a few days.

    • Democratically elected doesn't mean jack anymore, if it ever did. Do you know any democratic government that's not for sale to the highest bidder?

  • by Shabbs (11692) on Thursday August 02, 2012 @07:34PM (#40863269)

    Please, the BES keys have not been handed over... because they can't be...

    http://crackberry.com/rim-encryption-keys [crackberry.com]

    BIS != BES.

    • by sphealey (2855)

      "I did not steal the stocks or the bonds"

      _Tales of the Black Widowers_, Isaac Asimov

      • by Prune (557140)
        I don't get it. Care to clarify?
        • by sphealey (2855)

          I wouldn't want to spoil the story for you, but the point is that one must read announcements of this type very carefully as there is generally far more hidden in them than appears on the surface. So your assurances are not entirely... reassuring.

          sPh

    • by whoever57 (658626)

      Please, the BES keys have not been handed over... because they can't be...

      I don't know how BBs work, so this is pure speculation, but when connecting to a BES server, does the device require a specific key that is tied to that server, or merely any valid key? If the latter, then a man-in-the-middle system could allow connections to BES servers to be spied upon.

      • by Shabbs (11692) on Thursday August 02, 2012 @08:30PM (#40863685)

        It needs a specific key. A BES connection is secured by a key-pair that is generated when the BlackBerry is added to the BES. This allows for the 3DES encryption to occur for all communications over the BES connection.

        The situation you're talking about applies to BIS where any handset can decrypt the encrypted messages.

        This misunderstanding of the differences between BIS and BES leads to a lot of FUD, unfortunately.

        And you know Apple is keeping an eye on this... cuz India will be coming after them too for access to their iMessage comms, if they have not already done so.

        • Note that BES servers by default use 3DES and (I think?) MD5, but can with the click of a button be transitioned to AES / SHA.

        • by Prune (557140)
          BES has been using AES by default for many years, and will only use 3DES for decade-old handsets that don't support AES.
  • Moral of the story (Score:5, Insightful)

    by characterZer0 (138196) on Thursday August 02, 2012 @07:37PM (#40863289)

    Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.

    • by Opportunist (166417) on Thursday August 02, 2012 @07:47PM (#40863375)

      In this case you don't even control ANY part of the encryption, not even on your end. Something that is the absolute bare minimum for any kind of security.

    • by Lehk228 (705449)
      if you want to control end to end get a BES
    • Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.

      This ^ period.

    • by Prune (557140)

      Except there's no story here, as BES, the service that corporate Blackberry deployments use, _is_ end to end--the encryption key pairs are generated by the company that deploys a BES installation, and neither RIM nor anyone else has access to them, unlike SSL certificates etc. The article is about the consumer BIS service and doesn't affect enterprise.

      • by v1 (525388)

        as BES, the service that corporate Blackberry deployments use, _is_ end to end--the encryption key pairs are generated by the company that deploys a BES installation, and neither RIM nor anyone else has access to them, unlike SSL certificates etc.

        Everyone in this thread seems to assume that all SSL keys are generated and provided by public CAs, who then could leak your private key. You can roll your own anytime you want. Then just tell the users and your servers to trust your public key. Works the same
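The thread keeps coming back to one distinction: whether the key protecting a message was generated and held by the service operator (the consumer BIS path, per Shabbs and the "Saving Face" post) or generated at enrollment by the deploying company and never shared (the BES path, and characterZer0's "if you do not control end-to-end encryption yourself, it is not secure"). whoever57 also asks whether a handset accepts any valid key or only the one tied to its server. The following is an added example, not RIM's code and not a model of the real BlackBerry protocol. It assumes made-up names (`Operator`, `Enterprise`, `enroll_handset`, `lawful_intercept`) and uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag purely so it runs on the Python standard library; real deployments would use a vetted AEAD. The PIN and message are constructed sample values.

```python
"""Toy model of operator-held keys (BIS-like) versus enterprise-generated
enrollment keys (BES-like), and of a handset pinned to its enrollment key.
Added example: not RIM's code, and not the BlackBerry wire protocol."""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Operator:
    """Service operator (hypothetical name). It generated the consumer-service
    key, so it is in a position to hand that key to an intercept interface."""

    def __init__(self) -> None:
        self.service_key = secrets.token_bytes(32)  # operator custody


class Enterprise:
    """Company running its own server (hypothetical name). Per-handset keys are
    generated here at enrollment and never leave the company."""

    def __init__(self) -> None:
        self.handset_keys = {}  # handset PIN -> enrollment key

    def enroll_handset(self, pin: str) -> bytes:
        key = secrets.token_bytes(32)
        self.handset_keys[pin] = key
        return key  # provisioned onto the handset by the company, not the operator


def consumer_send(operator: Operator, msg: bytes) -> bytes:
    """Consumer path: the handset encrypts under the operator's key only."""
    return encrypt(operator.service_key, msg)


def enterprise_send(operator: Operator, handset_key: bytes, msg: bytes) -> bytes:
    """Enterprise path: the handset encrypts under its enrollment key first;
    the operator's transport layer is wrapped around that inner blob."""
    return encrypt(operator.service_key, encrypt(handset_key, msg))


def lawful_intercept(operator: Operator, wire: bytes) -> Optional[str]:
    """What a party holding only the operator's key can read. Messages in this
    model are UTF-8 text prefixed 'MSG:'; anything else exposed after removing
    the operator's layer is still ciphertext under a key the operator never had."""
    exposed = decrypt(operator.service_key, wire)
    if exposed is None:
        return None
    try:
        text = exposed.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("MSG:") else None


def handset_accepts_server(enrolled_key: bytes, presented_key: bytes) -> bool:
    """Enrollment pins the handset to one key: the server must answer a fresh
    challenge with that exact key, so a different (even otherwise valid) key
    presented by an interposed party is rejected."""
    challenge = secrets.token_bytes(16)
    answer = hmac.new(presented_key, challenge, hashlib.sha256).digest()
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(answer, expected)


def demo() -> dict:
    """Run both paths once and report who can read what."""
    operator, enterprise = Operator(), Enterprise()
    handset_key = enterprise.enroll_handset("2A4F1C00")  # constructed PIN
    secret = b"MSG:quarterly numbers attached"  # constructed message
    relayed = enterprise_send(operator, handset_key, secret)
    inner = decrypt(operator.service_key, relayed)  # operator strips only its layer
    return {
        "consumer_readable_by_operator": lawful_intercept(operator, consumer_send(operator, secret)),
        "enterprise_readable_by_operator": lawful_intercept(operator, relayed),
        "enterprise_readable_by_owner": decrypt(handset_key, inner) if inner else None,
        "pinned_handset_accepts_operator_key": handset_accepts_server(handset_key, operator.service_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")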

  • It's OK... (Score:5, Funny)

    by tlambert (566799) on Thursday August 02, 2012 @08:04PM (#40863501)

    Half the country has been unable to recharge their Blackberries for two days in a row anyway.

  • Saving Face (Score:5, Informative)

    by Anonymous Coward on Thursday August 02, 2012 @08:30PM (#40863693)

    from the fine article:

    "But he said there was no access to secure encrypted BlackBerry enterprise communications or corporate emails as these were accessible only to the owners of these services."

    The reality is BES uses keys assigned by the owner of the BES server; RIM HAS NOT and CAN NOT give those to anyone, because they don't know them. This has been RIM's position from the beginning, and still is. What they HAVE done is give access to the messaging services they run (and therefore have keys to) to the Indian authorities. My understanding is that this was always the case. The article really does not make the distinction between the two clear.

    TLDNR: RIM gave what they always give anyone, some minister is using it to try and save face. Poor reporting means it worked.

    • by Prune (557140)
      Indeed. And even for messaging, if you're using BES, then you can use your own keys for PIN-to-PIN messaging and then it's fully secure. This article is mostly FUD.
  • Misleading title (Score:5, Informative)

    by gagol (583737) on Thursday August 02, 2012 @09:41PM (#40864147)
    Should read "India claims RIM gave encryption keys, RIM strongly denies". http://www.theregister.co.uk/2012/08/02/rim_keys_india/ [theregister.co.uk]
  • by _DangerousDwarf (210835) on Thursday August 02, 2012 @10:03PM (#40864293)
    From the Globe and Mail [theglobeandmail.com]

    "Although not all of a BlackBerry's messaging functions are encrypted, RIM has long maintained that it is unable to grant anyone access to its corporate e-mail service, which is encrypted from end-to-end. RIM responded in a statement late on Wednesday, saying it was necessary 'to correct some false and misleading information' that had appeared in the Indian media."

    "RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications," the company added."

  • There go the customers to some other solution that can't be eavesdropped.
