BlackBerry Forums Support Community               

Old 06-11-2006, 10:28 AM   #21 (permalink)
New Member
 
Join Date: Jun 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by JerryD
If you password protect your BB, it will wipe all data after 10 (incorrect) attempts to enter the password. You can't access the device in any way - connected to a computer or stand alone - without the password.

You can also encrypt the data, but it will slow down the device, and heavens forbid you have to wipe it with encryption on, it can take HOURS - seriously!

That's why all Federal Government agencies will use ONLY Blackberries - they're the only truly secure mobile email devices!

J
My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberrys because they are not secure.
Offline  
Old 06-11-2006, 12:23 PM   #22 (permalink)
Thumbs Must Hurt
 
Corman's Avatar
 
Join Date: Oct 2005
Location: Colorado
Model: 8330
Carrier: Verizon
Posts: 156
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by codpet
My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberrys because they are not secure.
As a mobile device the BB is hard to beat for security. It is only as good as the admin policies and adherence to those policies. Look around the secrecy business and the computer security people. A lot of BBs out there in that arena. I am sure the Navy feels it is easier to ban something than to gain compliance. Common military stance (22 years retired military).

As for the security of the information in a BB, even encrypted and password protected it is possible for a person to retrieve the contents. It does require expertise, hardware and software. But, password protect it and the common person who picks up a lost BB will not be able to access the information stored inside.
__________________
Semper Fidelis
Corman's Blog: http://timeonlegs.blogspot.com/

7250, 7130e, 8703e, 8830 and now the 8330
Offline  
Old 06-11-2006, 03:19 PM   #23 (permalink)
New Member
 
Join Date: Jun 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by Corman
As a mobile device the BB is hard to beat for security. It is only as good as the admin policies and adherence to those policies. Look around the secrecy business and the computer security people. A lot of BBs out there in that arena. I am sure the Navy feels it is easier to ban something than to gain compliance. Common military stance (22 years retired military).

As for the security of the information in a BB, even encrypted and password protected it is possible for a person to retrieve the contents. It does require expertise, hardware and software. But, password protect it and the common person who picks up a lost BB will not be able to access the information stored inside.
I work for a military contractor myself. I agree with you that most military agencies think that way. They don't even take the time out to realize that the device can be tied down. I bet they don't even know Blackberrys come with a firewall, which is disabled by default.

My company contracts for the DoD, and all other branches of military, domestic, and foreign, and we use Blackberrys.

However, as someone in the security field... If you can physically touch a device, you can access the data.
Offline  
Old 06-11-2006, 05:20 PM   #24 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2004
Model: 8700
Carrier: T-mo
Posts: 162
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by codpet
However, as someone in the security field... If you can physically touch a device, you can access the data.
How is it so? Assuming the encryption algorithm is secure and if the blackberry is set to encrypt data content "Content Protection Enabled", all data in the flash chip is encrypted and cannot be decrypted without the password. You can't access the data even if you physically take the memory chip out of the device.

- P
Offline  
Old 06-11-2006, 05:54 PM   #25 (permalink)
No longer Registered.
 
greggebhardt's Avatar
 
Join Date: Jan 2005
Location: Jacksonville, FLorida
Model: 9000!
PIN: NOT!
Carrier: AT&T
Posts: 3,762
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by codpet
My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberrys because they are not secure.
So what do they use for communications? If proper precautions are taken, the Blackberry is quite secure.
Offline  
Old 06-11-2006, 05:58 PM   #26 (permalink)
New Member
 
Join Date: Jun 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by patrickh
How is it so? Assuming the encryption algorithm is secure and if the blackberry is set to encrypt data content "Content Protection Enabled", all data in the flash chip is encrypted and cannot be decrypted without the password. You can't access the data even if you physically take the memory chip out of the device.

- P
Where is the decryption key on the BB device kept? I assume the decryption key isn't as secure as the encryption of the data itself. You are only as secure as your decryption key. When dealing with encryption there is always a weak link. There is a good reason why while we do use Blackberrys, we DO NOT use them for classified data. The only type of electronic communication we allow through our BES is unclassified.

Sure, the data is encrypted, but how is the decryption key kept?

Quote:
Originally Posted by greggebhardt
So what do they use for communications? If proper precautions are taken, the Blackberry is quite secure.
They don't use any form of mobile device for communication that allows data to be transmitted. In other words, voice only, and never for classified information unless the line is cleared for classified use. I have never seen a wireless phone used for classified work. The government uses land lines for this.
Offline  
Old 06-11-2006, 06:07 PM   #27 (permalink)
Grumpy Moderator
 
NJBlackBerry's Avatar
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: i5s
Carrier: AT&T
Posts: 27,806
Post Thanks: 33
Thanked 441 Times in 381 Posts
Default

Wonder what security they were using at the VA and Department of Energy.
Doesn't matter how good the technology is - the people are the problems here.
Offline  
Old 06-12-2006, 11:56 AM   #28 (permalink)
Thumbs Must Hurt
 
Corman's Avatar
 
Join Date: Oct 2005
Location: Colorado
Model: 8330
Carrier: Verizon
Posts: 156
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by NJBlackBerry
Wonder what security they were using at the VA and Department of Energy.
Doesn't matter how good the technology is - the people are the problems here.
This is so right on track. The people are always the weakest link in security. Remember the slogan "Loose lips, sink ships".

As for patrickh's statement, there is a ton of ways to brute force encryption and passwords. I agree with codpet, if you can touch it, you can access it almost all of the time. There are a few exceptions and they are not based on the device. Just applied this concept last week alone.
__________________
Semper Fidelis
Corman's Blog: http://timeonlegs.blogspot.com/

7250, 7130e, 8703e, 8830 and now the 8330
Offline  
Old 06-12-2006, 03:00 PM   #29 (permalink)
New Member
 
Join Date: Jun 2006
Location: Cedar Rapids, Iowa
Model: 8830
PIN: 317B4322
Carrier: US Cellular
Posts: 13
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by codpet
Where is the decryption key on the BB device kept? I assume the decryption key isn't as secure as the encryption of the data itself. You are only as secure as your decryption key. When dealing with encryption there is always a weak link. There is a good reason why while we do use Blackberrys, we DO NOT use them for classified data. The only type of electronic communication we allow through our BES is unclassified.

Sure, the data is encrypted, but how is the decryption key kept?



They don't use any form of mobile device for communication that allows data to be transmitted. In other words, voice only, and never for classified information unless the line is cleared for classified use. I have never seen a wireless phone used for classified work. The government uses land lines for this.
Interesting, guess that makes the T.V. show "24" a bit more far-fetched, with their wide use of PDAs/Smartphones to communicate during their missions, enabling them to download floor plans and satellite images to Jack Bauer...lol

I know a lot of the federal law enforcement branches seem to have migrated to Nextel now for radio communications during routine and surveillance/recon missions. Their conventional VHF/UHF channels, which at one time contained some clear, but mostly DES digital voice encryption, are rarely used at least in my area.
Offline  
Old 06-12-2006, 07:02 PM   #30 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Location: NY
Model: 9630
Carrier: Verizon Wireless
Posts: 147
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by codpet
I have never seen a wireless phone used for classified work. The government uses land lines for this.
There are both satellite and cellular (probably AMPS and maybe GSM) terminals for STU-III. I've personally seen the cellular bag phone version as recently as summer 2004. There are plenty of people other than the president who need to always be in touch securely, and they aren't carrying around a desk phone scrambling around to find a POTS jack when there's a problem.

Not sure if STE has a version that works on public wireless networks, but there is a unit that can run on some kind of DOD radio system.
Offline  
Old 06-12-2006, 07:36 PM   #31 (permalink)
Talking BlackBerry Encyclopedia
 
Postalrecon's Avatar
 
Join Date: Jan 2006
Location: Florida
Model: N80
Posts: 327
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by codpet
My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberrys because they are not secure.
that's bs, every high ranking officer in the navy seems to have a blackberry, but as for the military, if you're sending top secret info over a blackberry you're an idiot anyways
__________________
My Blog

http://xninjax.vox.com/
Offline  
Old 06-12-2006, 07:37 PM   #32 (permalink)
Talking BlackBerry Encyclopedia
 
Postalrecon's Avatar
 
Join Date: Jan 2006
Location: Florida
Model: N80
Posts: 327
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by NJBlackBerry
Wonder what security they were using at the VA and Department of Energy.
Doesn't matter how good the technology is - the people are the problems here.
amen
__________________
My Blog

http://xninjax.vox.com/
Offline  
Old 06-12-2006, 08:14 PM   #33 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2004
Model: 8700
Carrier: T-mo
Posts: 162
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Simple.. The data encryption key in the device is encrypted by your password. With a good password and correct implementation of the security subsystem, the bb is secure.

- P

Quote:
Originally Posted by codpet
Where is the decryption key on the BB device kept? I assume the decryption key isn't as secure as the encryption of the data itself. You are only as secure as your decryption key. When dealing with encryption there is always a weak link. There is a good reason why while we do use Blackberrys, we DO NOT use them for classified data. The only type of electronic communication we allow through our BES is unclassified.

Sure, the data is encrypted, but how is the decryption key kept?
Offline  
Old 06-13-2006, 04:29 PM   #34 (permalink)
New Member
 
Join Date: Jun 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by patrickh
Simple.. The data encryption key in the device is encrypted by your password. With a good password and correct implementation of the security subsystem, the bb is secure.

- P
So the decryption key is encrypted by the passcode? Then how does the device reference this decryption key? If the decryption key is encrypted, how is the device checking your passcode against its credentials?

Simply put it doesn't work that way....

There is a good reason why if you are using secret key symmetric encryption that you never give access to both keys to a source.

The decryption key is not encrypted, as it is a part of the mathematical formula that allows decryption to take place to begin with. You can't encrypt any of the keys themselves.

I believe that the blackberry uses asymmetric key cryptography. That is, the device uses two private keys. The passcode is used to complete the formula which leads to the decryption process.

It would be too insecure to allow symmetric encryption on such a device.
Offline  
Old 06-13-2006, 07:28 PM   #35 (permalink)
VR6
Talking BlackBerry Encyclopedia
 
VR6's Avatar
 
Join Date: Dec 2004
Location: Canada
Model: 9800
Carrier: Rogers
Posts: 308
Post Thanks: 0
Thanked 1 Time in 1 Post
Default maybe he's talking about before it locks

Quote:
Originally Posted by mnv7498
If my Blackberry handheld is stolen, is my data secure? Would someone be able to connect an external cable to my Blackberry and access my data.
if they find your BB before it locks itself then they'll have access to all your information as long as they keep it active, unless of course you have it set to lock every time it hits the holster or every 5 mins, which is probably a requirement for gov't agencies...no?
__________________
~VR6

Rogers 7280 -> 7100r -> 8310 -> 9000 -> 9800 -> 9900
Offline  
Old 06-13-2006, 09:15 PM   #36 (permalink)
Knows Where the Search Button Is
 
Join Date: Jul 2005
Location: Warrington, PA, USA
Model: 8703e
Carrier: verizon wireless
Posts: 33
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Wirelessly posted (BlackBerry7250/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1)

I work for a financial institution worth over 1 trillion dollars (total assets). If the blackberry was not secure do you really think they would issue me one with access to internal email and cust. access? I don't think so.
__________________
PIN: 32B54D76
VZW BB 8703e
VZW BB 7250
VZW Treo 700p
Offline  
Old 06-13-2006, 09:23 PM   #37 (permalink)
Knows Where the Search Button Is
 
Join Date: Jul 2005
Location: Warrington, PA, USA
Model: 8703e
Carrier: verizon wireless
Posts: 33
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default hmmm.

Quote:
Originally Posted by codpet
So the decryption key is encrypted by the passcode? Then how does the device reference this decryption key? If the decryption key is encrypted, how is the device checking your passcode against its credentials?

Simply put it doesn't work that way....

There is a good reason why if you are using secret key symmetric encryption that you never give access to both keys to a source.

The decryption key is not encrypted, as it is a part of the mathematical formula that allows decryption to take place to begin with. You can't encrypt any of the keys themselves.

I believe that the blackberry uses asymmetric key cryptography. That is, the device uses two private keys. The passcode is used to complete the formula which leads to the decryption process.

It would be too insecure to allow symmetric encryption on such a device.

Not to sound condescending.. But please read this:

http://computer.howstuffworks.com/encryption.htm

Encryption would be far too easy to break if keys were plain-text/unencrypted. What would the point be? That would be like writing the logins to your network under your keyboard.
__________________
PIN: 32B54D76
VZW BB 8703e
VZW BB 7250
VZW Treo 700p
Offline  
Old 06-13-2006, 11:44 PM   #38 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2004
Model: 8700
Carrier: T-mo
Posts: 162
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

To check if a password is correct, you don't need to store the password itself. No properly implemented system is done that way. To verify if a password is correct, all you need is to use the password to decrypt a block of data to see if it decrypts to a known value. (When you set the password, a block of fixed data is encrypted by your password so that it can be used for checking for exactly this purpose).

All (properly implemented) symmetric key encryption with a password works somewhat like this:
A random encryption key is used to encrypt/decrypt data.
The random encryption key is encrypted by your plain-text password (with extra stuff "salt" to make your password stronger). The "encrypted encryption key" is stored together with the encrypted data.

When the device is locked, the device itself no longer has access to the encrypted data. That is why some people are complaining that names from their address book stopped showing up when phone calls arrive all of a sudden. It is because they have turned content protection on.

Public key encryption is used for an entirely different purpose..

-P

Quote:
Originally Posted by codpet
So the decryption key is encrypted by the passcode? Then how does the device reference this decryption key? If the decryption key is encrypted, how is the device checking your passcode against its credentials?

Simply put it doesn't work that way....

There is a good reason why if you are using secret key symmetric encryption that you never give access to both keys to a source.

The decryption key is not encrypted, as it is a part of the mathematical formula that allows decryption to take place to begin with. You can't encrypt any of the keys themselves.

I believe that the blackberry uses asymmetric key cryptography. That is, the device uses two private keys. The passcode is used to complete the formula which leads to the decryption process.

It would be too insecure to allow symmetric encryption on such a device.
Offline  
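The password-wrapped key scheme described in post #38, as an added example that is not part of the original thread and is not RIM's implementation. It assumes PBKDF2-HMAC-SHA256 for the salted password stretching and uses an HMAC-based stream cipher as a standard-library stand-in for a real cipher such as AES; all function names are hypothetical, and the integrity tag plays the role of the post's "known value" check.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor, not a BlackBerry value


def derive_kek(password: str, salt: bytes) -> bytes:
    """Stretch password + salt into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (not AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob altered."""
    if len(blob) < 48:
        return None
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(_subkey(key, b"enc"), body[:16], body[16:])


def set_password(password: str):
    """Create a random data key; only salt and the wrapped key are stored."""
    data_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    stored = {"salt": salt, "wrapped_key": seal(derive_kek(password, salt), data_key)}
    return stored, data_key


def unlock(stored: dict, password: str):
    """Recover the data key, or None on a wrong password (no password stored)."""
    return unseal(derive_kek(password, stored["salt"]), stored["wrapped_key"])


def change_password(stored: dict, old: str, new: str) -> dict:
    """Re-wrap the same data key; the encrypted records are left untouched."""
    data_key = unlock(stored, old)
    if data_key is None:
        raise ValueError("wrong password")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_key": seal(derive_kek(new, salt), data_key)}
```

Locking corresponds to discarding the in-memory data key: after that, only `unlock` with the password can bring it back, which is why stored records become unreadable to the device itself while locked.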
Old 06-26-2006, 06:03 AM   #39 (permalink)
New Member
 
Join Date: Jun 2006
Model: 7900
Posts: 2
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Slightly off topic I'm afraid. I am an IT admin with a high concern over the security of our BBs.

I am concerned about the wipe feature of the Blackberry, as I do not want our data to be recoverable after the wipe.

However, there seem to be plenty of data recovery experts offering the ability to recover data off of BBs.

Ontrack say they can recover data, however when pushed if they can recover from wiped BBs they have not returned my call as promised.

I would like to ensure that there is the highest percentage of security when returning BBs to providers or switching users etc.

Any ideas gratefully received - plus top notch forum been reading ALL morning.
Offline  
Old 06-26-2006, 06:46 AM   #40 (permalink)
CrackBerry Addict
 
JerryD's Avatar
 
Join Date: Oct 2005
Location: Brooklyn, NY
Model: 9000
OS: 5.0.0.106
Carrier: AT&T
Posts: 877
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by yimpster
Slightly off topic I'm afraid. I am an IT admin with a high concern over the security of our BBs.

I am concerned about the wipe feature of the Blackberry, as I do not want our data to be recoverable after the wipe.

However, there seem to be plenty of data recovery experts offering the ability to recover data off of BBs.

Ontrack say they can recover data, however when pushed if they can recover from wiped BBs they have not returned my call as promised.

I would like to ensure that there is the highest percentage of security when returning BBs to providers or switching users etc.

Any ideas gratefully received - plus top notch forum been reading ALL morning.
I think you need to ask RIM rather than Ontrack, the issue being does a wipe actually delete the data - replace all data with nulls, or does it only delete the underlying data structure. I suspect it's the former given how long a wipe takes. Also, unlike magnetic media, silicon media doesn't retain a "shadow" of the data formerly held (as far as I know anyway!).

That said, there are two things you can do as a BES admin to make devices secure.

First, set your IT Policy to require a password. Given that 10 failed attempts will automatically wipe the device, you may not need to require as strong a password as you would on a network where typically an account will be locked for only a short period of time. Also, if you do this, anticipate two things. First, that 7100 series have a keyboard that's difficult to use for passwords. Recommend to your users that they use a password that's easy to enter on their keyboards. Second, anticipate users leaving your BES environment so you can send them a blank IT policy that won't require them to use a password. Replacing the IT Policy is a real pain once the user's BES account has been disabled.

Second, Encryption is also available on the Blackberry which you can also enforce via IT Policy. I don't know how this comes into play when accessing the data by other means, but I do know one thing - a Blackberry 8700 (which has the FASTEST processor on ANY BB) with an average amount of data which was compressed (default) and encrypted (not default) took over FOUR HOURS to wipe! Again, check with RIM, but I suspect that the wipe performed something like a DES wipe which replaces the data with NULLS, and when Encryption is on it does it more than once. An 8700 without encryption typically takes around 10-15 minutes to wipe. I know I indicated it shouldn't be necessary to replace data with NULLS more than once given the media is silicon rather than magnetic, but I suspect it's a requirement of a DES wipe to replace the data multiple times, and Blackberry is the only thing (most) DOD services will use, so RIM is very careful to be as compliant as possible.
__________________
.
.
J

Offline  
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.