BlackBerry Forums Support Community

BlackBerry Forums Support Community (
-   BlackBerry In the News (
-   -   BlackBerry = Security Hmmmm, maybe not... (

ZombieBerry 01-20-2014 11:05 AM

BlackBerry = Security Hmmmm, maybe not...
The strange connection between the NSA and an Ontario tech firm - The Globe and Mail

At the heart of digital security is the concept of encryption – making information indecipherable to anyone who doesn’t have the right passcode.

And since 1995, any software developer building encryption for technology they intended to sell to the American or Canadian government has had to consult something called the Cryptographic Module Validation Program. It’s a list of algorithms blessed by the CMVP that are, according to the government agencies that publish it, “accepted by the Federal Agencies of both countries for the protection of sensitive information.”

“This has been known since 2006,” said Steve Marquess, co-founder of the OpenSSL Software Foundation. “Why the heck was this officially blessed? A lot of my colleagues and a lot of people in the cryptography community are asking that question.”

Today, many of those people are coming to the conclusion that the flaws in the algorithm were not the product of sloppy work, but deliberately inserted to make it easy for at least one spy agency – the National Security Agency – to break the encryption.

Because the algorithm in question made it onto the CMVP, it was used by dozens of technology companies looking to make their products government-approved.

Such companies include BlackBerry Ltd. – which not only uses the algorithm, but also owns the patent on the concepts that form its foundations.

In addition to BlackBerry, companies such as RSA Security LLC, Cisco Systems Inc., Samsung Electronics Co. Ltd., Symantec Corp. are all known to have implemented the algorithm in some of their products.

And the revelation that American and Canadian agencies (the CMVP is a joint venture between the U.S. National Institute of Standards and Technology and the Communications Security Establishment Canada) gave its blessing to a compromised encryption scheme has erupted into a major scandal within the cryptography community, the roots of which can be traced back to a Mississauga computer security firm.

In early 2005, two employees at Mississauga-based Certicom Corp. began filing a patent application for a type of random number generator using a mathematical concept called elliptic curves. The patent also described another functionality – a set of keys that could be used, for example, by “trusted law enforcement agents” to do an end-run around the encryption. (Dan Brown, one of the Certicom employees who filed the patent, did not respond to a request for comment.)

At the time, the patent generated relatively little interest. But in 2007, the NIST released its new list of approved encryption algorithms. There were four items on the list, one of which was called Dual Elliptic Curve Deterministic Random Bit Generator, or Dual_EC_DRBG for short.

From the very beginning, cryptographic researchers noticed something strange about

Dual_EC. In 2007, two Microsoft researchers showed that the algorithm contained a set of constants that, when combined with a secret key, could essentially break the encryption generated by Dual_EC. In effect, Dual_EC implemented in the real world a version of the backdoor described in the Certicom patent.

Nobody could say for certain who had the secret key. But the very existence of such a backdoor caused security researchers to strongly urge a boycott of Dual_EC.

“While we were saying don’t use it, don’t use it, government contractors were demanding it,” security researcher Bruce Schneier said.

For years, many wondered why the NIST in America and CSEC in Canada would continue to give their official blessing to a compromised algorithm. Last year, a potential answer to that question emerged, when documents leaked by Edward Snowden revealed the NSA to be a holder of the Dual_EC secret keys – essentially, allowing the spy agency to crack the encryption at will. In addition, a Reuters report in December revealed that the NSA had paid RSA Security LLC $10-million to continue making Dual_EC the default form of encryption on its products.

In BlackBerry’s case, an NIST fact sheet shows the company implemented the algorithm as part of its cryptography toolkit for its BlackBerry 10 Enterprise service, among other products. But BlackBerry’s relationship with Dual_EC is even closer than other companies. In 2009, the company purchased Certicom – in the process acquiring the patent that forms the basis for the Dual_EC algorithm.

Given the company’s adamant denials in recent years that it offers backdoor access to intelligence agencies, critics argue BlackBerry owes its customers and shareholders an explanation.

“While it is true that many engineers and others were aware of this compromised algorithm, and the engineering security community as a whole is now dealing with this apparent lack of integrity among its members, in the case of BlackBerry’s knowledge of the backdoors the implications are far more serious,” said Ronald Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Users of BlackBerry the world over … must now assume without evidence to the contrary that all of their communications are shared with security services, and possibly industry competitors as well.”

BlackBerry did not respond to a request for comment for this story.

A CSEC spokesperson would not say whether the Canadian agency had any say in including Dual_EC in the list of approved algorithms. “Guidance approved by NIST and CSE recommends several different algorithms which commercial developers can choose to implement in their products,” the spokesperson said. “CSE continually reviews its guidance on algorithm use. Accordingly, we will update our guidance once our latest review, currently under way, is complete.”

In September, the NIST began urging users not to use Dual_EC any more. A spokesperson said “community concerns” prompted the change. “NIST takes seriously the concerns of the cryptographic community, which plays an integral role in the development of cryptographic standards,” the spokesperson said.

But researchers are now questioning what other backdoors have yet to be discovered, and whether the NSA made similar payments to other companies to keep flawed algorithms in use. “This is the poison of NSA action, they taint everything,” Mr. Schneier said. “You have no idea what has been tainted, so you think everything is tainted.”

cowgirl05 01-24-2014 10:51 PM

Re: BlackBerry = Security Hmmmm, maybe not...
I'm so angry and feel SO stupid! I think I remember reading an article once about how some third world, or tyrannical governments forbade BlackBerries for their people. Because of the security of the BlackBerry, they couldn't spy on the people and at the time, RIM wasn't releasing the info to allow them to do so. Now I find that A) I saved my money to buy a Q10 and it was foolish. I like the Q10 a lot, don't get me wrong. But basically, it's kind of a android with a lot fewer app choices. A LOT fewer. B) I've talked friends into getting a BlackBerry because "they are secure, they set the standard for security. It's one of the things BlackBerry is known for". I'm sending them apology letters.....I can only speak for myself of course, but the one thing that BlackBerry had that I knew google based OS didn't was the security. Now we find out that not only does NSA have the ability to spy on us as well, but it's not like the NSA broke the code or something, no, BlackBerry GAVE it to them! The one thing that BlackBerry had that encouraged, at least MY & my business's customer loyalty is gone. While BB has survived a small app world, delayed releases, delayed software updates, changing CEOs and the host of other problems, I don't think it will survive this. But, I've been wrong before, after all, I've been buying BlackBerrys for years now. Sorry, that was kind of snarky. Thank you though, very much for the article ZB.

ZombieBerry 01-25-2014 12:33 AM

Re: BlackBerry = Security Hmmmm, maybe not...
Well, according to their official response. they do own the company responsible for the dual ec (bought after it was developed) but they (BlackBerry) says they do not use it in their current or past devices.

tsac 01-25-2014 01:38 PM

Re: BlackBerry = Security Hmmmm, maybe not...
And Canada is south of the Mexican boarder. Why would Blackberry lie? Besides there is no snow in Canada and Blackberry is really made from Blueberrys!!

cowgirl05 01-25-2014 04:45 PM

Re: BlackBerry = Security Hmmmm, maybe not...
This article is from 2010. Now I'm looking for the official BlackBerry response ZB mentioned and this is one of the articles I ran across. It seems to say the sellout happened long ago!

Is RIM Allowing Government Spying Or Not? - BerryReview

I am totally confused here. On one hand RIM has issued a statement to multiple news sources that “RIM assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution.” On the other hand we have the India Times reporting that “Research in Motion (RIM) has for the first time agreed to allow Indian security agencies to monitor its BlackBerry services.”

So which one is it? According to the India Times:

The company (RIM) has offered to share with security agencies its technical codes for corporate email services, open up access to all consumer emails within 15 days and also develop tools in 6 to 8 months to allow monitoring of chats… With regard to its general consumer email, RIM has said the services provided by Bharti Airtel, Vodafone Essar, Loop and Tata can already be monitored. RIM also assured that it is working with mobile phone companies like Aircel, BSNL, MTNL, Idea and Reliance Communications to install the requisite infrastructure to ensure that general consumer emails offered by these firms are in formats that can monitored by security agencies within the next 15 days, documents with the telecom ministry said. Voice and SMS services on BlackBerry handsets can be intercepted by security agencies here, the DoT’s internal note adds.

Now on the other hand RIM has issued the following statement that we saw on IntoMobile:

Due to recent media reports, Research In Motion (RIM) recognizes that some customers are curious about the discussions that occur between RIM and certain governments regarding the use of encryption in BlackBerry products. RIM also understands that the confidential nature of these discussions has consequently given rise to speculation and misinterpretation. RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers. While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments.

Many public facts about the BlackBerry Enterprise Server security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, should help our customers maintain confidence about the security of their information.

RIM operates in over 175 countries today and provides a security architecture that is widely accepted by security conscious customers and governments around the world.
Governments have a wide range of resources and methodologies to satisfy national security and law enforcement needs without compromising commercial security requirements.
The use of strong encryption in wireless technology is not unique to the BlackBerry platform. Strong encryption is a mandatory requirement for all enterprise-class wireless email services.
The use of strong encryption in information technology is not limited to the wireless industry. Strong encryption is used pervasively on the Internet to protect the confidentiality of personal and corporate information.
Strong encryption is a fundamental requirement for a wide variety of technology products that enable businesses to operate and compete, both domestically and internationally.
The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data.
The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
The BlackBerry security architecture was also purposefully designed to perform as a global system independent of geography. The location of data centers and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted).

RIM assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution.

So now I am still confused. Which one is it? Do they allow government monitoring or not? Maybe BES server email is excluded? What do you make of it? Maybe these governments will tackle how frustrating it is to open an envelope without the receiver noticing it was tampered with…

tsac 01-25-2014 10:34 PM

Re: BlackBerry = Security Hmmmm, maybe not...
Ok so I'm not trying to start a twitter war here but you must be very naïve if you think governments are not able to monitor virtually all data sent today. Email, cell calls, land line or other data sent wirelessly or via a wire. Once it leaves your device it becomes public domain data and free to monitor. Most people who are trying to hide something either illegal or some form of terrorism are the ones they are after. Company's also routinely monitor ALL data sent by its employees and I would also say all large company's require some form of release or acceptance to a code of conduct.
I would not get too worried and just go about your business and you should never have need to be concerned.
You can search the internet for company’s selling SIMS type software and read how easy it has become to monitor.

All times are GMT -5. The time now is 02:10 AM.

Powered by vBulletin® Version 3.6.12
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.