Blackberry Ban- The Stalemate Continues.

There have been reports stating that RIM has given into the demands of the Saudi government and placed a local RIM server which would allow the security agencies to snoop on the conversations happening over BBM/PIN2PIN. This was easy to achieve considering that there is only a single encryption key involved and that the key was easily available.

It would be interesting to know how the demands of other governments would be met by RIM. Indian government has been demanding that it needs access to the emails being sent using the Blackberry Enterprise Servers. UAE government has concerns in the emails being sent out of the country.

The BES architecture uses multiple keys which are dynamically generated and managed between the device and the BES Server.  Let us see what happens when Alice sends an email to Bob who is a blackberry user in the same organization.

1.       Alice sends an email message to bob’s email address using her desktop email client.
2.       The email server receives the email and sends it to bob’s mailbox.
3.       The BES server receives the email from the Mail Server to be delivered to Bob’s BB Device.
4.       The BES server compresses and encrypts the message using multiple message keys.
5.       The message key is encrypted using the device transport key.
6.       The encrypted message and the encrypted device transport key are sent to the device thru the RIM relay Servers.
7.       The message gets delivered over the air (OTA) to the blackberry device thru the wireless connectivity provided by the ISP.
8.       The device decrypts the message keys with the transport key.
9.       The device applies the message keys to the encrypted message and displays it to Bob.

So it’s the device transport keys which the governments are expecting RIM to provide them so that they could intercept and decrypt the emails passing thru their ISP networks.

So how is this Device Transport Key generated and maintained? The following details are from security documentation published by RIM.

“The BlackBerry® Enterprise Server and BlackBerry device negotiate to select the strongest algorithm that they both support (either AES or Triple DES) and use that algorithm to generate a device transport key during an over the air activation of the device.”

“By default, the BlackBerry® Enterprise Server and BlackBerry device generate subsequent device transport keys every 30 days. The BlackBerry Enterprise Server and BlackBerry device generate the device transport key using existing long-term public keys and the ECMQV key exchange algorithm to negotiate a device transport key. This method is designed so that a potentially malicious user is unable to calculate the device transport key. The BlackBerry Enterprise Server and BlackBerry device discard the key pair after they generate the device transport key.”

RIM seems to have made sure with this architecture that there is no way a third party (including itself) will ever get access to the device transport keys.

So there is a device transport key unique to every device and it changes every 30 days.  In a country with a million blackberry users even if half of them were BES enabled, the ISP would require quite a large infrastructure to hold and manage these keys and probably a super computer to apply the corresponding device transport keys to decrypt the message keys and then apply the message keys to the encrypted message and then decrypt and store them.  All this to intercept communication between terrorists!!   As mentioned in my previous post, after all the media attention and the government demands for interception the Osama’s and Obama’s would never use a blackberry to do any serious communication.

The question remains on how RIM would get hold of these keys. It has to either alter the device configuration to send the device transport keys to a local server, or it has to modify the BES Server architecture to upload the device transport keys to the local server in the country. Both of which are difficult to achieve as it involves a software upgrade either on millions of devices or on thousands of servers.

What every government is demanding is a copy of the device transport key of every device connected to a BES Server in the country. Let’s say that I work in India and my company’s blackberry server is in Timbuktu. The Indian government would not have the keys to see my communication!!  Wouldn’t this be the typical case of a terrorist? Assuming that the typical terrorist is a foreigner he would be using a blackberry device supported by an ISP of another country to which my local government doesn’t have keys. I wonder how many terrorists have a registered office and a datacenter to host a blackberry enterprise server!

If the RIM documentations about the architecture are to be believed there is no foolproof technical solution to address the concerns of these government entities. It’s hard to believe that the RIM technical team hasn’t been able to communicate the same to the government agencies and close the issue. So how will the stalemate end? Will blackberry be banned in these countries or will it be a face saving exercise of placing a local server in every country which would just display lines of encrypted text on the screens?  If that is the case RIM will add another product line to its portfolio:-Face Saving Relay Servers in different colors. The countries will get to choose from a Red, Orange or a BLACK BOX.

Osama & Obama have lost trust in their Blackberry Devices

As mentioned in my previous article, Blackberry Messenger uses the same encryption key on all devices. This would mean that if one could intercept the PIN message sent to another device it could be decrypted and read.  

RIM does give its customers an option to replace the default encryption key on the devices with a company specific key. This would limit the BBM communication to company devices only which have the same key.  It should also be noted that it is only the message body which is encrypted and not the header which will still carry the source and destination device PIN identifiers in clear text.

The Blackberry Messenger communication is a PIN 2 PIN (device to device) message which passes only thru the RIM Relay Servers.  The BES Server or the local ISP is not party to this communication and this is where the concerns raised by many national security bodies are coming from. They have no way of intercepting the Blackberry Messenger Communication.  The solution these governments have demanded is a local RIM Relay server thru which all PIN to PIN communication should flow so that they could intercept and decrypt it on a demand basis or even real time basis.

It is easy to comprehend here that once the messages are routed thru a local proxy server the global encryption key could be used to decrypt the message and make the content available to the local security agencies.  What I fail to understand is that as the devices were communicating to the RIM relay using the internet connectivity provided by the local ISP why couldn’t the ISP transparently proxy/mirror all communication to the RIM Server and use the Global Encryption key to decrypt it themselves. What action was required by RIM to enable the local ISP get access to these messages? There are no encryption keys which RIM is going to provide for doing this as this key is available on blackberry devices.

The solution seems quite simple to implement, but given that RIM operates in 175 countries and most governments having expressed their concerns on this issue would RIM be forced to run individual servers in each of these countries? Who would own and operate these servers? Where these servers would be placed physically?  In countries where there are multiple ISP’s providing Blackberry Services, would a separate server have to be placed at each ISP’s datacenter? So is this a really practical solution?

It is difficult to understand why was this issue given so much exposure and media attention? Was the concern only in the way the data was routed or was it the encryption technology that is being used or was it the unfortunate combination which is unique to RIM’s implementation which has put blackberries in this turmoil?

I doubt if any terrorist who is seriously concerned about secure communication will ever use a blackberry device after having read all these articles of how RIM has struck deals with different governments. Are there more reasons why these countries are demanding a local server?  Are there more demands which are not known to the media? The secret shroud around this issue certainly makes one curious on what is actually transpiring between RIM and the different Government entities!

In fact the conflicting statements made by RIM actually make even the diehard crackberry loose the trust in the device and the secure architecture which they have been preaching all these years. According to RIM the whole solution is so secure that no one even RIM could not intercept the messages flowing thru their servers. If that is the truth then what is it that they are negotiating with the different governments? I am sure they are not considering changing the underlying architecture on which it operates.

I am sure both Osama and Obama would seriously consider sending any confidential message using their blackberry devices. Yes they certainly would continue to use Facebook on blackberryJ.