BlackBerry encryption, time to talk turkey

With all the news these days of about encryption on the BlackBerry solution there is a great amount of misunderstood reporting in the media on just what is at stake between RIM and governments of the world. I'm not going to pretend that this article will be the ultimate encryption thesis it's my hope to explain things plainly and clearly.

As global terrorism rages, governments are trying to keep up with the perpetrators and the BlackBerry has become the symbol of all that is secure. Many government agencies themselves use BlackBerry devices for their security, so it's understandable that they would be concerned with encrypted communications of terrorist BlackBerry devices. Various countries have been in the news lately demanding that RIM give them the keys to read all the BlackBerry traffic within their countries. Many have put down deadlines if RIM does not comply they will close down all BlackBerry traffic inside that country. That potentially wouldn't be a problem is these demand were being made by Madagascar but the countries are India and United Arab Emirates.

This situation has come up in the past and the reaction from the media or the man on the street is always the same. "I thought BlackBerry was secure? If RIM has the key to give to that country will they give it every country?"  I'm not a spokesperson for Research in Motion so I can't answer on behalf of Mike & Jim - but I say the easy way out is to just say YES. I've been selling the BlackBerry professionally in the corporate space since 1999 and the BIS and Web Client product have never been positioned as a secure communication. If I send an email from my @carrier.blackberry.net account to my wife's Gmail account the message is a wide open communication over the net.

As for PIN to PIN, although the it's been widely assumed that PIN to PIN is encrypted that is only partially true.  As I covered in a previous article PIN messaging uses a common encryption key shared by all BlackBerry devices.  My impressions of the stories in the press, is that RIM is negotiating giving all the encryption keys to government's who blackmail them - and this is simply not the case. What's at stake here is BIS email, PIN to PIN, BIS browsing & BlackBerry Messenger traffic. All of this data is over the public network using the generic encryption key shared by all BlackBerry devices, NOT the BlackBerry Enterprise Server. This is something RIM can't give to anyone who asks for the key because RIM does not have the keys to BES encryption.

For those of you joining the game in progress, the BlackBerry Enterprise Server (BES) is a server that resides behind your companies firewall and is a link between your corporate mail server and the corporate BlackBerry devices. When a corporate BlackBerry device is first provisioned on the BES a unique key using AES 256-bit encryption is generated with random bits of data. If this is total techo-weenie speak, if the key generated was 10 characters long a P4 1.6 GHz with 512 MB of RAM would take 2,304 years to brute force.

RIM doesn't have this key?

No they don't. The key is never revealed to RIM at any point of the message flow. The end user of the BlackBerry doesn't know they key, it's generated randomly by your BlackBerry device and is store on your BlackBerry and the BES. My boss and I are both on the same BES but have unique encryption keys. If a government wants to know what messages flow to and from corporate BlackBerry devices attached to a BES, they will need to show up and seize the company's mail server that is the only location where the unencrypted messages can be found. The mail server is the weak link if it resides in a country whose government wants the data.

Sample Scenario - How to Create a Secure BlackBerry Environment

If you're Col. Hannibal Smith and wanted a secure link between you and your A-Team you need a BES.

• Install a Microsoft Small Business Server and BES Express on a laptop
• Have a programming master to create a script that runs the mailbox management tools every 60 minutes to wipe each users inbox/sent/deleted items
• Force a password lock on all your BlackBerry devices through IT policies
• Use a dynamic DNS IP-update client
• Move the laptop from location to location frequently

In this situation all communications will be completely secure between BlackBerry devices attached to the BES and Col. Decker will not have the ability to see your conversations with BA, Face or Murdock.