With the recent security of the BlackBerry infrastructure put into question this month in the Middle East and India I thought I would cover what exactly IS secured on your BlackBerry. These governments are unhappy that they cannot view encrypted messages sent to a BlackBerry but I think most people don’t realize what is encrypted. Since its inception very few email and instant messaging protocols and services have used any encryption since the protocol naturally moves in clear text.
The thing to note is that if you are not on a BlackBerry Enterprise Server little is encrypted! That means if you are using your carriers BIS (BlackBerry Enterprise Server) to receive email on your BlackBerry that communication is NOT encrypted. It might be encrypted between RIM’s BIS infrastructure and your mail server but between your device and RIM’s infrastructure it goes in the clear. The only thing that is regularly encrypted on a regular device is SSL websites like your bank when you are browsing the internet and to a separate degree PIN and BlackBerry Messenger messages. RIM has been very honest about this by specifically stating that it is only BES traffic that is encrypted beyond these governments reach.
BlackBerry Internet Service Encryption
RIM clearly states this in their knowledge base:
Email messages sent between the BlackBerry Internet Service and the BlackBerry Internet Service subscriber’s BlackBerry smartphone are not encrypted. When transmitted over the wireless network, the email messages are subject to the existing or available network security model(s).
That means that the only protection is what your carrier offers by encrypting their wireless traffic using the standard 3G and 2G protocols. If a carrier is tapping the line and giving the government access to sniff the traffic then they are seeing all of this communication in the clear. RIM has even admitted that they would provide such a wiretap if they were required by a court order though they would not decrypt the traffic which is not necessary since it is not encrypted in the first place.
BlackBerry Enterprise Server Encryption
Now you might ask what is encrypted. If your device is on a BlackBerry Enterprise Server then all email sent between the BES server and your device is encrypted using Triple DES (3DES) or AES encryption. Please note that if you have both BES and BIS email on your device ONLY the BES email is encrypted. This encryption for BES email means that ONLY your company can decrypt these messages. RIM does not and cannot provide these keys to a government organization. Other applications that are designed and let you choose to work over your BES MDS connection can also make use of the Transcoder API to also communicate securely but by default applications usually DO NOT use this API.
BlackBerry Messenger and PIN to PIN messages
When it comes to PIN messaging and BlackBerry Messenger there is a bit of confusion. RIM clearly states that:
The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives. Your organization can use a global PIN encryption key, a PIN encryption key that is specific to your organization, or both.
That means that it is up to your BES admin to decide if messages between users on your BES server are encrypted with RIM’s global key that they can provide governments or a private organization key that will encrypt messages within your company with a key that RIM does not know.
So all in all I think these governments that are banning BlackBerrys need to truly understand how this all works. For example, ActiveSync is the technology most other devices use to sync Exchange data over the air. That by default is not encrypted but just as easily can use a certificate. Other email protocols like POP3 and IMAP are also not encrypted by default but can just as easily add an SSL certificate to encrypt that traffic. RIM truly is not unique in this since even Gmail’s website now uses SSL traffic for all email by default… While SSL might be easier to crack it is all based on the same encryption concepts so they are relatively similar.
Any other questions? In short RIM cannot and will not ever share the BES encryption keys so I am not sure what these countries want from them…