
FAQ: What Communication Is Encrypted on Your BlackBerry

With the security of the BlackBerry infrastructure put into question this month in the Middle East and India, I thought I would cover what exactly IS secured on your BlackBerry. These governments are unhappy that they cannot view encrypted messages sent to a BlackBerry, but I think most people don’t realize what is actually encrypted. Since their inception, very few email and instant messaging protocols and services have used any encryption; the protocols naturally move in clear text.

The thing to note is that if you are not on a BlackBerry Enterprise Server, little is encrypted! That means if you are using your carrier’s BIS (BlackBerry Internet Service) to receive email on your BlackBerry, that communication is NOT encrypted. It might be encrypted between RIM’s BIS infrastructure and your mail server, but between your device and RIM’s infrastructure it goes in the clear. The only things that are regularly encrypted on a regular device are SSL websites like your bank when you are browsing the internet and, to a separate degree, PIN and BlackBerry Messenger messages. RIM has been very honest about this by specifically stating that only BES traffic is encrypted beyond these governments’ reach.

BlackBerry Internet Service Encryption

RIM clearly states this in their knowledge base:

Email messages sent between the BlackBerry Internet Service and the BlackBerry Internet Service subscriber’s BlackBerry smartphone are not encrypted. When transmitted over the wireless network, the email messages are subject to the existing or available network security model(s).

That means that the only protection is what your carrier offers by encrypting its wireless traffic using the standard 3G and 2G protocols. If a carrier is tapping the line and giving the government access to sniff the traffic, then they are seeing all of this communication in the clear. RIM has even admitted that it would provide such a wiretap if required to by a court order, though it would not decrypt the traffic; that is not necessary anyway, since the traffic is not encrypted in the first place.

BlackBerry Enterprise Server Encryption

Now you might ask what IS encrypted. If your device is on a BlackBerry Enterprise Server, then all email sent between the BES server and your device is encrypted using Triple DES (3DES) or AES. Please note that if you have both BES and BIS email on your device, ONLY the BES email is encrypted. This encryption of BES email means that ONLY your company can decrypt these messages; RIM does not hold these keys and cannot provide them to a government organization. Other applications that are designed to work over your BES MDS connection, and that you choose to route that way, can also use the Transcoder API to communicate securely, but by default applications usually DO NOT use this API.

BlackBerry Messenger and PIN to PIN messages

When it comes to PIN messaging and BlackBerry Messenger, there is a bit of confusion. RIM clearly states that:

The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives. Your organization can use a global PIN encryption key, a PIN encryption key that is specific to your organization, or both.

That means it is up to your BES admin to decide whether messages between users on your BES server are encrypted with RIM’s global key, which RIM can provide to governments, or with a private organization key that encrypts messages within your company using a key RIM does not know.
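To make the difference between the two key types concrete, here is an added example (not RIM’s code or anything from the BlackBerry platform) that models a PIN message sealed under either a shared "global" key or an organization-only key, with AES-256-GCM standing in for RIM’s unspecified PIN cipher; the key labels, the derivation from those labels and the sample message are all constructed for the example. Any party holding the global key can read global-key traffic, while traffic under an organization key fails to open for anyone who never had that key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// gcmFor builds an AES-256-GCM cipher from a key label. The labels stand in for
// the two key types quoted above: "global", held by every device and the vendor,
// and an organization key such as "org-acme" held only by that company's BES.
// Labels and keys are constructed for this example, not real BlackBerry keys.
func gcmFor(label string) cipher.AEAD {
	key := sha256.Sum256([]byte("pin-key:" + label))
	block, err := aes.NewCipher(key[:]) // 32-byte key, so this cannot fail
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// SealPIN encrypts a PIN message under the named key; the random nonce is
// prepended so the recipient needs only the key to decrypt.
func SealPIN(keyLabel string, msg []byte) []byte {
	gcm := gcmFor(keyLabel)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error on supported platforms
	return gcm.Seal(nonce, nonce, msg, nil)
}

// OpenPIN decrypts with the named key; GCM's tag makes a wrong key fail outright.
func OpenPIN(keyLabel string, sealed []byte) ([]byte, error) {
	gcm := gcmFor(keyLabel)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// CanRead reports whether a party holding observerKey can read a message sealed under msgKey.
func CanRead(msgKey, observerKey string, msg []byte) bool {
	got, err := OpenPIN(observerKey, SealPIN(msgKey, msg))
	return err == nil && string(got) == string(msg)
}
```

The point for an admin is that switching a BES to an organization-specific PIN key is what removes the vendor (and anyone it is compelled to share with) from the set of parties able to read those messages.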

So all in all, I think these governments that are banning BlackBerrys need to truly understand how this all works. For example, ActiveSync is the technology most other devices use to sync Exchange data over the air. By default it is not encrypted, but it can just as easily use a certificate. Other email protocols like POP3 and IMAP are also not encrypted by default but can just as easily add an SSL certificate to encrypt that traffic. RIM truly is not unique in this, since even Gmail’s website now uses SSL for all email by default. While SSL might be easier to crack, it is all based on the same encryption concepts, so they are relatively similar.

Any other questions? :) In short RIM cannot and will not ever share the BES encryption keys so I am not sure what these countries want from them…

5 total comments on this post
  1. Thanks for the explanation. It really shows these Governments don’t have a clear knowledge and understanding of how BlackBerry works :(

  2. What? Overbearing governments being out of touch and having no clue what they are talking about and resorting to drastic solutions to problems they don’t properly understand? That’s unpossible…

  3. It’s easy to complain when you don’t understand the technology. I like Mike’s response, and I’ll paraphrase, “The Internet is encrypted… deal with it!” I think what he was leading to was MSN, gmail, and other webmail providers, as well as a ton of other mail services, support SSL/TLS encrypted mail. Those countries are complaining about something RIM can do little about. RIM cannot get a corporate BES key any more than they can. RIM cannot provide them gmail’s SSL key either, nor can Apple or Google, for that matter. I believe the deal is that RIM’s BBM messages are encrypted and they want RIM to give them the key or turn it off — doing so will accomplish nothing except to hurt the company’s image. I’m glad Mike stood firm on that. Again, what are you going to say to the other messaging providers like Google Mail, MSN, and others? Good luck with that!

  4. SSL using AES 128-bit keys isn’t easy to crack — that’s what most banks use. Browsers usually refer to it as “https”. Note that the emails themselves aren’t encrypted. The POP3 and SMTP protocols are simply overlaid with SSL/TLS to create an encrypted tunnel between client & server. The provider picks the encryption keys and cipher suite, but Google’s cipher is DES-CBC3-SHA. DES is not too difficult to crack with enough horsepower; however, the average person cannot, so it is sufficient security for WiFi or public network security.

  5. Keep in mind that SSL certificates have had a history of being faked by government spying agencies…
    http://www.zdnet.com/blog/government/eff-gmail-vulnerable-to-snooping-ssl-certificates-often-faked/8257


BlackBerry© is a registered Trademark of BlackBerry Limited. BerryReview is in no way affiliated with BlackBerry Limited though sometimes their lawyers send us love letters...

Copyright © 2007-2016 BerryReview LLC