Indian Govt. has asked RIM (maker of the BlackBerry smartphone) to provide access to the data going through its servers for intelligence purposes and it appears that BlackBerry has accepted the demands. Due to the lack of understanding of encryption on the part of Indian media, misleading and ambiguous reports have been published on the same. This blog post is an effort to clarify the same.
BlackBerry and Encryption
BlackBerry has two types of customers
1) Enterprise Customers
2) Normal Customers
For enterprise customers, a single secret key cryptography across the enterprise is used and this key is known only to enterprises. (roughly, the equivalent of saying that all enterprise employees have a copy of the key to the main gate of the office and no one except the office staff has the key). Given the current state of encryption technology, no one can “read” the actual(plain text) messages without getting hold of the key. So, any end-to-end encrypted communication cannot be deciphered by a third party(including RIM).
“RIM was also asked to give access to its algorithms so that security agencies here could decrypt messages.”[ET]
Now, this kind of reporting is a pure pig-shit and ignorance of technology on the part of the media. Even if the government knows the algorithm, it will not be of any use. In fact, for that matter, the source code of most encryption algorithms is publicly known. The power of encryption lies not in the algorithm but in the key which is used by the algorithm to generate encrypted text from plain text.
Interestingly, it seems that for normal customers, messages are sent from handset to server in an encrypted format (I believe it should be using public-key cryptography) using the sender’s key. De-encrypted at the server and re-encrypted for the receiver. So, the traditional approach of eavesdropping fails in this case. The only way to access “data” is through servers. That is what, I believe the Indian government(and a lot of other governments) is trying to get access to.
Is BlackBerry a “low-hanging fruit”
Well, there are two problems with this approach
1) Too much hue and cry
Given the hue and cry the government has created in the name of security, no terrorist is ever going to use BlackBerry anymore. Also, if they are adamant, they can always ask their Pakistani/Middle-east funders to establish some dummy enterprise and all of them become enterprise customers of the service and hence, “un-interceptable” again.
2) Current state of the smartphone market.
What if someone implements an android/iPhone app to do encryption on-the-fly between communicating parties? In fact, there are algorithms where even the key can be established over the wiretapped channel rendering the rest of communication encrypted, so even, after listening to initial communication, it becomes impossible to decipher the rest].
What it actually means (in my opinion)
Given the track record of the government in wiretapping for political purposes. I see no reason, why the government is irked at un-interceptable phones.
Suggestions
- It is being planned that a similar restriction will be put on Google(for Gmail) and Skype.
I believe even if the government is planning to do something of this sort, any announcement of this type defeats the [honest part of] intent. - Rather than going ahead with blind wire-tapping which will obviously fail as encrypted communication becomes more pervasive and the mammoth amount of data which is too much to be handled manually, so probably, NTRO should try a newer approach (perhaps pattern-based identification of terrorists)
Note: This article is factually correct to the best of my knowledge.
I might be lacking understanding but not a will to understand, so in case, there is a factual mistake or a logical flaw, please do point that out in the comments.
References:
- http://futureoftheinternet.org/blackberry-22
- http://www.schneier.com/blog/archives/2010/08/uae_to_ban_blac.html
- https://cpj.org/blog/2010/08/why-governments-dont-need-to-crack-the-blackberry.php
- http://economictimes.indiatimes.com/infotech/hardware/BlackBerry-to-open-code-for-security-check/articleshow/6249666.cms
- http://online.wsj.com/article/SB10001424052748704271804575405403458659166.html
- http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- http://www.outlookindia.com/article.aspx?265191
Nice post. Good summary of what’s happening.
Very good post. Hope to see more excellent posts in the future.
Thanks.
AFAIK NTRO/RAW/IB etc do tapping only on need to tap basis(there can obviously be tapping for ulterior motives but generally that’s the case). Problem of mountain of data therefore doesn’t arise in this case. There are rumours that terrorists in taj were using blackberry to chat.
@Piyush: if they are taping only on need-to-tap basis, the problem of mountains of data does not arise.
Regarding the Taj terrorists issues, even if the rumour is true
1) if blackberry is banned, they will start using some other smartphone which will have an app for that.
2) Govt should not have raised a hue-and-cry. [they should have forced blackberry to install a backdoor in the devices without disclosing it to public]. Now with such hue-and-cry, do you think terrorists will ever use BB?
Thanks Sumit.
good one
nice article. Cryptography is really interesting.
nice article…i would like to see more of it
if at all the servers of india were not able to encrypt the blackberry it would asked master control to the intelligence servers of india it is not a big deal to make such change in its app so that indian communication intelligence would be master server for bb in india