  1. Enclavet's Avatar
    GPG and PGP are supposed to be compatible and I think they are. The problem might be something else related to the crypto. I notice that even pure-PHP and pure-Perl implementations of OpenPGP (using the same crypto libs as GnuPG) do not decrypt on the BlackBerry. JavaScript libs like openpgp.js use their own crypto libraries. Also note that PGPgp (the BlackBerry app) is based on openpgp.js.

    If anyone wants to test real easy if this is the problem, use the whiteout.io client (pure JavaScript email client) to send an email to an ActiveSync server connected to your BlackBerry. I bet you will be able to decrypt the message.
    MeerMusik likes this.
    09-02-15 11:42 PM
  2. polytan02's Avatar
    I personally think that's much simpler than that: BB10 recognises if the email received is sent from a BlackBerry environment or not.
    - If yes, it decrypts the message which is sent in a perfect way for the system to know exactly what to do
    - If no, then display a ****ty message like "sorry but I cannot decrypt"

    I suppose they do this to be sure to decrypt (forcing the email to be in a certain manner) and lock the user in their environment.


    Enigmail can decrypt all the GPG/PGP messages I have received so far, so why couldn't BlackBerry?

    Posted via CB10
    09-04-15 02:52 AM
  3. geodorn's Avatar
    I personally think that's much simpler than that: BB10 recognises if the email received is sent from a BlackBerry environment or not.
    - If yes, it decrypts the message which is sent in a perfect way for the system to know exactly what to do
    - If no, then display a ****ty message like "sorry but I cannot decrypt"

    I suppose they do this to be sure to decrypt (forcing the email to be in a certain manner) and lock the user in their environment.
    If it was intentionally designed this way, this would be some kind of device to device chat and pretty useless.


    posted via CB10 on a Classic
    09-04-15 05:38 AM
  4. Enclavet's Avatar
    Yup, I did notice a different issue also. As mentioned by someone else in this thread, the Exchange environment matters also. When using Mail-in-a-Box, the system doesn't even identify encrypted mails as encrypted, so the BlackBerry doesn't even try to decrypt it. The email is just blank. I just spun up a Yunohost box (as mentioned by you) and that works. Encrypted emails are identified correctly and it will decrypt emails.

    I got my script up and running; it works with all MIME types generally (at least the ones I can test). The BlackBerry decrypts them fine also. When it's clean enough I'll just throw it up on GitHub and release it here for anyone that wants it. Basically it takes the email from stdin and spits out PGP/MIME encrypted email to stdout. I use it in a Dovecot Sieve script so that it can be defined for each user on my system (separate public key also). All incoming emails to my box are encrypted and I can decrypt on the BlackBerry. Will get the steps to do that also if you want to replicate my setup.
    09-04-15 04:20 PM
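The stdin-to-stdout wrapper described above is not shown in the thread; the following is an added example (not from the thread or the openpgpit project) of how such a filter re-packages an incoming message as RFC 3156 PGP/MIME so a client sees a normal `multipart/encrypted` message. It assumes `gpg` is installed with the recipient's public key in the server keyring; `SAMPLE` is a constructed message and `KEYID` is a placeholder for your own key id.

```python
import subprocess
import sys
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed sample input (not a real mail); the filter normally reads stdin.
SAMPLE = (b"From: alice@example.org\r\nTo: bob@example.org\r\nSubject: test\r\n"
          b"Content-Type: text/plain; charset=us-ascii\r\n\r\nconstructed body\r\n")

def gpg_encryptor(key_id):
    """Encrypt via the gpg CLI; key_id must already be in the server's keyring."""
    def encrypt(plaintext: bytes) -> str:
        cmd = ["gpg", "--batch", "--armor", "--trust-model", "always",
               "--encrypt", "--recipient", key_id]
        return subprocess.run(cmd, input=plaintext, check=True,
                              capture_output=True).stdout.decode("ascii")
    return encrypt

def pgp_mime_wrap(raw: bytes, encrypt) -> bytes:
    """Re-package a raw RFC 822 message as an RFC 3156 multipart/encrypted one;
    `encrypt` maps plaintext bytes to an ASCII-armored OpenPGP message."""
    orig = message_from_bytes(raw, policy=policy.SMTP)
    # Plaintext = original body plus its Content-* headers, so the client can
    # render the decrypted part (text, html, attachments) as it was received.
    inner = message_from_bytes(raw, policy=policy.SMTP)
    for name in set(inner.keys()):
        if not name.lower().startswith("content-"):
            del inner[name]
    if "Content-Type" not in inner:
        inner["Content-Type"] = "text/plain"  # RFC 3156 wants a MIME body part
    armored = encrypt(inner.as_bytes())       # SMTP policy => CRLF line endings
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted",
                          policy=policy.SMTP)
    for name, value in orig.items():          # keep From/To/Subject/Date etc.
        if not name.lower().startswith("content-") and name.lower() != "mime-version":
            outer[name] = value
    version = MIMEApplication(b"Version: 1\r\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit, policy=policy.SMTP)
    version["Content-Description"] = "PGP/MIME version identification"
    body = MIMEApplication(armored.encode("ascii"), "octet-stream", name="encrypted.asc",
                           _encoder=encoders.encode_7or8bit, policy=policy.SMTP)
    body["Content-Description"] = "OpenPGP encrypted message"
    body["Content-Disposition"] = 'inline; filename="encrypted.asc"'
    outer.attach(version)
    outer.attach(body)
    return outer.as_bytes()

if __name__ == "__main__":  # stdin -> stdout filter; KEYID is a placeholder
    sys.stdout.buffer.write(pgp_mime_wrap(sys.stdin.buffer.read(), gpg_encryptor("KEYID")))
```

Only the public key is needed on the server; the private key stays on the client, which is what keeps mail stored on a compromised server unreadable.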
  5. polytan02's Avatar
    That sounds great, but what is the point of doing so?

    You want to be protected in case someone steals your emails?

    How is it managed when you write to someone not using GPG?

    Posted via CB10
    09-05-15 05:04 PM
  6. tickerguy's Avatar
    If you're worried about data at rest FDE the server and turn on encryption on the device... Pgp and S/MIME are about end-to-end encryption.

    Posted via CB10
    09-05-15 05:48 PM
  7. Enclavet's Avatar
    With a little more scripting you can filter your encrypted mails to re-encrypt using openpgp.js. That way anyone that sends you encrypted PGP emails will be viewable on your device. Why I don't suggest this is because it means keeping your private key on your server. I might do it if I have time.

    Regarding encrypting at the storage level, that only helps when someone steals the data when the system is off. How do you protect against someone that gains access to your system? Also, about why I would do this: every little bit helps in this game.

    Posted via CB10
    09-05-15 09:52 PM
  8. tickerguy's Avatar
    Regarding encrypting at the storage level, that only helps when someone steals the data when the system is off. How do you protect against someone that gains access to your system? Also, about why I would do this: every little bit helps in this game.

    Once you're signed into the phone (e.g. it is unlocked) the private key for decryption is unlocked and the phone will use it, so there's no protection if someone manages to seize your device while it is in that state.

    If someone gains access to the server (e.g. hacks into it) you must presume they can remain there until you log into it, at which point the key is unlocked and they have unrestricted access. For a physical intrusion situation a duress/chassis intrusion switch can force a reset or (better) power down.

    Re-encrypting an email in transit is rather foolish as you (properly) noted that requires an unlocked private key on the server. ANY intrusion into a machine with that key present on it requires a presumption that it has been compromised and thus so have the contents of anything ever encrypted with it. That's a very bad idea.

    Assumptions are the mother of all F-ups.
    09-06-15 08:31 AM
  9. Enclavet's Avatar
    Even with PGP encrypted end-to-end, someone could do what you mentioned in the first scenario. You are screwed if someone gets into your client device in any situation. I'm not trying to protect against that.

    For the second scenario, the private key is always kept on the client device. The only key that is on the server is the public key, which is what I'm encrypting emails with. If an attacker gains access to my system they won't be able to read my emails (encrypted). That's the point. It's why secure email services like Protonmail, Tutanota, Mailbox.org all encrypt all incoming "unencrypted" emails, with Protonmail and Mailbox.org using PGP exactly like how I am doing it. The problem with PGP is that not everyone uses it, and while it was designed to protect the email end-to-end it can also help you protect what is stored on your server.

    Yes, to decrypt it and re-encrypt it on the server is foolish, but look at it this way: how hard is it to hack the server vs your device or client? Also, if you want PGP on your BlackBerry this is the only way short of having BES12. Most people would just give up but I'd rather not.

    Regarding a few more experiences I saw while building this environment. Like you mentioned before, MIME structure/spacing etc./Exchange protocols (I know nothing about this) all play a big part in whether the BlackBerry will decrypt it. But the encryption libraries also matter. It will not decrypt anything using GPG. The reason, as I tried to explain to you so many times, is because I am using the exact same MIME structured message that I get from my BlackBerry, the exact same PGP/MIME structure; the only difference is the encryption libraries I use. Pure JavaScript, no problem; every other library (based on GPG) doesn't. Also I built all the MIME structures by hand using Notepad because GPG and OpenPGP.js just do encryption/decryption, they don't build PGP/MIME structures for me.

    Either way the BlackBerry PGP implementation is related to how openpgp.js does it.
    09-06-15 12:37 PM
  10. Enclavet's Avatar
    Here is the script I use and instructions about how to setup your server (yunohost specific) to encrypt incoming emails.

    https://github.com/Enclavet/openpgpit

    I'm done with this subject now that I got what I want. It's up to BlackBerry to fix their implementation (don't think this will happen with the current state of BB10).

    Anyway cheers all.
    mprattmd likes this.
    09-06-15 08:26 PM
  11. polytan02's Avatar
    So, this code encrypts all your received emails using PGP on your local storage on the server, then your phone receives the encrypted message and decrypts it using the PGP key, right?

    What happens when you need to send an email to someone? Does he need to have your key or is it unencrypted?



    Posted via CB10
    09-07-15 05:13 AM
  12. uvampelj's Avatar
    I have tested PGP again on 10.3.2.500 and it is working totally fine with two Outlook 365 Exchange accounts.
    No BES needed.
    No more need for additional apps. Everything right in the hub, Finally!

    The only hassle is to import your private and public key. As tickerguy mentioned above the keys have to be in one file, you cannot import them separately. I'm using Gpg4win and had to export my private key via the command line of the GNU Privacy Assistant like this:

    gpg --export-secret-keys -a A1234567 > mysecretkey.asc

    where A1234567 is the ID of the key

    Then I copied my public key to the top of the mysecretkey.asc file, so both keys are combined

    Transferred the file to the SD card and imported it, you get asked for the passphrase et voilà!
    Hey I'm still having problems importing my private key.. cannot get it to work or exported under one file. If I succeed I get an error saying failed to import PGP key.
    Can you please explain in more detail the last part of this? (copied my public key to the top of...)

    Thx

    Posted via CB10
    09-08-15 10:08 PM
  13. tipplex's Avatar
    Will the key store password ever come back on BlackBerry 10?

    Posted via CB10
    09-09-15 03:50 AM
  14. tollfeeder's Avatar
    Hey I'm still having problems importing my private key.. cannot get it to work or exported under one file. If I succeed I get an error saying failed to import PGP key.
    Can you please explain in more detail the last part of this? (copied my public key to the top of...)

    Thx

    Posted via CB10
    Open the key files with a text editor, copy the text of the public key into the other file above the private key.

    Via Pasta CB10
    uvampelj and jerobarraco like this.
    09-09-15 04:19 AM
  15. uvampelj's Avatar
    Thx, that solved it.

    Posted via CB10
    09-09-15 05:37 AM
  16. polytan02's Avatar
    Yeah, to import your private and public key, you need them to be in a single file.

    Posted via CB10
    09-09-15 06:35 AM
  17. uvampelj's Avatar
    Ok, got the keys all sorted out and lucky me, since I've abandoned Gmail and switched to Zoho, they also have Exchange set up, so no problem there.
    Encrypting and sending works perfectly, but I get an error while trying to open the email. Basically the email is downloading and when it gets to 95% it stalls and eventually I get an error stating:
    This email cannot be downloaded in the alloted time. Check your network connections and try again.

    Anyone having similar problems?

    Posted via CB10
    09-09-15 10:35 AM
  18. Enclavet's Avatar
    So, this code encrypts all your received emails using PGP on your local storage on the server, then your phone receives the encrypted message and decrypts it using the PGP key, right?

    What happens when you need to send an email to someone? Does he need to have your key or is it unencrypted?
    At that point your client should encrypt it using the recipient's public key like a normal PGP sending process. I don't touch outgoing emails.
    09-09-15 11:53 AM
  19. Enclavet's Avatar
    Ok, got the keys all sorted out and lucky me, since I've abandoned Gmail and switched to Zoho, they also have Exchange set up, so no problem there.
    Encrypting and sending works perfectly, but I get an error while trying to open the email. Basically the email is downloading and when it gets to 95% it stalls and eventually I get an error stating:
    This email cannot be downloaded in the alloted time. Check your network connections and try again.

    Anyone having similar problems?

    Posted via CB10
    Many reasons for this. What email client sent you the encrypted email?
    09-09-15 11:55 AM
  20. tickerguy's Avatar
    Ok, got the keys all sorted out and lucky me, since I've abandoned Gmail and switched to Zoho, they also have Exchange set up, so no problem there.
    Encrypting and sending works perfectly, but I get an error while trying to open the email. Basically the email is downloading and when it gets to 95% it stalls and eventually I get an error stating:
    This email cannot be downloaded in the alloted time. Check your network connections and try again.

    Anyone having similar problems?

    Posted via CB10
    This is PROBABLY an issue with the Exchange server you're talking to.
    09-09-15 02:41 PM
  21. uvampelj's Avatar
    I have two zoho mail accounts, so I've sent a test msg from hub from one email to another.
    On both I can activate secure email settings.
    But if I check the email from browser I see two untitled attachments in it with .dat extension.

    Posted via CB10
    09-09-15 07:47 PM
  22. polytan02's Avatar
    At that point your client should encrypt it using the recipient's public key like a normal PGP sending process. I don't touch outgoing emails.
    I agree with you.
    I'm interested, but I really don't get what happens for outgoing emails.

    Any details ?

    Posted via CB10
    09-10-15 02:55 AM
  23. Enclavet's Avatar
    I agree with you.
    I'm interested, but I really don't get what happens for outgoing emails.

    Any details ?

    Posted via CB10
    Outgoing email is left completely alone. If your client sends unencrypted, it will go out unencrypted. If your client sends out encrypted, it will be encrypted, but you obviously need to use the correct public key (the recipient's). Not sure if the BlackBerry has great PGP key management, but most clients like Enigmail, PGP tools on Mac etc. have the ability to look up on a public key server by the recipient email address and give your client the public key published by that person. The client will then encrypt it using that key and then you send it to that person encrypted. And the only one that can decrypt it is the private key associated with that public key, which we assume the recipient kept safe on their own client.
    09-10-15 12:13 PM
  24. polytan02's Avatar
    So to summarize, the only action is to encrypt the emails for local storage?

    Isn't SSL sufficient for your phone to communicate with your server?
    I'm really not sure of the interest. Local encryption, I guess?

    Posted via CB10
    09-10-15 02:49 PM
  25. ofutur's Avatar
    So to summarize, the only action is to encrypt the emails for local storage?

    Isn't SSL sufficient for your phone to communicate with your server?
    I'm really not sure of the interest. Local encryption, I guess?

    Posted via CB10
    I'm also puzzled by this config since anybody who has access to the server (admin/co-host/hacker) can grab the decryption key. The whole point of using e2e encryption is to make sure it's never decrypted in transit, and using encrypted-only emails will surely drain the battery faster, not to mention all the problems with mixed content due to incompatible standards and BlackBerry's implementation.

    BTW, someone mentioned key management earlier. You can use the Symantec solution and BB will work with that.
    09-10-15 06:46 PM