[agentfat2004]

Hmm, hmm, no word from you about Forward Secrecy?
According to page 10 of the whitepaper "The pairwise key is derived from the BBM chat initiator’s private encryption key and the recipient’s public encryption key, using One-Pass ECDH." and the marketing phrase on their website says "Each message uses a new random symmetric key for message encryption."

Based on the white paper, all of the message encryption keys are derived from the session key using KDF. According to wiki forward secrecy requires that "...The key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data is derived from some other keying material, then that material must not be used to derive any more keys" Since all of the message keys are derived from the session key, and all of the other keying material is sent in plain text an adversary(aka NSA), with the ability to store large amounts of data can save that keying material in order to decrypt messages once the private key is obtained. Blackberry should instead use ephemeral keys for each chat session. I assume a session stays active until a user clicks end chat. After that occurs the blackberry should erase any stored instance of the ephemeral key.

[Superdupont 2_0]

Please read fully what i said. Yes, BBM Protected allows you to verify the contact during key exchange, but it provides no mechanism for you to verify a contact after key exchange.

My understanding of the EFF criterion is that the critrion doesn't require a verification of a contact "after key exchange".
However, I would expect that BBM Protected will simply not accept a connection, when the public certificate of the contact was changed. That is security by a protocol and accordig to the EFF criterion a protocol is basically an acceptable alternative solution.

BBM does not provide perfect forward secrecy. First off as an end user my expectation for FS would be that if I end a chat conversation in BBM and I do not have any chat history enabled....

What's your point? Do you think the messages are stored on a server, when you have chat history enabled?

All message keys are derived from the session key, so a compromise of the session key compromises all chat conversations.

About the session key: "Each message uses a new random symmetric key for message encryption."

If for each message a new session key is generated *randomly*, the compromise of one session key cannot compromise all chat conversations (and the same is true for keys derived from a session key). Plain simple.

[agentfat2004]

Answering this one first as it will make the other answer clearer.

About the session key: "If for each message a new session key is generated *randomly*, the compromise of one session key cannot compromise all chat conversations (and the same is true for keys derived from a session key). Plain simple..

Just so we are on the same page, let us agree on terms. The session key refers to a symmetric key that is derived based on public/private key of the chat initiator and recipient. Each message that is sent over BBM also has a message encryption key.

Each message is sent with a random symmetric key, therefore the compromise of a single message encryption key does not allow the attacker to determine the session key. Understand however that the message encryption key is generated by a deterministic algorithm(KDF) that uses as input the keying material(which is sent unecrypted as part of the message envelope) and the session key. This means that anyone with the session key and keying material can determine what the message encryption key for a given message was. This is exactly how the recipient decrypts a given message.
What this tells us is that anyone who is able to determine the session key will be able to decrypt the messages for a given chat session. Looking at the white paper we are told that the session key is generated using ECDH with the chat initiators private key and the recipients public key. Forward secrecy is about ensuring that if the chat initiators private key is compromised it does not lead to compromises of previous session keys.
In order for chat sessions to be forward secret we should have multiple session keys that are securely randomly generated e.g. ecdhe. The current design does not have this and so BBM Protected is not forward secret.

What's your point? Do you think the messages are stored on a server, when you have chat history enabled?

No. I am just simplifying the scenario. As an end user, if I click end chat I would expect that any previous messages I sent during that session to disappear and not be recoverable if my physical device was acquired. If i have chat history then this assumption is no longer valid.

[Superdupont 2_0]

Forward secrecy is about ensuring that if the chat initiators private key is compromised it does not lead to compromises of previous session keys.
In order for chat sessions to be forward secret we should have multiple session keys that are securely randomly generated e.g. ecdhe. The current design does not have this and so BBM Protected is not forward secret.

Well, I may add a quote from the whitepaper to support you in one point:
"The session key is used to encrypt all messages in a BBM chat."

But still, we do not know if other messengers are really generating a new key for each single message in a chat.
Furthermore, I still consider this as Forward Secrecy for a multiple chats.

If we look at the criterion (below), it is not clear about FS for each single message or each single chat.
However, it does require for any reason "ephemeral keys" and actually I can't tell you what is behind the "One-Pass ECDH" of BBM Protected (I assumed it as something comparable to ECDHE ?), but if they let iMessage go away with "end-to-end"-encryption (criterion 2), they shouldn't be too picky with BBM.

Here is the criterion in all its beauty:

Are past communications secure if your keys are stolen?

This criterion requires that the app provide forward-secrecy, that is, all communications must be encrypted with ephemeral keys which are routinely deleted (along with the random values used to derive them). It is imperative that these keys cannot be reconstructed after the fact by anybody even given access to both parties' long-term private keys, ensuring that if users choose to delete their local copies of correspondence, they are permanently deleted. Note that this criterion requires criterion 2, end-to-end encryption.

[anon62607]

in terms of the 3DES key extraction issue - even if the key had never been extracted you could make use of any blackberry device to decrypt the messages once you present the message to it (the government of Canada's warning makes reference to this method)

[Superdupont 2_0]

in terms of the 3DES key extraction issue - even if the key had never been extracted you could make use of any blackberry device to decrypt the messages once you present the message to it (the government of Canada's warning makes reference to this method)

With "makes reference to this method" you make it sound to me like somebody already provided a proof of concept with a BlackBerry device, but afaik a proof of concept doesn't exist.

I have checked the warning from the Canadian government here:
BlackBerry not as secure as believed, memo warns federal workers | canada.com

It says about BBM on legacy BBOS that "Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device."

In other words: They have no idea how applicable this could be in real life, but in theory the design of BBM would allow this attack.

And later they say "When a user turns in the device, the PIN stays with the device and doesn’t follow the user to a new BlackBerry. "

In other words: If you sell your BB on eBay, make sure your friends stop sending messages to your old pin number.

The fact that BBM is using a global 3DES key is known for many years.
The fact that BlackBerry says "scrambling" is known for many years, probably a business decision to motivate the customers to use a BES, which allows your organization to create individual 3DES keys for the legacy BBOS devices.

So, this warning with exactly the same wording could have been published already in 2008 or 2009.

But no security researcher ever demonstrated how to upload intercepted BBM traffic into another BlackBerry device, probably because even BBOS is still a black box.

3DES is still not crackable, when you don't have the key.

And if anybody could crack any BlackBerry OS to obtain the 3DES key or upload an intercepted message, BBM's security wouldn't be my first concern.



Aside from BBOS stories:
Note the Z30 wasn't hacked at this years pwn2own in Tokyo
See
iPhone, Galaxy S5, Nexus 5, and Fire Phone fall like dominoes at Pwn2Own | Ars Technica

[jefbeard911]

For all you crypto nerds out there I found this.


New Comparative Study Between DES, 3DES and AES within Nine Factors

http://www.google.com/url?q=http://a...ggzJA9XooVRqYA

I haven't had time to digest it yet as it is quite scholarly.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[SethDove]

Note the Z30 wasn't hacked at this years pwn2own in Tokyo
See
iPhone, Galaxy S5, Nexus 5, and Fire Phone fall like dominoes at Pwn2Own | Ars Technica

A bit misleading as I have not been able to find any mention of anyone even trying to hack the Z30 at this year's event. And BB10 has been hacked at past events.

Posted via CB10

[Superdupont 2_0]

A bit misleading as I have not been able to find any mention of anyone even trying to hack the Z30 at this year's event. And BB10 has been hacked at past events.
Posted via CB10

Quote from my link:

"The following targets are available for selection:

Amazon Fire Phone
Apple iPhone 5s
Apple iPad Mini with Retina Display
BlackBerry Z30
Google Nexus 5
Google Nexus 7
Nokia Lumia 1520
Samsung Galaxy S5"

BB was on the table, but indeed there is no info if somebody tried to prepare a hack.
You will never hear the stories about failure, because the audience wants to see only the winners.
But, okay, my personal view on this is that they try to hack the weakest systems first.
I can't remember that BB 10 was hacked on an event, maybe the last hack of a Berry in such a show was back in 2011 I think (webkit engine)?

[SethDove]

You will never hear the stories about failure, because the audience wants to see only the winners.

Hilarious non-sense. The only real news from these events are when hacks are unsuccessful. Because it's rare, and shows security.
But this is off topic so I'll stop.

Posted via CB10

[The Big Picture]

I read this reply by someone named frank to a notorious BlackBerry bear named KIA.

If anyone is interested in why the test was flawed read on
BBM Protected uses 3 layers of encryption:
?Standard TLS encryption
?BBM normal Triple DES encryption
?521 bit ECC generated for each message which based on the out-of-band shared passphrase.
The messages are encrypted multiple times, and ensured that all the keys are matching. You can read detailed information here http://docs.blackberry.com/en/404error.jsp, you should read it.
The most important part shows how the private keys are only stored on the device and cannot be retrieved from it. Also, the unique keys for each message ensures, that even if the encryption keys are compromised, only one message can be read, not the entire conversation. Adding to the mix BBM Protect is using FIPS140-2.
iMessage is also using a pretty good system ? which is detailed in this document https://www.apple.com/privacy/docs/i...te_en.pdf#mn_p (Page 30). It offers a quite reliable security model, which include device-based encryption keys. Also, similarly to BBM, it transports the messages through TLS. The reason why iMessage and Facetime is not as secure as BBM protect is because Apple allows multiple devices connected to the same account. Each device will have one private key locally, and a public key sent to Apple servers. When somebody sends a message, it?ll encrypt individually for each device, as the sender already has the public keys. This is still okay, though there?s a flaw in the concept: Apple handles most of the encryption and also the key exchange, they can easily add one more public key to ?device? list, which would allow sniffing.
This can?t be done with BBM, as it requires a BlackBerry ID to function and can only be used on one PIN at a time.
But why ruin a good story with the truth!

Posted via CB10

[xsacha]

It looks like BBM only lost points for not being opensource.

Code being open to review, having documented security and a recent code audit (that we know about) are pretty much entirely related to whether it is opensource. Of course it doesn't need any of those to be secure. It's very likely they have had a security audit on the software and you just wouldn't know about it.

Well, there was only one genuine check they lost on and that was being able to retrieve past messages when you have a valid key. I'm not even sure if that's a good or bad thing.

[agentfat2004]

You forget the perfect forward secrecy part that iMessage has that BBM lacks. Basically with iMesssage if the government ask apple to tap a user they can. In Blackberry's case likely they can't, but what they can do is record all of your conversation(which we know for a fact the NSA is doing), then one day when they are able to get your keys(and trust me its not a matter of it, its just if they want to), then they can decrypt all your previous conversation. So in the case of iMessage, if the gov was never tapping your line your previous chat history is safe, but they can easily tap your line. In the case of BBM they can't eassily hack your chat, but once they do everything is up for grabs. BBM could add PFS, then all will be well

[Prem WatsApp]

Yeah, agreed.

Carrier and manufacture initiated surveillance is a whole nother issue. I'm not sure BlackBerry has the balls to deny a NSA request for user information.

This is why I prefer other messenger services that offer ephemeral, self destructing messages and are client to client, not client to server, server to client.

Anyway, I hoping BlackBerry will shore up BBM and/or offer BlackBerry Protect to consumers, but I don't see that happening.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

Guts to deny NSA request?

No one has. Snowden fled, Ladar Levison simply shut down, Google cooperated, etc. ...

CEOs all get routinely scared , and the Chinese threat certainly helps. All of them got pwned. Even security companies. If only half is true of what's written here, there won't be any security...

This is a tough piece and a bit of a longer read. Have fun. Definitely worth it:

http://www.salon.com/2014/11/16/goog...ecurity_state/

Grain of salt, please. :-)

The EFF's efforts are laudable, and there is a reason why they (and Stallman) insist on open standards, but we know this idea failed as soon as we look at Heartbleed...


? ? ? Zzzzmoqin'.... ? ? ?

[sinkingphoenix]

Guts to deny NSA request?

No one has. Snowden fled, Ladar Levison simply shut down, Google cooperated, etc. ...

CEOs all get routinely scared , and the Chinese threat certainly helps. All of them got pwned. Even security companies. If only half is true of what's written here, there won't be any security...

This is a tough piece and a bit of a longer read. Have fun. Definitely worth it:

http://www.salon.com/2014/11/16/goog...ecurity_state/

Grain of salt, please. :-)

The EFF's efforts are laudable, and there is a reason why they (and Stallman) insist on open standards, but we know this idea failed as soon as we look at Heartbleed...


? ? ? Zzzzmoqin'.... ? ? ?

The last part isn't true. Open Standards are a MUST for security. Yes, there will still be bugs that are absolutely crushing, but at least there's a chance that someone detects and publishes it. You can bet there's a whole lot like those bugs in closed source too, but it's harder to find, at least for the 'good guys'.

BlackBerry should give us S/MIME and PGP capabilities!

[Bluenoser63]

The last part isn't true. Open Standards are a MUST for security. Yes, there will still be bugs that are absolutely crushing, but at least there's a chance that someone detects and publishes it. You can bet there's a whole lot like those bugs in closed source too, but it's harder to find, at least for the 'good guys'.

BlackBerry should give us S/MIME and PGP capabilities!

Do you mean Open Source or Open Standards? You can have open standards like SMTP, FTP, etc, but the code for them can be closed source. If you mean open source for everything, then Heartbleed has shown that it doesn't work. The failure is when someone who finds the bug, doesn't announce it to the world. The other weak point is you are assuming that by putting your source code into open source, that people are actively looking for bugs in the code released. That means debugging the entire code looking for problems. If all source code for all applications were put into open source, there are not enough programmers in the world who could monitor, debug and test every change that is made to the source code. So to say that Open Source is a benefit and all bugs will be found by good people who report it to the software company and the world in a timely manner is foolish. Open Source is an idea that fails in the real world.

Get BES12 for S/MIME and PGP.

[agentfat2004]

Do you mean Open Source or Open Standards? You can have open standards like SMTP, FTP, etc, but the code for them can be closed source. If you mean open source for everything, then Heartbleed has shown that it doesn't work. The failure is when someone who finds the bug, doesn't announce it to the world. The other weak point is you are assuming that by putting your source code into open source, that people are actively looking for bugs in the code released. That means debugging the entire code looking for problems. If all source code for all applications were put into open source, there are not enough programmers in the world who could monitor, debug and test every change that is made to the source code. So to say that Open Source is a benefit and all bugs will be found by good people who report it to the software company and the world in a timely manner is foolish. Open Source is an idea that fails in the real world.

Get BES12 for S/MIME and PGP.

Actually both Open Source and Open Standards are important. Open Standards are important because they allow the ideas to be vetted. Its about the whole measure twice cut once, we at least know the protocol is secure theoretically. Anyone who writes software knows that there will always be bugs, but bugs are different from flaws in protocol design. People look on open source negatively from heartbleed, but i wonder if the bug would have been found had it been closed source.

[Bluenoser63]

Actually both Open Source and Open Standards are important. Open Standards are important because they allow the ideas to be vetted. Its about the whole measure twice cut once, we at least know the protocol is secure theoretically. Anyone who writes software knows that there will always be bugs, but bugs are different from flaws in protocol design. People look on open source negatively from heartbleed, but i wonder if the bug would have been found had it been closed source.

If OpenSSL was closed source, they may have not found the bug, but others probably wouldn't have found the exploit either. If you can't find the bug, you can't find the exploit.

[sinkingphoenix]

If OpenSSL was closed source, they may have not found the bug, but others probably wouldn't have found the exploit either. If you can't find the bug, you can't find the exploit.

I meant both actually, open standards and open source. There is an important and known principle in cryptography that states you should always assume that your enemy knows everything but the secret key about your scheme and it should still be secure. If you assume that, closed source becomes a disadvantage, because you still have to assume that a powerful adversary will steal and know your sourcecode. By publishing the code you give the 'good guys' at least a chance to find bugs. Heartbleed is not a testament to open source failing, such things will happen, at least now we know about it. Critical software like openssl should maybe be more audited by professionals though.

BlackBerry should give us S/MIME and PGP capabilities!

[Nickysoroyal]

The simple fact that whatsapp scored higher than bbm means I don't have to read that article because that's garbage. I was put in a whatsapp group without my consent now I get random calls and messages from all over the world because they got my number out of the group yea that's very secure I guess

Posted via CB10

[Bluenoser63]

A bit misleading as I have not been able to find any mention of anyone even trying to hack the Z30 at this year's event. And BB10 has been hacked at past events.

Posted via CB10

Please provide links where BB10 has been hacked at past events.

[Bluenoser63]

I meant both actually, open standards and open source. There is an important and known principle in cryptography that states you should always assume that your enemy knows everything but the secret key about your scheme and it should still be secure. If you assume that, closed source becomes a disadvantage, because you still have to assume that a powerful adversary will steal and know your sourcecode. By publishing the code you give the 'good guys' at least a chance to find bugs. Heartbleed is not a testament to open source failing, such things will happen, at least now we know about it. Critical software like openssl should maybe be more audited by professionals though.

BlackBerry should give us S/MIME and PGP capabilities!

They do with BES12.

[Bluenoser63]

I meant both actually, open standards and open source. There is an important and known principle in cryptography that states you should always assume that your enemy knows everything but the secret key about your scheme and it should still be secure. If you assume that, closed source becomes a disadvantage, because you still have to assume that a powerful adversary will steal and know your sourcecode. By publishing the code you give the 'good guys' at least a chance to find bugs.

It also gives the 'bad guys' an opportunity to find and exploit the flaws before and if 'good guys' find it.

Heartbleed is not a testament to open source failing, such things will happen, at least now we know about it. Critical software like openssl should maybe be more audited by professionals though.

At lease you know it now, but the rumor is that the NSA knew about the flaw TWO years ago and exploited it. Who says that hackers didn't find it also and exploited it for those TWO years.

[Dave Bourque]

Please provide links where BB10 has been hacked at past events.

Never heard of it either

Posted via CB10

[sinkingphoenix]

It also gives the 'bad guys' an opportunity to find and exploit the flaws before and if 'good guys' find it.



At lease you know it now, but the rumor is that the NSA knew about the flaw TWO years ago and exploited it. Who says that hackers didn't find it also and exploited it for those TWO years.

This might very well be, but the point of my post is that the NSA for example has the resources to steal the sourcecode and find the bug, no matter if it is published or not. Now we at least know about it, if it went unpublished, we might never have known, but powerful adversaries are not so easily hindered.

BlackBerry should give us S/MIME and PGP capabilities!