- Hi,
I've been trying to find the specifics behind the encryption used to encrypt BBMs. Can someone point to any papers/concrete info?
The only thing I have found so far is one site mentioning 3DES (which is not good if that's the case), and some vague assumptions on random sites which cannot possibly be correct.
After all, there is a reason BlackBerry had DOD "Allowed to Operate".
I would also be very surprised if all of the encryption used is not open. I read a while ago that they hold the patents for elliptic curve cryptography, but again, looking for something concrete on BBM.
Thanks.
02-21-14 12:03 PM
- 168-bit Triple DES
http://docs.blackberry.com/en/admin/...1840226_11.jsp
If the standard BBM encryption doesn't meet your standard, you could always consider combining BBM with Pretty Good Privacy (PGP):
http://appworld.blackberry.com/webst...ntent/47148895
02-21-14 12:28 PM
- In the strict meaning of the term, regular BBM is not encrypted. Back when this was big in the news, BlackBerry used the word scrambled. But the important point is there is one key for everyone and all devices, and from what I've read that key is no great secret nowadays. I'm sure BBM on BES is a different matter. Bottom line, don't consider BBM messages to be readable only by you and the recipient.
EDIT: I see the link in the post before this uses the word encryption. But note the statement about one global all-devices key.
02-21-14 12:33 PM
- :sigh:
Great if you have your own BES, not so much for everyone else.
I guess Whatsapp is still better for security for the general public.
02-21-14 01:10 PM
- http://blogs.mcafee.com/consumer/whatsapp-security-flaw
https://blog.thijsalkema.de/blog/201...-s-encryption/
02-21-14 01:21 PM
- Guys, and ladies, too, regular BBM is private enough for almost all of us, and I'm fine with it. From what I understand I wouldn't want to use any of the other messaging apps, but I only know what I read. But here is the deal: if your life or freedom depends on it, don't use any of them, not even BBM. Keep proper perspective.
02-21-14 02:35 PM
- The only serious Whatsapp problem is this one:
Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” | Ars Technica
The rest have actually been fixed at this point. For example, the first problem "discovered by the media" was blown out of proportion, and it was a theoretical attack that not a single person was able to execute.
But either way, it seems like currently a private jabber server with SSL + OTR is the way to go for privacy.
@aiharkness -- it's good enough for a coffee shop where some random guy is sniffing the traffic, and you care about a conversation staying private with your friend/significant other, but it's not good enough if it's something that truly needs to stay private. If you work in security and need a communication platform between your team (between all 3-4 major devices - Android, iOS, BB, Windows) -- currently, there is nothing on the market that does it and "just works".
I was going to make the argument at work that BBM is the way to go, but it looks like that's not a viable option.
Whatsapp is also not a good solution. It's a tad better for personal conversations (security wise that is), but it's still crap. And now that FB owns it, who knows where it will go.
02-21-14 08:54 PM
- This is only true with BES involved, from the papers provided.
And BES is not involved for cross-platform communication - so where a team of people uses multiple platforms, or is on all BBs but doesn't use BES, the security is next to useless. Using a key that is the same, and is stored in some place which you don't exclusively control, is only good against the random person snooping on your conversation in a public place (ex: coffee shop).
The follow-up to your link on thijsalkema is this:
https://blog.thijsalkema.de/blog/201...-encryption-2/
and the same as the author's first blog post, it doesn't actually provide any real or concrete information.
It is full of assumptions, guesses, and "interpreted conclusions". If you read through them you will find that he was not able to use his method in a single case against the real client.
If we are going only on facts and white papers:
1a.) BBM on BES is bulletproof
1b.) An alternative is a private (non-open registration) Jabber server, with SSL/TLS, and where users use OTR.
2.) Whatsapp is the second best option for public conversations (even w/ the cert pinning issue, still #2 compared to alternatives).
It seems like if you don't use Whatsapp on Wifi, or if you can verify that the mobile station you are connected to is real, this is not an issue at all.
3.) BBM (on BIS or OS10) - this is a bit like using "WPA" encryption on wireless -- it's "ok/good", but has issues, and really should be replaced by WPA2. For anyone that has a work-related security requirement, this is simply not acceptable.
02-21-14 09:06 PM
- Not sure about the dev's PGP implementation (I know a few different ones had issues on Android), but this is truly a good solution.
Sadly a tad clunky - it would be nice if it was cleanly integrated, but hopefully with the recent events, things will get much much better security wise in the next year or two.
02-21-14 09:13 PM
- Whatsapp is not secure at all and in terms of security Whatsapp can't compete with BBM.
Even more evidence:
http://www.channelnewsasia.com/news/...e/1008754.html
02-22-14 10:25 AM
- The only way someone is going to see your BBM messages is by looking at your screen, or if the government "nicely" asks Blackberry to make it available to them (as they did in Britain during the riots, and in India recently). I am guessing you're not some famous terrorist.
02-22-14 11:02 AM
- Again, only the case if BBM is on BES, using a changed encryption key, and with a policy to block msgs from other keys.
If it's just using the one everyone downloads on their z10/z30/q10/q5, or iOS, or Android, then whatsapp is currently more secure.
02-22-14 12:49 PM
- I am baffled by your ignorance, WhatsApp has been proven to be insecure time and time again.
Their custom 'encryption' method is flawed and exploits are discovered, again and again.
As opposed to BBM security which is time tested and secure.
And yet you continue to claim that whatsapp is safer. Face the facts.
BBM is one of the most, if not the most secure messaging client.
02-22-14 03:46 PM
- Everyone was able to intercept messages on a Wi-Fi network with an Android app called WhatsApp Sniffer.
I don't understand why you think WhatsApp is more secure than BBM. Clearly security is not a top priority for them if they released an app to tens of millions of people with zero encryption.
02-22-14 04:20 PM
- BBM 2.0 on android and iOS is awesome. My concern/question is can BBM messages via these devices get intercepted on a Wi-Fi network?
Are these messages and/or attachments secure from a snoopy IT administration?
And is BBM more secure than SMS? In what sense?
02-22-14 08:24 PM
- @dodger -- look at the first link that you posted.
Either we are somehow completely misunderstanding each other, or every time you say BBM, you really mean BES.
Drop whatsapp for a second, I am not advocating for it or against it. Let's just examine BBM.
Let's say your message is "hey there, what time is it?"
BBM simply encrypts that using a GLOBALLY SHARED key that's SET statically on a server. You realize how bad that is right?
Might as well be using ROT13. Even BlackBerry tells you that:
"encryption using the global PIN encryption key is sometimes referred to as 'scrambling'".
That means if person "X" talking to person "Y" sent that message, and person "A" talking to person "B" sent that message, they can both be decrypted by the same key. That is a massive fail.
To put this in perspective, if anyone records the "encrypted" conversation, they can later decrypt it. --> this is not secure. Secure means NO ONE can decrypt it, but the person that it is meant for.
This is not the case at all -- in fact, far from it. (Think about this -- the most secure messaging client uses a GLOBAL KEY?)
I think you mean BES is one of the most secure platforms.
BBM is simply a "mediocrely" secured client, which happens to sit on top of one of the best cryptographic systems.
BES -- is secure. Anything over BES is secure -- email, chat, web, etc...
BES has been tested over time.
BBM on BIS OR *without BES* is NOT secure. -- and this is from the mouth of BlackBerry.
Imagine if your SSL session on the internet was encrypted with a global key.
This would be the end of the internet.
The most secure messaging client currently on any platform is "ChatSecure" (https://guardianproject.info/apps/chatsecure/), and it utilizes XMPP. When combined with OTR, it is currently considered unbreakable - and that's from papers the NSA released about the algorithms which are the same ones used in TrueCrypt (AES256).
An article summarizing the issue with BBM: Is BBM Secure? (Blackberry Messenger) | Encrypted Mobile
(start-quote)
"The Achilles’ heel of BBM is that while PIN-to-PIN messages are encrypted using Triple DES, RIM adds a global cryptographic “key”, which is shared between every BlackBerry device manufactured. This automatically allows a situation (in theory, at least) where, if the messages can be intercepted at the cellular service provider’s network and the hacker party manages to spoof the intended recipient’s PIN, any BlackBerry device can be used to decrypt all PIN-to-PIN messages sent by any other BlackBerry device. While this has never happened as yet, or at least has not been brought to our attention, the scenario lies entirely within the realm of possibility.
The same key, used by all BlackBerry devices to be able to decrypt PIN-to-PIN messages, can be used by RIM at their relay station to decrypt any user’s messages. Again, this is not to suggest that RIM is in the business of reading their users’ content. However, if legally put to the task, RIM can provide decrypted PIN-to-PIN messages in clear-text to law enforcement authorities."
(/end-quote)
02-23-14 09:48 PM
- @aiharkness -- EXACTLY!
"Secure" is IF AND ONLY IF the designated recipient can decrypt the information -- at the time of receipt or at any later date/time.
With BBM, if your messages are recorded (over wifi or mobile), both BlackBerry AND your ISP can decrypt every message ever sent.
If you care about security, this means that the conversations might as well not be encrypted.
02-23-14 09:57 PM
- Untrue. BBM messages are well encrypted and for the ISP or a third party it is impossible to read the encrypted messages which are sent via a secure SSL tunnel.
As for BlackBerry holding the encryption key, this is common for most encryption applications and thus for other messaging platforms. As long as a program doesn't allow you to create and implement private/public keys and distribute those keys only to those who you want to communicate with, you will be dependent on the provider. But at least BBM encryption is secure as opposed to WhatsApp or Telegram.
It's clear your knowledge of encryption is abysmal and you are unwilling to learn, and/or take the advice from people who do know, so I will refrain from further discussing this with you here.
Last edited by Dodger52; 02-24-14 at 01:37 AM.
02-24-14 01:19 AM
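The global-key argument made in the posts above, and the reply about programs that let users hold their own private/public keys, as an added example in Go (not code from the thread or from BlackBerry): a toy in which every device ships with the same static key, beside one in which each pair of devices derives its own key by X25519 agreement. The key value, the devices and the use of AES-GCM are constructed for the demonstration; the thread describes 3DES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// globalPINKey is a constructed stand-in for the one static key the thread says
// every handset shares; it is not a BlackBerry value.
var globalPINKey = sha256.Sum256([]byte("constructed: the same key in every handset"))

// Device is one endpoint: besides the shared key it owns an X25519 key pair.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}
}

// seal/open are AES-256-GCM with a random 12-byte nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) (string, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	return string(pt), err
}

// "Scrambling" model: the recipient plays no part in the key, so any device,
// or anyone who records the traffic and obtains the global key later, can open it.
func (d *Device) SendScrambled(msg string) []byte        { return seal(globalPINKey[:], []byte(msg)) }
func (d *Device) ReadScrambled(c []byte) (string, error) { return open(globalPINKey[:], c) }

// Pairwise model: the key comes from an X25519 agreement using only the peer's
// public key, so a third device derives a different key and GCM rejects the message.
func (d *Device) pairKey(peer *ecdh.PublicKey) []byte {
	shared, _ := d.priv.ECDH(peer)
	k := sha256.Sum256(shared)
	return k[:]
}
func (d *Device) SendPairwise(to *Device, msg string) []byte          { return seal(d.pairKey(to.priv.PublicKey()), []byte(msg)) }
func (d *Device) ReadPairwise(from *Device, c []byte) (string, error) { return open(d.pairKey(from.priv.PublicKey()), c) }

func main() {
	x, y, a := NewDevice(), NewDevice(), NewDevice() // A is neither sender nor recipient
	msg := "hey there, what time is it?"
	got, err := a.ReadScrambled(x.SendScrambled(msg))
	fmt.Printf("global key, opened by A: %q err=%v\n", got, err)
	_, err = a.ReadPairwise(x, x.SendPairwise(y, msg))
	fmt.Println("pairwise key, opened by A: err =", err)
}
```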
- If I am not mistaken, this is quite secure and very difficult for an ISP to unscramble a BBM message. Below is from the BBM.com support page:
The BBM for Android and iPhone application connects to the BBM Infrastructure using a SIP connection over a TLS transport to global.uci.blackberry.com on port 443.
02-24-14 12:48 PM
- Only if the end device is controlled by you, and not an organization/administrator.
The reason for that is because otherwise they can push their own CA certificate, and you will never even know that they are MITMing you.
Companies do this all the time by the way. Depending on where you work (any financial, banking, govn't, etc..), the computer provided to you has the CA cert of their proxy, so that all SSL traffic is re-written. This plays a huge role when visiting sites like gmail (over https) or banking sites, etc.. From the end user perspective, you think you are completely secure. One way to check is via certificate pinning (back to the security hole Whatsapp is facing now).
I am not sure in regards to SIP - I believe the SIP part (voice specifically) over TLS is secure. I am not as familiar with SIP as I would like to be, but I think SRTP over TLS is completely secure (currently at least, and again, minus someone inserting a certificate on the endpoint).
SIP is very similar to HTTP, and HTTP over SSL can be MITM'ed, so maybe there is some way that people are not aware of currently?
@gdarmy - here is a pretty good description:
http://mitmproxy.org/doc/howmitmproxy.html
Also, here is another article about BBM being insecure (text part at least):
Myth - BBM is Secure: Blackberry Messenger
Last edited by ventz; 02-24-14 at 02:51 PM.
02-24-14 02:34 PM
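The certificate-pinning check mentioned in the post above, as an added example in Go (not code from the thread or from BlackBerry): a device that trusts both a public CA and a CA its administrator installed accepts a proxy-issued certificate for global.uci.blackberry.com on ordinary chain validation, and only a previously recorded SPKI pin tells the two certificates apart. All certificates are generated in memory for the demonstration; the hostname is the one quoted from the BBM support page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// host is the endpoint the quoted support page names; every certificate below
// is constructed in memory for the demonstration and is not BlackBerry's.
const host = "global.uci.blackberry.com"

// makeCert returns a certificate and its key. With parent == nil it is a
// self-signed CA; otherwise it is a server leaf for host signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // server certificate for host
		tmpl.DNSNames, tmpl.KeyUsage = []string{host}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning client records.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// CheckPinned does ordinary chain validation against the device's trust store, then
// compares the leaf's SPKI hash with the pin; chainOK alone is all an unpinned client does.
func CheckPinned(leaf *x509.Certificate, roots *x509.CertPool, pin [32]byte) (chainOK bool, err error) {
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false, err
	}
	if SPKIPin(leaf) != pin {
		return true, errors.New("pin mismatch: chain is trusted, but this is not the key we expect")
	}
	return true, nil
}

// Scenario: the device trusts a public CA and a CA its administrator installed.
// The installed CA mints its own certificate for host; only the pin tells it apart.
func Scenario() (genuineOK, impostorChainOK bool, impostorErr error) {
	realCA, realKey := makeCert("Real Public CA", nil, nil)
	proxyCA, proxyKey := makeCert("Corporate Proxy CA", nil, nil)
	genuine, _ := makeCert(host, realCA, realKey)
	impostor, _ := makeCert(host, proxyCA, proxyKey)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(proxyCA) // pushed to the managed device
	pin := SPKIPin(genuine) // recorded earlier from a device you control
	_, err := CheckPinned(genuine, roots, pin)
	impostorChainOK, impostorErr = CheckPinned(impostor, roots, pin)
	return err == nil, impostorChainOK, impostorErr
}
```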
- Thank you for the info. Very interesting links too.
Now I am wondering if just BBM messages on Android (no BES/BIS) and/or BBM attachments can be seen/read by a snoopy IT administration when using a company wifi? Is it possible?
Or is the SIP-TLS secure against a snoopy IT watching over a WiFi?
02-24-14 04:24 PM
- While it IS theoretically and technically possible, it is not likely/probable. (Unless they get their hands on that global decryption key, which is highly unlikely for a local sysadmin specifically).
I think *not* being on BES is actually better against your local sysadmin (only in this case), otherwise it's a breeze for an admin to find and read anything on your device.
There are varying degrees of security, and the next question is who you are trying to keep secure from. My general question which started this thread was in the ultimate form of security - anyone/anywhere/with any resources. When I think of "something being truly secure", it means it is impossible (*absolutely impossible*) for any organization of any size to compromise, no matter how much time and resources they throw at it.
BBM is fine for that conversation you are having in a coffee shop/work over wifi with your family/spouse/kids. Pretty much any popular messenger is OK for that. The two scares here are:
1.) not using encryption (first issue with whatsapp, and the old fb app, which were both fixed)
2.) having the conversation stored on a central server - (this is an issue with gchat or whatsapp much more than bbm, since whatsapp is now owned by facebook).
However, if you are using it for work where your work involves some level of secure/classified data, then that's a different story. (it's a whole different story if you are even allowed to use something that's not centrally managed/monitored). For example, certain people I know use this technology to discuss security incidents, and thus, I was curious as to what level of encryption BBM conforms.
02-24-14 06:58 PM
Specific Encryption Algorithms used for BBM