[T�nis]

I have had my car searched 3 times and they alway rip up the insides and throw things everywhere. I have also been searched multiple times throughout my life so far and not once have they tried to access my phone. However, one time a cop knew my phone number and my smartphone was still in my pocket. This is also when I had a BB, password locked, encrypted on strongest settings. My 9000 with BBOS 5.

Whoa, didn't see this first time around! Please elaborate. I don't see how he would have known your phone number or that you even had a phone on you at that point unless he already knew who you were and/or had called in your plate and had run your information beforehand where it might have turned up. And why did he mention your phone number to you? I mean did he like say, "I know your phone number. It's 555-5555."?

[T�nis]

I have been pulled over multiple times randomly for routine stops and have been searched almost every single time. I have bad allergies in the Spring/summer and my eyes are always red, glossy and somewhat tearing (if the pollen count is really high). Cops always think I am high so they search everything. They even called the dogs on me one time just to make sure I was telling the truth. Wasted over an hour of my life.

I don't want they touching my things too. I just don't understand how this program can get deleted data. That means nothing really deletes. If a full reset doesn't delete data off of devices then something is wrong.

I wonder if this can become a lawsuit. It specifically tells you all data will be removed when you reset. If this device has the ability to get that data, then these software companies are straight up lying.

Well, I'm thinking it's like a computer hard drive. The data is "deleted" (i.e. removed from your view) until it's actually written over again. That's why if the data is encrypted to begin with, it will still be encrypted (and useless to a snoop) when it's recovered or accessed (read directly from the hard drive) by equipment with the capability.

[avt123]

Well, I'm thinking it's like a computer hard drive. The data is "deleted" (i.e. removed from your view) until it's actually written over again. That's why if the data is encrypted to begin with, it will still be encrypted (and useless to a snoop) when it's recovered or accessed (read directly from the hard drive) by equipment with the capability.

Oh ok. That makes sense then.

[13echo4]

Good info, but I think the length of the password does affect the strength of the encryption setting. If you choose "Stronger," your password should be 12 characters; if you choose "Strongest," your password should be 21 characters, at least according to this:

"Choose a content protection strength level that optimizes either the ECC encryption strength or the decryption time. If you set the content protection strength to Stronger (to use a 283-bit ECC key) or to Strongest (to use a 571-bit ECC key), consider setting the Minimum Password Length IT policy rule to enforce a minimum BlackBerry device password length of 12 characters or 21 characters, respectively. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide. The BlackBerry device uses the BlackBerry device password to generate the ephemeral 256-bit AES encryption key that the BlackBerry device uses to encrypt the content protection key and the ECC private key. A weak password produces a weak ephemeral key."

(http://docs.blackberry.com/en/admin/...yption_STO.pdf -- Pages 4-5 of the document, page 8 of the PDF)

But I'm not exactly sure about this. Perhaps I don't understand what I'm reading. Maybe it only applies when a BES is in use.

Another thing to bear in mind is that older devices and OS's (like my 8330m on OS 4.5) only support passwords up to twelve or thirteen characters. My 9650 on OS 6 supports up to (I think) thirty characters.

I believe your thinking about 2 different things. Selecting a key to encrypt and pw hash. Your password to unlock your device isn't the key to encrypt the data.

Posted from my CrackBerry at wapforums.crackberry.com

[T�nis]

I believe your thinking about 2 different things. Selecting a key to encrypt and pw hash. Your password to unlock your device isn't the key to encrypt the data.

Posted from my CrackBerry at wapforums.crackberry.com

Please elaborate. Why does it say to choose device passwords in the lengths specified (12 & 21) for encryption strength(s) ("stronger," & "strongest")?

[13echo4]

Please elaborate. Why does it say to choose device passwords in the lengths specified (12 & 21) for encryption strength(s) ("stronger," & "strongest")?

Aight then, on your blackberry you can choose to encrypt by device key or device password. You chose your password to lock/unlock you phone. Then you chose what to encrypted it with.
So with limited trys and a one way hash brute forceing is out of the question and cracking is just not feasable.
Now let's just say you chose your password just to use for an encryption key. That is exactly what you did. You built an encryption key.
You can encrypt using a device generated key and device pw.
As I said I chose a pw. This is to lock my device and keep unwanted security changes. I use pw and device key to encrypt data.
This leaves the pw on part of the equation. And hence a 7 chaf pw makes for a strong pw and lend itself to a strong encryption key.

Posted from my CrackBerry at wapforums.crackberry.com

[T�nis]

Aight then, on your blackberry you can choose to encrypt by device key or device password. You chose your password to lock/unlock you phone. Then you chose what to encrypted it with.
So with limited trys and a one way hash brute forceing is out of the question and cracking is just not feasable.
Now let's just say you chose your password just to use for an encryption key. That is exactly what you did. You built an encryption key.
You can encrypt using a device generated key and device pw.
As I said I chose a pw. This is to lock my device and keep unwanted security changes. I use pw and device key to encrypt data.
This leaves the pw on part of the equation. And hence a 7 chaf pw makes for a strong pw and lend itself to a strong encryption key.

Posted from my CrackBerry at wapforums.crackberry.com

Thank you for coming back to this. I'm still confused. Please help some more.

Why does it say to use 12 & 21 character passwords for the "strong" and "stronger" encryption strengths respectively? I realize that I can set a password just to keep people from using my BlackBerry while leaving encryption off altogether. But from the RIM material it appears (to me) that if I turn encryption on the length of the password has a direct correlation to the usefulness potential of the encryption strength I choose. Otherwise, why does it say to use a minimum of 12 characters for the "stronger" encryption strength setting and 21 characters for the "strongest" encryption strength setting? I guess what I'm unclear about is this: does that RIM information about password length and encryption strength pertain to encrypted data that's stored on my BlackBerry, to encrypted data that's trasmitted over a BES network, or to both?

[13echo4]

The length of pw only helps if you use it as the key by selecting encrypt with device pw. If you use device generated key your pw is only used to unlock your phone. Unless you use option 3 which is to use pw and device key to encrypt.
So as a person that read the material and decided to use the pw for encryption key and wanted a strongest key. Came jp with a pw +12 chars is just really making an encryption key because the pw protection wasn't the reason for the lenghty pw.
The data on the device is the only thing that's encrypted by your settings. The transfered data is encrypted by Rim. Your phone calls is encrypted by your carrier. I've never read anything thing about smsnor mms so I'm not sure about that. I know its handled by your carrier.

Posted from my CrackBerry at wapforums.crackberry.com

[N467RX]

That's a lot of security concern for the average person to worry about.

Maybe, but he has a non-camera 9650, which suggests that he may or may not require those features.

There was a case in my school a few semesters back, some girl lost her phone which had some *interesting* photos of her (presumably topless and/or naked), and apparently they were spread around by whoever found and kept the phone. Not that I have anything like that on my phone, but I wouldn't want someone to find my phone and go through my emails, contacts and stuff like that.



Anybody knows if Cellebrite can circumvent AES? I figure your regular phone password can be circumvented, but AES sounds like an almost impossible thing, just because that is some pretty strong military-grade encryption, and not even the FBI could crack the encryption on some hard drives.

Also, for non-BB stuff, there's TrueCrypt for encrypting your USB drives, hard drives, etc. That's what I use for some of my documents and most of my USB drives.

[T�nis]

Thanks for clarifying.

The length of pw only helps if you use it as the key by selecting encrypt with device pw. If you use device generated key your pw is only used to unlock your phone. Unless you use option 3 which is to use pw and device key to encrypt.

I'm using option three: both Device Password & Device Key. And that's what I suspected. Even with the "Device Password" only setting the password has some bearing on encryption and its strength. I mean, it must. How else would the BlackBerry (or even a different BlackBerry) decrypt the files? It's either Device Password, Device Key, or both. And if the password doesn't have anything to do with encryption or encryption strength, how else (or why) would the Elcomsoft software be able to extrapolate the BlackBerry's password using data on its media card containing files encrypted using the Device Password method? Unless I misunderstand you, I think what you're saying is that a longer password will provide better encryption than a shorter password when the Device Password method is used. Maybe if it's Device Key only, it will have no bearing. But if both are used, it's logical to conclude that the device password and its length will have some bearing (along with the Device Key) on encryption strength.

The data on the device is the only thing that's encrypted by your settings. The transfered data is encrypted by Rim ...

Or the BES.

[T�nis]

Anybody knows if Cellebrite can circumvent AES? I figure your regular phone password can be circumvented, but AES sounds like an almost impossible thing, just because that is some pretty strong military-grade encryption, and not even the FBI could crack the encryption on some hard drives.

Also, for non-BB stuff, there's TrueCrypt for encrypting your USB drives, hard drives, etc. That's what I use for some of my documents and most of my USB drives.

There's no way a CelleBrite device can crack AES. What it can do is circumvent the password on a lot of devices (maybe even a BlackBerry) and read the devices' data directly from the hardware. Where BlackBerry has the edge over other devices is that unless the CelleBrite user actually knows the BlackBerry's password, he won't be able to decrypt the BlackBerry's encrypted files even if he circumvents the password and reads the data directly from the BlackBerry's hardware. AES can't be cracked, but other devices don't have this design; obviously their AES is vulnerable because all the keys are stored on the devices, almost like when a BlackBerry media card is encrypted with the Device Password method only. When a BlackBerry Device Key is introduced and used together with a device password, the AES is impenetrable, because no more than ten passwords can be entered or the BlackBerry will wipe and the key(s) will be gone. Don't forget, the Elcomsoft software figures out a BlackBerry's password using the media card, but only if the encryption mode is "Device Password." If "Device Password & Device Key" is used, it can't get enough information from the media card, and it's limited by the ten tries on the BlackBerry itself.

[CiderGuru]

Judging by the OP's overly paranoid obsession with security, the reference to "Revenue Agents" and the content of the Sig I am assuming T�nis has fallen under the spell of Alex Jones or some other blithering idot.

Hint: Noone is trying to peep into your BlackBerry. Noone cares!

[T�nis]

Judging by the OP's overly paranoid obsession with security, the reference to "Revenue Agents" and the content of the Sig I am assuming T�nis has fallen under the spell of Alex Jones or some other blithering idot.

Hint: Noone is trying to peep into your BlackBerry. Noone cares!

Why would RIM even include these features if they weren't important or desireable? Is it because RIM is listening to Alex Jones? Thanks for your useless reply. I reported it and asked that you be issued an infraction.

[CiderGuru]

Why would RIM even include these features if they weren't important or desireable? Is it because RIM is listening to Alex Jones? Thanks for your useless reply. I reported it and asked that you be issued an infraction.

Which features? Security / Encryption?
They exist to keep sensitive data secure / encrypted, not for people who believe in silly stories invented by InfoWars of all places.

There are websites devoted to conspiracy theories as you well know, I would suggest CrackBerry is not one of them.

[howarmat]

Keep the personal attacks and name calling out of it please. discuss the matter of security and not the users.

[T�nis]

Which features? Security / Encryption?
They exist to keep sensitive data secure / encrypted, not for people who believe in silly stories invented by InfoWars of all places.

There are websites devoted to conspiracy theories as you well know, I would suggest CrackBerry is not one of them.

Your reply is irrelevant and has nothing to do with a BlackBerry's encryption features or how to use them. What is your point? We shouldn't discuss it? I'm reporting this bs post of yours for being argumentative and a veiled personal attack against me.

[Branta]

Anybody knows if Cellebrite can circumvent AES? I figure your regular phone password can be circumvented, but AES sounds like an almost impossible thing, just because that is some pretty strong military-grade encryption, and not even the FBI could crack the encryption on some hard drives.

Here's a simple analysis.

1. Cellbrite has been commercially available for some time. You can be sure it has attracted the attention of and been tested by US authorities.
2. AES is still on the list of crypto systems with federal approval. That approval would have been withdrawn with a LOT of publicity if AES had been found vulnerable.

From that I conclude that AES remains non-vulnerable to known attacks, both practical and theoretical.

[T�nis]

Here's a simple analysis.

1. Cellbrite has been commercially available for some time. You can be sure it has attracted the attention of and been tested by US authorities.
2. AES is still on the list of crypto systems with federal approval. That approval would have been withdrawn with a LOT of publicity if AES had been found vulnerable.

From that I conclude that AES remains non-vulnerable to known attacks, both practical and theoretical.

Yes, AES is, as of today, uncrackable. Maybe not because nobody knows how, but because there isn't enough time in the next fifty years (without a quantum computer) to crack it. Where AES becomes vulnerable on a mobile device is in its implementation. For example, the Elcomsoft software can be used to extrapolate a BlackBerry's password using the media card if the BlackBerry's media card is encrypted using the "Device Password" method. Why? Because all (or enough) of the information is actually stored on the card. That's not the case when "Device Password and Device Key" are used.

[N467RX]

2. AES is still on the list of crypto systems with federal approval. That approval would have been withdrawn with a LOT of publicity if AES had been found vulnerable.

From that I conclude that AES remains non-vulnerable to known attacks, both practical and theoretical.

Well, I figured that since AES is approved for top secret documents by the government (DOD included), there was no way they would approve a device that can crack it, but I wasn't sure if the makes of Cellebrite had come up with a way of bypassing the encryption.

Time to encrypt mine.

[13echo4]

Thanks for clarifying.

I'm using option three: both Device Password & Device Key. And that's what I suspected. Even with the "Device Password" only setting the password has some bearing on encryption and its strength. I mean, it must. How else would the BlackBerry (or even a different BlackBerry) decrypt the files? It's either Device Password, Device Key, or both. And if the password doesn't have anything to do with encryption or encryption strength, how else (or why) would the Elcomsoft software be able to extrapolate the BlackBerry's password using data on its media card containing files encrypted using the Device Password method? Unless I misunderstand you, I think what you're saying is that a longer password will provide better encryption than a shorter password when the Device Password method is used. Maybe if it's Device Key only, it will have no bearing. But if both are used, it's logical to conclude that the device password and its length will have some bearing (along with the Device Key) on encryption strength.



Or the BES.

How Elcomsoft recovers your device's pw is by brute forceing the decrypting of the sd card. It will only successful if you used the device password for the key. If you use the device key they can't get your pw. For another blackberry to decrypt your card you have to have device pw for the key. Have the same done on the other device. If you have it set up to use device key your s.o.l.
Your pw only effects te encryption if you use it for the key. If you don't its just used to unlock you device.

Posted from my CrackBerry at wapforums.crackberry.com

[Branta]

Yes, AES is, as of today, uncrackable. Maybe not because nobody knows how, but because there isn't enough time in the next fifty years (without a quantum computer) to crack it. Where AES becomes vulnerable on a mobile device is in its implementation. For example, the Elcomsoft software can be used to extrapolate a BlackBerry's password using the media card if the BlackBerry's media card is encrypted using the "Device Password" method. Why? Because all (or enough) of the information is actually stored on the card. That's not the case when "Device Password and Device Key" are used.

Yes... that would be more or less the equivalent of having the server's password written on the side of the monitor. Oops!

[olblueyez]

Adding subscription

[T�nis]

Well, I figured that since AES is approved for top secret documents by the government (DOD included), there was no way they would approve a device that can crack it, but I wasn't sure if the makes of Cellebrite had come up with a way of bypassing the encryption.

Time to encrypt mine.

Just be careful. Use one of the following modes if you encrypt your media card:

1. "Device Password"

Use this method if you are not the type of person who properly backs up his media card files to a pc. The security risk that comes with this mode is that someone with Elcomsoft software who has access to your media card can use the software and your media card to figure out your BlackBerry's password. I would think the risk of someone actually doing this to you would be small, and I would be surprised if CelleBrite devices were advanced enough to do it, but I don't know, so be aware of this risk. The advantage to this mode is that, as long as you remember your password, you can view your encrypted media card's files on a different BlackBerry. I back up all my encrypted media card files to my pc -- it has to be done with BlackBerry Desktop Software 6 -- so the only time I would switch to this mode is if I wanted to migrate my media card to a different BlackBerry. But lots of people who don't back up their media card files to a pc have been heartbroken when they encrypted using one of the other modes, and their BlackBerry died rendering all their files unreadable.

2. "Device Password & Device Key"

Use this mode only if you are in the habit of properly backing up your media card files to a pc. As noted in 1 above, you must transfer encrypted files from your BlackBerry to your pc using the "Files" feature of BlackBerry Desktop Software 6. It won't work if you try to use the USB (mass storage mode) method; the files will be unreadable. If you back up your files properly to your pc, you'll be able to restore them to your media card if your BlackBerry should die on you. The advantage to this method is that someone using Elcomsoft software won't be able to use your encrypted media card to figure out your BlackBerry's password. And you can always temporarily switch to "Device Password" if you want to move your media card to a different BlackBerry. You'll just have to enter the media card's password in the new BlackBerry. You can then re-enable "Device Password & Device Key" once you've moved your card.


An additional warning:

I have no idea how well encryption plays with certain media. I only have pictures and some text files like im logs on my media card. If I had music, I definitely wouldn't encrypt it. I would just transfer that to the media card using the USB method. Video, I'm not even sure how well that would work. Back when I was using my 8330m, I couldn't get videos I had made with the cam to work if encryption was turned on even in the BlackBerry I used to make the videos! So, make a few tests before leaving encryption on and losing any memorable moments.

[N467RX]

I simply disabled the encryption on the card, at least for now.

[13echo4]

I simply disabled the encryption on the card, at least for now.

My approach to this is; your securing what from whom?
I lock my phone so someone doesn't have access to my contacts. I don't put any media on the card I want encrypted. I look at it this way my 9800 had 4gb of memory and my 9860 has 2.5 gb. 8gbs is on the 9810 and others. I put media I want secure on the phone.
If 2.5gb wasn't enough space I would get a device with more storage or I would encrypt the card. I would encrypt with password so if something where to happen to my device I can use the card in another blackberry to get my data. This mythod will keep prying eyes from files you don't want seen.
If your carring goverment secrets then you should just really put em in a script then compile it then decompile it when you need it back in orginal format. Lol
I think its safe to say that for most of us, our data is safe. When its confirmed that these ways aren't good enough we'll come up with something else.
If you encrypt the card with device key snd something happens to your phone you lost that media. You'll just write over ut.

Posted from my CrackBerry at wapforums.crackberry.com