[Superdupont 2_0]

See screen shot in post 43 for the mention of a derived key.

I wonder if this file exists in backup if cloud sync not enabled.

Posted via CB10

Yes, but this key is derived from the "app key".

We are talking about a key that has nothing to do with the app key.

IMHO this news could be worth further investigation by tech journalists.

If this turns out to be what I think it is, I will have left the whole platform next year (work and private).


Posted via CB10

[KermEd]

Yes, but this key is derived from the "app key".

If this turns out to be what I think it is, I will have left the whole platform next year (work and private).

Posted via CB10

It's OK. The phone will be running Android by then anyways

Posted to CB via my Passport | Lloyd Summers | FileArchiveHaven

[jasonvan9]

"the key that is derived from your password does also not store your password"

I don't know what you're saying. Keys don't store passwords. They are keys only and do not have storage.

"but if you can decipher the key and you could decode the password keeper app password that would be the only way it could work."

If you have the escrow key, you don't need the "app password". The escrow key is only encrypted by the BBID and password. So you decrypt the backup using BBID/password. This gives you the escrow key, and the Password keeper container in another encrypted form. The container is decrypted further using BBID and password. Using escrow key and decrypted container, all stored Password Keeper passwords are pwned.

"decode the password keeper app password that would be the only way it could work.."

No, that is the whole point of this thread. No need to know the "password keeper app password" as long as you have BBID, password, and a backup. You do not need to reverse or figure out the original master password set by the user.

The unique escrow key is generated by the password keeper app using the user input password for the app, at least that is what it says in the screen shot I posted from the app

But since it uses the escrow algorithm to encrypt using the password as the key, than if you could decrypt the escrow algorithm in theory you could derive the password from the decrypted escrow key since the app password was used to generate it

Where did the thought come from that you only need a backup, BBID and password to gain access to all of the passwords in the password keeper app? even after you restore a phone from a backup, you would still need to know the password for the password keeper app as that data is still encrypted using that same unique escrow key... if you dont know the app password, you cant get the passwords contained in it without brute forcing the password or cracking the escrow key used to encrypt them





Posted via CB10

[Superdupont 2_0]

The unique escrow key is generated by the password keeper app using the user input password for the app, at least that is what it says in the screen shot I posted from the app

Nope, your screenshot doesn't say that.
Your screenshot is about a well-kown key, which is used to encrypt the data before they are uploaded to BlackBerry Cloud.

The escrow key we are talking about here has NOTHING to do with BlackBerry Cloud, it is not related to the app password.

More simple: Both keys exists, but they are not related.

Everything you said is true for key 1, but we are talking about key 2.

This second key shouldn't exists.

It's like as if my landlord would give me the keys to my appartment, but keeps a copy without telling me (and when I'm gone for vacation he plunders my mini-bar).

[BCITMike]

The unique escrow key is generated by the password keeper app using the user input password for the app, at least that is what it says in the screen shot I posted from the app

But since it uses the escrow algorithm to encrypt using the password as the key, than if you could decrypt the escrow algorithm in theory you could derive the password from the decrypted escrow key since the app password was used to generate it

Where did the thought come from that you only need a backup, BBID and password to gain access to all of the passwords in the password keeper app? even after you restore a phone from a backup, you would still need to know the password for the password keeper app as that data is still encrypted using that same unique escrow key... if you dont know the app password, you cant get the passwords contained in it without brute forcing the password or cracking the escrow key used to encrypt them

Posted via CB10

You did read the OP, right? If not, read it again. I don't think you're on the same page as us. This is offline hacking. Get access to someone's backup, and brute force decryption by guessing BBID password using a fast computer. Once that is done, the tool can use the escrow key to decrypt the Password Keeper container. Voila, pants down around ankles.

Essentially, we’ve discovered a backdoor hidden in recent versions of BlackBerry Password Keeper allowing us to decrypt the content of that app instantly without brute-forcing the master password.
...
That escrow key is stored in BlackBerry 10 backups alongside the data. Notably, BlackBerry 10 backups are encrypted, and must be decrypted with Elcomsoft Phone Breaker (using the correct BlackBerry ID and password) in order to gain access to Password Keeper data.
...
Note that BlackBerry 10 backups containing BlackBerry Password Keeper containers are also encrypted, and must be decrypted with ElcomSoft Phone Breaker using the original BlackBerry ID and password prior to accessing BlackBerry Password Keeper data.

I hope that helps better understand the issue.

[jasonvan9]

You did read the OP, right? If not, read it again. I don't think you're on the same page as us. This is offline hacking. Get access to someone's backup, and brute force decryption by guessing BBID password using a fast computer. Once that is done, the tool can use the escrow key to decrypt the Password Keeper container. Voila, pants down around ankles.

I hope that helps better understand the issue.

Much better, thank you for the explanation also searching the definition of "escrow" also helped the cause lol alright, now that you all have helped me get on the same page here... yes this escrow key is dangerous, and is this the only escrow key used in blackberry applications? or is that still yet to be determined and password keeper is the only one found thus far?

Posted via CB10

[jasonvan9]

"Key escrow is proactive, anticipating the need for access to keys; a retroactive alternative is key disclosure law, where users are required to surrender keys upon demand by law enforcement, or else face legal penalties. Key disclosure law avoids some of the technical issues and risks of key escrow systems, but also introduces new risks like loss of keys and legal issues such as involuntary self incrimination. The ambiguous term key recovery is applied to both types of systems."

sounds like it could be completely innocent in which they could help you recover a lost backup and you forgot your password lets say.. but it also enables a back door like was mentioned if they ever wanted access without you knowing...

that seems to be the big debate surrounding escrow keys because no key held in an escrow system can be fully trusted based on past abuses.. to be honest, lets say its an honest system and they were trying to help me to recover keys if I forgot my password, id rather have that data lost for ever, unable to be decrypted by myself or blackberry than have a backdoor introduced for recovery and convenience

Posted via CB10

[keithhackneysmullet]

Okay, the set-up you described would certainly never require the password to be sent.


There is only one problem:
The escrow key is not described in any kb article or other public documentation I am aware of.
Hence it wasn't planted for the customers.

For whom was it planted?


I can very clearly remember that John Chen said that there are no backdoors in BlackBerry products a couple of times (also when he spoke against US proposals to plant "frontdoors" in IT products).


Posted via CB10

The escrow key is a way for BlackBerry to provide "law enforcement" a back door to decrypt password keeper with out the master password. There really can't be another explanation for it.

Posted via CB10

[Prem WatsApp]

Guys, isn't it obvious that this is a simple backdoor for certain chrime cases?

The police have seized the computer of the suspect and finds a device backup (because you always should make a backup).
Then they ask BlackBerry to disclose BB ID and BB ID Password.
Finally they use this information to open up Password Keeper with the escrow key.

I am a BB 10 fan and always defend them when people argue about backdoors, but this looks like a backdoor on purpose.

Yeah, I hope you are wrong, mate... :-D

 Ahoy, Privateers, ... get ready for some data piracy...! ;-) 