Tuesday, August 9, 2011

BlackBerry Controversy

BlackBerry Controversy in India

Indian Govt. has asked RIM (maker of BlackBerry smart phone) to provide access to the data going through its servers for intelligence purposes and it appears that BlackBerry has accepted the demands. Due to the lack of understanding of encryption on the part of Indian media, misleading and ambiguous reports have been published on the same.

BlackBerry and Encryption
BlackBerry has two type of customers
1) Enterprise Customers
2) Normal Customers

For enterprise customers, a single secret key cryptography across the enterprise is used and this key is known only to enterprise. (Roughly, equivalent of saying that all enterprise employees have copy of key to main gate of the office and no one except the office staff has the key). Given the current state of encryption technology, no one can “read” the actual(plain text) messages without getting hold of the key. So, any end-to-end encrypted communication cannot be deciphered by a third party (including RIM).

RIM was also asked to give access to its algorithms so that security agencies here could decrypt messages.”
Now, this kind of reporting is a pure ignorance of technology on the part of media. Even if government knows the algorithm, it will not be of any use. In fact, for that matter, source code of most encryption algorithms are publicly known. The power of encryption lies not in the algorithm but the key which is used by the algorithm to generate encrypted text from plain text.

Interestingly, it seems that for normal customers, messages are sent from handset to server in encrypted format (I believe it should be using public-key cryptography) using the sender’s key. De-encrypted at the server and re-encrypted for the receiver. So, traditional approach of eavesdropping fails in this case. The only way to access “data” is through servers. That is what, I believe Indian government (and a lot of other govts) is trying to get access to.

Is BlackBerry a “low-hanging fruit”
Well, there are two problems with this approach
1) Too much hue and cry
Given the hue and cry government has created in the name of security, no terrorist is ever going to use BlackBerry anymore. Also, if they are adamant, they can always ask their Pakistani/Middle-east funders to establish some dummy enterprise and all of them become enterprise customers of the service and hence, “uninterceptable” again.

2) Current state of smart phone market.
What if someone implements an android/iPhone app to do encryption on-the-fly between communicating parties. [in fact, there are algorithms where even the key can be established over the wiretapped channel rendering the rest of communication encrypted, so even, after listening to initial communication, it becomes impossible to decipher the rest].

What it actually means
Given track record of government of wiretapping for political purposes. I see no reason, why government is irked at uninterceptable phones.

Suggestions

  1. It is being planned that a similar restriction will be put on Google (for Gmail) and Skype.
    I believe even if government is planning to do something of this sort, any announcement of this type defeats the [honest part of] intent.
  2. Rather than going ahead with blind wire-tapping which will obviously fail as encrypted communication becomes more pervasive and the mammoth amount of data which is too much to be handled manually, so probably, NTRO should try a newer approaches (perhaps pattern-based identification of terrorists)