Indian Govt. has asked RIM (maker of the BlackBerry smartphone) to provide access to the data going through its servers for intelligence purposes and it appears that BlackBerry has accepted the demands. Due to the lack of understanding of encryption on the part of Indian media, misleading and ambiguous reports have been published on the same. This blog post is an effort to clarify the same.
BlackBerry and Encryption
BlackBerry has two types of customers
1) Enterprise Customers
2) Normal Customers
For enterprise customers, a single secret key cryptography across the enterprise is used and this key is known only to enterprises. (roughly, the equivalent of saying that all enterprise employees have a copy of the key to the main gate of the office and no one except the office staff has the key). Given the current state of encryption technology, no one can “read” the actual(plain text) messages without getting hold of the key. So, any end-to-end encrypted communication cannot be deciphered by a third party(including RIM).
“RIM was also asked to give access to its algorithms so that security agencies here could decrypt messages.”[ET]
Now, this kind of reporting is a pure pig-shit and ignorance of technology on the part of the media. Even if the government knows the algorithm, it will not be of any use. In fact, for that matter, the source code of most encryption algorithms is publicly known. The power of encryption lies not in the algorithm but in the key which is used by the algorithm to generate encrypted text from plain text.
Interestingly, it seems that for normal customers, messages are sent from handset to server in an encrypted format (I believe it should be using public-key cryptography) using the sender’s key. De-encrypted at the server and re-encrypted for the receiver. So, the traditional approach of eavesdropping fails in this case. The only way to access “data” is through servers. That is what, I believe the Indian government(and a lot of other governments) is trying to get access to.
Is BlackBerry a “low-hanging fruit”
Well, there are two problems with this approach
1) Too much hue and cry
Given the hue and cry the government has created in the name of security, no terrorist is ever going to use BlackBerry anymore. Also, if they are adamant, they can always ask their Pakistani/Middle-east funders to establish some dummy enterprise and all of them become enterprise customers of the service and hence, “un-interceptable” again.
2) Current state of the smartphone market.
What if someone implements an android/iPhone app to do encryption on-the-fly between communicating parties? In fact, there are algorithms where even the key can be established over the wiretapped channel rendering the rest of communication encrypted, so even, after listening to initial communication, it becomes impossible to decipher the rest].
What it actually means (in my opinion)
Given the track record of the government in wiretapping for political purposes. I see no reason, why the government is irked at un-interceptable phones.
- It is being planned that a similar restriction will be put on Google(for Gmail) and Skype.
I believe even if the government is planning to do something of this sort, any announcement of this type defeats the [honest part of] intent.
- Rather than going ahead with blind wire-tapping which will obviously fail as encrypted communication becomes more pervasive and the mammoth amount of data which is too much to be handled manually, so probably, NTRO should try a newer approach (perhaps pattern-based identification of terrorists)
Note: This article is factually correct to the best of my knowledge.
I might be lacking understanding but not a will to understand, so in case, there is a factual mistake or a logical flaw, please do point that out in the comments.