Security Basics mailing list archives
RE: Email encryption with Blackberry
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sun, 14 Oct 2007 09:53:37 -0400
You're mixing up crypto here. SSL isn't used in S/MIME. 3DES is symmetric encryption and may be used in S/MIME, but not in the way you are talking about it. Maybe that's your confusion. Do you want SSL (to protect email) to a gateway product; or S/MIME to protect email from end-user to end-user endpoint? And if the BES server gets the cert (for S/MIME), there would be no need to copy the cert from the desktop to the Blackberry device. You're mixing up your crypto. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley) *http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470 101555 ***************************************************************** -----Original Message----- From: gjgowey () tmo blackberry net [mailto:gjgowey () tmo blackberry net] Sent: Saturday, October 13, 2007 8:02 PM To: Roger A. Grimes; soul; security-basics () securityfocus com Subject: Re: Email encryption with Blackberry I agree with you about what s/mime is, but the blackberry's themselves are not the actual smtp engines. They're just a point to point pipe to the actual smtp engine (blackberry.net, bes, desktop client, etc.). The only on board crypto is for talking to the gateway (3DES - I think) and websites (ssl). However, if you flip through the configuration menus in the blackberry you can push ssl processing to be completely handled by the gateway. That said, it's possible that the blackberry tech was correct since the server could cache the cert on first receipt. Geoff Sent from my BlackBerry wireless handheld. -----Original Message----- From: "Roger A. Grimes" <roger () banneretcs com> Date: Sat, 13 Oct 2007 19:47:26 To:<gjgowey () tmo blackberry net>,"soul" <soul1273 () yahoo fr>,<security-basics () securityfocus com> Subject: RE: Email encryption with Blackberry The one install I performed this on did have a BES server, but I'm fairly confident of how the desktop S/MIME product works. No software was required to be installed on the server. It was all client-side. Before the S/MIME packages were installed on the user's desktop, their Blackberries could receive signed and encrypted messages. They could see the signed messages as if the signed portion was stripped off, but the encrypted ones would not displays saying they were encrypted. Then we used the S/MIME support package and it just copies the S/MIME keys out of Windows/Outlook and puts them on the phone. It's a little dubious to believe that any true encryption information or encryption keys would be stored on the BES server. S/MIME is endpoint to endpoint. Encryption and decryption of messages is 100% done on the endpoint. Otherwise it wouldn't be S/MIME. The only way I could see the BES server being involved is in trust path verification or revocation checking, but I didn't see the Blackberries being nearly that sophisticated. I just got through doing a multi-week project involving Blackberries and S/MIME, so it's fairly fresh in my mind. With that said, I'm not a Blackberry expert...so trust what RIM says more. Still, I'd call back and question. The tech support may have been right in that you needed a BES server to pull it off (or maybe for licensing reasons)...but not for the reasons they stated. We never installed certs to the BES server. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley) *http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470 101555 ***************************************************************** -----Original Message----- From: gjgowey () tmo blackberry net [mailto:gjgowey () tmo blackberry net] Sent: Saturday, October 13, 2007 6:09 PM To: Roger A. Grimes; soul; security-basics () securityfocus com Subject: Re: Email encryption with Blackberry I'm curious. This is a far different response than I got from rim when I talked to them on the phone. They said to me that I couldn't use the s/mime solution from them because it required a bes server and that the crypto actually took place on the bes server and not the phone. Geoff Sent from my BlackBerry wireless handheld. -----Original Message----- From: "Roger A. Grimes" <roger () banneretcs com> Date: Sat, 13 Oct 2007 14:11:03 To:<gjgowey () tmo blackberry net>,"soul" <soul1273 () yahoo fr>,<security-basics () securityfocus com> Subject: RE: Email encryption with Blackberry Yes, you can use S/MIME with Blackberries. You have to obtain the RIM S/MIME Package, which is an add-in to the regular RIM desktop client. Then you MUST connect your Blackberry to the desktop with a physical cable (serial, USB, etc.). The S/MIME package downloads the installed S/MIME keys from desktop/laptop computer to your Blackberry where they can be used to read and encrypt/sign email in the Blackberries. Unfortunately, creating encrypted email on the Blackberry isn't super easy, but at least your end-users can read encrypted email easily. You'll need to make sure that any the S/MIME keys needed (including the public keys from others) are installed on the desktop before sync'ing the S/MIME Package to the Blackberry, so it can transfer the keys. And if an new public key is sent to the user, they'll have to re-sync to get the new key. Also, you must have a Blackberry model capable of supporting S/MIME, which the most current models do. Roger ******************************************************************* *Roger A. Grimes, Senior Security Consultant *Microsoft Application Consulting and Engineering (ACE) Services *http://blogs.msdn.com/ace_team/default.aspx *CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada... *email: roger () banneretcs com or rogrim () microsoft com *Author of Windows Vista Security: Security Vista Against Malicious Attacks (Wiley) *http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470 101555 ******************************************************************* -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of gjgowey () tmo blackberry net Sent: Thursday, October 11, 2007 2:49 AM To: soul; listbounce () securityfocus com; security-basics () securityfocus com Subject: Re: Email encryption with Blackberry I can't give any definitie answers about the rim s/mime product, but I can note a few things. I have a thawte freemail cert and my blackberry can import the cert without problem. The steps are to get the cert from thawte on the desktop, export it to file, and use the blackberry desktop to push the cert onto the blackberry. Now I can't tell you anything further than that since I don't have the s/mime product, but I know that much works. I'm imagining though that the next few steps from there to make that cert work with s/mime probably aren't that many. Geoff Sent from my BlackBerry wireless handheld. -----Original Message----- From: soul <soul1273 () yahoo fr> Date: Thu, 11 Oct 2007 06:39:40 To:listbounce () securityfocus com, security-basics () securityfocus com Cc:gjgowey () tmo blackberry net Subject: Email encryption with Blackberry Hi all We are trying to implement an email encryption solution for our users. Our environment is Microsoft Exchange and Oulook 2003 client. the Top management use Balcberry. We chosed the Verisign Digital IDs certificate to encrypt ans sign email with S/MIME in outlook 2003. We want now to enable email encryption on the Blackberry using the same Verisign certificates. Is this possible? and how to do it? can the Balckberry email client use the certificate to encrypt the email? Thank you. Soul ________________________________________________________________________ _____ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail
Current thread:
- Email encryption with Blackberry soul (Oct 11)
- Re: Email encryption with Blackberry gjgowey (Oct 11)
- RE: Email encryption with Blackberry Roger A. Grimes (Oct 15)
- Re: Email encryption with Blackberry gjgowey (Oct 15)
- RE: Email encryption with Blackberry Roger A. Grimes (Oct 15)
- Re: Email encryption with Blackberry gjgowey (Oct 15)
- RE: Email encryption with Blackberry Roger A. Grimes (Oct 15)
- Re: Email encryption with Blackberry gjgowey (Oct 15)
- Re: Email encryption with Blackberry Julien Lemoine (Oct 18)
- RE: Email encryption with Blackberry Roger A. Grimes (Oct 15)
- Re: Email encryption with Blackberry gjgowey (Oct 11)