BlackBerry denies using backdoor-enabled encryption code

BlackBerry Ltd. is denying it uses a flawed encryption algorithm in any of its products, although the company will support the encryption in some cases if a customer chooses to use it.

On Monday, the Globe and Mail reported on an encryption algorithm that, despite being shown by security researchers to have a back door that could render the encryption useless, was still officially blessed by government agencies in the U.S. and Canada to protect sensitive government information. The algorithm, called Dual_EC, was included for more than six years on the Cryptographic Module Validation Program, a joint effort by the U.S. National Institute of Standards and Technology and the Communications Security Establishment Canada.


Because it was officially blessed by the agencies, the algorithm was implemented by dozens of technology companies. According to an NIST document, one of those companies is BlackBerry, which owns the Mississauga security firm that first patented the ideas behind Dual_EC.

However, BlackBerry denies that the flawed algorithm is used in the company's products.

In a statement to the Globe and Mail on Monday, a BlackBerry spokeswoman said: "BlackBerry does not use the Dual EC DRBG algorithm in our products. We work closely with certification authorities around the world to validate the security of our products, and remain confident in the superiority of our mobile platform for customers using our device and enterprise server technology. BlackBerry public statements and principles have long underscored that there is no back door to our platform. Our customers can rest assured that BlackBerry mobile security remains the best available solution to protect their mobile communications."

Asked how that statement squares with a CMVP document that shows BlackBerry implemented Dual_EC encryption in several instances, the company sent a second statement later in the day:

"It is presented in the CMVP documents because [this particular] algorithm is supported within the VPN client and can be made available. However, BlackBerry's default configuration does not require a VPN. If customers deploy a VPN, it may include the algorithm, which we do support. The configuration and choice of the VPN is left to the customer's discretion. Dual EC DRBG is not supported by the BlackBerry encryption schemes used to protect data at rest or in transit using BlackBerry's proven secure data transport protocols."

A Virtual Private Network is a way to extend a private network (for example, a company's internal intranet) across a wider network, such as the Internet. In effect, the BlackBerry statement appears to indicate that, should a BlackBerry customer choose to use Dual_EC encryption on such a network while running BlackBerry devices and services, the company's technology will support it.

In 2005, researchers at a Mississauga technology company called Certicom filed a patent application for an encryption algorithm that relies on the mathematical concept of elliptic curves. In the patent filings, the researchers noted that a feature of the algorithm allows anyone with a certain key to bypass the encryption, listing law enforcement agents as a group that may be interested in such functionality.
