
| Subject: | Re : Email encryption with Blackberry |
|---|---|
| Date: | Fri, 19 Oct 2007 12:44:24 +0000 (GMT) |
Thank you all for your responses.
We have the BES installed. I will try to update the blackberry terminal today with the SMIME pkg and come back to you as soon as possible.

regards
e

----
From: Julien Lemoine <corkhaakon@gmail.com>
To: security-basics@securityfocus.com
Cc: listbounce@securityfocus.com
Sent: Thursday, 18 October 2007, 10:18:08
Subject: Re: Email encryption with Blackberry

Hi all,

I'm confronted with this problem now, because we have an internal PKI, and the created certificates are principally used to encrypt emails. And for several weeks, some people in my service have been using Blackberry. So, when we send them encrypted emails, they can't read them.

Moreover, we don't have the BES license in our enterprise, so these users can't download the Blackberry S/MIME pack.

The only solution we have found is to use a tool provided by izecom (www.izecom.com/blackberry). This tool in its lite version (freeware) allows reading encrypted emails and verifying signed emails. The commercial one allows encrypting emails.

This tool must be downloaded directly from the Blackberry. But before installing, it seems the Blackberry must be updated with the latest versions (for the associated operator), because some encryption libraries are missing in the original installation. To do that, go to http://na.blackberry.com/eng/support/downloads/downloads_sites.jsp

I hope this solution can help you.

Julien

P.S.: Sorry if there are some mistakes, I don't really speak English fluently. ;-)

gjgowey@tmo.blackberry.net wrote:
What I'm saying is that the blackberry functions as a client slaved to the server. It does not have the smtp engine onboard. The mail portion is handled via the server/gateway and the transaction is handled between the client and the server over a 3DES encrypted link. The s/mime crypto (according to the rim tech) is not happening on the BB, but on the server/gateway. This actually makes sense in that BB's are designed for corporate environments which may be exchange based, lotus based, or something else and not necessarily smtp. The s/mime crypto may be happening at the server level and the cert can very well be provided to the server by the device for processing of the message.

The ssl part of my message was a bit of a separate topic.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Roger A. Grimes" <roger@banneretcs.com>
Date: Sun, 14 Oct 2007 09:53:37
To: <gjgowey@tmo.blackberry.net>, "soul" <soul1273@yahoo.fr>, <security-basics@securityfocus.com>
Subject: RE: Email encryption with Blackberry

You're mixing up crypto here. SSL isn't used in S/MIME. 3DES is symmetric encryption and may be used in S/MIME, but not in the way you are talking about it. Maybe that's your confusion. Do you want SSL (to protect email) to a gateway product; or S/MIME to protect email from end-user to end-user endpoint?

And if the BES server gets the cert (for S/MIME), there would be no need to copy the cert from the desktop to the Blackberry device. You're mixing up your crypto.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes@infoworld.com or roger@banneretcs.com
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*****************************************************************

-----Original Message-----
From: gjgowey@tmo.blackberry.net [mailto:gjgowey@tmo.blackberry.net]
Sent: Saturday, October 13, 2007 8:02 PM
To: Roger A. Grimes; soul; security-basics@securityfocus.com
Subject: Re: Email encryption with Blackberry

I agree with you about what s/mime is, but the blackberries themselves are not the actual smtp engines. They're just a point to point pipe to the actual smtp engine (blackberry.net, bes, desktop client, etc.). The only on board crypto is for talking to the gateway (3DES - I think) and websites (ssl). However, if you flip through the configuration menus in the blackberry you can push ssl processing to be completely handled by the gateway. That said, it's possible that the blackberry tech was correct since the server could cache the cert on first receipt.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Roger A. Grimes" <roger@banneretcs.com>
Date: Sat, 13 Oct 2007 19:47:26
To: <gjgowey@tmo.blackberry.net>, "soul" <soul1273@yahoo.fr>, <security-basics@securityfocus.com>
Subject: RE: Email encryption with Blackberry

The one install I performed this on did have a BES server, but I'm fairly confident of how the desktop S/MIME product works. No software was required to be installed on the server. It was all client-side. Before the S/MIME packages were installed on the user's desktop, their Blackberries could receive signed and encrypted messages. They could see the signed messages as if the signed portion was stripped off, but the encrypted ones would not display, saying they were encrypted. Then we used the S/MIME support package and it just copies the S/MIME keys out of Windows/Outlook and puts them on the phone.

It's a little dubious to believe that any true encryption information or encryption keys would be stored on the BES server. S/MIME is endpoint to endpoint. Encryption and decryption of messages is 100% done on the endpoint. Otherwise it wouldn't be S/MIME. The only way I could see the BES server being involved is in trust path verification or revocation checking, but I didn't see the Blackberries being nearly that sophisticated.

I just got through doing a multi-week project involving Blackberries and S/MIME, so it's fairly fresh in my mind.

With that said, I'm not a Blackberry expert...so trust what RIM says more. Still, I'd call back and question. The tech support may have been right in that you needed a BES server to pull it off (or maybe for licensing reasons)...but not for the reasons they stated. We never installed certs to the BES server.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes@infoworld.com or roger@banneretcs.com
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*****************************************************************

-----Original Message-----
From: gjgowey@tmo.blackberry.net [mailto:gjgowey@tmo.blackberry.net]
Sent: Saturday, October 13, 2007 6:09 PM
To: Roger A. Grimes; soul; security-basics@securityfocus.com
Subject: Re: Email encryption with Blackberry

I'm curious. This is a far different response than I got from rim when I talked to them on the phone. They said to me that I couldn't use the s/mime solution from them because it required a bes server and that the crypto actually took place on the bes server and not the phone.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Roger A. Grimes" <roger@banneretcs.com>
Date: Sat, 13 Oct 2007 14:11:03
To: <gjgowey@tmo.blackberry.net>, "soul" <soul1273@yahoo.fr>, <security-basics@securityfocus.com>
Subject: RE: Email encryption with Blackberry

Yes, you can use S/MIME with Blackberries. You have to obtain the RIM S/MIME Package, which is an add-in to the regular RIM desktop client. Then you MUST connect your Blackberry to the desktop with a physical cable (serial, USB, etc.). The S/MIME package downloads the installed S/MIME keys from desktop/laptop computer to your Blackberry where they can be used to read and encrypt/sign email in the Blackberries.

Unfortunately, creating encrypted email on the Blackberry isn't super easy, but at least your end-users can read encrypted email easily. You'll need to make sure that any S/MIME keys needed (including the public keys from others) are installed on the desktop before sync'ing the S/MIME Package to the Blackberry, so it can transfer the keys. And if a new public key is sent to the user, they'll have to re-sync to get the new key.

Also, you must have a Blackberry model capable of supporting S/MIME, which the most current models do.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@banneretcs.com or rogrim@microsoft.com
*Author of Windows Vista Security: Security Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of gjgowey@tmo.blackberry.net
Sent: Thursday, October 11, 2007 2:49 AM
To: soul; listbounce@securityfocus.com; security-basics@securityfocus.com
Subject: Re: Email encryption with Blackberry

I can't give any definitive answers about the rim s/mime product, but I can note a few things. I have a thawte freemail cert and my blackberry can import the cert without problem. The steps are to get the cert from thawte on the desktop, export it to file, and use the blackberry desktop to push the cert onto the blackberry. Now I can't tell you anything further than that since I don't have the s/mime product, but I know that much works. I'm imagining though that the next few steps from there to make that cert work with s/mime probably aren't that many.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: soul <soul1273@yahoo.fr>
Date: Thu, 11 Oct 2007 06:39:40
To: listbounce@securityfocus.com, security-basics@securityfocus.com
Cc: gjgowey@tmo.blackberry.net
Subject: Email encryption with Blackberry

Hi all

We are trying to implement an email encryption solution for our users. Our environment is Microsoft Exchange and Outlook 2003 client. The Top management use Blackberry.

We chose the Verisign Digital IDs certificate to encrypt and sign email with S/MIME in Outlook 2003.

We want now to enable email encryption on the Blackberry using the same Verisign certificates. Is this possible? And how to do it? Can the Blackberry email client use the certificate to encrypt the email?

Thank you.
Soul
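
The behaviour reported in the thread (signed mail readable on a handheld before the keys were copied to it, encrypted mail not) can be reproduced with the `openssl smime` command. This is an added example and not part of any message in the thread; the key pair, self-signed certificate, message text and file names are constructed for the demo and stand in for a real Digital ID and a real device.

```shell
#!/bin/sh
# Constructed demo: keys, certificate and message are generated locally.
MSG='quarterly numbers attached'

setup() {
    D=$(mktemp -d) || return 1
    printf '%s\n' "$MSG" > "$D/msg.txt"
    # Recipient key pair + self-signed certificate (stand-in for a Digital ID).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=recipient.example' \
        -keyout "$D/rcpt.key" -out "$D/rcpt.crt" 2>/dev/null || return 1
    # Unrelated key: models a device the recipient's key was never copied to.
    openssl genrsa -out "$D/other.key" 2048 2>/dev/null || return 1
    # Signed-only (clear-signed) and encrypted copies of the same message.
    openssl smime -sign -in "$D/msg.txt" -signer "$D/rcpt.crt" \
        -inkey "$D/rcpt.key" -out "$D/signed.eml" 2>/dev/null || return 1
    openssl smime -encrypt -aes-256-cbc -in "$D/msg.txt" \
        -out "$D/enc.eml" "$D/rcpt.crt" 2>/dev/null
}

# Signed-only mail: the body is recoverable with no private key at all.
# -noverify skips certificate chain validation; the signature is still checked.
reads_signed_without_key() {
    out=$(openssl smime -verify -noverify -in "$D/signed.eml" 2>/dev/null | tr -d '\r')
    [ "$out" = "$MSG" ]
}

# Encrypted mail: the body comes back only with the recipient's private key.
# $1 is the private key file available on the reading endpoint.
decrypts_with_key() {
    out=$(openssl smime -decrypt -in "$D/enc.eml" -inkey "$1" 2>/dev/null | tr -d '\r')
    [ "$out" = "$MSG" ]
}

setup || { echo "openssl setup failed" >&2; exit 1; }
reads_signed_without_key && echo "signed: readable without any private key"
decrypts_with_key "$D/rcpt.key" && echo "encrypted + recipient key: readable"
decrypts_with_key "$D/other.key" || echo "encrypted + unrelated key: unreadable"
```
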