Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

Reply
Highlighted
Trusted Contributor
Posts: 112
Registered: ‎09-23-2008
My Device: Z30 BES 10
My Carrier: AT&T

Anybody get Their BB to send SMIME using AES not Triple DES

I am running a 9810 Torch OS 7 and have not upgraded to BB10 because I do not want to "email" my SMIME private key to get it on my BB. I use the Desktop Manager to sync my private key onto my BB Torch. Hopefully the Link Software will deliver that capability in the future.

 

My Torch is able to read SMIME email sent from Outlook 2013 using AES 256 (so I know my BB can read AES 256)  but it will only send (or reply back) using Triple DES. Under Options/Security/SMIME if you do not have Triple DES selected you get the following message when trying to send SMIME email:

 

"Not all of your recipients support your allowed content ciphers. Please select one of the following supported ciphers:

 

Do not send

 

RC2 (128-bit)

 

Triple DES"

 

I have checked with the engineer who runs the BES server and he has told me that the BES server says I can use AES 256. But again, if I do not have Triple DES selected on my BB settings, I cannot send SMIME due to the above message. 

 

I also know Oultook 2013 is using AES 256 - so I do not understand why I can't send email using AES 256 which is better than Triple DES which is described as "adequate" in regard to security.

 

Has anybody been able to send SMIME email from a BB using AES as opposed to Triple DES?

 

Trusted Contributor
Posts: 112
Registered: ‎09-23-2008
My Device: Z30 BES 10
My Carrier: AT&T

Re: Anybody get Their BB to send SMIME using AES not Triple DES

This problem is also coming from Outlook 2013/2010. You can send/receive SMIME in AES 256 only to yourself.... as soon as you send to another person it defaults to DES3 even if Outlook Trust Settings are configured to use AES 256. 

 

So it appears Blackberry, Microsoft Outlook as well as iPhone, when using SMIME, you get DES3.

 

I believe you can change Outlook using the Outlook Customization Tool.

 

Nobody has said if BB can send/receive in anything other than DES3.

 

 

 

 

New Member
Posts: 1
Registered: ‎03-04-2015
My Device: Passport BES12
My Carrier: Vodafone

Re: Anybody get Their BB to send SMIME using AES not Triple DES

Hi, 

 

What BES version are you using and do you have the AES256 only option selected in the SMIME settings within the Email profile? 

For outlook 2013 please make sure you have the AES and SHA256 option selected in the Trustcenter. 

 

We have this working unfortunatley only with AES-128, as Blackberry does not look in the Active Directory attributes (as is now common) to determine the Encryption. Blackberry chose to depend on the S/MIME Capabilities option within the certificate it's self ( RFC4262) which you can add within a Windows PKI on the SMIME template. Unfortunaly company's like Symantec and other Certificate issuers do not support this so if public certificates are important to you only AES-128 can be used. Also just to note if you sent a AES256 encryped email to a BB user and this is the first contact the users have the reply from the BB user will also default to AES-128 which to me is a fault in programming.

 

 

Trusted Contributor
Posts: 112
Registered: ‎09-23-2008
My Device: Z30 BES 10
My Carrier: AT&T

Re: Anybody get Their BB to send SMIME using AES not Triple DES

[ Edited ]

I never got BES5 to send anything other than DES3. I believe on the server the settings were "all" - not just AES 256. So maybe that was the problem...

 

I am now on BES12 and in the process of seeing what it can do...

 

As for Outlook - the trust center settings are all correct but it will only send/receive AES 256 to yourself - when sending to others it rolls back to DES3. This is a known issue and on on Tech forums for Microsoft with no answer except to use OWA with the SMIME control installed (apparently then you can get AES 256.) I have not tried that myself though...

 

Glad to hear you were able to get Outlook 2013 to send/receive AES 128 as well as BES 5. Nice!