BlackBerry Enterprise Solution Security Technical Overview, page 10

memory can also retain previous and pending master encryption keys. It is critical to protect the BlackBerry
Configuration Database and the platform-specific master encryption key storage location on the messaging
server. For more information, see "Messaging server to computer email application connection" on page 41 and
"Protecting the BlackBerry Configuration Database" on page 34.
Key storage on the BlackBerry device
On the BlackBerry device, the shared key (the master encryption key) is stored in a database in flash memory
(the key store). The key store is designed so that an attacker cannot extract the key data from flash memory by
backing up the data from the BlackBerry device onto a computer.
Key state        Description
previous key(s)  The master encryption key(s) that the BlackBerry device used before the current key was
                 generated.
                 The BlackBerry device stores multiple previous keys in flash memory for 7 days, the maximum
                 amount of time that the BlackBerry Enterprise Server queues a pending message for delivery,
                 in case the BlackBerry device user creates a new key on the BlackBerry device multiple times
                 while messages are still queued on the BlackBerry Enterprise Server.
                 The messaging server and the BlackBerry Configuration Database store only the most recent
                 previous key.
pending key      The master encryption key that the BlackBerry Enterprise Server administrator generates in
                 the BlackBerry Manager to replace the current master encryption key.
                 Only the messaging server and the BlackBerry Configuration Database store the pending key.
                 The BlackBerry Desktop Software sends the pending key to the BlackBerry device when the
                 BlackBerry device user connects the BlackBerry device to the computer. The current key then
                 becomes the new previous key, and the pending key becomes the new current key.
How the messaging server storage location stores the master encryption keys
The Microsoft Exchange server stores the master encryption keys in a hidden folder named
BlackBerryHandheldInfo within a root folder of the BlackBerry device user's computer email application mailbox.
The BlackBerryHandheldInfo folder stores the following data:
- a message of class RIM.BlackBerry.Handheld.Config containing the BlackBerry device user's configuration
  information, including the master encryption key data
- the master encryption keys in binary form, with tags that indicate their state: 0x6002 (pending), 0x6003
  (current), and 0x6004 (previous)
The IBM Lotus Domino server stores the master encryption keys in a database named BlackBerryProfiles.nsf in
the /Data directory; this database contains configuration information for every BlackBerry device user. For
each BlackBerry device user, the BlackBerry Profiles database stores an account record containing the field
RIMCurrentEncryptionKeyText, which holds the master encryption keys as a hexadecimal string.
How master encryption keys are generated
Both the BlackBerry Enterprise Server administrator and a BlackBerry device user can generate and regenerate
master encryption keys. By default, the BlackBerry Enterprise Server sends a request to the BlackBerry Desktop
Software every 31 days to prompt users to regenerate the master encryption key on their BlackBerry devices. If
the user sets the Generate keys manually option in the BlackBerry Desktop Manager, the BlackBerry Enterprise
Server still sends a key regeneration request to the BlackBerry Desktop Software automatically.
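The key lifecycle described in the key state table, the storage sections and the generation section above, modelled as an added example. This is not BlackBerry code and is not taken from the original document: the class and function names (ServerKeyRecord, DeviceKeyStore, desktop_sync, user_regenerate), the sample keys and the queued message are constructed for illustration; the transport cipher is a placeholder keystream XOR, not the cipher the product uses; and the assumption that a user-generated key reaches the server over the same Desktop Software link is the example's own, not stated on this page. What it shows that the text does not is the practical consequence of the two retention policies: a message queued on the BlackBerry Enterprise Server under an older key can still be opened by the device within the 7-day window after several regenerations, while the server record, which keeps only one previous key, can no longer match it.

```python
"""Model of the master encryption key lifecycle: pending/current/previous
states, 7-day retention of previous keys on the device versus one previous
key on the server, and opening messages queued before a key change.
Constructed example, not BlackBerry code; the cipher is a placeholder."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# State tags the page says Exchange attaches to stored keys; labels only here.
TAG_PENDING, TAG_CURRENT, TAG_PREVIOUS = 0x6002, 0x6003, 0x6004
PREVIOUS_KEY_RETENTION = timedelta(days=7)   # device keeps retired keys this long


def key_id(key: bytes) -> str:
    """Fingerprint labelling which key a queued message was encrypted under."""
    return hashlib.sha256(b"kid|" + key).hexdigest()[:8]


def toy_transport(key: bytes, data: bytes) -> bytes:
    """Placeholder symmetric transform (SHA-256 keystream XOR); self-inverse."""
    stream = hashlib.sha256(b"ks|" + key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


@dataclass
class ServerKeyRecord:
    """Per-user keys on the messaging server / Configuration Database:
    current key, at most one previous key, optional pending key."""
    current: bytes
    previous: Optional[bytes] = None
    pending: Optional[bytes] = None

    def tagged_records(self) -> List[Tuple[int, bytes]]:
        out = [(TAG_CURRENT, self.current)]
        if self.previous is not None:
            out.append((TAG_PREVIOUS, self.previous))
        if self.pending is not None:
            out.append((TAG_PENDING, self.pending))
        return out

    def promote(self, new_key: bytes) -> None:
        """Current becomes the only previous key; new_key becomes current."""
        self.previous, self.current, self.pending = self.current, new_key, None

    def can_open(self, kid: str) -> bool:
        return kid in {key_id(k) for _, k in self.tagged_records()}


@dataclass
class DeviceKeyStore:
    """Key store in device flash: current key plus retired keys with their
    retirement time, kept for PREVIOUS_KEY_RETENTION."""
    current: bytes
    previous: Dict[str, Tuple[bytes, datetime]] = field(default_factory=dict)

    def expire(self, now: datetime) -> None:
        self.previous = {k: v for k, v in self.previous.items()
                         if now - v[1] < PREVIOUS_KEY_RETENTION}

    def rotate(self, new_key: bytes, now: datetime) -> None:
        """Retire the current key into the previous set and install new_key."""
        self.previous[key_id(self.current)] = (self.current, now)
        self.current = new_key
        self.expire(now)

    def find(self, kid: str, now: datetime) -> Optional[bytes]:
        self.expire(now)
        if kid == key_id(self.current):
            return self.current
        entry = self.previous.get(kid)
        return entry[0] if entry else None

    def open_message(self, kid: str, ct: bytes, now: datetime) -> Optional[bytes]:
        key = self.find(kid, now)
        return None if key is None else toy_transport(key, ct)


def desktop_sync(server: ServerKeyRecord, device: DeviceKeyStore, now: datetime) -> bool:
    """Desktop Software delivers an admin-generated pending key to the device."""
    if server.pending is None:
        return False
    device.rotate(server.pending, now)
    server.promote(server.pending)
    return True


def user_regenerate(server: ServerKeyRecord, device: DeviceKeyStore,
                    new_key: bytes, now: datetime) -> None:
    """User generates a key on the device; the server record is ASSUMED to be
    updated over the same Desktop Software link (not stated on this page)."""
    device.rotate(new_key, now)
    server.promote(new_key)


def demo() -> dict:
    """Queue a message under key 0, rotate three times, deliver on day 5 and 9."""
    t0 = datetime(2006, 1, 1)
    keys = [hashlib.sha256(f"constructed key {i}".encode()).digest() for i in range(4)]
    server, device = ServerKeyRecord(current=keys[0]), DeviceKeyStore(current=keys[0])
    kid, ct = key_id(keys[0]), toy_transport(keys[0], b"queued while key 0 was current")
    server.pending = keys[1]                      # admin generates in BlackBerry Manager
    desktop_sync(server, device, t0 + timedelta(days=1))
    user_regenerate(server, device, keys[2], t0 + timedelta(days=2))
    user_regenerate(server, device, keys[3], t0 + timedelta(days=3))
    day5 = device.open_message(kid, ct, t0 + timedelta(days=5))
    kept_day5 = len(device.previous)              # three retired keys still held
    day9 = device.open_message(kid, ct, t0 + timedelta(days=9))
    return {"day5": day5, "kept_day5": kept_day5, "day9": day9,
            "kept_day9": len(device.previous), "server_can_open": server.can_open(kid),
            "server_tags": [t for t, _ in server.tagged_records()]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running the file prints the day-5 delivery recovered from a key retired three rotations earlier, the same message undeliverable on day 9 once that key has aged out of the 7-day window, and a server record that can match neither, since it holds only key 2 as its single previous key.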
www.blackberry.com