BlackBerry Enterprise Solution Security Technical Overview, page 11

BlackBerry Enterprise Solution key generation methods: desktop-based (wired) and wireless
Computer based process for generating master encryption keys
In BlackBerry Desktop Software Version 4.0 or later, the master encryption key generation function uses the current time as the seed for the C language srand function. The master encryption key generation function then gathers entropy (randomness) using the following process:

1. When prompted by the BlackBerry Desktop Software, the BlackBerry device user moves the mouse. The BlackBerry Desktop Software master encryption key generation function examines the lowest 12 bits of the x and y coordinates of the new mouse location. If the bits are different from the previous sample, the BlackBerry Desktop Software stores them, generating 3 bytes of randomness. If the bits are the same as the previous sample, no sample is taken.

2. The BlackBerry Desktop Software master encryption key generation function waits for a random interval between 50 and 150 milliseconds, and then continues to sample in the same way until it gathers 384 bytes.

3. The BlackBerry Desktop Software retrieves 384 bytes of randomness from the MSCAPI, for a total of 768 bytes.

4. The BlackBerry Desktop Software hashes the 384 bytes of randomness from the BlackBerry device user's mouse coordinates and the 384 bytes of randomness from the MSCAPI with SHA-512 to produce 512 bits of data. The BlackBerry Desktop Software frees the memory associated with the unused bits.

5. The BlackBerry Desktop Software uses the first 256 bits if it is generating the master encryption key using AES encryption, or the first 128 bits if it is generating the master encryption key using Triple DES encryption. The BlackBerry Desktop Software discards any unused bits.

BlackBerry Enterprise Server versions earlier than 4.0 use a different desktop-based master encryption key generation process. For more information, see "Appendix C: Previous version of wired master encryption key generation" on page 74.
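The five steps above, modelled as an added example in Python. This is not BlackBerry's code; it keeps the page's figures (12 low bits per coordinate, 3 bytes per stored sample, 384 mouse bytes, 384 MSCAPI bytes, SHA-512, 256 or 128 bits kept) and makes three assumptions: the mouse path is a constructed, deterministic sequence rather than a user's movement; the MSCAPI output is replaced by a constructed, reproducible stand-in (a real implementation would call the OS cryptographic provider); and the srand-seeded 50 to 150 ms pause is treated as sampling cadence only, contributing no key material, so it is omitted.

```python
# Added example (not BlackBerry's code): a model of the desktop-based master
# encryption key generation process described on this page. Constants are the
# page's figures; the mouse path, the CSP stand-in and the omitted sampling
# pause are assumptions made for the example.
import hashlib
from typing import Iterable, List, Optional, Tuple

MOUSE_BYTES = 384   # randomness gathered from mouse coordinates
CSP_BYTES = 384     # randomness retrieved from the MSCAPI (stand-in below)
KEY_BITS = {"AES": 256, "TripleDES": 128}   # bits kept from the SHA-512 output


def pack_sample(x: int, y: int) -> bytes:
    """Lowest 12 bits of x and of y, concatenated: 24 bits = 3 bytes."""
    value = ((x & 0xFFF) << 12) | (y & 0xFFF)
    return value.to_bytes(3, "big")


def gather_mouse_entropy(samples: Iterable[Tuple[int, int]],
                         needed: int = MOUSE_BYTES) -> bytes:
    """Steps 1-2: store a sample only when its low bits differ from the
    previously stored sample; stop once `needed` bytes are collected.
    The 50-150 ms pause between samples paces sampling only (assumption),
    so no delay is modelled here."""
    buf = bytearray()
    prev: Optional[bytes] = None
    for x, y in samples:
        cur = pack_sample(x, y)
        if cur == prev:
            continue        # same bits as the previous sample: no sample taken
        buf += cur
        prev = cur
        if len(buf) >= needed:
            break
    if len(buf) < needed:
        raise ValueError("mouse movement ended before %d bytes were gathered" % needed)
    return bytes(buf[:needed])


def derive_master_key(mouse_entropy: bytes, csp_entropy: bytes, algorithm: str) -> bytes:
    """Steps 4-5: SHA-512 over the 768 combined bytes, then keep the first
    256 bits (AES) or 128 bits (Triple DES); the remaining bits are discarded."""
    if len(mouse_entropy) != MOUSE_BYTES or len(csp_entropy) != CSP_BYTES:
        raise ValueError("expected %d mouse bytes and %d CSP bytes"
                         % (MOUSE_BYTES, CSP_BYTES))
    if algorithm not in KEY_BITS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    digest = hashlib.sha512(mouse_entropy + csp_entropy).digest()   # 512 bits
    return digest[:KEY_BITS[algorithm] // 8]


def constructed_mouse_path(count: int, seed: int = 1) -> List[Tuple[int, int]]:
    """Constructed, deterministic stand-in for a user's mouse movement (a small
    LCG). Every fifth sample repeats the previous one so that the
    duplicate-rejection branch is exercised. Not a source of real entropy."""
    state = seed
    path: List[Tuple[int, int]] = []
    for i in range(count):
        if i % 5 == 4 and path:
            path.append(path[-1])       # user did not move: same coordinates
            continue
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        x = (state >> 8) & 0xFFFF
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        y = (state >> 8) & 0xFFFF
        path.append((x, y))
    return path


def constructed_csp_bytes(seed: int = 7) -> bytes:
    """Constructed stand-in for the 384 bytes retrieved from the MSCAPI.
    A real implementation calls the OS cryptographic provider; a derived,
    fixed value keeps this example reproducible offline."""
    out = bytearray()
    counter = 0
    while len(out) < CSP_BYTES:
        out += hashlib.sha256(b"csp-stand-in:%d:%d" % (seed, counter)).digest()
        counter += 1
    return bytes(out[:CSP_BYTES])


if __name__ == "__main__":
    mouse = gather_mouse_entropy(constructed_mouse_path(400))
    csp = constructed_csp_bytes()
    print("AES master key:       ", derive_master_key(mouse, csp, "AES").hex())
    print("Triple DES master key:", derive_master_key(mouse, csp, "TripleDES").hex())
```

Two properties of the process are visible when the model runs: a user who stops moving the mouse never advances the buffer, because identical low bits are rejected rather than stored, and the Triple DES key is simply the first 128 bits of the same SHA-512 digest that yields the AES key, since both are prefixes of one hash output.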
www.blackberry.com
Key generation method: desktop-based (wired) and wireless

Initial key generation

Desktop-based (wired): When a BlackBerry device user connects the BlackBerry device to the computer for the first time, the BlackBerry Desktop Software creates the master encryption key and sends it to the BlackBerry device and the messaging server.

Wireless: Wireless enterprise activation permits a BlackBerry device user to remotely activate a BlackBerry device on the BlackBerry Enterprise Server without a physical network connection. During the wireless enterprise activation, the BlackBerry Enterprise Server and the BlackBerry device negotiate to select the strongest algorithm that they both support and use that algorithm to generate the master encryption key.
Note: For more information, see "Authentication during wireless enterprise activation" on page 39.

Key regeneration

Desktop-based (wired): When the BlackBerry device user subsequently connects the BlackBerry device to the computer, the user can initiate regeneration of the master encryption key. The BlackBerry Desktop Software creates the master encryption key and sends it to the BlackBerry device and the messaging server.

Wireless: On the BlackBerry device, a user can request a new master encryption key. The BlackBerry device sends the key regeneration request to the BlackBerry Enterprise Server over the wireless network. In the BlackBerry Manager, the BlackBerry Enterprise Server administrator can initiate regeneration of a master encryption key for a BlackBerry device.
11
This manual is also suitable for:

Enterprise server 4.1