BlackBerry Enterprise Solution Security Technical Overview - Message Keys

BlackBerry Enterprise Solution
Process for generating master encryption keys over the wireless network
To establish and manage master encryption keys over the wireless network, the BlackBerry Enterprise Server
uses the initial key establishment protocol and the key rollover protocol. Both protocols provide strong
authentication: only a BlackBerry device with a valid work email address and an activation password can initiate
wireless enterprise activation and master encryption key generation.
Protocol: initial key establishment protocol
Description: The BlackBerry Enterprise Server uses this protocol during wireless enterprise activation to
establish the initial master encryption key. This protocol uses SPEKE to initialize a key generation process
using an activation password, enabling a BlackBerry device to establish long-term public keys and a strong,
cryptographically protected connection with a BlackBerry Enterprise Server.

Protocol: key rollover protocol
Description: The BlackBerry device and the BlackBerry Enterprise Server use this protocol to regenerate a
master encryption key, based on the existing master encryption key. When a BlackBerry device user physically
connects the BlackBerry device to the computer, if a pending key exists, the current master encryption key on
the BlackBerry device becomes a previous key and the pending key replaces the current key. If no pending key
exists, the BlackBerry Desktop Software creates a new master encryption key for the user. This protocol
generates the master encryption key using existing long-term public keys and the ECMQV algorithm to negotiate
a common key in such a way that an unauthorized party cannot calculate the same key. This protocol achieves
perfect forward secrecy: the new master encryption key is independent of the previous key, so knowledge of the
previous master encryption key does not permit an attacker to learn the new master encryption key.

For more information about the wireless master encryption key generation protocols, see "Authentication during
wireless enterprise activation" on page 39.

Message keys

The BlackBerry Enterprise Server and the BlackBerry device generate one or more message keys, which are
designed to protect the integrity of data such as short keys or large messages, for each message that they send.
If a message contains several datagrams and exceeds 2 KB, the BlackBerry Enterprise Server and the BlackBerry
device generate a unique message key for each datagram.
Each message key consists of random information, which makes it difficult for a third party to decrypt,
re-create, or duplicate the key.
The message key is a session key; the BlackBerry device does not store the message key persistently but frees
the memory associated with it after using it in the decryption process.

Process for generating message keys on the BlackBerry Enterprise Server
The BlackBerry Enterprise Server is designed to seed a DSA PRNG function to generate a message key using the
following process:
1. The BlackBerry Enterprise Server obtains random data from multiple sources for the seed, using a technique
   derived from the initialization function of the ARC4 encryption algorithm.
2. The BlackBerry Enterprise Server uses the random data to permute the contents of a 256-byte (2048-bit)
   state array.
www.blackberry.com
12
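The two seeding steps above, as an added Python illustration that is not code from this overview or from BlackBerry: entropy from several sources is gathered, then used to permute a 256-byte state array. The entropy sources, the hashing that binds them, the helper names and the use of the textbook ARC4 key-scheduling permutation are all assumptions, since the "derived" technique the overview refers to is not public.

```python
import hashlib
import os
import time
from typing import List

STATE_SIZE = 256  # a 256-byte (2048-bit) state array, as the overview describes

def gather_seed_material() -> bytes:
    """Step 1: random data from several sources, bound together by hashing.
    Constructed for this example: OS CSPRNG output, a high-resolution clock and
    the process id stand in for the 'multiple sources'."""
    parts = [os.urandom(32),
             time.perf_counter_ns().to_bytes(8, "big"),
             os.getpid().to_bytes(4, "big")]
    return hashlib.sha256(b"".join(parts)).digest()

def permute_state(seed: bytes) -> List[int]:
    """Step 2: ARC4 key-scheduling permutation of the 256-byte state array.
    Assumption: textbook RC4 KSA; the overview's 'derived' variant is not public."""
    if not seed:
        raise ValueError("seed material must not be empty")
    state = list(range(STATE_SIZE))
    j = 0
    for i in range(STATE_SIZE):
        j = (j + state[i] + seed[i % len(seed)]) % STATE_SIZE
        state[i], state[j] = state[j], state[i]
    return state

def is_permutation(state: List[int]) -> bool:
    """Sanity check: each byte value 0..255 occurs exactly once in the state."""
    return len(state) == STATE_SIZE and sorted(state) == list(range(STATE_SIZE))

def keystream(state: List[int], n: int) -> bytes:
    """RC4 output function, included only to check permute_state against the
    public RC4 test vectors; the seeding process itself stops at the state."""
    s, i, j, out = state.copy(), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % STATE_SIZE
        j = (j + s[i]) % STATE_SIZE
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % STATE_SIZE])
    return bytes(out)

def generate_seed_state() -> bytes:
    """Steps 1 and 2 together: the 2048-bit state handed on as PRNG seed."""
    return bytes(permute_state(gather_seed_material()))
```

The keystream check against the public RC4 vectors (key "Key" gives EB9F7781B734CA72A719) confirms the permutation is the standard one; a real implementation would feed the resulting state into the DSA PRNG rather than emit keystream.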
This manual is also suitable for:

Enterprise server 4.1