BlackBerry Enterprise Solution Security Technical Overview, page 14

BlackBerry Enterprise Solution
protection key, that are designed to encrypt the user data on the BlackBerry device when the BlackBerry device
is locked.
During the encryption process that begins when the BlackBerry device is locked, the BlackBerry device frees the
memory that it associates with the content protection key and the ECC private key that it stores in RAM. The
BlackBerry device then uses the ECC public key, an asymmetric key, to encrypt new BlackBerry device user data
that it receives.
When the BlackBerry device is unlocked, the BlackBerry device decrypts the content protection key and the ECC
private key in flash memory. The BlackBerry device then uses the ECC private key and the content protection key
to decrypt user data on the BlackBerry device.
For more information, see "Protected storage of user data on a locked BlackBerry device" on page 29.
Process for generating content protection keys
When the BlackBerry Enterprise Server administrator or the BlackBerry device user turns on content
protection of data for the first time, the following process occurs:
1. The BlackBerry device uses the NIST-approved DSA PRNG to randomly generate the content protection key,
a semi-permanent 256-bit AES encryption key.
2. The BlackBerry device generates an ECC key pair of a bit length that the BlackBerry device user or the
BlackBerry Enterprise Server administrator determines.
3. The BlackBerry device prompts the user to type the BlackBerry device password.
4. The BlackBerry device derives an ephemeral 256-bit AES encryption key from the BlackBerry device
password, in accordance with PKCS #5 (the password-based cryptography standard). For more information,
see "Appendix E: Process for deriving encryption keys that protect the keys used with content protection"
on page 77.
5. The BlackBerry device uses the ephemeral key to encrypt the content protection key and the ECC private
key.
6. The BlackBerry device stores the encrypted content protection key, the encrypted ECC private key, and the
ECC public key in flash memory.
If the BlackBerry device user changes the BlackBerry device password, the BlackBerry device uses the new
password to derive a new ephemeral key and uses the new ephemeral key to re-encrypt the encrypted
versions of the content protection key and the ECC private key in flash memory.
Process for encrypting user data on an unlocked BlackBerry device
The unlocked BlackBerry device uses the content protection key to encrypt data that the user types or otherwise
adds on the BlackBerry device, or that the BlackBerry device receives.
Process for encrypting user data on a locked BlackBerry device
1. The BlackBerry device locks. When the BlackBerry device locks for the first time after the BlackBerry
Enterprise Server administrator or the BlackBerry device user turns on content protection, it uses
the content protection key to automatically encrypt the bulk of its stored user and application data.
2. The BlackBerry device frees the memory associated with the decrypted content protection key and the
decrypted ECC private key stored in RAM.
3. The locked BlackBerry device uses the ECC public key to encrypt data that it receives.
Process for decrypting user data on an unlocked BlackBerry device
1. A user types the correct BlackBerry device password to unlock the BlackBerry device.
2. The BlackBerry device uses the BlackBerry device password to derive the ephemeral 256-bit AES encryption
key again.
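The key life cycle that the three processes above describe (generate the content protection key and the ECC key pair and wrap both private keys under a password-derived ephemeral key; free the RAM copies on lock and fall back to the ECC public key for new data; re-derive the ephemeral key on unlock), as an added Go example that is not code from the BlackBerry documentation. Everything beyond what the page states is an assumption of the example: P-256 as the ECC curve, a hand-rolled PBKDF2-HMAC-SHA256 with an assumed salt and iteration count, AES-GCM as the AES mode, crypto/rand in place of the DSA PRNG, and SHA-256 of an ECDH secret as the key derivation for the locked-device (ECIES-style) path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Device models the page's key hierarchy. Flash fields persist across a lock;
// RAM fields are freed on lock and restored only from the password.
type Device struct {
	salt, encCPK, encECCPriv []byte           // flash: PBKDF2 salt (assumed) and both wrapped keys
	eccPub                   *ecdh.PublicKey  // flash: ECC public key, stored in the clear
	cpk                      []byte           // RAM: 256-bit AES content protection key
	eccPriv                  *ecdh.PrivateKey // RAM: ECC private key
	locked                   bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pbkdf2 derives a 32-byte AES key per PKCS #5 PBKDF2-HMAC-SHA256 (one output block
// suffices for AES-256); hand-rolled here to stay on the standard library.
func pbkdf2(password, salt []byte) []byte {
	prf := func(in []byte) []byte { m := hmac.New(sha256.New, password); m.Write(in); return m.Sum(nil) }
	u := prf(binary.BigEndian.AppendUint32(append([]byte{}, salt...), 1)) // U1 = PRF(P, S || INT(1))
	t := append([]byte{}, u...)
	for c := 1; c < 10000; c++ { // iteration count is illustrative, not BlackBerry's
		u = prf(u)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcm/seal/unseal: AES-256-GCM with the 12-byte random nonce prefixed to the ciphertext.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func unseal(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// NewDevice runs steps 1-6 of "Process for generating content protection keys".
func NewDevice(password []byte) *Device {
	d := &Device{cpk: make([]byte, 32), salt: make([]byte, 16)}
	rand.Read(d.cpk)  // step 1: random 256-bit CPK (crypto/rand stands in for the DSA PRNG)
	rand.Read(d.salt) // PBKDF2 salt (assumed; the page does not mention one)
	d.eccPriv = must(ecdh.P256().GenerateKey(rand.Reader)) // step 2: ECC key pair; P-256 chosen here
	d.eccPub = d.eccPriv.PublicKey()
	ek := pbkdf2(password, d.salt)             // steps 3-4: ephemeral AES key from the password
	d.encCPK = seal(ek, d.cpk)                 // step 5: wrap the CPK and the ECC private key;
	d.encECCPriv = seal(ek, d.eccPriv.Bytes()) // step 6: flash keeps the wrapped keys and the public key
	return d
}

// Lock frees the RAM copies (step 2 of "encrypting user data on a locked device").
func (d *Device) Lock() {
	for i := range d.cpk {
		d.cpk[i] = 0
	}
	d.cpk, d.eccPriv, d.locked = nil, nil, true
}

// Unlock re-derives the ephemeral key and unwraps both keys; a wrong password
// fails GCM authentication instead of yielding garbage keys.
func (d *Device) Unlock(password []byte) error {
	ek := pbkdf2(password, d.salt)
	cpk, err1 := unseal(ek, d.encCPK)
	privBytes, err2 := unseal(ek, d.encECCPriv)
	if err1 != nil || err2 != nil {
		return errors.New("wrong password")
	}
	d.cpk, d.eccPriv, d.locked = cpk, must(ecdh.P256().NewPrivateKey(privBytes)), false
	return nil
}

// EncryptReceived protects new user data: under the CPK while unlocked (tag 0), or
// ECIES-style under the ECC public key while locked (tag 1, ephemeral point prefixed).
func (d *Device) EncryptReceived(data []byte) []byte {
	if !d.locked {
		return append([]byte{0}, seal(d.cpk, data)...)
	}
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	k := sha256.Sum256(must(eph.ECDH(d.eccPub))) // SHA-256 of the ECDH secret as a minimal KDF
	return append(append([]byte{1}, eph.PublicKey().Bytes()...), seal(k[:], data)...)
}

// Decrypt needs the RAM keys, so it refuses while locked; tag 1 carries a 65-byte P-256 point.
func (d *Device) Decrypt(blob []byte) ([]byte, error) {
	switch {
	case d.locked:
		return nil, errors.New("device locked: keys are not in RAM")
	case len(blob) > 0 && blob[0] == 0:
		return unseal(d.cpk, blob[1:])
	case len(blob) > 66 && blob[0] == 1:
		ephPub, err := ecdh.P256().NewPublicKey(blob[1:66])
		if err != nil {
			return nil, err
		}
		k := sha256.Sum256(must(d.eccPriv.ECDH(ephPub)))
		return unseal(k[:], blob[66:])
	}
	return nil, errors.New("unrecognised ciphertext")
}
```

Two properties worth noticing when running it: after Lock() the device can still accept and encrypt new data (only the public key is needed), but Decrypt refuses until the correct password re-derives the ephemeral key, which is exactly the state the page describes for a locked device; and because the wrapped keys are authenticated (GCM), a wrong password is detected at unwrap time rather than silently producing a wrong content protection key.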
www.blackberry.com
14