Grand Master Keys; Blackberry Symmetric Key Encryption Algorithms - Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview

BlackBerry Enterprise Solution
3. The BlackBerry device uses the ephemeral key to decrypt the encrypted content protection key and the encrypted ECC private key in flash memory.
4. The BlackBerry device stores the decrypted content protection key and the decrypted ECC private key in RAM.
5. If the BlackBerry device user attempts to access user data that the BlackBerry device encrypted while it was unlocked, the BlackBerry device uses the decrypted content protection key to decrypt the user data.
6. If a BlackBerry device user attempts to access user data (for example, opens a message) that the BlackBerry device encrypted while it was locked, the BlackBerry device uses the decrypted ECC private key to decrypt the user data and access the ECC-encrypted items (for example, message bodies, subjects, or recipients).
7. When the BlackBerry device has opened 128 ECC-encrypted items (typically, less than 40 messages), the BlackBerry device uses the ECC private key to decrypt the ECC-encrypted items and then re-encrypts them with the content protection key the next time that the BlackBerry device locks. If the re-encryption process is incomplete when the BlackBerry device user next unlocks the BlackBerry device, the BlackBerry device resumes re-encryption when it locks again.

Grand master keys

When the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys, the
BlackBerry device uses a grand master key to encrypt the master encryption keys stored on the BlackBerry
device in flash memory. When the BlackBerry device receives data encrypted with a master encryption key while
it is locked, it uses the grand master key to decrypt the required master encryption key in flash memory and
receive the data.
For more information, see "Protected storage of master encryption keys on a locked BlackBerry device" on page
31.

Process for generating grand master keys

When the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys on the BlackBerry device for the first time, the following process occurs:
1. The BlackBerry device generates the grand master key, a 256-bit AES encryption key.
2. The BlackBerry device stores the decrypted grand master key in RAM.
3. The BlackBerry device uses the existing content protection key to encrypt the grand master key.
4. The BlackBerry device stores the encrypted grand master key in flash memory.
5. The BlackBerry device uses the decrypted grand master key to encrypt the master encryption keys stored in BlackBerry device flash memory.

BlackBerry symmetric key encryption algorithms

A symmetric key encryption algorithm is designed so that only the parties who know the secret key can decrypt
the encrypted data or cipher text of the scrambled message.
The BlackBerry Enterprise Solution uses a symmetric key encryption algorithm to protect all data that the
BlackBerry device sends or receives, while the data is in transit between the BlackBerry device and the
BlackBerry Enterprise Server. This standard BlackBerry encryption, which is designed to provide strong security,
verifies that a BlackBerry message remains protected in transit to the BlackBerry Enterprise Server while the
message data is outside your organization's firewall.