BlackBerry Enterprise Solution Security Technical Overview - S/MIME encryption

BlackBerry Enterprise Solution

S/MIME encryption

If the S/MIME Support Package for BlackBerry devices exists on a BlackBerry device, when the BlackBerry device user sends a message, the BlackBerry device encrypts the message using the following process:
1. The BlackBerry device encrypts the message with the S/MIME certificate of the message recipient or a shared password. When the BlackBerry device user types the shared password to encrypt or decrypt the S/MIME-protected message, the BlackBerry device combines the password with random bytes to generate a new encryption key.
2. The BlackBerry device uses standard BlackBerry encryption to encrypt the S/MIME-encrypted message.
3. The BlackBerry device sends the encrypted data to the BlackBerry Enterprise Server.
4. The BlackBerry Enterprise Server removes the standard BlackBerry encryption and sends the S/MIME-encrypted message to the recipient.
If the S/MIME Support Package for BlackBerry devices exists on a BlackBerry device, when the user receives a message on the BlackBerry device, the BlackBerry device decrypts the message using the following process:
1. The BlackBerry Enterprise Server receives the S/MIME-protected message.
2. If the message is signed-only or weakly encrypted, the BlackBerry Enterprise Server encrypts the message a second time with S/MIME encryption if the BlackBerry Enterprise Server administrator has turned on this option using the BlackBerry Manager.
3. The BlackBerry Enterprise Server uses standard BlackBerry encryption to encrypt the S/MIME data.
4. The BlackBerry Enterprise Server sends the encrypted message to the BlackBerry device.
5. The BlackBerry device removes the standard BlackBerry encryption and stores the S/MIME-encrypted message.
6. When the BlackBerry device user opens the message on the BlackBerry device, the BlackBerry device decrypts the S/MIME-encrypted message and renders the message contents. If the message is encrypted with a shared password, the BlackBerry device user types the shared password to encrypt or decrypt the S/MIME-protected message.
S/MIME encryption algorithms
The BlackBerry device is designed to support the use of a strong algorithm for S/MIME encryption. When the BlackBerry Enterprise Server administrator turns on S/MIME encryption on the BlackBerry Enterprise Server, the default setting of the S/MIME Allowed Content Ciphers IT policy rule specifies that the BlackBerry device can use any of the supported algorithms to encrypt S/MIME messages, except the two weakest RC2 algorithms, RC2 (64-bit) and RC2 (40-bit).
The BlackBerry Enterprise Server administrator can use the Weak Digest Algorithms IT policy rule to specify the algorithms that BlackBerry devices consider weak. The BlackBerry device uses this list of weak digest algorithms in two checks on received messages: verifying that the digital signature on the message was not generated using a weak hash digest, and verifying that the certificate chain for the certificate used to sign the message does not contain hashes generated using a weak digest.
The BlackBerry Enterprise Server administrator can set the S/MIME Allowed Content Ciphers IT policy rule to allow the BlackBerry device to encrypt S/MIME messages using any of AES (256-bit), AES (192-bit), AES (128-bit), CAST (128-bit), RC2 (128-bit), Triple DES, RC2 (64-bit), and RC2 (40-bit).
If the BlackBerry device has previously received a message from the intended recipient, the BlackBerry device is designed to recall which content ciphers the recipient can support, and use one of those ciphers. The BlackBerry device encrypts the message using Triple DES by default if it does not know the decryption capabilities of the recipient.
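The following is an added example, not BlackBerry code, that models the two policy decisions described above as plain logic: choosing a content cipher from the S/MIME Allowed Content Ciphers rule and the recipient's remembered capabilities (falling back to Triple DES when the recipient is unknown), and applying the Weak Digest Algorithms rule to a signature and its certificate chain. The strongest-first ordering and the behaviour when Triple DES itself is not allowed are assumptions of the example, not statements from the document.

```python
# Added example (not BlackBerry's implementation): S/MIME content-cipher
# selection and weak-digest checks modelled as IT-policy evaluation.

# Content ciphers the document lists, ordered strongest first.
# The ordering is an assumption of this example.
SUPPORTED_CIPHERS = ["AES-256", "AES-192", "AES-128", "CAST-128",
                     "RC2-128", "3DES", "RC2-64", "RC2-40"]

# Default of the S/MIME Allowed Content Ciphers rule: everything except the
# two weakest RC2 variants.
DEFAULT_ALLOWED = [c for c in SUPPORTED_CIPHERS if c not in ("RC2-64", "RC2-40")]

# Cipher used when the recipient's decryption capabilities are unknown.
FALLBACK_CIPHER = "3DES"


def choose_content_cipher(allowed, recipient_caps):
    """Pick the content cipher for an outgoing message.

    recipient_caps is the cipher list remembered from an earlier message from
    this recipient, or None if nothing has been received from them yet.
    Returns None when policy and recipient capabilities do not overlap
    (assumption: a policy that forbids 3DES also blocks the unknown-recipient
    fallback rather than silently downgrading).
    """
    if recipient_caps is None:
        return FALLBACK_CIPHER if FALLBACK_CIPHER in allowed else None
    for cipher in SUPPORTED_CIPHERS:  # strongest first
        if cipher in allowed and cipher in recipient_caps:
            return cipher
    return None


def signature_digest_ok(signature_digest, chain_digests, weak_digests):
    """Apply the Weak Digest Algorithms rule to a received signed message.

    Both the digest used for the signature itself and every digest used
    within the signer's certificate chain must be outside the weak list.
    """
    if signature_digest in weak_digests:
        return False
    return all(d not in weak_digests for d in chain_digests)


if __name__ == "__main__":
    # Constructed sample: recipient previously advertised these capabilities.
    print(choose_content_cipher(DEFAULT_ALLOWED, ["RC2-40", "3DES", "AES-128"]))
    print(choose_content_cipher(DEFAULT_ALLOWED, None))
    print(signature_digest_ok("SHA-256", ["SHA-256", "SHA-1"], {"MD5", "SHA-1"}))
```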
www.blackberry.com
25

This manual is also suitable for:

Enterprise server 4.1