Decrypting and Reading Messages on the BlackBerry Device Using Lotus Notes API 7.0 - BlackBerry Enterprise Solution Security - Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution

S/MIME certificates

When a BlackBerry device user sends an encrypted message from the BlackBerry device, the BlackBerry device
uses the S/MIME certificate of the message recipient to encrypt the message.

When a BlackBerry device user receives a signed message, the BlackBerry device uses the S/MIME certificate of
the message sender to verify the message signature.

S/MIME private keys

When a BlackBerry device user sends a signed message from the BlackBerry device, the BlackBerry device
hashes the message using SHA-1, SHA-256, SHA-384, SHA-512, or MD5, and then uses the S/MIME private key
of the BlackBerry device user to digitally sign the message hash.

When a BlackBerry device user receives an encrypted message, the BlackBerry device uses the private key of the
user to decrypt the message.

For more information, see the S/MIME Support Package for BlackBerry Devices Security Technical Overview.

Decrypting and reading messages on the BlackBerry device using Lotus Notes API 7.0

In BlackBerry® Enterprise Server Version 4.1 or later for IBM® Lotus® Domino® with IBM® Lotus Notes® API
Version 7.0, by default, BlackBerry devices can decrypt IBM Lotus Notes encrypted messages and
S/MIME-encrypted messages. In BlackBerry Enterprise Server Version 4.1 or later for IBM Lotus Domino in an IBM Lotus
Domino environment, the BlackBerry Enterprise Server supports using the AES algorithm with the master
encryption key of the BlackBerry device to encrypt the Notes ID file and password and store them in the
BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory.

When BlackBerry device users forward or reply to IBM Lotus Notes encrypted messages or S/MIME-encrypted
messages that the BlackBerry devices decrypted, the BlackBerry devices send the messages to the recipients as
plain text.

The BlackBerry Enterprise Server administrator can configure the default BlackBerry device behaviour in the
following ways:

• use the Disable Notes Native Encryption Forward And Reply IT policy rule to prevent BlackBerry device
  users from forwarding and replying to IBM Lotus Notes encrypted messages on their BlackBerry devices
• use the Notes Native Encryption Password Timeout IT policy rule to specify the maximum length of time (in
  minutes) that the BlackBerry device stores the IBM Lotus Notes .id password that the user types

Process for decrypting IBM Lotus Notes and S/MIME messages

If a BlackBerry device user sets support for reading IBM Lotus Notes and S/MIME-encrypted messages on the
BlackBerry device, when the BlackBerry device user receives an IBM Lotus Notes or S/MIME-encrypted message,
the BlackBerry Enterprise Server for IBM Lotus Domino decrypts the message using the following process:

1. A BlackBerry device user receives an IBM Lotus Notes and S/MIME-encrypted message.
2. The BlackBerry Enterprise Server for IBM Lotus Domino messaging agent decrypts the BlackBerry device
   user's cached Notes .id password and uses the decrypted password to decrypt the message.
   If the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent does not have the Notes .id
   password, the BlackBerry device user must select More, More All, or Open Attachment to pull the decrypted
   message to the BlackBerry device.
3. The BlackBerry Enterprise Server deletes the decrypted Notes .id password from memory. The encrypted
   Notes .id password remains cached.
4. The BlackBerry Enterprise Server pushes the decrypted message to the BlackBerry device, where the user
   can read the message.
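
The password handling in steps 2 and 3, sketched as an added Go example; it is not code from BlackBerry or from this manual. PasswordCache, NewPasswordCache and WithPassword are hypothetical names, and the GCM mode and the expiry clock are assumptions: the manual states only that AES is used with the master encryption key of the device and that a password timeout can be set.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// PasswordCache (hypothetical type) holds only the AES-encrypted .id password.
type PasswordCache struct {
	aead          cipher.AEAD
	nonce, sealed []byte
	expires       time.Time // assumption: expiry driven by the timeout policy rule
}

// NewPasswordCache seals password under masterKey; the GCM mode is an assumption.
func NewPasswordCache(masterKey, password []byte, ttl time.Duration, now time.Time) (*PasswordCache, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err // master key is not 16, 24 or 32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &PasswordCache{aead, nonce, aead.Seal(nil, nonce, password, nil), now.Add(ttl)}, nil
}

// WithPassword runs use with the decrypted password and reports whether it succeeded.
func (c *PasswordCache) WithPassword(now time.Time, use func(pw []byte) error) (bool, error) {
	if !now.Before(c.expires) {
		return false, nil // step 2 fallback: the user has to pull the message
	}
	pw, err := c.aead.Open(nil, c.nonce, c.sealed, nil)
	if err == nil {
		err = use(pw) // stand-in for decrypting the message
	}
	for i := range pw {
		pw[i] = 0 // step 3: wipe the plaintext; c.sealed stays cached
	}
	return err == nil, err
}

func main() {
	c, _ := NewPasswordCache(make([]byte, 32), []byte("constructed-pw"), time.Minute, time.Now())
	fmt.Println(c.WithPassword(time.Now(), func(pw []byte) error { return nil }))
}
```

The callback must not retain or copy pw, because only the buffer it was handed is zeroed afterwards.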