BlackBerry Enterprise Solution Security Technical Overview: Protected Storage of Master Encryption Keys on a Locked BlackBerry Device; Protected Storage of Master Encryption Keys on a BlackBerry Device During a Reset

Item                            Description
third-party application data    all data associated with third-party applications that are installed on the BlackBerry device

Enabling protected storage of BlackBerry device data

The BlackBerry Enterprise Server administrator enables protected storage of data on the BlackBerry device by setting the Content Protection Strength IT policy rule. Choose a strength level that corresponds to the desired ECC key strength.
If a BlackBerry device user turns on content protection in the BlackBerry device Security Options, the user can set the content protection strength to the same levels that the BlackBerry Enterprise Server administrator can set using the IT policy rule.
When a content-protected BlackBerry device decrypts a message that it received while locked, it uses the ECC private key in the decryption operation. The longer the ECC key, the more time the ECC decryption adds to the overall decryption process on the device. Choose a content protection strength level that gives the balance you want between ECC encryption strength and decryption time.
If the BlackBerry Enterprise Server administrator sets the content protection strength to Stronger (to use a 283-bit ECC key) or to Strongest (to use a 571-bit ECC key), consider setting the Minimum Password Length IT policy rule to enforce a minimum BlackBerry device password length of 12 characters or 21 characters, respectively. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide. The BlackBerry device uses the BlackBerry device password to generate the ephemeral 256-bit AES encryption key that the BlackBerry device uses to encrypt the content protection key and the ECC private key. A weak password produces a weak ephemeral key.
For more information, see "Process for generating content protection keys" on page 14.

Protected storage of master encryption keys on a locked BlackBerry device

If the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys, the BlackBerry device uses the grand master key to encrypt the master encryption keys stored in flash memory and encrypts the grand master key using the content protection key. When the BlackBerry device receives data encrypted with a master encryption key while it is locked, it uses the decrypted grand master key to decrypt the required master encryption key in flash memory, and uses the decrypted master encryption key to decrypt and receive the data.
The BlackBerry device stores the decrypted master encryption keys and the decrypted grand master key in RAM only. When the BlackBerry Enterprise Server administrator, the BlackBerry device user, or a set password timeout locks the BlackBerry device, the wireless transceiver remains on and the BlackBerry device does not clear the RAM associated with these keys. The BlackBerry device is designed to prevent the decrypted grand master keys and the decrypted master encryption keys from appearing in flash memory.
For more information, see "Process for generating grand master keys" on page 15.
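As an added example that is not part of the BlackBerry documentation, the Go program below models the key hierarchy described in the two sections above: the device password derives an ephemeral 256-bit AES key that wraps the content protection key, which wraps the grand master key, which wraps a master encryption key, so that flash holds only wrapped keys and every decrypted key exists only in RAM. The derivation function (HMAC-SHA256 over a constructed salt), AES-GCM as the wrapping mode, and all names are assumptions, since the page does not give BlackBerry's actual algorithms.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Flash holds only wrapped key material, which is all a content-protected device keeps in flash.
type Flash struct {
	Salt         []byte // constructed per-device salt for the password-derived key (assumption)
	WrappedCPKey []byte // content protection key, wrapped under the ephemeral 256-bit AES key
	WrappedGMK   []byte // grand master key, wrapped under the content protection key
	WrappedMK    []byte // one master encryption key, wrapped under the grand master key
}

// ephemeralKey models the password-derived 256-bit AES key as HMAC-SHA256(salt, password); this is an
// assumption, as the page does not give BlackBerry's real derivation. A short password leaves it guessable.
func ephemeralKey(pw string, salt []byte) []byte { m := hmac.New(sha256.New, salt); m.Write([]byte(pw)); return m.Sum(nil) }
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// gcm/wrap/unwrap protect key material with AES-256-GCM, nonce prefixed to the ciphertext.
func gcm(kek []byte) cipher.AEAD { b, _ := aes.NewCipher(kek); g, _ := cipher.NewGCM(b); return g }
func wrap(kek, plain []byte) []byte {
	g := gcm(kek)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plain, nil)...)
}
func unwrap(kek, blob []byte) ([]byte, error) {
	g := gcm(kek)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil) // tag check fails on a wrong KEK
}

// Provision builds the wrapped hierarchy for a password and one master encryption key.
func Provision(pw string, master []byte) Flash {
	f := Flash{Salt: randomBytes(16)}
	cp, gmk := randomBytes(32), randomBytes(32)
	f.WrappedCPKey = wrap(ephemeralKey(pw, f.Salt), cp)
	f.WrappedGMK = wrap(cp, gmk)
	f.WrappedMK = wrap(gmk, master)
	return f
}

// UnlockMasterKey walks password -> ephemeral key -> content protection key -> grand master key -> master key.
// Each decrypted intermediate exists only here, in RAM; a wrong password fails at the first unwrap.
func UnlockMasterKey(f Flash, pw string) ([]byte, error) {
	cp, err := unwrap(ephemeralKey(pw, f.Salt), f.WrappedCPKey)
	if err != nil { return nil, err }
	gmk, err := unwrap(cp, f.WrappedGMK)
	if err != nil { return nil, err }
	return unwrap(gmk, f.WrappedMK)
}
```

Because the grand master key and master keys are only ever recovered through the password-derived key, the whole chain is no stronger than the password, which is the reason the page ties minimum password length to the chosen ECC strength.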

Enabling protected storage of master encryption keys on a locked BlackBerry device

The BlackBerry Enterprise Server administrator enables protected storage of master encryption keys on the BlackBerry device by setting the Force Content Protection of Master Keys IT policy rule. When the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys, the BlackBerry device uses the same ECC key strength that it uses to encrypt BlackBerry device user and application data when encrypting the master encryption keys. For more information, see "Enabling protected storage of BlackBerry device data" on page 31.

Protected storage of master encryption keys on a BlackBerry device during a reset

If the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys, during a
BlackBerry device reset the BlackBerry device

This manual is also suitable for: Enterprise Server 4.1