BlackBerry Enterprise Solution Security Technical Overview - SRP Authentication

BlackBerry Enterprise Solution

SRP authentication

SRP is designed to perform the following actions when the BlackBerry Enterprise Server and BlackBerry Infrastructure establish an authenticated connection and subsequently transfer data between one another over the wireless network:

- authenticate the BlackBerry Infrastructure to the BlackBerry Enterprise Server and the BlackBerry Enterprise Server to the BlackBerry Infrastructure
- exchange configuration information between the BlackBerry Enterprise Server and the BlackBerry Infrastructure

The BlackBerry Infrastructure and the BlackBerry Enterprise Server authenticate with each other before they can transfer data. The authentication handshake sequence depends on a shared secret encryption key (the SRP authentication key) on both the BlackBerry Enterprise Server and the BlackBerry Infrastructure. If at any point in the authentication handshake sequence the authentication fails, SRP terminates the connection.

The BlackBerry Enterprise Server is designed to send a basic information packet to the BlackBerry Infrastructure immediately following the initial SRP authentication process. The packet format is designed to be recognizable to both the BlackBerry Enterprise Server and the BlackBerry Infrastructure, enabling both sides to set the parameters of the SRP implementation dynamically.

To support backward compatibility with older versions of the BlackBerry Enterprise Server, which terminate the SRP connection if they receive unrecognized packets, the BlackBerry Infrastructure does not send basic information packets to the BlackBerry Enterprise Server until the BlackBerry Enterprise Server has sent a packet of the same format to the BlackBerry Infrastructure.
SRP authentication process

Step 1
Action: The BlackBerry Enterprise Server sends its SRP ID, or UID, to the BlackBerry Infrastructure.
Description: The BlackBerry Enterprise Server sends a packet to the BlackBerry Infrastructure to claim its own UID.

Step 2
Action: The BlackBerry Infrastructure sends a challenge string to the BlackBerry Enterprise Server.
Description: The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Enterprise Server.

Step 3
Action: The BlackBerry Enterprise Server sends a challenge string to the BlackBerry Infrastructure.
Description: When the BlackBerry Enterprise Server receives the BlackBerry Infrastructure challenge string, it sends a challenge string to the BlackBerry Infrastructure.

Step 4
Action: The BlackBerry Infrastructure sends a challenge response to the BlackBerry Enterprise Server.
Description: The BlackBerry Infrastructure hashes the BlackBerry Enterprise Server challenge string with the SRP authentication key, a 20-byte shared secret encryption key, using the keyed HMAC with SHA-1. The BlackBerry Infrastructure sends the resulting 20-byte value back to the BlackBerry Enterprise Server.

Step 5
Action: The BlackBerry Enterprise Server sends a challenge response to the BlackBerry Infrastructure.
Description: The BlackBerry Enterprise Server responds to the BlackBerry Infrastructure challenge string by hashing the challenge with the shared SRP authentication key.

www.blackberry.com
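A worked simulation of the five-step handshake, added here as an illustration and not code from the BlackBerry product: each side issues a random challenge and answers the peer's challenge with HMAC-SHA1 under the shared 20-byte SRP authentication key, and a mismatch at either check terminates the handshake. The key bytes and UID are constructed placeholders, packet framing is not modelled, and the constant-time comparison is my assumption since the page does not say how the check is performed.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the 20-byte shared SRP authentication key described on the page.
# A real key is provisioned per BlackBerry Enterprise Server and is never a fixed constant.
SRP_AUTH_KEY = bytes(range(20))
# Constructed placeholder SRP ID (UID) sent in step 1; its format is not specified on the page.
SAMPLE_UID = "S00000000"


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """Step 4/5 computation: keyed HMAC with SHA-1 over the peer's challenge (20-byte output)."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


class Party:
    """One endpoint (BES or BlackBerry Infrastructure) holding its copy of the shared key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.challenge = b""

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(20)  # fresh random challenge for every handshake
        return self.challenge

    def respond(self, peer_challenge: bytes) -> bytes:
        return challenge_response(self.key, peer_challenge)

    def verify(self, response: bytes) -> bool:
        # Constant-time comparison is an assumption; the page does not state how the check is done.
        expected = challenge_response(self.key, self.challenge)
        return hmac.compare_digest(expected, response)


def srp_handshake(bes_key: bytes, infra_key: bytes, uid: str = SAMPLE_UID) -> dict:
    """Run steps 1-5; a failed check at any step terminates the connection, as the page states."""
    bes, infra = Party(bes_key), Party(infra_key)
    infra_challenge = infra.new_challenge()        # step 2: Infrastructure -> BES (step 1 carried the UID)
    bes_challenge = bes.new_challenge()            # step 3: BES -> Infrastructure
    infra_response = infra.respond(bes_challenge)  # step 4: Infrastructure proves it holds the key
    if not bes.verify(infra_response):
        return {"uid": uid, "authenticated": False, "failed_at": 4}
    bes_response = bes.respond(infra_challenge)    # step 5: BES proves it holds the key
    if not infra.verify(bes_response):
        return {"uid": uid, "authenticated": False, "failed_at": 5}
    return {"uid": uid, "authenticated": True, "failed_at": None}
```

Because each party responds and verifies with its own copy of the key, a mismatched key is detected at step 4, before the BES reveals any response of its own.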