BlackBerry Enterprise Solution Security Technical Overview: BlackBerry MDS connections

BlackBerry Enterprise Solution

BlackBerry MDS connections

A BlackBerry device user can use the BlackBerry Browser and third-party Java applications on the BlackBerry
device to access the Internet and your organization's intranet and to accept and respond to push requests from
BlackBerry Enterprise Server push applications. The BlackBerry MDS uses standard Internet protocols such as
HTTP and TCP/IP to access data on the Internet or your organization's intranet, and a RIM proprietary
BlackBerry MDS Services security protocol to protect messages that the BlackBerry device sends using the
BlackBerry MDS Services. The BlackBerry device uses standard BlackBerry encryption to protect your
organization's applications and online and Internet data that a user receives on the BlackBerry device.

Requiring secure HTTP connections to the BlackBerry device

The BlackBerry MDS Integration Service installation process generates a self-signed certificate. You can replace
the self-signed certificate with a signed certificate. The BlackBerry MDS Integration Service certificate permits
client authentication between the BlackBerry MDS Integration Service and external web services hosts. The
BlackBerry MDS Integration Service stores the certificate in its key store.
If your organization's BlackBerry Enterprise Solution uses SSL to communicate with external web servers, you
must export the BlackBerry MDS Integration Service certificate to those servers to establish authenticated
communication with web services. If you use the Weak Digest Algorithms IT policy rule to specify which digest
algorithms BlackBerry devices consider weak, the BlackBerry Enterprise Server consults that list when it
verifies that the certificate chains of the certificates that BlackBerry devices use for SSL connections to
external web servers are strong enough.

Using a secure connection to push BlackBerry MDS Studio Applications to BlackBerry devices

After the system administrator configures authentication between the BlackBerry MDS Services and web
services, the BlackBerry Enterprise Server administrator can permit BlackBerry devices to install the BlackBerry®
MDS Studio Applications that use SSL web services only.

BlackBerry MDS Services security protocol

To authenticate the source and protect the integrity of each BlackBerry MDS message, the BlackBerry MDS
Services security protocol generates a MAC for each BlackBerry MDS message that the BlackBerry device and
the BlackBerry MDS Services send between them. To protect the confidentiality of each BlackBerry MDS
message, the BlackBerry MDS Services security protocol encrypts and decrypts data that the BlackBerry device
and the BlackBerry MDS Services send between them.

Registering the BlackBerry device securely with the BlackBerry MDS Integration Service

1. The BlackBerry device generates the 128-bit AES session key.
2. The BlackBerry device uses 1024-bit RSA with PKCS #1 padding to encrypt the AES session key before
sending it to the BlackBerry MDS Services server and storing it in the BlackBerry device flash memory.
3. The BlackBerry MDS Services security protocol uses 128-bit AES in CBC mode with PKCS #5 padding to
encrypt a 128-bit AES session key using a 128-bit AES database access key.
4. The BlackBerry MDS Services server stores the encrypted 128-bit AES session key in the BlackBerry MDS
Services database and stores the 128-bit AES database access key in the database key store.
5. The BlackBerry MDS Services security protocol uses HMAC with a SHA-1 hash function, in combination with
the 128-bit shared secret key, to authenticate data that a BlackBerry device and the BlackBerry MDS
Services send between them.
6. The BlackBerry MDS Services security protocol uses 128-bit AES in CBC mode with PKCS #5 padding to
encrypt and decrypt data that a BlackBerry device and the BlackBerry MDS Services send between them.
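As an added illustration (not code from the BlackBerry documentation or from RIM's implementation), the following Go program models steps 5 and 6 above: AES-128 in CBC mode with PKCS #5 padding for confidentiality, and HMAC-SHA1 under a 128-bit shared secret for source authentication and integrity, with the receiver verifying the MAC before it decrypts anything. The page does not specify the MAC/encrypt ordering, how the IV travels, or whether the HMAC secret and the AES session key are distinct; this example assumes encrypt-then-MAC over IV||ciphertext, a random IV prepended to the ciphertext, and two separate 128-bit keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

// protect: PKCS #5 pad and AES-128-CBC under the session key (step 6), then HMAC-SHA1 under the shared secret over IV||ciphertext (step 5).
func protect(sessionKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS #5 always adds 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	msg := make([]byte, aes.BlockSize+len(padded)) // layout: IV || ciphertext
	rand.Read(msg[:aes.BlockSize])                  // crypto/rand.Read cannot fail (documented since Go 1.24)
	cipher.NewCBCEncrypter(block, msg[:aes.BlockSize]).CryptBlocks(msg[aes.BlockSize:], padded)
	h := hmac.New(sha1.New, macKey)
	h.Write(msg)
	return h.Sum(msg), nil // Sum appends the 20-byte tag: IV || ciphertext || tag
}

// unprotect checks the tag in constant time before decrypting, so a modified message never reaches the cipher or the padding check.
func unprotect(sessionKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha1.Size || (len(msg)-sha1.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, got := msg[:len(msg)-sha1.Size], msg[len(msg)-sha1.Size:]
	h := hmac.New(sha1.New, macKey)
	h.Write(body)
	if !hmac.Equal(h.Sum(nil), got) {
		return nil, errors.New("HMAC mismatch: message rejected")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	if p := int(pt[len(pt)-1]); p >= 1 && p <= aes.BlockSize && bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(p)}, p)) {
		return pt[:len(pt)-p], nil
	}
	return nil, errors.New("bad PKCS #5 padding") // every pad byte was checked, not only the last one
}
```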
www.blackberry.com
