Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview page 50

BlackBerry Enterprise Solution
Organizations that use WEP as their preliminary security method to moderately limit access to their enterprise
Wi-Fi network might also use a VPN to provide data confidentiality by authenticating and encrypting access to
their core enterprise network, if they are concerned about security.
Using IEEE 802.11i to protect connections to enterprise Wi-Fi networks
IEEE 802.11i defines an enhanced security protocol to protect Wi-Fi networks. It uses the IEEE 802.1X standard
for authentication and key management. The IEEE 802.1X standard defines a generic authentication framework
that enterprise Wi-Fi network client devices and wired or wireless networks can use to authenticate with each
other to permit or prevent the enterprise Wi-Fi network client devices from accessing the network. IEEE 802.11i
specifies two Wi-Fi network access control methods: one based on PSKs and one based on IEEE 802.1X, which
uses EAP protocols for authentication.
Authentication method: Using IEEE 802.11i with PSK

Description: Small office and home environments where it is not feasible to set up a server-based
authentication infrastructure might use IEEE 802.1X with the PSK method. The access point and the wireless
client use a PSK (also known as a passphrase) to mutually derive link layer encryption keys. The PSK method
uses TKIP or AES-CCMP algorithms to secure enterprise Wi-Fi network communications, but it relies on a
single, shared passphrase of up to 256 bits in length for access control. All access points and wireless
clients must know the passphrase.

Wi-Fi enabled BlackBerry device implementation: The supported Wi-Fi enabled BlackBerry device implementation
of PSK is compatible with the WPA-Personal and WPA2-Personal specifications. The BlackBerry Enterprise Server
administrator can set the passphrase and distribute it to the supported Wi-Fi enabled BlackBerry device using
the WLAN Preshared Key IT policy rule.

Authentication method: Using the IEEE 802.11i with IEEE 802.1X authentication

Description: An IEEE 802.1X framework can use EAP methods to provide authentication. LEAP, PEAP, EAP-TLS,
EAP-TTLS, EAP-SIM, and EAP-FAST authentication methods are designed to provide mutual authentication between
the supported Wi-Fi enabled BlackBerry device and the enterprise Wi-Fi network.

Wi-Fi enabled BlackBerry device implementation: To act as a WLAN supplicant device, the supported Wi-Fi
enabled BlackBerry device implements WLAN authentication processes that use EAP methods as specified in
RFC 3748 and meet the requirements of RFC 4017. Supported Wi-Fi enabled BlackBerry devices are designed to use
EAP methods (EAP-TLS, EAP-TTLS, EAP-FAST, and PEAP) to mutually authenticate to WLAN networks, as specified in
the WPA™-Enterprise and WPA2™-Enterprise specification, which use credentials to provide mutual
authentication:
When the supported Wi-Fi enabled BlackBerry device sends EAPoL messages, it uses the encryption and message
integrity protection specified by the EAP method. When the BlackBerry device transmits EAPoL-Key messages it
uses either RC4 or AES algorithms to provide message integrity and encryption.
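The PSK method described above, as an added example that is not part of the BlackBerry document or product code: it validates a WPA/WPA2-Personal PSK value and derives the 256-bit pairwise master key that every access point and client sharing the passphrase computes. The PBKDF2 parameters and length rules are taken from IEEE 802.11i rather than from this page, and the function names, SSID and passphrase are assumptions made for illustration.

```python
import hashlib
import string

PMK_LEN = 32          # 256-bit pairwise master key (PMK)
PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i for passphrases


def check_psk_input(psk: str) -> str:
    """Classify a WPA/WPA2-Personal PSK value; raise ValueError if invalid."""
    # 64 hex digits are used directly as the 256-bit key.
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return "raw-256-bit-key"
    # Otherwise the value must be an 8-63 character printable ASCII passphrase.
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return "passphrase"
    raise ValueError("PSK must be 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(psk: str, ssid: str) -> bytes:
    """Return the PMK that the access point and the client both compute."""
    if check_psk_input(psk) == "raw-256-bit-key":
        return bytes.fromhex(psk)
    # The SSID is the salt, so one passphrase yields a different PMK per network
    # name, but the same PMK for every device joined to that network.
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    ssid, passphrase = "corp-wlan", "correct horse battery staple"
    access_point = derive_pmk(passphrase, ssid)
    client = derive_pmk(passphrase, ssid)
    print("AP and client agree:", access_point == client)
    print("PMK on another SSID differs:",
          derive_pmk(passphrase, "guest-wlan") != access_point)
    try:
        check_psk_input("short")
    except ValueError as err:
        print("rejected:", err)
```

Because every device holding the passphrase derives the same PMK, changing it for one user means redistributing it to all access points and clients, which is the access control limitation the table describes.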