Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview page 53


BlackBerry Enterprise Solution
The BlackBerry Smart Card Reader integrates smart card use with the BlackBerry Enterprise Solution, enabling
BlackBerry device users to authenticate with their smart cards to log in to certain Bluetooth enabled BlackBerry
devices.

The BlackBerry Smart Card Reader
• creates a reliable two-factor authentication environment for granting BlackBerry device users access to
  BlackBerry and PKI applications
• is designed to enable the wireless digital signing and encryption of wireless email messages using the
  S/MIME Support Package for BlackBerry devices
• stores all encryption keys in RAM only and never writes the keys to flash memory

For more information, see the BlackBerry Smart Card Reader Security Technical Overview.
Binding the smart card to the BlackBerry device
If a user has a smart card authenticator, smart card driver, and smart card reader driver installed on their
BlackBerry device, either the BlackBerry Enterprise Server administrator or that user can initiate two-factor
authentication on the BlackBerry device to bind the BlackBerry device to the installed smart card. After the
BlackBerry device binds to the smart card, it requires that smart card to authenticate the user.
The BlackBerry Enterprise Server administrator can set the Force Smart Card Two-Factor Authentication IT policy
rule in the BlackBerry Manager to require that a user authenticates with the BlackBerry device using a smart
card. If the BlackBerry Enterprise Server administrator does not force the user to authenticate with the
BlackBerry device using a smart card, the user can turn two-factor authentication on and off with their smart
card by setting the User Authenticator field in the BlackBerry device Security Options.
When the BlackBerry Enterprise Server administrator or the user enables two-factor authentication, the following
events occur:
1. The BlackBerry device locks.
2. When a user tries to unlock the BlackBerry device, the BlackBerry device prompts the user to type the
   BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device
   forces them to set one.
3. The BlackBerry device prompts the user to type the user authenticator (smart card) password to turn on
   two-factor authentication with the installed smart card.
4. The BlackBerry device binds to the installed smart card automatically by storing the following smart card
   binding information in a special BlackBerry device NV store location that is inaccessible to a user:
   • the name of a Java class that the BlackBerry Smart Card Reader requires
   • the binding information format
   • the smart card type
     Note: For the Common Access Card, this string is "GSA CAC".
   • the name of a Java class that the smart card code requires
   • a unique 64-bit identifier that the smart card provides
   • a smart card label that the smart card provides (for example, "GRAHAM.JOHN.1234567890")
5. The BlackBerry device pushes the current IT policy to the BlackBerry Smart Card Reader.
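The following model walks through the binding sequence above (lock, require a device password, store the binding record) and the confirmation that follows it (the unlock prompt names the bound card, and the presented card is checked against the stored record). It is an added illustration written for this page, not BlackBerry code: the class and field names, the "smart card" authenticator value and the sample card values are assumptions; the binding fields themselves are the ones the overview lists. Step 3 (the smart card password) is verified by the card itself and is outside the model.

```python
"""Model of BlackBerry device / smart card binding as the overview describes it.
Constructed illustration; names and sample values are assumptions, not RIM APIs."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SmartCard:
    """What a presented smart card reports to the device."""
    card_type: str   # for the Common Access Card the overview gives "GSA CAC"
    card_id: int     # unique 64-bit identifier the card provides
    label: str       # card label, e.g. "GRAHAM.JOHN.1234567890"


@dataclass(frozen=True)
class SmartCardBinding:
    """The record the device writes to its protected NV store (step 4)."""
    reader_class_name: str  # Java class the BlackBerry Smart Card Reader requires
    binding_format: int     # binding information format
    card_type: str
    card_class_name: str    # Java class the smart card code requires
    card_id: int
    label: str


class BlackBerryDevice:
    """Tracks lock state, device password, the user's authenticator choice and the binding."""

    def __init__(self) -> None:
        self.locked = False
        self.password_set = False
        self.user_authenticator = "password"        # set by the user in Security Options
        self.binding: Optional[SmartCardBinding] = None  # NV store slot, device code only

    def two_factor_required(self, force_policy: bool) -> bool:
        """The Force Smart Card Two-Factor Authentication IT policy rule overrides
        the user's own Security Options setting; otherwise the user's choice applies."""
        return force_policy or self.user_authenticator == "smart card"

    def enable_two_factor(self, card: SmartCard, reader_class_name: str,
                          card_class_name: str, binding_format: int = 1) -> SmartCardBinding:
        """Steps 1, 2 and 4: lock, require a device password, then bind to the card."""
        self.locked = True                                   # step 1
        if not self.password_set:                            # step 2
            raise PermissionError("set a device password before enabling two-factor authentication")
        if not 0 <= card.card_id < 2 ** 64:                  # the identifier is a 64-bit value
            raise ValueError("card identifier must fit in 64 bits")
        if not card.label:
            raise ValueError("card provided no label")
        self.binding = SmartCardBinding(                     # step 4
            reader_class_name=reader_class_name,
            binding_format=binding_format,
            card_type=card.card_type,
            card_class_name=card_class_name,
            card_id=card.card_id,
            label=card.label,
        )
        return self.binding

    def unlock_prompt(self) -> str:
        """The prompt names the bound card's label and type so the user can confirm it."""
        if self.binding is None:
            return "Enter device password"
        return f"Insert smart card {self.binding.label} ({self.binding.card_type})"

    def card_matches_binding(self, card: SmartCard) -> bool:
        """Compare the presented card with the stored record; the 64-bit identifier,
        not only the human-readable label, decides whether this is the bound card."""
        b = self.binding
        return (b is not None
                and card.card_type == b.card_type
                and card.card_id == b.card_id
                and card.label == b.label)


if __name__ == "__main__":
    # Constructed sample values, not a real card.
    device = BlackBerryDevice()
    device.password_set = True
    cac = SmartCard("GSA CAC", 0x0123456789ABCDEF, "GRAHAM.JOHN.1234567890")
    device.enable_two_factor(cac, "ReaderClassName", "CardClassName")
    print(device.unlock_prompt())
    print("bound card accepted:", device.card_matches_binding(cac))
```

The check in card_matches_binding is the practical point of the stored record: two cards can carry the same printed label, so the device compares the card-provided identifier and type as well, and the prompt tells the user which card it expects before any comparison happens.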
Confirming that the BlackBerry device is bound to the correct smart card
After a user turns on two-factor authentication, whenever the BlackBerry device prompts the user to insert the
smart card into the BlackBerry Smart Card Reader, the BlackBerry device prompt indicates the label and the card
type of the correct (bound) smart card. If the BlackBerry device is running BlackBerry Device Software Version
3.6 with either the S/MIME Support Package Version 1.5 for BlackBerry devices installed or no S/MIME Support
www.blackberry.com
53
