Appendix E: Process For Deriving Encryption Keys That Protect The Keys Used With Content Protection - Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview

BlackBerry Enterprise Solution
Appendix E: Process for deriving encryption keys that protect the keys used with content protection
The BlackBerry device uses an ephemeral 256-bit AES encryption key to encrypt the content protection key and
the ECC private key. The BlackBerry device derives the ephemeral 256-bit AES encryption key from the
BlackBerry device password using the following process:
1. The BlackBerry device selects a 64-bit salt (random data to mix with the BlackBerry device password). This
is intended to keep two identical passwords from turning into the same key.
2. The BlackBerry device concatenates the salt, the password, and the salt again into a byte array
(Salt|Password|Salt).
3. The BlackBerry device hashes the byte array with SHA-256.
4. The BlackBerry device stores the resulting hash in a byte array called a key.
   (key) = SHA256(Salt|Password|Salt)
5. The BlackBerry device hashes (key) 18 more times. It stores the result into (key) each time. For example, for
i=0 to 18, the BlackBerry device does the following:
   (key) = SHA256(key)
   i++
   done
6. The final hash creates the ephemeral key.
For more information, see RSA Security - PKCS #5.
© 2009 Research In Motion Limited. All rights reserved.
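
The derivation in steps 1 to 6 above, written out in Python as an added example (it is not code from this manual or from BlackBerry). The UTF-8 password encoding, the function names and the sample password are assumptions; the loop follows the "18 more times" wording, so SHA-256 runs 19 times in total.

```python
import hashlib
import secrets
from typing import Optional, Tuple

SALT_BYTES = 8      # 64-bit salt (step 1)
EXTRA_ROUNDS = 18   # step 5: "18 more times", 19 SHA-256 calls in total


def derive_ephemeral_key(password: str,
                         salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, key); key is the 256-bit ephemeral AES key."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)        # step 1: fresh random salt
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 8 bytes (64 bits)")
    # Assumption: the page does not say how the password is encoded; UTF-8 here.
    pw = password.encode("utf-8")
    key = hashlib.sha256(salt + pw + salt).digest()   # steps 2-4
    for _ in range(EXTRA_ROUNDS):                     # step 5
        key = hashlib.sha256(key).digest()
    return salt, key                                  # step 6


def demo() -> dict:
    """Show the salt's effect on two identical (constructed) passwords."""
    password = "Example-Passw0rd"                     # constructed sample value
    salt_a, key_a = derive_ephemeral_key(password)
    salt_b, key_b = derive_ephemeral_key(password)
    # Re-deriving with the same salt gives the same key again.
    _, key_a_again = derive_ephemeral_key(password, salt_a)
    return {
        "key_bits": len(key_a) * 8,
        "same_password_new_salt_gives_new_key": key_a != key_b,
        "same_salt_reproduces_key": key_a == key_a_again,
        "salts_differ": salt_a != salt_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key depends only on the salt and the password, so the same salt must be available whenever the key is derived again.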