BlackBerry Enterprise Solution Security Technical Overview


BlackBerry Enterprise Solution

Appendix J: RSA SecurID software token tokencode generation process

1. An administrator uses the RSA Authentication Manager to import the seed, in the form of a soft token file in .asc format, into the software token database.
2. The administrator uses the RSA Authentication Manager to issue the software token file in .sdtid format. Optionally, the administrator can:
   - allow the user to choose whether to set the software token PIN or have the system generate a PIN automatically and send it to the user's BlackBerry device, or require the user to set the software token PIN the first time that the user completes two-factor authentication on the BlackBerry device
   - bind the seed to a specific BlackBerry device PIN
   - set a password to encrypt the seed in the .sdtid file
   Note: Standard BlackBerry encryption is designed to protect the seed while the BlackBerry Enterprise Server sends it over the transport layer.
3. The BlackBerry Enterprise Server administrator sets the .sdtid file seed for the BlackBerry device in the BlackBerry Manager. If the seed is password-protected, the BlackBerry Enterprise Server administrator also types the password so that the BlackBerry device can decrypt the seed (see steps 5 and 6).
4. The BlackBerry Enterprise Server stores the .sdtid file seed in the BlackBerry Configuration Database. Because a copy of the seed (and, where one was set, the password that protects it) now exists in the database, access to the database must be controlled as tightly as the token itself: anyone who can read the seed can generate the user's tokencodes.
5. The BlackBerry Enterprise Server pushes the .sdtid file seed (and the password, if the administrator set one) to the BlackBerry device during activation of the BlackBerry device and, thereafter, whenever the administrator changes the .sdtid file seed for the BlackBerry device. The BlackBerry device uses RIM-proprietary protocols, designed to be secure, for all communication needed to obtain the seed on behalf of the RSA SecurID Library.
6. The BlackBerry device imports the .sdtid file seed. If the administrator set a password in the RSA Authentication Manager to encrypt the seed, the BlackBerry device uses the password to decrypt the seed automatically. If the administrator bound the seed to a specific BlackBerry device PIN, only that BlackBerry device can import the seed successfully.
7. The BlackBerry device stores the .sdtid file seed in flash memory.
8. The BlackBerry device imports a copy of the .sdtid file seed into the RSA SecurID Library on the BlackBerry device.
9. Once each minute (one SecurID time step), the RSA SecurID Library initializes the software token algorithm for the current time step. Generating a tokencode does not require any contact with the RSA Authentication Manager; the server only verifies the passcode (PIN plus tokencode) that the user submits, computing the expected tokencode from its own copy of the seed and its own clock.
10. Each time the BlackBerry device user tries to establish a WLAN or VPN connection that requires two-factor authentication, the BlackBerry device uses the initialized algorithm to combine the .sdtid file seed with the current time from the BlackBerry device clock (not with random data, otherwise the server could not reproduce the value) and to generate a new software token tokencode.
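The property that steps 9 and 10 rely on, worked in code. This is an added example for this overview, not code from RIM or RSA: it uses RFC 6238 TOTP (HMAC-SHA1), a public time-based algorithm standing in for the proprietary RSA SecurID algorithm, which this page does not describe in enough detail to reproduce. The 60-second step mirrors the once-per-minute tokencode change; the seed is the RFC 6238 reference seed, constructed sample data. It shows that the device and the server each combine the shared seed with their own clock, so no network round trip is needed to produce or check a tokencode, and that a code is accepted only within a small drift window.

```python
import hashlib
import hmac
import struct


def tokencode(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code for the time step that contains unix_time (RFC 6238 TOTP, HMAC-SHA1).
    The only inputs are the shared seed and the clock: no network is involved."""
    counter = unix_time // step                      # 60 s steps, like a SecurID token
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed: bytes, submitted: str, server_time: int, step: int = 60,
           digits: int = 6, drift_steps: int = 1) -> bool:
    """Server side: recompute the code from the server's own clock for the
    current step and drift_steps steps either side, and compare in constant
    time. A code is accepted only inside that window."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = tokencode(seed, server_time + delta * step, step, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


# Constructed sample data (not from the page): the RFC 6238 reference seed.
SEED = b"12345678901234567890"


def device_and_server(device_time: int, server_time: int) -> bool:
    """The device shows the code for its clock; the server checks it against
    its own clock. Returns True if the server accepts the tokencode."""
    shown = tokencode(SEED, device_time)
    return verify(SEED, shown, server_time)


if __name__ == "__main__":
    now = 1_700_000_000
    print(device_and_server(now, now))        # same minute: accepted
    print(device_and_server(now, now + 59))   # at most one step of drift: accepted
    print(device_and_server(now, now + 600))  # ten minutes apart: rejected
```

The drift window is the only concession to the two clocks disagreeing; widening it past one or two steps gives an attacker who has observed a tokencode that much longer to replay it.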

Appendix K: Process for content protection initialization

When the BlackBerry Enterprise Server administrator sets the Content Protection Strength IT policy rule to turn on content protection for a BlackBerry device, the following actions occur:
1. The BlackBerry Enterprise Server:
   - picks b at random
   - calculates B = bP (B is the public key that corresponds to the private value b)
   - stores b in the BlackBerry Configuration Database
2. The BlackBerry Enterprise Server sends B to the BlackBerry device in the IT policy.
3. The BlackBerry device receives B and verifies that B is a valid public key.
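Steps 1 to 3, worked in code. This is an added example for this overview, not RIM's implementation. It assumes that P is the curve's base point (this page does not define P) and uses NIST P-256 because its parameters are public; the curve and key sizes used by the BlackBerry product are not taken from this page, only the procedure is. The point of the example is step 3: what "verifies that B is a valid public key" has to check before the device uses B for anything.

```python
import secrets

# NIST P-256 domain parameters (assumed curve; the page does not name one).
# Curve: y^2 = x^3 + A*x + B_COEF over GF(p), base point P of prime order n.
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = p - 3
B_COEF = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity, the group identity


def on_curve(pt) -> bool:
    """INF counts as on the curve; any other point must have coordinates in
    [0, p) that satisfy the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + A * x + B_COEF)) % p == 0


def add(p1, p2):
    """Affine point addition (handles doubling and inverse pairs)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k: int, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def server_init():
    """Step 1: pick b at random in [1, n-1] and calculate B = bP. The server
    keeps b (the page: stored in the BlackBerry Configuration Database) and
    sends only B to the device (step 2)."""
    b = secrets.randbelow(n - 1) + 1
    return b, mul(b, P)


def is_valid_public_key(B) -> bool:
    """Step 3: full public-key validation as in SEC 1 section 3.2.2: B is not
    the identity, its coordinates are in range and on the curve, and nB = INF.
    Skipping this lets a tampered IT policy hand the device a point off the
    curve or in a small subgroup, which leaks bits of any secret scalar the
    device later multiplies B by (an invalid-curve attack)."""
    if B is INF or not on_curve(B):
        return False
    return mul(n, B) is INF


if __name__ == "__main__":
    b, B = server_init()
    print("device accepts B:", is_valid_public_key(B))
    bogus = (P[0], (P[1] + 1) % p)                   # constructed: off the curve
    print("device accepts off-curve point:", is_valid_public_key(bogus))
```

The on-curve check must run before the order check: the addition formulas are only meaningful for points on the curve, and a point that is not on it can make the modular inverse undefined.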
© 2009 Research In Motion Limited. All rights reserved.
www.blackberry.com
