Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview
BlackBerry Enterprise Solution
Security Technical Overview
for BlackBerry Enterprise Server Version 4.1 Service Pack 6 and BlackBerry
Device Software Version 4.6
© 2009 Research In Motion Limited. All rights reserved.
www.blackberry.com

Summary of Contents for Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL

  • Page 2: Table Of Contents

    PGP encryption (p. 23); S/MIME Support Package for BlackBerry devices (p. 24); S/MIME encryption (p. 25); Decrypting and reading messages on the BlackBerry device using Lotus Notes API 7.0 (p. 26); Protecting stored data (p. 28); Protecting stored messages on the messaging server (p. 28); IT policy signing and storage on the BlackBerry device (p. 28); Application password encryption and storage on the BlackBerry device (p. 28) ...
  • Page 3 Messaging server (p. 34); BlackBerry Configuration Database (p. 34); Protecting the BlackBerry Enterprise Solution connections (p. 36); SRP authentication (p. 37); How the BlackBerry Enterprise Server and the BlackBerry Infrastructure handle undeliverable messages (p. 38); BlackBerry Router protocol authentication (p. 38); Authentication during wireless enterprise activation (p. 39); TCP/IP connection (p. 41) ...
  • Page 4 Memory scrub process for RAM on BlackBerry devices (p. 75); Memory scrub process for flash memory on BlackBerry devices (p. 76); Memory scrub process for flash memory that stores user-saved files on BlackBerry devices (p. 76); Appendix E: Process for deriving encryption keys that protect the keys used with content protection (p. 77); Appendix F: Power and electromagnetic side-channel attacks and countermeasures ...
  • Page 5 Appendix H: Enterprise Wi-Fi security methods that the BlackBerry device supports (p. 83); EAP authentication methods that the BlackBerry device supports (p. 83); Encryption algorithms that the BlackBerry device supports for use with layer 2 security methods (p. 84); EAP authentication methods and encryption algorithms with which the BlackBerry device supports the use of CCKM (p. 85) ...
  • Page 6: Wireless Security

    To determine if a feature is supported in an earlier software version, see the documentation for earlier versions of the BlackBerry Enterprise Server, the BlackBerry Desktop Software, and the BlackBerry Device Software. For the full terms substituted by the acronyms in this document, see the BlackBerry Enterprise Solution Security Acronym Glossary.
    Wireless security
    Many enterprise organizations realize significant return on investments and productivity gains by extending access to their enterprise information to mobile employees.
  • Page 7: Blackberry Enterprise Solution Security Features

    BlackBerry Enterprise Server receives a message encrypted with the wrong master encryption key, it does not send the message to the BlackBerry device. If message failure occurs, the BlackBerry device prompts the BlackBerry device user to generate a new master encryption key.
  • Page 8: New Security Features

    Feature: control BlackBerry device and BlackBerry Desktop Software functionality
    Description:
    • Send wireless commands to turn on and turn off BlackBerry device functionality, delete information from BlackBerry devices, and lock BlackBerry devices.
    • Send IT policies to BlackBerry devices to customize security settings for BlackBerry device users or groups of BlackBerry device users on a BlackBerry Enterprise Server.
  • Page 9: Blackberry Encryption Keys

    The BlackBerry Enterprise Server administrator can also enable the BlackBerry device to generate and use the content protection key to encrypt BlackBerry device user data while the BlackBerry device is locked, and generate and use the grand master key to encrypt the master encryption key while the BlackBerry device is locked.
  • Page 10 Key storage on the BlackBerry device
    On the BlackBerry device, the shared key is stored in a database in flash memory (the key store). This key storage method is designed to prevent an attacker from extracting the key data from flash memory successfully by backing up the data from the BlackBerry device onto a computer.
  • Page 11 The BlackBerry Desktop Software frees the memory associated with the unused bits. 5. The BlackBerry Desktop Software uses the first 256 bits if it is generating the master encryption key using AES encryption or the first 128 bits if it is generating the master encryption key using Triple DES encryption.
  • Page 12: Message Keys

    Each message key consists of random information, which makes it difficult for a third party to decrypt, re-create, or duplicate the key. The message key is a session key; the BlackBerry device does not store the message key persistently but frees the memory associated with it after using it in the decryption process.
  • Page 13: Content Protection Keys

    DSA PRNG function, see Federal Information Processing Standard – FIPS PUB 186-2. The BlackBerry device stores a copy of the seed in a file. When the BlackBerry device restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.
  • Page 14 When the BlackBerry device is unlocked, the BlackBerry device decrypts the content protection key and the ECC private key in flash memory. The BlackBerry device then uses the ECC private key and the content protection key to decrypt user data on the BlackBerry device.
  • Page 15: Grand Master Keys

    4. The BlackBerry device stores the decrypted content protection key and the decrypted ECC private key in RAM. 5. If the BlackBerry device user attempts to access user data that the BlackBerry device encrypted while it was unlocked, the BlackBerry device uses the decrypted content protection key to decrypt the user data.
  • Page 16 4.0 or later If the BlackBerry Enterprise Server is set to permit the use of both Triple DES and AES and a BlackBerry device user is running the BlackBerry Device Software or the BlackBerry Desktop Software Version 3.7 or earlier, the BlackBerry Enterprise Solution generates that user’s BlackBerry device master encryption keys using Triple DES.
  • Page 17: Standard Blackberry Message Encryption

    BlackBerry device When a user sends a message from the BlackBerry device, the BlackBerry Enterprise Server does not encrypt the message when it forwards the message to the message recipient unless the BlackBerry device user installs...
  • Page 18: Permitting Third-Party Applications To Encode Blackberry Device Data

    BlackBerry Enterprise Server administrator must use the Security Transcoder Cod File Hashes IT policy rule to specify the .cod file for the third-party encoding scheme that the BlackBerry device permits to register as a transcoder. For more information about using the Security Transcoder Cod File Hashes IT policy rule, see the Policy Reference Guide.
  • Page 19: Sending An Email Message From The Blackberry Device

    The BlackBerry Enterprise Server is designed to maintain a constant, direct outbound TCP/IP connection to the wireless network over the Internet through the firewall on port 3101 (or 4101 in the case of a BlackBerry device that supports implementation alongside an enterprise Wi-Fi network). This constant connection enables the efficient, continuous delivery of data to and from the BlackBerry device.
  • Page 20: Pin-To-Pin Messaging

    A PIN uniquely identifies each BlackBerry device and BlackBerry enabled device on the wireless network. If a BlackBerry device user knows the PIN of another BlackBerry device, the user can send a PIN message to that BlackBerry device. Unlike an email message that the BlackBerry device user sends to an email address, a PIN message bypasses the BlackBerry Enterprise Server and your organization’s network.
  • Page 21: Text Messaging

    The BlackBerry Enterprise Server administrator can also set the Firewall Block Incoming Messages IT policy rule to limit the number of BlackBerry devices in your organization that can receive either or both of PIN messages that use organization-specific scrambling and PIN messages that use the default global scrambling.
  • Page 22: Extending Blackberry Device Messaging Security

    PIN message. Using either one of these technologies enables sender-to-recipient authentication and confidentiality, and helps maintain data integrity and privacy from the time that a BlackBerry device user sends a message from the BlackBerry device until the message recipient decodes and reads the message.
  • Page 23: Pgp Encryption

    BlackBerry device user sets on the BlackBerry device. The Connection Service uses standard protocols, such as HTTP and TCP/IP, to enable the BlackBerry device to retrieve PGP keys and PGP key status from the PGP Universal Server or an external LDAP PGP key server over the wireless network.
  • Page 24: S/Mime Support Package For Blackberry Devices

    PGP encryption algorithms The BlackBerry device is designed to support the use of a strong algorithm for PGP encryption. The PGP Allowed Content Ciphers IT policy rule default setting specifies that the BlackBerry device can use any of the supported algorithms to encrypt PGP messages.
  • Page 25: S/Mime Encryption

    BlackBerry device receives are not generated using a weak hash digest. The BlackBerry device uses the list of weak digest algorithms when verifying that the certificate chains for the certificates used to sign messages that the BlackBerry device receives do not contain hashes generated using a weak digest.
  • Page 26: Decrypting And Reading Messages On The Blackberry Device Using Lotus Notes Api 7.0

    Domino environment, the BlackBerry Enterprise Server supports using the AES algorithm with the master encryption key of the BlackBerry device to encrypt the Notes ID file and password and store them in the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory.
  • Page 27 Notes .id password protection
    After a BlackBerry device user imports the Notes .id file and password (stored in the Notes .id file), the password is
    • encrypted in BlackBerry device memory using AES with the BlackBerry device user’s master encryption key
    • ...
  • Page 28: Protecting Stored Data

    BlackBerry device. The BlackBerry device stores the digitally signed IT policy and the IT policy public key in the NV store in flash memory, binding the IT policy to that particular BlackBerry device. The NV store persists in flash memory and can only be overwritten by the BlackBerry device operating system.
  • Page 29: Protected Storage Of External Memory On The Blackberry Device

    Password Keeper master password to retrieve all of their stored passwords. The first time that a BlackBerry device user opens the Password Keeper on the BlackBerry device, the user must create the Password Keeper master password. The Password Keeper encrypts the information (for example,...
  • Page 30: Protected Storage Of User Data On A Locked Blackberry Device

    Process for encrypting files stored in external memory on the BlackBerry device When the BlackBerry device user stores a file in external memory for the first time after the BlackBerry Enterprise Server administrator turns on or the BlackBerry device user turns on mass storage mode, the BlackBerry device decrypts the external memory file encryption key and uses it to automatically encrypt the stored file.
  • Page 31: Protected Storage Of Master Encryption Keys On A Locked Blackberry Device

    These password lengths maximize the encryption strength that the longer ECC keys are designed to provide. The BlackBerry device uses the BlackBerry device password to generate the ephemeral 256-bit AES encryption key that the BlackBerry device uses to encrypt the content protection key and the ECC private key. A weak password produces a weak ephemeral key.
  • Page 32: Clearing The Blackberry Device Memory

    The wireless transceiver and serial bypass are designed to be turned off while the content protection key is not available to decrypt the grand master key in flash memory. Until a user unlocks the BlackBerry device using the correct BlackBerry device password the BlackBerry device cannot receive and decrypt data.
  • Page 33: Blackberry Architecture Component Security

    Each segment of your organization’s network can contain network traffic destined for a specific component or service. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented, see Placing the BlackBerry Enterprise Solution in a Segmented Network.
  • Page 34: Blackberry Infrastructure

    • SRP authentication keys and unique SRP IDs, or UIDs, that each BlackBerry Enterprise Server uses in the SRP authentication process to establish a connection to the wireless network
    • IT policy private keys of the IT policy public and private key pair that the BlackBerry Enterprise Server generates for each BlackBerry device
    • ...
  • Page 35 Configuration option: shield your Microsoft SQL Server installation from Internet based attacks
    Recommendations: Require Windows Authentication Mode for connections to Microsoft SQL Server to restrict connections to Microsoft® Windows® user and domain user accounts and enable credentials delegation.
  • Page 36: Protecting The Blackberry Enterprise Solution Connections

    BlackBerry device user must permanently delete all BlackBerry device user and application data, the BlackBerry device master encryption key, and the IT policy public key from the BlackBerry device. For more information, see “Types of remote BlackBerry device wipes” on page 62.
  • Page 37: Srp Authentication

    The authentication handshake sequence depends on a shared secret encryption key (the SRP authentication key) on both the BlackBerry Enterprise Server and the BlackBerry Infrastructure. If at any point in the authentication handshake sequence the authentication fails, SRP terminates the connection.
  • Page 38: How The Blackberry Enterprise Server And The Blackberry Infrastructure Handle Undeliverable Messages

    How the BlackBerry Enterprise Server and the BlackBerry Infrastructure handle undeliverable messages When a party sends a message to a BlackBerry device, the BlackBerry Infrastructure might not be able to deliver the message to the BlackBerry device immediately in the following scenarios:...
  • Page 39: Authentication During Wireless Enterprise Activation

    When the authentication process used by the BlackBerry Router protocol is successful, the BlackBerry device sends data to the BlackBerry Router through the BlackBerry Device Manager or over port 4101 to an enterprise Wi-Fi network, and the BlackBerry Router sends data to the BlackBerry device through the BlackBerry Device Manager or over port 4101 to an enterprise Wi-Fi network.
  • Page 40 Enterprise Server sends the following data to the user’s BlackBerry device:
    • calendar entries
    • contacts, tasks, and memos
    • existing BlackBerry device options (if applicable) that the BlackBerry device backed up using automatic wireless backup.
    For more information, see the BlackBerry Wireless Enterprise Activation Technical Overview.
  • Page 41: Tcp/Ip Connection

    TCP/IP connection
    The TCP/IP connection from the BlackBerry Enterprise Server to the BlackBerry Router is designed to be secure in the following ways:
    Security measure | Description
    The BlackBerry Enterprise ... | The system administrator must set your organization’s firewall or proxy to...
  • Page 42: Connections Between The Blackberry Desktop Manager And Its Components

    Connections between the BlackBerry Desktop Manager and its components The application loader tool and the media manager of the BlackBerry Desktop Manager share a secret password with the BlackBerry Desktop Manager. When the application loader tool or the media manager tool initiates a connection to the BlackBerry Desktop Software Version 4.2 or later, the BlackBerry Desktop Software uses...
  • Page 43: Blackberry Mds Connections

    BlackBerry MDS Services server and storing it in the BlackBerry device flash memory. 3. The BlackBerry MDS Services security protocol uses 128-bit AES in CBC mode with PKCS #5 padding to encrypt a 128-bit AES session key using a 128-bit AES database access key.
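The key wrapping in step 3 (a 128-bit AES session key encrypted under a 128-bit AES database access key with AES-CBC and PKCS #5 padding), as an added Go example; it is not code from the original document or from RIM. The IV handling (a random IV prepended to the ciphertext), the sample keys and the output layout are assumptions, since the page shows none of them. The example also shows a caveat the page does not discuss: CBC with padding carries no integrity check, so flipping one IV byte hands back a silently altered session key with no error.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// pkcs5Pad appends 1..blockSize bytes so the result is a whole number of
// blocks. A 16-byte key therefore becomes 32 bytes before encryption.
func pkcs5Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad validates and strips the padding; it can only notice damage to
// the final block, never to the key bytes in the first block.
func pkcs5Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("padded data must be a non-empty multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// WrapSessionKey encrypts a 128-bit session key under the 128-bit database
// access key with AES-128-CBC and PKCS #5 padding. Output layout (an
// assumption, not from the page): IV (16 bytes) || ciphertext (32 bytes).
func WrapSessionKey(dbAccessKey, sessionKey []byte) ([]byte, error) {
	if len(dbAccessKey) != 16 || len(sessionKey) != 16 {
		return nil, errors.New("both keys must be 128 bits")
	}
	block, err := aes.NewCipher(dbAccessKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs5Pad(sessionKey, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// UnwrapSessionKey reverses WrapSessionKey. CBC decryption cannot tell a
// genuine wrapped key from a tampered one: only the padding is checked.
func UnwrapSessionKey(dbAccessKey, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 2*aes.BlockSize || len(wrapped)%aes.BlockSize != 0 {
		return nil, errors.New("wrapped key has an invalid length")
	}
	block, err := aes.NewCipher(dbAccessKey)
	if err != nil {
		return nil, err
	}
	iv, ct := wrapped[:aes.BlockSize], wrapped[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	key, err := pkcs5Unpad(pt, aes.BlockSize)
	if err != nil {
		return nil, err
	}
	if len(key) != 16 {
		return nil, errors.New("unwrapped key is not 128 bits")
	}
	return key, nil
}

func main() {
	dbAccessKey := []byte("0123456789abcdef") // constructed sample keys
	sessionKey := []byte("session-key-0000")

	wrapped, err := WrapSessionKey(dbAccessKey, sessionKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped (%d bytes): %s\n", len(wrapped), hex.EncodeToString(wrapped))

	recovered, _ := UnwrapSessionKey(dbAccessKey, wrapped)
	fmt.Println("round trip ok:", bytes.Equal(recovered, sessionKey))

	// Flip one IV bit: the padding block is untouched, so unwrap reports no
	// error and returns a session key with the same bit flipped.
	wrapped[0] ^= 0x01
	tampered, err := UnwrapSessionKey(dbAccessKey, wrapped)
	fmt.Println("tampered unwrap error:", err, "key unchanged:", bytes.Equal(tampered, sessionKey))
}
```

The 16-byte session key wraps to 32 bytes of ciphertext because PKCS #5 always adds a full padding block when the input is already block-aligned. Anything that depends on the unwrapped key being the one the server stored needs an integrity mechanism (a MAC over IV and ciphertext, or an authenticated mode) that the page does not mention for this protocol.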
  • Page 44: Using Two-Factor Authentication To Protect Connections To Enterprise Wi-Fi Networks

    The BlackBerry device combines the tokencode with a software token PIN that the BlackBerry device user provides as a prefix string to the tokencode to create a passcode for use with a two-factor authentication process on the BlackBerry device. When the BlackBerry device user tries to establish a...
  • Page 45: How The Blackberry Enterprise Solution Authenticates Requests For Wireless Software Upgrades

    WAP gateway connections
    BlackBerry Device Software Version 3.2 SP1 or later supports WTLS, which is designed to provide an extra layer of security when connecting to a WAP gateway. WTLS requires a WAP gateway to provide standard WAP access to the Internet.
  • Page 46: Using Segmented Network Architecture To Prevent The Spread Of Malware On Your Organization's Network

    If your environment is using Microsoft Office Communicator, the BlackBerry Enterprise Server administrator can set the BlackBerry Collaboration Service to use HTTPS to encrypt data that it sends to the Microsoft CWA Server. The Microsoft CWA Server and Microsoft Live Communications Server automatically encrypt data that they send between them using TLS.
  • Page 47: Enterprise Wi-Fi Network Solution Architecture Security Features

    Wi-Fi infrastructure mode only, and to prevent Wi-Fi ad- hoc networking (peer-to-peer) connections. Supported Wi-Fi enabled BlackBerry devices on an enterprise Wi-Fi network bypass the use of SRP by using the BlackBerry Router to send data between the BlackBerry Enterprise Server and the BlackBerry device. After the...
  • Page 48: Ieee 802.1X Environment Components

    BlackBerry device supports using automatic PAC provisioning with EAP-FAST only. For more information about the security methods and encryption algorithms that the BlackBerry device supports, see “Appendix H: Enterprise Wi-Fi security methods that the BlackBerry device supports” on page 83.
  • Page 49: How The Ieee 802.1X Environment Controls Access To The Enterprise Wi-Fi Network

    Wi-Fi network, the access point and the BlackBerry device use IEEE 802.1x EAPoL-Key messages to establish the WEP, TKIP, or AES-CCMP encryption keys, depending on the EAP method that is set on the BlackBerry device. After the access point and the supported Wi-Fi enabled BlackBerry device establish encryption keys, the BlackBerry device has encrypted access to the enterprise Wi-Fi network.
  • Page 50 Wi-Fi enabled BlackBerry device implementation
    Using IEEE 802.11i with PSK
    Small office and home environments where it is not feasible to set up a server-based authentication infrastructure might use IEEE 802.1x...
    The supported Wi-Fi enabled BlackBerry device implementation of PSK is compatible with the WPA-Personal and ...
  • Page 51: Using Vpns To Protect Connections To Enterprise Wi-Fi Networks

    Wi-Fi network, supported Wi-Fi enabled BlackBerry devices must mutually authenticate with an access point through an authentication server to connect to the enterprise Wi-Fi network. The BlackBerry Enterprise Server administrator requires a certificate authority server to generate the certificates that the supported Wi-Fi enabled BlackBerry devices and the RADIUS server will store.
  • Page 52: Using Enterprise Captive Portals To Protect Connections To Enterprise Wi-Fi Networks Or Wi-Fi Hotspots

    A captive portal is a web-based authentication mechanism to permit access to an enterprise Wi-Fi network or Wi- Fi hotspot. Supported Wi-Fi enabled BlackBerry devices can use a captive portal to gain access to an IP filtered segment of the enterprise Wi-Fi network or hotspot. After using a captive portal to connect to an enterprise...
  • Page 53 The BlackBerry Enterprise Server administrator can set the Force Smart Card Two-Factor Authentication IT policy rule in the BlackBerry Manager to require that a user authenticates with the BlackBerry device using a smart card. If the BlackBerry Enterprise Server administrator does not force the user to authenticate with the BlackBerry device using a smart card, the user can turn two-factor authentication on and off with their smart card by setting the User Authenticator field in the BlackBerry device Security Options.
  • Page 54: Controlling Blackberry Devices

    The BlackBerry Manager groups the IT policy rules by common properties or by application. Most IT policy rules are intended to be assigned to more than one BlackBerry device. Some IT policy rules set a unique value and are intended to be assigned to one BlackBerry device and one user only. For more information on those IT policy rules, see the BlackBerry Enterprise Server Implementation Guide for Wireless LAN.
  • Page 55: Enforcing Blackberry Device And Blackberry Desktop Software Security

    BlackBerry Desktop Software behavior over the wireless network. By default, the BlackBerry Enterprise Server is designed to resend the IT policy to BlackBerry devices of users that are assigned to that IT policy within a short period of time after the BlackBerry Enterprise Server administrator updates the IT policy.
  • Page 56: Controlling Wireless Software Upgrades Using The Blackberry Enterprise Server

    BlackBerry Device Software upgrade packages and send them to BlackBerry devices unless you set the BES Upgrade Exclusivity flag in the OTASL IT Policy Flags IT policy rule to turn off exclusive BlackBerry Enterprise Server control of wireless software upgrade requests.
  • Page 57: Controlling Location-Based Services On The Blackberry Device

    (for example, the BlackBerry device password). BlackBerry devices that support and are enabled to use CHAP can use it to establish a Bluetooth link to the BlackBerry Desktop Software so that the BlackBerry device never sends its password over an unprotected connection.
  • Page 58: How The Blackberry Device Protects Its Operating System And The Blackberry Device Software

    RIM tool authentication server. If a tool that is running on a potentially untrusted computer tries to open a USB connection to a BlackBerry device, the BlackBerry device sends a random challenge to the computer. The RIM tool authentication server...
  • Page 59 For more information, see Protecting the BlackBerry Device Platform Against Malware.
    Using IT policy rules to contain malware on the BlackBerry device
    The BlackBerry Enterprise Server Version 4.1 SP2 or later includes IT policy rules that are designed to enable the BlackBerry Enterprise Server administrator to •...
  • Page 60 Application, it displays the certificate subject details as the code signer identity, and prompts the BlackBerry device user to accept or reject the application. The BlackBerry device does not display the code signer identity to the user, and does not install the application if any of the following conditions are true: •...
  • Page 61: Protecting Lost, Stolen, Or Replaced Blackberry Devices

    BlackBerry device from recovering the content protection key successfully without knowing either the BlackBerry device password or the IT policy private key of the IT policy public and private key pair that the BlackBerry Enterprise Server generates for the BlackBerry device •...
  • Page 62: Types Of Remote Blackberry Device Wipes

    BlackBerry device that is in the possession of the BlackBerry device user only. Sending this command to a BlackBerry device in the possession of an attacker allows an attacker that uses a hardware-based attack to recover the key pair that the BlackBerry device creates when it receives the IT policy from flash memory, and thereby decrypt all the data on the BlackBerry device.
  • Page 63: Remotely Erasing Data From Blackberry Device Memory And Making The Blackberry Device Unavailable

    Removing third-party applications during a user-initiated security wipe When the user clicks Wipe Handheld (in the Security Options) on the BlackBerry device, the user can select the Include third party applications option at the same time. If the user selects this option, when the BlackBerry device permanently deletes its stored user data during the device wipe, it will also remove all of its third-party applications and application data.
  • Page 64: Remotely Resetting A Blackberry Device To Factory Default Settings

    The BlackBerry Enterprise Server administrator can use the Remote Wipe Reset to Factory Defaults IT policy rule to require the BlackBerry device to return to factory default settings when it receives the Erase Data and Disable Handheld IT administration command over the wireless network. When the BlackBerry Enterprise Server...
  • Page 65: Unbinding The Smart Card From The Blackberry Device

  • Page 66: Related Resources

    BlackBerry Enterprise Server architecture Technical Overview
    BlackBerry Enterprise Server Wi-Fi Implementation Supplement:
    • understanding configuration options for implementing a BlackBerry device on an enterprise Wi-Fi network
    • administering and troubleshooting a BlackBerry device on an enterprise Wi-Fi network
    BlackBerry Enterprise Server Installation Guide:
    • network environment settings
    • ...
  • Page 67 Resource | Information
    Enforcing Encryption of Internal and External File Systems on BlackBerry Devices Technical Overview:
    • list of data items that BlackBerry devices encrypt by default
    • using encryption to protect stored files in internal and external memory on BlackBerry devices
    • ...
  • Page 68 S/MIME Support Package User Guide Supplement:
    • installing the S/MIME Support Package for BlackBerry devices
    • managing certificates on the BlackBerry device and computer
    • setting S/MIME options for digitally signing and encrypting messages
    • sending and receiving S/MIME messages
    • ...
  • Page 69: Appendix A: Rim Crypto Api Interface

    Appendix A: RIM Crypto API Interface The RIM Crypto API on the BlackBerry device and in the BlackBerry JDE provides developers with a toolkit of cryptographic algorithms and support tools that they can use to create secure applications for business connectivity.
  • Page 70 Key agreement scheme algorithms
    Algorithm | Key length (bits) | Type
    | 512 to 4096 | discrete logarithm
    | 1024 | discrete logarithm
    ECDH | 160 to 571 | (EC) discrete logarithm
    ECMQV | 160 to 571 | (EC) discrete logarithm
    Signature scheme algorithms
    Algorithm | Key length (bits)
  • Page 71 Code | Digest length (bits)
    RIPEMD-128, 160 | 128, 160
  • Page 72: Appendix B: Tls And Wtls Standards That The Rim Crypto Api Supports

    4096 bits
    • elliptic curve operations: 571 bits
    Note: These limitations are due to computational constraints on the BlackBerry device.
    Key establishment algorithm cipher suites that the RIM Crypto API supports
    Direct mode SSL...
  • Page 73: Symmetric Algorithms That The Rim Crypto Api Supports

    Symmetric algorithms that the RIM Crypto API supports Direct mode SSL Direct mode TLS WTLS RC4 40 RC4 40 RC5 40 DES 40 RC4 56 RC5 56 RC4 128 RC5 64 Triple DES DES 40 RC4 128...
  • Page 74: Appendix C: Previous Version Of Wired Master Encryption Key Generation

    C language srand function is seeded with the current time to generate a seed for the C language rand function. When the user responds to the BlackBerry Desktop Software prompt by moving the mouse, the rand function is designed to generate random data based on the entropy that the mouse movement gathers.
  • Page 75: Appendix D: Blackberry Device Wipe Process

    The BlackBerry device sets a Device Under Attack flag in the NV store. If a user removes the battery or the battery power drops to zero before the BlackBerry device data wipe ends, when the BlackBerry device power is restored (in other words, a user replaces the battery), the BlackBerry device wipe process continues because the Device Under Attack flag is still present.
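The Device Under Attack flag behaviour described above, as an added Go model; it is not code from the original document or from RIM. The block size, the power-loss simulation and the choice to restart from the first block after power is restored are assumptions: the page says only that the flag is set in the NV store and that the wipe continues while the flag is present. What the model makes visible is the ordering that makes the wipe crash-safe: the flag is written before the first erase and cleared only after the last one, and power-on consults nothing but the flag.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrPowerLost simulates the battery being removed before the wipe finishes.
var ErrPowerLost = errors.New("power lost during wipe")

const blockSize = 4 // bytes erased per step in this toy model (assumption)

// Device models the two storage areas that matter for the wipe: the NV store
// (whose flag survives power loss) and the flash region holding user data.
type Device struct {
	DeviceUnderAttack bool   // flag in the NV store
	Flash             []byte // user data; a wiped block reads as zeros
	powerBudget       int    // blocks erasable before simulated power loss; <0 = unlimited
}

func NewDevice(userData []byte) *Device {
	return &Device{Flash: append([]byte{}, userData...), powerBudget: -1}
}

// StartWipe is the path taken when a wipe is requested (by the user or by an
// IT administration command). The flag is written before the first erase.
func (d *Device) StartWipe(powerBudget int) error {
	d.powerBudget = powerBudget
	d.DeviceUnderAttack = true
	return d.eraseAll()
}

// PowerOn is what happens when the battery is replaced. If the flag is still
// set, the wipe restarts from the beginning; no RAM state is needed.
func (d *Device) PowerOn(powerBudget int) error {
	d.powerBudget = powerBudget
	if !d.DeviceUnderAttack {
		return nil
	}
	return d.eraseAll()
}

func (d *Device) eraseAll() error {
	for start := 0; start < len(d.Flash); start += blockSize {
		if d.powerBudget == 0 {
			return ErrPowerLost // progress in RAM is gone; only the NV flag remains
		}
		end := start + blockSize
		if end > len(d.Flash) {
			end = len(d.Flash)
		}
		for i := start; i < end; i++ {
			d.Flash[i] = 0
		}
		if d.powerBudget > 0 {
			d.powerBudget--
		}
	}
	d.DeviceUnderAttack = false // cleared only after the last block
	return nil
}

// Wiped reports whether every byte of user data has been overwritten.
func (d *Device) Wiped() bool {
	for _, b := range d.Flash {
		if b != 0 {
			return false
		}
	}
	return true
}

func main() {
	d := NewDevice([]byte("constructed user data: contacts, messages")) // constructed sample
	err := d.StartWipe(2) // power fails after two blocks
	fmt.Println("first attempt:", err, "wiped:", d.Wiped(), "flag:", d.DeviceUnderAttack)
	err = d.PowerOn(-1) // fresh battery: the flag forces the wipe to resume
	fmt.Println("after power on:", err, "wiped:", d.Wiped(), "flag:", d.DeviceUnderAttack)
}
```

Re-erasing blocks that were already zeroed costs a little time but needs no persisted progress counter, which is the simplest state to get right on a device that can lose power at any instruction.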
  • Page 76: Memory Scrub Process For Flash Memory On Blackberry Devices

    Memory scrub process for flash memory that stores user-saved files on BlackBerry devices If content protection is turned on and the BlackBerry device supports a partition of flash memory to store user- saved files using an internal memory card file system, to overwrite that section of the BlackBerry device memory...
  • Page 77: Appendix E: Process For Deriving Encryption Keys That Protect The Keys Used With Content Protection

    4. The BlackBerry device stores the resulting hash in a byte array called a key. (key) = SHA256(Salt|Password|Salt) 5. The BlackBerry device hashes (key) 18 more times. It stores the result into (key) each time. For example, for i=0 to 18, the BlackBerry device does the following:...
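The derivation visible in Appendix E, together with the warning on page 31 that a weak BlackBerry device password produces a weak ephemeral key, as an added Go example; it is not code from the original document or from RIM. Assumptions: the password is hashed as raw UTF-8 bytes, the repeated rounds hash the 32-byte key on its own, and the repeat count is taken as the "18 more times" the text states (the loop bound on the page is truncated); the salt and password are constructed sample values. The second function makes the page-31 point concrete by recovering a four-digit password from the derived key.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// extraRounds is the number of SHA-256 passes after the first hash.
// Appendix E says "18 more times"; that value is assumed here.
const extraRounds = 18

// DeriveKey follows the steps shown in Appendix E:
//   key = SHA256(salt | password | salt)
//   then key = SHA256(key), extraRounds times
// Encoding of the password and the exact input to the later rounds are not
// shown on the page; raw bytes and the bare key are assumptions.
func DeriveKey(salt, password []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{salt, password, salt}, nil))
	key := sum[:]
	for i := 0; i < extraRounds; i++ {
		next := sha256.Sum256(key)
		key = next[:]
	}
	return key
}

// RecoverDigitPassword shows why a weak password gives a weak ephemeral key:
// for a password known to be exactly n decimal digits there are only 10^n
// candidates, and 19 SHA-256 calls per candidate is no obstacle. It returns
// "" if no candidate reproduces targetKey.
func RecoverDigitPassword(salt, targetKey []byte, n int) string {
	limit := 1
	for i := 0; i < n; i++ {
		limit *= 10
	}
	for c := 0; c < limit; c++ {
		candidate := fmt.Sprintf("%0*d", n, c)
		if bytes.Equal(DeriveKey(salt, []byte(candidate)), targetKey) {
			return candidate
		}
	}
	return ""
}

func main() {
	salt := []byte("constructed-salt") // constructed sample values
	key := DeriveKey(salt, []byte("4821"))
	fmt.Println("derived key       :", hex.EncodeToString(key))
	fmt.Println("recovered password:", RecoverDigitPassword(salt, key, 4))
}
```

The salt prevents a single precomputed table from serving every device, but it does nothing for a password drawn from a space of ten thousand values; only password length and character set, or a much slower derivation, raise the cost of this search.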
  • Page 78: Appendix F: Power And Electromagnetic Side-Channel Attacks And Countermeasures

    The BlackBerry device uses a masking operation, table splitting, and application of random masks to help protect the cryptographic keys and plain text data against side-channel attacks at all points during its encryption and decryption operations.
  • Page 79 How the AES algorithm creates S-Box tables
    The BlackBerry device permutes each AES S-Box entry randomly and masks each entry with a random value.
    How the AES algorithm calculation uses round keys
    The BlackBerry device masks the round keys (subkeys that the key schedule calculates for each round of encryption) with random values and any S-Box masks that the AES algorithm requires to operate.
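The masked S-Box table described above, as an added Go example; it is not code from the original document or from RIM. It generates the standard AES S-Box and then a masked copy with S'[x XOR in] = S[x] XOR out under random masks, so that neither the true input nor the true output of the substitution exists in memory or on the bus during a lookup. XOR of the index with the input mask is used as the random permutation of entries; the device's actual permutation, how often it re-masks, and the round-key masking are not shown on the page, so those details are assumptions and round keys are not modelled.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// aesSBox generates the standard AES S-Box (multiplicative inverse in GF(2^8)
// followed by the affine transform) so no 256-entry table is hard-coded.
func aesSBox() [256]byte {
	var s [256]byte
	rotl := func(x byte, n uint) byte { return x<<n | x>>(8-n) }
	p, q := byte(1), byte(1)
	for {
		// p = p * 3 in GF(2^8); 3 generates the multiplicative group, so p
		// visits every non-zero element before returning to 1.
		if p&0x80 != 0 {
			p = p ^ (p << 1) ^ 0x1b
		} else {
			p ^= p << 1
		}
		// q = q / 3, so q is always the inverse of p.
		q ^= q << 1
		q ^= q << 2
		q ^= q << 4
		if q&0x80 != 0 {
			q ^= 0x09
		}
		s[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
		if p == 1 {
			break
		}
	}
	s[0] = 0x63 // 0 has no inverse; only the affine constant remains
	return s
}

// MaskedSBox holds S'[x ^ in] = S[x] ^ out. Both the index and the stored
// value are masked, so a lookup never touches a plain S-Box input or output.
type MaskedSBox struct {
	table   [256]byte
	in, out byte
}

// NewMaskedSBox builds a table under fresh random masks. A real implementation
// re-masks regularly so an attacker cannot average traces across operations
// (assumption about the device; the page gives no interval).
func NewMaskedSBox(s [256]byte) (*MaskedSBox, error) {
	var m [2]byte
	if _, err := rand.Read(m[:]); err != nil {
		return nil, err
	}
	return newMaskedSBoxWith(s, m[0], m[1]), nil
}

func newMaskedSBoxWith(s [256]byte, in, out byte) *MaskedSBox {
	ms := &MaskedSBox{in: in, out: out}
	for x := 0; x < 256; x++ {
		// XOR with a constant is a bijection on indices: this is the
		// "random permutation" of entries used in this example.
		ms.table[byte(x)^in] = s[x] ^ out
	}
	return ms
}

// Lookup takes a value already masked with ms.in and returns S[x] ^ ms.out.
func (ms *MaskedSBox) Lookup(maskedX byte) byte { return ms.table[maskedX] }

// SubBytes applies the masked substitution to a state whose bytes are masked
// with ms.in; every output byte is masked with ms.out.
func (ms *MaskedSBox) SubBytes(maskedState [16]byte) [16]byte {
	var out [16]byte
	for i, b := range maskedState {
		out[i] = ms.table[b]
	}
	return out
}

func main() {
	s := aesSBox()
	ms, err := NewMaskedSBox(s)
	if err != nil {
		panic(err)
	}
	x := byte(0x53)
	masked := ms.Lookup(x ^ ms.in)
	fmt.Printf("S[0x%02x] = 0x%02x; masked lookup 0x%02x; unmasked 0x%02x\n",
		x, s[x], masked, masked^ms.out)
}
```

The masks are removed only when the final value is needed (here, for printing); inside the round function the output mask simply becomes the next operation's input mask, which is why the page describes the round keys as carrying the S-Box masks with them.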
  • Page 80: Appendix G: Blackberry Router Protocol

    Appendix G: BlackBerry Router protocol When the BlackBerry Enterprise Server and the BlackBerry device use the BlackBerry Router protocol to open a connection between them, the BlackBerry Router protocol is designed to use its unique authentication protocol to verify that the BlackBerry device has the correct master encryption key while preventing the BlackBerry Router from knowing the value of the master encryption key.
  • Page 81: Process Flow: Using The Blackberry Router Protocol To Open An Authenticated Connection

    KeyID, a master encryption key identifier, to the BlackBerry Enterprise Server. 4. The BlackBerry Router observes the data that the BlackBerry device sends and confirms that the value R is not the point at infinity. If R is the point at infinity, the BlackBerry Router sets R to a random value.
  • Page 82: Process Flow: Using The Blackberry Router Protocol To Close An Authenticated Connection

    If the BlackBerry device calculates that yP + e ≠ hP, the BlackBerry device rejects the connection attempt. The BlackBerry Enterprise Server and the BlackBerry device do not open an authenticated connection between them. If the BlackBerry Router calculates that y ≠ y...
  • Page 83: Appendix H: Enterprise Wi-Fi Security Methods That The Blackberry Device Supports

    EAP authentication methods that the BlackBerry device supports: The BlackBerry device supports EAP authentication methods with protected WLAN networks only. (Table columns: Authentication method | Description | BlackBerry device implementation.) LEAP: Cisco®...
  • Page 84: Encryption Algorithms That The Blackberry Device Supports For Use With Layer 2 Security Methods

    3GPP technical specification 3GPP-TS-23.003. The BlackBerry device can receive at least two challenges from the authentication server to provide stronger authentication. Encryption algorithms that the BlackBerry device supports for use with layer 2 security methods (Table columns: Protocol | Description | Wi-Fi enabled BlackBerry device implementation.) For more information about WEP, see “Requiring...
  • Page 85: Eap Authentication Methods And Encryption Algorithms With Which The Blackberry Device Supports The Use Of Cckm

    • all EAP authentication methods that the Wi-Fi enabled BlackBerry device supports • WEP and TKIP The Wi-Fi enabled BlackBerry device does not support the use of CCKM with • the Cisco CKIP encryption algorithm • the AES-CCMP encryption algorithm...
  • Page 86: Vpn Solution On The Wi-Fi Enabled Blackberry Device

    VPN concentrators. If the Wi-Fi enabled BlackBerry device has a VPN profile, it logs into the VPN concentrator automatically after connecting to the enterprise Wi-Fi network. To create a VPN profile, the BlackBerry Enterprise Server...
  • Page 87

    • RSA_WITH_3DES_EDE_CBC_SHA • RSA_WITH_AES_128_CBC_SHA • RSA_WITH_AES_256_CBC_SHA • ...
  • Page 88: Appendix J: Rsa Securid Software Token Tokencode Generation Process

    BlackBerry device can import the seed successfully. The BlackBerry device stores the .sdtid file seed in flash memory. 8. The BlackBerry device imports a copy of the .sdtid file seed into the RSA SecurID Library on the BlackBerry device. 9. Once each minute, the RSA SecurID library authenticates with the RSA authentication server and initializes the software token algorithm.
  • Page 89: Appendix L: Protocol For Resetting The Password On A Content-Protected Blackberry Device Remotely

    When the BlackBerry device permanently deletes d, the data that remains stored on the BlackBerry device is not sufficient to recover K. Only the BlackBerry Enterprise Server knows b and can recalculate K = dB = dbP = bD if given d.
  • Page 90: Protocol Process

    • verifies that D' is a valid public key • calculates K' = bD' = brdP = rdB = rK (The BlackBerry Enterprise Server knows only rK, and cannot calculate K without r.) • calculates h = SHA-1( D' ) 6.
  • Page 91

    Part number: 19928313 Version 3 ©2009 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType®, SurePress™ and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world.
  • Page 92

    FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION. Certain features outlined in this documentation require a minimum version of BlackBerry® Enterprise Server Software, BlackBerry® Desktop Software, and/or BlackBerry® Device Software and may require additional development or Third Party Products and Services for access to corporate applications.
