Blackberry PRD-09695-004 - SMART Card Reader Overview

Security technical overview
BlackBerry Smart Card Reader
Version 2.0
Security Technical Overview

Summary of Contents for Blackberry PRD-09695-004 - SMART Card Reader

  • Page 1 BlackBerry Smart Card Reader Version 2.0 Security Technical Overview...
  • Page 2: Table Of Contents

    Opening an encrypted and authenticated connection to the BlackBerry Smart Card Reader (page 14); Secure pairing PIN (page 14); Performing the Bluetooth pairing process and the secure pairing process on a BlackBerry device (page 15); Performing the Bluetooth pairing process and the secure pairing process on a computer (page 15); Reconnecting to a BlackBerry device or computer automatically (page 15)...
  • Page 3 BlackBerry Smart Card Reader shared cryptosystem parameters (page 25); Examples of attacks that the BlackBerry Smart Card Reader security protocols are designed to prevent (page 26); Eavesdropping (page 26); Impersonating a BlackBerry device or computer (page 26); Man-in-the-middle attack (page 26); Offline attack (page 26); Offline dictionary attack (page 27); Online dictionary attack...
  • Page 4: Blackberry Smart Card Reader

    The S/MIME Support Package for BlackBerry smartphones supports smart card use and includes tools that users can use to download certificates and transfer them to the BlackBerry device for use with the S/MIME Support Package for BlackBerry smartphones.
  • Page 5: New In This Release

    Proximity authentication does not require the user to have a smart card. Two-factor content protection: Two-factor content protection requires a BlackBerry device password, a smart card, and an authentication certificate that is stored on a BlackBerry device to protect the content protection key. Configuration of a secure pairing: You can configure the length of a secure pairing PIN and use alphanumeric characters in the secure pairing PIN.
  • Page 6: System Requirements

    System requirements The BlackBerry® Smart Card Reader supports the following software and BlackBerry devices. BlackBerry Enterprise Server software: BlackBerry® Enterprise Server version 4.0 SP2 and later for... Computer: Windows® XP SP2 or SP3 (32-... BlackBerry devices: Java® based Bluetooth enabled BlackBerry devices that run...
  • Page 7: System Architecture

    System architecture The BlackBerry® Smart Card Reader is designed to connect to a Bluetooth® enabled BlackBerry device and a Bluetooth enabled computer. The BlackBerry Smart Card Reader supports using certificates that a PKI generates with a BlackBerry device. The BlackBerry Smart Card Reader cannot communicate with the BlackBerry® Enterprise Server directly. When the BlackBerry device pushes an IT policy to the BlackBerry Smart Card Reader, the BlackBerry Smart Card Reader preserves the BlackBerry Enterprise Server signature on the IT policy.
  • Page 8: Blackberry Enterprise Solution Security

    BlackBerry Enterprise Solution security The BlackBerry® Enterprise Solution is designed to encrypt data that is in transit at all points between a BlackBerry device and the BlackBerry® Enterprise Server to help protect your organization from data loss or alteration. Only the BlackBerry Enterprise Server and the BlackBerry device can decrypt the data that they send between each other.
  • Page 9: Restricting Bluetooth Technology On A Bluetooth Enabled Computer

    Bluetooth drivers (and a personal area networking device, optionally) for that wireless adaptor. To prevent a user who does not have administrator privileges and external Bluetooth devices other than the BlackBerry® Smart Card Reader from using the Bluetooth technology installed on the computer, you can restrict the availability of the Bluetooth technology on the computer.
  • Page 10: Blackberry Smart Card Reader Security

    BlackBerry Smart Card Reader security The BlackBerry® Smart Card Reader is designed to prevent offline and online dictionary attacks using the following security methods (security method: description). Authentication of ...: The BlackBerry Smart Card Reader uses processes designed to perform the following...
  • Page 11: Control Bluetooth Connections From Third-Party Applications

    Using the BlackBerry® Enterprise Server version 4.0 and later, you can configure IT policy rules and application policy rules to control how third-party applications use the BlackBerry® Smart Card Reader to connect to a Bluetooth enabled BlackBerry device.
  • Page 12: Managing The Blackberry Smart Card Reader

    You can configure application control policy rules so that all Bluetooth profiles are unavailable for applications by default and then turn on the Bluetooth Serial Port Profile for the BlackBerry Smart Card Reader driver only. In this configuration, only the necessary applications are allowed to use the BlackBerry Smart Card Reader driver.
  • Page 13 Maximum Smart Card Not Present Timeout: This rule specifies the maximum time, in seconds, after a user removes the smart card from the BlackBerry Smart Card Reader before the secure pairing information is deleted from a BlackBerry device and the BlackBerry Smart Card Reader.
  • Page 14: Opening An Encrypted And Authenticated Connection To The Blackberry Smart Card Reader

    The BlackBerry Smart Card Reader also uses the Disable Radio When Cradled IT policy rule, which controls whether the wireless adapter is turned off when the BlackBerry device is connected to USB peripherals. If you change this rule to Yes, the Bluetooth wireless adaptor of the BlackBerry Smart Card Reader is turned off whenever the BlackBerry Smart Card Reader is connected to a computer using a USB connection.
  • Page 15: Performing The Bluetooth Pairing Process And The Secure Pairing Process On A Blackberry Device

    Smart Card Reader options screen on a BlackBerry device. If the user is running BlackBerry® Device Software version 4.0 and later on the BlackBerry device, the user can start the secure pairing process by trying an action on the BlackBerry device that requires the smart card (for example, importing certificates, signing or decrypting a message, or turning on two-factor authentication).
  • Page 16: Connection Key Establishment Protocol Used In The Secure Pairing Process

    4. The BlackBerry Smart Card Reader creates a list of all the algorithms that it supports and sends the supported algorithms list to the BlackBerry device or computer.
    5. The BlackBerry device or computer searches the list for a match with one of its own supported algorithms.
  • Page 17 Each run of the connection key establishment protocol uses a unique, random, ephemeral key pair to create the new connection key. The BlackBerry Smart Card Reader discards the ephemeral key pair after generating the connection key. Even if the ephemeral private keys from a particular protocol run using the ECDH algorithm are compromised, the connection keys from other runs of the same protocol remain uncompromised.
  • Page 18: Encrypting And Authenticating Data On The Application Layer

    You can configure the Force Smart Card Two-Factor Authentication IT policy rule to require that a user uses a smart card to authenticate with a BlackBerry® device. If you do not force the user to use a smart card to authenticate with the BlackBerry device, the user can turn on or turn off two-factor authentication with the smart card by changing the User Authenticator field in the Security options on the BlackBerry device.
  • Page 19: Configuring Two-Factor Authentication On A Computer

    Unbinding the smart card from a BlackBerry device When you or a user starts the process that permits a BlackBerry® device to permanently delete its stored user and application data, the BlackBerry device deletes the smart card binding information from its NV store. When the process completes, a user can authenticate with the BlackBerry device using a new smart card.
  • Page 20: Proximity Authentication

    BlackBerry device password. Proximity authentication does not require the user to use a smart card. By default, if you or a user turns on proximity authentication and the user does not move the BlackBerry Smart Card Reader within Bluetooth technology range, the user can unlock the BlackBerry device using the BlackBerry device password.
  • Page 21: Process Flow: Protecting The Content Encryption Key Using Two-Factor Content Protection

    Content Protection Usage IT policy rule. After you or a user turns on two-factor content protection, to unlock the BlackBerry device, a user must type the BlackBerry device password and the smart card PIN on the login screen in the appropriate fields.
  • Page 22: Blackberry Smart Card Reader Supported Algorithms

    256-bit Random Curve (EC256R1) • 160-bit Random Curve (EC160R1). The initial key establishment protocol is designed to negotiate to use the 521-bit Random Curve (EC521R1) algorithm unless the BlackBerry® device or the computer requires a different algorithm. • encryption: AES-256 (default) •...
  • Page 23: Connection Key Establishment Protocol Errors

    During the connection key establishment protocol process, if an error occurs on the BlackBerry® device, the computer, or the BlackBerry® Smart Card Reader, that party sends an error code to the other party negotiating the connection key. The following errors might occur: •...
  • Page 24: Application Layer Protocol Encryption And Authentication

    The connection key protocol opens a shared connection key CK from which the BlackBerry device or computer and the BlackBerry Smart Card Reader derive the four session keys that they use on the application layer to protect the data that they send between them.
  • Page 25: Blackberry Smart Card Reader Shared Cryptosystem Parameters

    BlackBerry Smart Card Reader shared cryptosystem parameters The BlackBerry® Smart Card Reader and a BlackBerry device or computer with the BlackBerry Smart Card Reader software and drivers installed are designed to share the following cryptosystem parameters (parameter: description). E(Fq): This parameter is the NIST-approved 521-bit random elliptic curve over Fq, which has a cofactor of ... The initial key establishment protocol performs all mathematical operations in the group E(Fq).
  • Page 26: Examples Of Attacks That The Blackberry Smart Card Reader Security Protocols Are Designed To Prevent

    Offline attack An offline attack occurs when a user with malicious intent tries to send X = xP, instead of xS to the BlackBerry® Smart Card Reader. The user with malicious intent might try this when the user with malicious intent does not know the secure pairing PIN.
  • Page 27: Offline Dictionary Attack

    X as the point at infinity, then K is the point at infinity regardless of what the BlackBerry Smart Card Reader chose for Y. By checking that X is not the point at infinity, 1, or –1, the BlackBerry Smart Card Reader security...
  • Page 28: Smart Card Binding Information

    Smart card binding information When you or a user turns on two-factor authentication on a BlackBerry® device, the BlackBerry device binds to the installed smart card automatically by storing the following smart card binding information in a special BlackBerry device NV store location that is inaccessible to a user: •...
  • Page 29: Blackberry Smart Card Reader Reset Process

    IT policy from the BlackBerry Smart Card Reader The BlackBerry Smart Card Reader unbinds the IT policy by deleting the IT policy public key from the NV store so that it can receive a new IT policy and digitally signed IT policy public key from a BlackBerry® Enterprise Server. The...
  • Page 30: Related Resources

    BlackBerry® device and the BlackBerry® Enterprise Server or organization LAN • managing security settings for all BlackBerry devices • protecting data that is in transit between the BlackBerry device and the BlackBerry Enterprise Server • understanding the algorithms provided by the RIM Cryptographic API •...
  • Page 31: Glossary

    Glossary: AES, Advanced Encryption Standard; API, application programming interface; CBC, cipher block chaining; ECDH, Elliptic Curve Diffie-Hellman; HMAC, keyed-hash message authentication code; LAN, local area network; LED, light-emitting diode; NIST, National Institute of Standards and Technology; NV, nonvolatile; PIN, personal identification number; PKI, Public Key Infrastructure; S/MIME, Secure Multipurpose Internet Mail Extensions; SHA, Secure Hash Algorithm; SPEKE, Simple Password-authenticated Exponential Key Exchange...
  • Page 32: Provide Feedback

    Provide feedback To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback.
  • Page 33: Legal Notice

    Document ID: 25979072 version 3 ©2009 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType®, SurePress™ and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world.
  • Page 34 RIM. Certain features outlined in this documentation require a minimum version of BlackBerry® Enterprise Server, BlackBerry® Desktop Software, and/or BlackBerry® Device Software.
