Control Bluetooth Connections From Third-Party Applications - Blackberry PRD-09695-004 - SMART Card Reader Overview

Security technical overview

Security method
code signing
random number generation
For more information, see "BlackBerry Smart Card Reader reset process".

Control Bluetooth connections from third-party applications

Application control is designed to limit the use of Bluetooth® technology (and the Bluetooth profiles) to specific,
permitted third-party applications. Using the BlackBerry® Enterprise Server version 4.0 and later, you can configure
IT policy rules and application policy rules to control how third-party applications use the BlackBerry® Smart Card
Reader to connect to a Bluetooth enabled BlackBerry device.

Use application control policy rules to control the following behavior on the BlackBerry device:

- permit or prevent a user from downloading third-party applications
- define the features (for example, the email application, the phone application, and the BlackBerry device key store) that third-party applications can access
- define the types of connections that a third-party application can open (for example, opening network connections inside the firewall)
- send third-party applications to the BlackBerry device over the wireless network

Security method: code signing
Description:
Before a user can run a permitted third-party application that uses the controlled APIs on the BlackBerry device, the Research In Motion signing authority system must use public key cryptography to authorize and authenticate the application code.
The BlackBerry Smart Card Reader uses code signing to prevent the user from loading third-party code onto the BlackBerry Smart Card Reader. When RIM manufactures the BlackBerry Smart Card Reader, it installs a public key into the secure boot ROM of the BlackBerry Smart Card Reader and uses the corresponding private key to sign the BlackBerry Smart Card Reader operating system. When RIM loads an operating system and BlackBerry Java® Virtual Machine onto the BlackBerry Smart Card Reader, the boot ROM verifies the signature on the loaded operating system. If the boot ROM determines that the signature is not valid, it rejects the operating system.
See the BlackBerry Enterprise Solution Security Technical Overview for more information about code signing.

Security method: random number generation
Description:
In the BlackBerry Smart Card Reader, the following sources of entropy seed the random number generator:
- RIM manufactures each BlackBerry Smart Card Reader with a random 64-byte value (a seed). This provides the BlackBerry Smart Card Reader with entropy before the wireless adapter is turned on.
- When the initial key establishment protocol generates the device transport key and the connection key establishment protocol generates the connection key that the BlackBerry device or computer and the BlackBerry Smart Card Reader use to send data between them, the BlackBerry device or computer and the BlackBerry Smart Card Reader use SHA-512 to hash all the data packets that they send and receive between them and add the hashed data packets to the entropy pool.
- Each time the BlackBerry device or computer and the BlackBerry Smart Card Reader negotiate keys during the initial key establishment protocol and the connection key establishment protocol, the BlackBerry device or computer sends a 64-byte seed to the BlackBerry Smart Card Reader. The BlackBerry Smart Card Reader adds this value to its random source.
See the BlackBerry Enterprise Solution Security Technical Overview for more information about the process for random number generation on the BlackBerry device.
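
The three seeding sources listed above can be modelled as inputs to one hash-chained entropy pool. This is an added example, not RIM's code: the class name, the labels, the chaining rule and the HMAC output step are assumptions chosen for illustration, and all sample inputs are constructed.

```python
import hashlib
import hmac

class EntropyPool:
    """Hash-chained pool; the mixing rule is an illustrative assumption."""

    def __init__(self, factory_seed: bytes):
        if len(factory_seed) != 64:
            raise ValueError("factory seed must be 64 bytes")
        # Source 1: random 64-byte value installed at manufacture.
        self._state = hashlib.sha512(b"factory" + factory_seed).digest()

    def _mix(self, label: bytes, data: bytes) -> None:
        # Chain the old state with the new input so earlier entropy is kept.
        self._state = hashlib.sha512(self._state + label + data).digest()

    def add_packets(self, packets) -> None:
        # Source 2: SHA-512 of each key-establishment packet sent or received.
        for pkt in packets:
            self._mix(b"packet", hashlib.sha512(pkt).digest())

    def add_peer_seed(self, seed: bytes) -> None:
        # Source 3: 64-byte seed sent by the BlackBerry device or computer.
        if len(seed) != 64:
            raise ValueError("peer seed must be 64 bytes")
        self._mix(b"peer", seed)

    def read(self, n: int) -> bytes:
        # Derive output with HMAC so the raw state never leaves the pool.
        out, counter = b"", 0
        while len(out) < n:
            block = counter.to_bytes(4, "big")
            out += hmac.new(self._state, b"out" + block, hashlib.sha512).digest()
            counter += 1
        self._mix(b"ratchet", b"")  # ratchet so the next read differs
        return out[:n]

def seeded_output(factory_seed, packets, peer_seed, n=32):
    pool = EntropyPool(factory_seed)
    pool.add_packets(packets)
    pool.add_peer_seed(peer_seed)
    return pool.read(n)

# Constructed sample inputs, not real device data.
FACTORY_A = bytes(range(64))
FACTORY_B = bytes(range(1, 65))
PEER_SEED = b"\x42" * 64
PACKETS = [b"constructed-kex-msg-1", b"constructed-kex-msg-2"]
```

With the packets and the peer seed held constant, changing only the factory seed changes the output, so a seed supplied over the link does not by itself determine the pool state in this model.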

This manual is also suitable for:

Smart card reader v2.0
