Encrypting And Authenticating Data On The Application Layer; Two-Factor Authentication; Turning On Two-Factor Authentication On A Blackberry Device - Blackberry PRD-09695-004 - SMART Card Reader Overview

Security technical overview

For more information about variables used in this process, see "BlackBerry Smart Card Reader shared cryptosystem
parameters".
The connection key establishment protocol can stop at any point if an error occurs. For more information, see
"Connection key establishment protocol errors".

Encrypting and authenticating data on the application layer

When a BlackBerry® device or a computer and the BlackBerry® Smart Card Reader complete the secure pairing
process, all data that they send between them is encrypted and authenticated on the application layer with keys that
they derive from the shared connection key. By default, the BlackBerry device or computer and the BlackBerry Smart
Card Reader use AES-256 in CBC mode to encrypt the data and HMAC with SHA-512 to authenticate it, but they
can negotiate different algorithms during the initial key establishment protocol.
The keys protect the data on the application layer for the lifetime of the connection. The connection is lost or closed
if either the BlackBerry device or the BlackBerry Smart Card Reader moves outside of Bluetooth® technology range, or
if the BlackBerry device wireless adapter or the computer's Bluetooth adapter turns off for any reason. When the
Bluetooth connection between the BlackBerry device or computer and the BlackBerry Smart Card Reader closes or is
lost, the two sides must renegotiate the keys before they exchange further data.
You can configure the Maximum Connection Heartbeat Period IT policy rule to control when the Bluetooth
connection closes based on the secure heartbeat settings. For more information about configuring this IT policy rule,
see "Managing the BlackBerry Smart Card Reader".
For more information, see "Application layer protocol encryption and authentication".
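The following Go program is an added illustration of the application-layer scheme described above; it is not code from the BlackBerry Smart Card Reader or from this overview. It derives a separate encryption key and authentication key from a shared connection key, encrypts with AES-256-CBC, and authenticates the IV and ciphertext with HMAC-SHA-512 in encrypt-then-MAC order, so that a modified message is rejected before any decryption happens. The overview does not specify the derivation function, the message layout, or the padding, so the label-based HMAC derivation, the IV || ciphertext || tag layout, and PKCS#7 padding used here are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// SessionKeys holds the two keys derived from the shared connection key:
// one for AES-256-CBC encryption and one for HMAC-SHA-512 authentication.
type SessionKeys struct {
	EncKey []byte // 32 bytes for AES-256
	MacKey []byte // 64 bytes for HMAC-SHA-512
}

// DeriveSessionKeys derives distinct encryption and MAC keys from the shared
// connection key. The label-based HMAC-SHA-512 derivation is an assumption
// for this example; the overview only says the keys are derived from it.
func DeriveSessionKeys(connectionKey []byte) SessionKeys {
	derive := func(label string) []byte {
		m := hmac.New(sha512.New, connectionKey)
		m.Write([]byte(label))
		return m.Sum(nil) // 64 bytes
	}
	return SessionKeys{EncKey: derive("example-enc")[:32], MacKey: derive("example-mac")}
}

// pkcs7Pad pads to a whole number of AES blocks (assumed padding scheme).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal encrypts plaintext with AES-256-CBC under a fresh random IV and then
// authenticates IV||ciphertext with HMAC-SHA-512 (encrypt-then-MAC).
// Assumed message layout: IV (16 bytes) || ciphertext || tag (64 bytes).
func Seal(keys SessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(keys.EncKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	m := hmac.New(sha512.New, keys.MacKey)
	m.Write(body)
	return append(body, m.Sum(nil)...), nil
}

// Open checks the tag in constant time before touching the ciphertext, so a
// forged or modified message is rejected without being decrypted.
func Open(keys SessionKeys, msg []byte) ([]byte, error) {
	const tagLen = sha512.Size
	if len(msg) < 2*aes.BlockSize+tagLen {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	m := hmac.New(sha512.New, keys.MacKey)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(keys.EncKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed sample connection key; a real one comes out of the pairing protocol.
	keys := DeriveSessionKeys(bytes.Repeat([]byte{0x42}, 32))
	sealed, _ := Seal(keys, []byte("constructed smart card message"))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err := Open(keys, sealed)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The tag is verified with hmac.Equal before the CBC decryption runs, which is the property that makes the MAC useful here: a message whose ciphertext, IV, or tag has been altered in transit never reaches the padding check, so neither padding errors nor decrypted bytes leak anything to the other side.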

Two-factor authentication

If a user has a smart card authenticator module, smart card driver, and smart card reader driver installed on a
BlackBerry® device or computer, you or the user can start the process for two-factor authentication on the
BlackBerry device or computer. The process is designed to bind the BlackBerry device or computer to the installed
smart card. After the BlackBerry device or computer binds to the smart card, it requires that smart card to
authenticate the user.

Turning on two-factor authentication on a BlackBerry device

You can configure the Force Smart Card Two-Factor Authentication IT policy rule to require that a user use a smart
card to authenticate with a BlackBerry® device. If you do not force the user to use a smart card to authenticate with
the BlackBerry device, the user can turn two-factor authentication with the smart card on or off by changing the
User Authenticator field in the Security options on the BlackBerry device.
When you turn on two-factor authentication on the BlackBerry device, the following events occur:
1. The BlackBerry device locks.
2. The BlackBerry device pushes the current IT policy to the BlackBerry® Smart Card Reader.
3. When a user tries to unlock the BlackBerry device, the BlackBerry device prompts the user to type the
   BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device
   forces the user to set a password.
4. The BlackBerry device prompts the user to type the smart card password to turn on two-factor
   authentication with the installed smart card.
5. The BlackBerry device binds to the installed smart card automatically by storing the smart card binding
   information in a BlackBerry device NV store, which is designed to be inaccessible to the user.
When a user turns on two-factor authentication on the BlackBerry device, the following events occur:
1. The BlackBerry device prompts the user to type the BlackBerry device password. If the user has not yet
   configured a BlackBerry device password, the BlackBerry device forces the user to set a password.
2. The BlackBerry device prompts the user to type the smart card password to turn on two-factor
   authentication with the installed smart card.