Encrypting and authenticating data on the application layer; Using two-factor authentication; Turning on two-factor authentication on the BlackBerry device - BlackBerry PRD-09695-004 Smart Card Reader Manual

Blackberry smart card reader security technical overview

BlackBerry Smart Card Reader

Encrypting and authenticating data on the application layer

When the BlackBerry device or computer and the BlackBerry Smart Card Reader complete the secure pairing
process, all data that they send between them is encrypted and authenticated on the application layer using keys
that they derive from the shared connection key. See "Appendix C: Application layer protocol encryption and
authentication" on page 22 for more information.
By default, the BlackBerry device or computer and the BlackBerry Smart Card Reader use AES-256 in CBC mode to
encrypt the data and HMAC-SHA-512 to authenticate it, but they can negotiate different algorithms during the
initial key establishment protocol.
The keys protect the data on the application layer for the lifetime of the connection. The connection is lost or
closed if either the BlackBerry device or the BlackBerry Smart Card Reader moves outside of sufficient wireless
coverage, or if the BlackBerry device wireless transceiver or the computer's Bluetooth adaptor turns off for any
reason. When the Bluetooth connection between the BlackBerry device or computer and the BlackBerry Smart Card
Reader closes or is lost, the parties must renegotiate the keys before they can exchange data again; keys from
the previous connection are not reused.
You can set the Maximum Connection Heartbeat Period IT policy rule to control when the Bluetooth connection
closes based on the secure heartbeat settings. See "Managing BlackBerry Smart Card Reader technology" on
page 10 for more information about setting this IT policy rule.
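The following Go program is an added illustration of the application-layer protection described above; it is not BlackBerry's code and does not reproduce the key derivation in Appendix C. It assumes a 32-byte AES-256 key and a 64-byte HMAC key are each derived from the shared connection key with HMAC-SHA-512 under distinct labels (the labels are an assumption), frames each message as IV || AES-256-CBC ciphertext || HMAC-SHA-512 tag (encrypt-then-MAC), and verifies the tag before decrypting. It also shows the practical consequence of the connection-loss rule: a frame protected under one connection key fails authentication under keys derived from a renegotiated one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// sessionKeys holds the per-connection keys derived from the shared connection key.
type sessionKeys struct {
	enc []byte // 32 bytes: AES-256 key
	mac []byte // 64 bytes: HMAC-SHA-512 key
}

// deriveKeys derives the encryption and authentication keys from the shared
// connection key. The HMAC-based derivation and the label strings are an
// assumption for this example, not the derivation used by the real product.
func deriveKeys(connectionKey []byte) sessionKeys {
	encK := hmac.New(sha512.New, connectionKey)
	encK.Write([]byte("application-layer-encryption"))
	macK := hmac.New(sha512.New, connectionKey)
	macK.Write([]byte("application-layer-authentication"))
	return sessionKeys{enc: encK.Sum(nil)[:32], mac: macK.Sum(nil)}
}

// pkcs7Pad pads to a whole number of AES blocks (CBC needs block-aligned input).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// protect returns IV || AES-256-CBC(plaintext) || HMAC-SHA-512(IV || ciphertext).
func protect(k sessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...)) // copy so the caller's slice is untouched
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	msg := append(iv, ct...)
	tag := hmac.New(sha512.New, k.mac)
	tag.Write(msg)
	return append(msg, tag.Sum(nil)...), nil
}

// unprotect verifies the tag in constant time first and only then decrypts,
// so a forged or corrupted frame is rejected before any plaintext is produced.
func unprotect(k sessionKeys, frame []byte) ([]byte, error) {
	const tagLen = sha512.Size
	if len(frame) < 2*aes.BlockSize+tagLen {
		return nil, errors.New("frame too short")
	}
	msg, tag := frame[:len(frame)-tagLen], frame[len(frame)-tagLen:]
	m := hmac.New(sha512.New, k.mac)
	m.Write(msg)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed connection key; in the product this comes from secure pairing.
	keys := deriveKeys([]byte("constructed-shared-connection-key"))
	frame, _ := protect(keys, []byte("APDU: SELECT applet")) // constructed sample message
	pt, err := unprotect(keys, frame)
	fmt.Printf("same connection: %q err=%v\n", pt, err)
	frame[20] ^= 0x01 // corrupt one ciphertext byte
	_, err = unprotect(keys, frame)
	fmt.Println("tampered frame:", err)
	_, err = unprotect(deriveKeys([]byte("renegotiated-key")), frame)
	fmt.Println("keys from a new connection:", err)
}
```

The tag is computed over the IV as well as the ciphertext so that an attacker who can reach the Bluetooth link cannot flip plaintext bits by altering the IV of the first block.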

Using two-factor authentication

If a user has a smart card authenticator module, smart card driver, and smart card reader driver installed on their
BlackBerry device or computer, either you or that user can start the process for two-factor authentication on the
BlackBerry device or computer. The process is designed to bind the BlackBerry device or computer to the
installed smart card. After the BlackBerry device or computer binds to the smart card, it requires that smart card
to authenticate the user.

Turning on two-factor authentication on the BlackBerry device

You can set the Force Smart Card Two-Factor Authentication IT policy rule in the BlackBerry Manager to require
that a user authenticates with the BlackBerry device using a smart card. If you do not force the user to
authenticate with the BlackBerry device using a smart card, the user can turn on or turn off two-factor
authentication with the smart card by setting the User Authenticator field in the BlackBerry device Security
Options.
When you turn on two-factor authentication on the BlackBerry device using the IT policy rule, the following events occur:
1. The BlackBerry device locks.
2. The BlackBerry device pushes the current IT policy to the BlackBerry Smart Card Reader.
3. When a user tries to unlock the BlackBerry device, the BlackBerry device prompts the user to type the
BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device
forces the user to set a password.
4. The BlackBerry device prompts the user to type the smart card password to turn on two-factor
authentication with the installed smart card.
5. The BlackBerry device binds to the installed smart card automatically by storing the smart card binding
information in a BlackBerry device NV store location, which is designed to be inaccessible to the user.
When a user turns on two-factor authentication on the BlackBerry device, the following events occur:
1. The BlackBerry device prompts the user to type the BlackBerry device password. If the user has not yet set a
BlackBerry device password, the BlackBerry device forces the user to set a password.
2. The BlackBerry device prompts the user to type the smart card password to turn on two-factor
authentication with the installed smart card.
3. The BlackBerry device binds to the installed smart card automatically by storing the smart card binding
information in a BlackBerry device NV store location, which is designed to be inaccessible to the user.
www.blackberry.com
17
