Blackberry PlayBook Security Technical Overview
Hide thumbs
Also See for PlayBook:
- User manual (105 pages) ,
- Ui manuallines (39 pages) ,
- Specifications (21 pages)
Table of Contents
Advertisement
Quick Links
Download this manual
See also:
User Manual
Advertisement
Table of Contents
Related Manuals for Blackberry PlayBook
Summary of Contents for Blackberry PlayBook
- Page 1 BlackBerry PlayBook Tablet Version: 1.0 Security Technical Overview...
- Page 2 Published: 2011-09-08 SWD-1674396-0316050254-001...
-
Page 3: Table Of Contents
Generating a BlackBerry Bridge pairing key during the BlackBerry Bridge pairing process......Process flow: Generating a BlackBerry Bridge pairing key................ Connecting a tablet to a smartphone that is activated on the BlackBerry Enterprise Server or BlackBerry Internet Service..............................Process flow: Generating a BlackBerry Bridge work key................ - Page 4 Signature scheme algorithms........................... Key agreement schemes........................... Cryptographic protocols........................... Cryptographic APIs............................VPN cryptographic support..........................Wi-Fi cryptographic support..........................9 Attacks that the BlackBerry Bridge pairing process is designed to prevent............. Brute-force attack............................. Online dictionary attack............................ Eavesdropping..............................Impersonating a smartphone........................... Man-in-the-middle attack..........................Small subgroup attack............................
- Page 5 12 Legal notice...............................
-
Page 6: Revision History
Opening an encrypted and authenticated connection between a tablet and smartphone • The BlackBerry Bridge pairing key • Connecting a tablet to a smartphone that is activated on the BlackBerry Enterprise Server or BlackBerry Internet Service • Reconnecting a tablet to a smartphone •... - Page 7 Security Technical Overview Revision history Date Description • Using the tablet password • The tablet file system • Using the smartphone password to help protect access to the tablet • Deleting data from the tablet memory • Symmetric encryption algorithms 4 April 2011 Initial version...
-
Page 8: Tablet Security Features
Protection of the user spaces that The BlackBerry Tablet OS runs each process in a user space on the tablet. applications run in To help protect a user space, the BlackBerry Tablet OS is designed to evaluate the requests that processes make for memory outside of the user space. -
Page 9: System Requirements: Tablet
Item Requirement BlackBerry Enterprise Server version To use IT policy rules to control settings for the BlackBerry Bridge and BlackBerry PlayBook tablet, your organization's environment must include BlackBerry Enterprise Server 4.0 or later and the IT policy rules included in KB26294 imported into the BlackBerry Enterprise Server. -
Page 10: Opening An Encrypted And Authenticated Connection Between A Tablet And Smartphone
To start the pairing processes, the user can add a smartphone in the Paired Device options on the tablet or in the BlackBerry Bridge application on the device. If the BlackBerry PlayBook tablet user presses and holds the power key to reset the tablet, the tablet erases the BlackBerry Bridge work key from memory. -
Page 11: The Blackberry Bridge Pairing Key
The smartphone prompts the user each time a Bluetooth device tries to connect to the smartphone. The BlackBerry Bridge pairing key The first time that a BlackBerry PlayBook tablet connects to a BlackBerry smartphone, the tablet connects with the smartphone using Bluetooth technology and generates a BlackBerry Bridge pairing key. The BlackBerry Bridge pairing key is designed to protect data as it travels between the tablet and smartphone. -
Page 12: Process Flow: Generating An Initial Pairing Key
Related topics Cryptosystem parameters that the BlackBerry Bridge pairing process uses to generate an initial pairing key, 11 Process flow: Generating an initial pairing key The BlackBerry smartphone sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry PlayBook tablet to confirm that a Bluetooth connection to the tablet exists and to verify that the smartphone and tablet both understand the protocol. -
Page 13: Cryptosystem Parameters That The Blackberry Bridge Pairing Process Uses To Generate An Initial Pairing Key
The tablet and smartphone use the initial pairing key to generate a BlackBerry Bridge pairing key. The BlackBerry Bridge pairing key is used to encrypt and authenticate the data that the tablet and smartphone send between each other. -
Page 14: Process Flow: Generating A Blackberry Bridge Pairing Key
Generating a BlackBerry Bridge pairing key during the BlackBerry Bridge pairing process uses a unique, random, ephemeral key pair to create the new BlackBerry Bridge pairing key. The tablet discards the ephemeral key pair after generating the BlackBerry Bridge pairing key. Even if the ephemeral private keys from a specific protocol run of the ECDH algorithm are compromised, the BlackBerry Bridge pairing keys from other runs of the same protocol remain uncompromised. -
Page 15: Connecting A Tablet To A Smartphone That Is Activated On The Blackberry Enterprise Server Or Blackberry Internet Service
If a tablet connects to a smartphone that was activated on the BlackBerry Internet Service only, then the data that the smartphone stores on the tablet is considered personal data. Personal data that is stored on the tablet is not encrypted. -
Page 16: Bluetooth Security Features On The Tablet And Smartphone
Bluetooth technology on the tablet and smartphone. You can use the BlackBerry Enterprise Server to set IT policy rules in the Bluetooth policy group that are designed to control the behaviour of Bluetooth enabled smartphones. For more information about the IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide. -
Page 17: Using It Policy Rules To Manage Bluetooth Technology On Smartphones
Using IT policy rules to manage Bluetooth technology on smartphones You can use the BlackBerry Enterprise Server to set IT policy rules that are designed to control the behaviour of Bluetooth enabled BlackBerry smartphones. For example, you can configure the following IT policy rules in the Bluetooth policy group to manage Bluetooth settings on smartphones. -
Page 18: Specifying Bluetooth Connections That Third-Party Applications Can Access
Bluetooth profiles unavailable for applications by default and to turn on the Bluetooth Serial Port Profile for the BlackBerry PlayBook tablet driver only. If you configure these settings, only specific applications are allowed to use the tablet driver. -
Page 19: Bluetooth Profiles That The Tablet Supports
• Are Local Connections Allowed Bluetooth profiles that the tablet supports A BlackBerry PlayBook tablet uses Bluetooth profiles to communicate with BlackBerry smartphones and other types of Bluetooth enabled devices. The tablet supports the following Bluetooth profiles. Profile Description... -
Page 20: Securing Tablets In Your Organization's Environment For Work Use
These security features are not available when the user connects the tablet to a smartphone that is activated on the BlackBerry Internet Service. If the user connects the tablet to a smartphone that is activated on a BlackBerry Internet Service, the tablet specifies that all data and applications on the tablet are for personal use. -
Page 21: How A Tablet Protects Work Data
How a tablet protects work data The BlackBerry PlayBook tablet is designed to prevent work data from persisting in flash memory in cleartext form. When the tablet is connected to a BlackBerry smartphone, the tablet caches work data locally in the work file system. -
Page 22: What Happens When A User Updates Or Creates Work Files On A Tablet
Applications on a BlackBerry PlayBook tablet can run in work mode, personal mode, or both, depending on the metadata that is associated with them. By default, all applications on the tablet run in personal mode. After a BlackBerry PlayBook tablet user connects a tablet to a BlackBerry smartphone that is activated on a BlackBerry Enterprise Server, an application can run in work mode. -
Page 23: Comparison Of Work Applications And Personal Applications
Document viewers such as Documents To Go or Adobe Reader • Files application The tablet permits the following applications to run in personal mode only: • Applications that a BlackBerry PlayBook tablet user downloads and installs on the tablet • Browser • Maps application •... -
Page 24: Access Rights For Work Data And Personal Data That The Blackberry Tablet Os Grants To Applications
A BlackBerry PlayBook tablet user can access the Bridge Browser on the tablet by clicking the Bridge Browser icon on the BlackBerry Bridge panel. By default, when a user clicks a link in a work application (for example, a link in work email messages, work calendar entries, the contact list, tasks, memos, or BlackBerry Messenger messages), the tablet opens the link in personal mode using the browser. -
Page 25: Running The Files Application In Work Mode
• No Wi-Fi connection is available. To open a link using the Bridge Browser, the tablet must be able to access the BlackBerry MDS Connection Service. Running the Files application in work mode When a BlackBerry PlayBook tablet runs the Files application in work mode, a BlackBerry PlayBook tablet user can access the files that are stored on the media card that is inserted in the BlackBerry smartphone. -
Page 26: Connecting A Tablet To An Enterprise Wi-Fi Network
The tablet can automatically distinguish between work data and personal data if a smartphone that is activated on a BlackBerry Enterprise Server connects to the tablet and treats all data that the smartphone sends as work data. For more information about configuring a smartphone to distinguish... -
Page 27: The Blackberry Tablet Os
BlackBerry Tablet OS starts and if the integrity test detects damage to the kernel, the tablet does not start. The BlackBerry Tablet OS is designed to be resilient. The kernel is designed isolate a process in its user space if it stops responding and to restart the process without negatively affecting other processes. -
Page 28: How The Blackberry Tablet Os Uses Sandboxing To Protect Application Data
If a process tries to access memory outside of its sandbox without approval from the BlackBerry Tablet OS, the BlackBerry Tablet OS is designed to end the process, reclaim all of the memory that the process is using, and restart the process without negatively affecting other processes. -
Page 29: How The Tablet Verifies The Boot Rom Code
ROM code. When a BlackBerry PlayBook tablet user turns on a tablet, it runs internal ROM code that reads the boot ROM from memory and verifies the digital signature of the boot ROM code using the RSA public key. If the verification process completes, the boot ROM is permitted to run on the tablet. -
Page 30: Protecting User Information
If you permit a user to connect a tablet to a smartphone that is associated with a BlackBerry Enterprise Server, you can use IT policy rules to control the password security level on the smartphone and tablet. If you send the Specify new device password and lock device IT administration command to the smartphone, the tablet requires the user to provide the new smartphone password when the tablet accesses any smartphone data. -
Page 31: Deleting Data From The Tablet Memory
BlackBerry Bridge work key and the Bluetooth connection to the tablet closes. The tablet locks all work applications and deletes its copy of the BlackBerry Bridge work key, which is stored only in RAM. - Page 32 (in hours), to the smartphone. The maximum delay is 168 hours (7 days). • You click the Remove user data from current device option in the BlackBerry Administration Service after you connect the smartphone to the BlackBerry Administration Service. This option deletes all data and applications...
-
Page 33: Cryptographic Algorithms, Codes, Protocols, And Apis That The Tablet Supports
Security Technical Overview Cryptographic algorithms, codes, protocols, and APIs that the tablet supports Cryptographic algorithms, codes, protocols, and APIs that the tablet supports The BlackBerry PlayBook tablet supports the following types of cryptographic algorithms, codes, protocols, and APIs: • Symmetric encryption algorithms •... -
Page 34: Hash Algorithms
Security Technical Overview Hash algorithms Hash algorithms Algorithm Digest size (in bits) MDC-2 RIPEMD-160 SHA-1 SHA-2 224, 256, 384, 512 Message authentication codes Codes Use with Key length (in bits) AES-XCBC-MAC — HMAC HMAC SHA-1 HMAC RIPEMD-160 Signature scheme algorithms Algorithm Key length (in bits) Type... -
Page 35: Cryptographic Protocols
Security Technical Overview Cryptographic protocols Cryptographic protocols • • • IPSec • • • WPA2 Cryptographic APIs • libeap • libipsec • PF-Key • Security Builder® Crypto™-C • OpenSSL VPN cryptographic support Authentication IKE IPSec Protocol IKE IPSec cipher IKE IPSec hash IKE PRF types DH group... - Page 36 Security Technical Overview Wi-Fi cryptographic support Cryptographic protocol Encryption protocol EAP outer method EAP inner method WPA2 TKIP, CCMP (AES) PEAP, EAP-TTLS, EAP-FAST, MSCHAPv2, EAP-GTC EAP-TLS...
-
Page 37: Attacks That The Blackberry Bridge Pairing Process Is Designed To Prevent
BlackBerry PlayBook tablet and BlackBerry smartphone. The goal of the potentially malicious user is to determine the BlackBerry Bridge pairing key on the tablet and smartphone and then use the key to decrypt the data that the tablet and smartphone send between each other. -
Page 38: Impersonating A Smartphone
BlackBerry PlayBook tablet and BlackBerry smartphone to generate BlackBerry Bridge pairing keys from a small subset of keys. If the BlackBerry Bridge pairing key is generated from a small subset of keys, it is easier for the potentially malicious user to guess the BlackBerry Bridge pairing key. -
Page 39: Glossary
Security Technical Overview Glossary Glossary Advanced Encryption Standard AES-CCMP Advanced Encryption Standard Counter Mode CBCMAC Protocol AES-XCBC-MAC Advanced Encryption Standard extended cipher block chaining message authentication code application programming interface CAST Carlisle Adams Stafford Tavares cipher block chaining cipher feedback Counter Data Encryption Standard Diffie-Hellman... - Page 40 IPsec Internet Protocol Security IT policy An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerryWeb Desktop Manager. IT policy rule An IT policy rule permits you to customize and control the actions that BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager can perform.
- Page 41 Security Technical Overview Glossary output feedback PEAP Protected Extensible Authentication Protocol Perfect Forward Secrecy Public Key Infrastructure pre-shared key RACE Research and Development in Advanced Communications Technologies in Europe Rivest's Cipher Request for Comments RIM signing authority system The RIM signing authority system is used by third-party developers to cryptographically sign their applications. RIPEMD RACE Integrity Primitives Evaluation Message Digest Secure Hash Algorithm...
- Page 42 Security Technical Overview Glossary Transport Layer Security Triple DES Triple Data Encryption Standard virtual private network Wireless Application Protocol Wired Equivalent Privacy Wi-Fi Protected Access Xor-Encrypt-Xor XEX-based Tweaked CodeBook mode with CipherText Stealing...
-
Page 43: Provide Feedback
Security Technical Overview Provide feedback Provide feedback To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback. -
Page 44: Legal Notice
Legal notice Legal notice ©2012 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. - Page 45 Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights.
- Page 46 Security Technical Overview Legal notice Certain features outlined in this documentation require a minimum version of BlackBerry® Enterprise Server, BlackBerry® Desktop Software, and/or BlackBerry® Device Software. The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto.
Need help?
Do you have a question about the PlayBook and is the answer not in the manual?
Questions and answers