BlackBerry Enterprise Solution Version: 5.
SWD-847262-1028044248-001
Contents

1 Overview
BlackBerry Enterprise Solution security
Security features of the BlackBerry Enterprise Solution
Using IT policy rules to manage BlackBerry Enterprise Solution security
Sending an IT policy over the wireless network
Using IT administration commands to protect a lost or stolen BlackBerry device
Process flow: Generating an encryption key for a media card
How the BlackBerry Attachment Service protects data on a BlackBerry device
Best practice: Protecting the BlackBerry Attachment Service
What happens to data that is not delivered because a BlackBerry device is not available on the wireless network
10 Protecting BlackBerry Enterprise Solution communications in your organization's environment
Updating the BlackBerry Device Software from an update web site
Protecting cryptographic services data when updating the BlackBerry Device Software from an update web site
Creating two-factor authentication methods ..... 98
Two-factor content protection ..... 99
Unbinding a smart card from a BlackBerry device
EAP authentication methods that a Wi-Fi enabled BlackBerry device supports
LEAP authentication
PEAP authentication
21 Glossary ..... 127
22 Provide feedback ..... 139
23 Legal notice
Security Technical Overview

1 Overview

BlackBerry Enterprise Solution security

The BlackBerry® Enterprise Solution consists of various products and components that are designed to extend your organization's communication methods to BlackBerry devices. The BlackBerry Enterprise Solution is designed to protect data that is in transit at all points between a BlackBerry device and the BlackBerry® Enterprise Server.

Security features of the BlackBerry Enterprise Solution

Feature: data protection
Description: The BlackBerry® Enterprise Solution is designed to protect data that is in transit between the BlackBerry® Enterprise Server and a BlackBerry device, and data that is in transit between your organization's messaging server and the email application on the user's computer.

Architecture: BlackBerry Enterprise Solution

The BlackBerry® Enterprise Solution consists of various components that permit you to extend your organization's communication methods to BlackBerry devices.

Component: BlackBerry Administration Service
Description: The BlackBerry Administration Service is a BlackBerry® Enterprise Server component that connects to the BlackBerry Configuration Database. You can use the BlackBerry Administration Service to manage BlackBerry Enterprise Server components, user accounts, and features for a BlackBerry device.

Component: BlackBerry Device Software
Description: The BlackBerry Device Software consists of the applications on a BlackBerry device that permit the user to send and receive email messages, PIN messages, and text messages; manage calendar entries; and so on.

Component: BlackBerry Dispatcher
Description: The BlackBerry Dispatcher is a BlackBerry Enterprise Server component that compresses and encrypts all data that a BlackBerry device sends and receives.

Component: BlackBerry® MDS Studio
Description: Your organization's developers can use the BlackBerry MDS Studio to create BlackBerry MDS Runtime Applications and to publish the applications to the BlackBerry MDS Application Repository.

Component: BlackBerry® Smart Card Reader
Description: The BlackBerry Smart Card Reader controls access to your organization's sensitive communications using Bluetooth® technology and the latest encryption technologies. The BlackBerry Smart Card Reader permits an organization to use two-factor authentication.
2 New in this release

This document describes the security features that the BlackBerry® Enterprise Server version 5.0 SP1, the BlackBerry® Desktop Software version 5.0, the BlackBerry® Device Software version 5.0, and the BlackBerry® Smart Card Reader version 2.0 support, unless otherwise stated.
3 Keys on a BlackBerry device

The BlackBerry® Enterprise Solution generates keys that are designed to protect the data that is stored on a BlackBerry device and the data that the BlackBerry device and the BlackBerry® Enterprise Server send to each other.

Key: content protection key
Description: The content protection key encrypts user data on the BlackBerry device when the BlackBerry device is locked.

Key: ECC public key
Description: The ECC public key encrypts the stored data that the BlackBerry device receives when the BlackBerry device is locked.

Key: ephemeral key
Description: The ephemeral key encrypts the ECC public key, the ECC private key, and the content protection key on the BlackBerry device.

Key: PIN encryption key
Description: The PIN encryption key scrambles PIN messages.

Device transport keys

State: pending
Description: A pending device transport key is the device transport key that the BlackBerry Enterprise Solution generates to replace the current device transport key. If the user generates the device transport key using the BlackBerry® Desktop Software, the BlackBerry Desktop Software sends the pending device transport key to the BlackBerry device when the user connects the BlackBerry device to the computer.

A BlackBerry device stores the device transport keys in a key store database in flash memory. The key store database is designed to prevent a potentially malicious user from copying the device transport keys to a computer by trying to back up the device transport keys. A potentially malicious user cannot extract key data from flash memory.

If a user activates the BlackBerry device over the wireless network, the BlackBerry® Enterprise Server and the BlackBerry device negotiate to select the strongest algorithm that they both support (either AES or Triple DES) and use that algorithm to generate a device transport key.

For more information about the ECMQV key exchange algorithm, see NIST Special Publication 800-56, Recommendation on Key Establishment Schemes, Draft 2.0, and the Guide to Elliptic Curve Cryptography.
To generate the device transport key, the BlackBerry Desktop Software performs the following actions:
• prompts the user to move the cursor
• uses the srand function of the C programming language to examine the lowest 12 bits of the x and y co-ordinates of the new cursor location; if the bits are different from the previous sample, the BlackBerry Desktop Software stores the bits, which generates 3 bytes of randomness
• uses the SHA-1 function to hash the 256 bits
• generates the device transport key of the BlackBerry device using the first 128 bits of the hash

Message keys

A BlackBerry® Enterprise Server and a BlackBerry device generate one or more message keys that are designed to protect the integrity of the data (for example, short keys or large messages) that the BlackBerry Enterprise Server and the BlackBerry device send to each other.

8. uses the pseudo-random bits with AES encryption or Triple DES encryption to generate the message key

For more information about the DSA PRNG function, see Federal Information Processing Standard FIPS PUB 186-2.

Process flow: Generating a message key on a BlackBerry device

A BlackBerry® device is designed to use the DSA PRNG function to generate a message key. To generate a message key, the BlackBerry device performs the following actions:
Content protection keys

Process flow: Turning on content protection using a BlackBerry Enterprise Server

You can turn on content protection using a BlackBerry® Enterprise Server when you configure the Content Protection Strength IT policy rule.

1. The BlackBerry Enterprise Server performs the following actions:
   a. selects b randomly
   b. calculates B = bP
   c. stores b in the BlackBerry Configuration Database
   d. sends B in the IT policy to the BlackBerry device

The content protection key is a semi-permanent key that uses AES-256 encryption. If the user changes the BlackBerry device password, the BlackBerry device uses the new password to derive a new ephemeral key. The BlackBerry device uses the new ephemeral key to re-encrypt the versions of the content protection key and the ECC private key that are in flash memory.

Principal encryption keys

Process flow: Generating a principal encryption key

When you or a user turns on content protection for device transport keys on a BlackBerry® device for the first time, the BlackBerry device performs the following actions:
1. generates a principal encryption key, which is an AES-256 encryption key
2. stores the decrypted principal encryption key in RAM
3. uses the existing content protection key to encrypt the principal encryption key
4 Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other

To encrypt data that is in transit between the BlackBerry® Enterprise Server and a BlackBerry device in your organization, the BlackBerry® Enterprise Solution uses BlackBerry transport layer encryption.

Algorithms that the BlackBerry Enterprise Solution uses to encrypt data

A traditional attack tries to exploit data that a cryptographic system stores or transmits. The potentially malicious user tries to determine the key or the plaintext data by exploiting a weakness in the design of the cryptographic algorithm or protocol.

The BlackBerry device masks the round keys with random values and any S-Box masks that the AES algorithm requires to work. Round keys are subkeys that the key schedule calculates for each round of encryption.

Process flow: Sending an email message to a BlackBerry device using BlackBerry transport layer encryption

   b. decrypts the email message using the message key
   c. decompresses the email message
   d. displays the email message to the user

Process flow: Sending an email message from a BlackBerry device using BlackBerry transport layer encryption

1. A sender sends an email message from a BlackBerry® device to a recipient.
5 Managing BlackBerry Enterprise Solution security

Using an IT policy to manage BlackBerry Enterprise Solution security

You can use an IT policy to control a BlackBerry® device, a BlackBerry enabled device, the BlackBerry® Desktop Software, and the BlackBerry® Web Desktop Manager in your organization's environment.

Sending an IT policy over the wireless network

If your organization's environment includes C++ based BlackBerry® devices that are running BlackBerry® Device Software version 2.5 or later or Java® based BlackBerry devices that are running BlackBerry Device Software version 3.

Using IT administration commands to protect a lost or stolen BlackBerry device

This IT administration command permits you to:
• require the BlackBerry device to return to its factory default settings when it receives this command
• specify whether to permit the BlackBerry device user to stop permanently deleting data from the BlackBerry device and making the BlackBerry device unavailable during the delay period
You can send this command to a BlackBerry device that you want to distrib
   e. uses K to decrypt the content protection key
   f. permanently deletes K
5. The BlackBerry device performs the following actions:
   a. selects d randomly
   b. calculates D = dP
   c. stores D in flash memory
   d. calculates K = dB
   e. uses K to encrypt the new BlackBerry device password

Using a segmented network architecture to prevent the spread of malware

To help prevent the spread of malware in your organization's network, you can use firewalls to divide your organization's network or LAN into segments and create a segmented network architecture. Each segment can manage the network traffic for a specific BlackBerry® Enterprise Solution component.

Best practice: Controlling which applications can use the GPS feature on a BlackBerry device

Best practice: Control which application on the BlackBerry device can use the GPS feature.
Description: Consider preventing a third-party application or a preloaded BlackBerry Application from accessing the global position of the BlackBerry device.

Best practice: Control when the BlackBerry device reports its location to the BlackBerry® Enterprise Server.
6 BlackBerry device memory

The BlackBerry® device memory consists of various sections that store user data and sensitive information such as keys. Third-party applications on a BlackBerry device cannot write to or access the sections that store sensitive information.

Section: flash memory
Description: The flash memory is a file system that is internal to the BlackBerry device. The flash memory stores application data and user data.

When a BlackBerry device overwrites data in the BlackBerry device memory

To change when the memory cleaner application runs, you can use IT policies, or the BlackBerry device user can turn on or turn off the memory cleaner application in the Security options on the BlackBerry device.

Deleting all device data from the BlackBerry device memory

A BlackBerry® device is designed to permanently delete the following data from the NV store, flash memory, and on-board device memory:
• all user data
• any references to your organization's PIN encryption key
• any references to the device transport key
• if applicable, authentication information (for example, the binding information of the smart card)
• IT pol

• You click the Remove user data from current device option in the BlackBerry Administration Service after you connect the BlackBerry device to the BlackBerry Administration Service. This option deletes all data and applications from the BlackBerry device even if service books do not exist on the BlackBerry device.

Scrubbing the memory of a BlackBerry device when deleting all BlackBerry device data

Process flow: Deleting all device data from a BlackBerry device

The following actions occur when you or a user deletes all device data.
1. The BlackBerry® device adds a Device Under Attack flag to the NV store.

Scrubbing the BlackBerry device heap in RAM when deleting all BlackBerry device data

To overwrite the BlackBerry® device heap that is in RAM when content protection is turned on, the BlackBerry device changes the state of each bit four times. The memory scrub process performs the following actions:
1. writes 0x33 to each byte (0011 0011₂)

Scrubbing the user files on a BlackBerry device when deleting all BlackBerry device data

If a BlackBerry® device supports a partition of flash memory to store files that a user saved to the on-board device memory and you or a user turned on content protection, the memory scrub process overwrites that section of the BlackBerry device memory by writing a single character before the memory scrub p
7 Protecting data on a BlackBerry device

Encrypting user data on a locked BlackBerry device

If you or a BlackBerry® device user turns on content protection, you or the user can configure a locked BlackBerry device to encrypt stored user data and data that the locked BlackBerry device receives.

The BlackBerry device uses the BlackBerry device password to generate an ephemeral key that the BlackBerry device uses to encrypt the content protection key and the ECC private key.

Encrypting the device transport key on a locked BlackBerry device

If you turn on content protection for device transport keys, a BlackBerry® device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory. The BlackBerry device encrypts the principal encryption key using the content protection key.

Resetting a BlackBerry device password when content protection is turned on

If you or a user turns on content protection for a BlackBerry® device that is running BlackBerry® Device Software version 4.3 or later, you can reset the BlackBerry device password using a BlackBerry® Enterprise Server version 4.1 SP5 or later.

Uppercase parameters represent elliptic curve points. Lowercase parameters represent scalars. The elliptic curve group operations are additive.

Parameter: E(Fq)
Description: This parameter represents the NIST approved 521-bit random elliptic curve over Fq, which has a cofactor of 1.

Parameter: Fq
Description: This parameter represents a finite field of prime order q.
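The key agreement in the process flows above (the BlackBerry Enterprise Server keeps b and sends B = bP in the IT policy; the device picks d, stores D = dP and derives K = dB; the server derives the same K as bD) as an added worked example that is not code from this document or from BlackBerry: it substitutes a constructed toy curve over F_97 for the NIST 521-bit curve E(Fq), uses a SHA-256 keystream as a stand-in for the unnamed password encryption, and applies the point-at-infinity and on-curve checks that the BlackBerry Router protocol section applies to received points.

```python
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with base point P = (3, 6).
# The document's protocol runs on the NIST 521-bit curve E(Fq); the exchange is the same.
Q_MOD = 97
A_COEF, B_COEF = 2, 3
P_BASE = (3, 6)
INF = None  # the point at infinity (identity of the additive group)

def is_on_curve(pt):
    """True if pt is the point at infinity or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % Q_MOD == 0

def point_add(p1, p2):
    """Additive group law in affine coordinates (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q_MOD == 0:
        return INF  # p2 is the inverse of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, Q_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q_MOD)
    lam %= Q_MOD
    x3 = (lam * lam - x1 - x2) % Q_MOD
    y3 = (lam * (x1 - x3) - y1) % Q_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """k*pt by double-and-add: lowercase scalars, uppercase points, as in the document."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def group_order(pt):
    """Order of pt by repeated addition; cheap only because the curve is a toy."""
    n, acc = 1, pt
    while acc is not INF:
        acc = point_add(acc, pt)
        n += 1
    return n

N_ORDER = group_order(P_BASE)  # 5 on this toy curve; scalars are drawn from 1..N_ORDER-1

def is_valid_received_point(pt):
    """The check applied to RD in the BlackBerry Router protocol: reject the point at
    infinity and anything not on the curve before using it in a scalar multiplication."""
    return pt is not INF and is_on_curve(pt)

def keystream_xor(K, data):
    """Stand-in for 'uses K to encrypt': XOR with SHA-256 of the shared point (assumption;
    the document does not name the cipher). The same call decrypts."""
    key = hashlib.sha256(f"{K[0]},{K[1]}".encode()).digest()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def server_setup():
    """BES side: selects b randomly, calculates B = bP, keeps b, sends B in the IT policy."""
    b = secrets.randbelow(N_ORDER - 1) + 1
    return b, scalar_mult(b, P_BASE)

def device_reset(B_from_policy, new_password):
    """Device side: selects d, calculates D = dP and K = dB, encrypts the new password with K."""
    if not is_valid_received_point(B_from_policy):
        raise ValueError("B from the IT policy is not a valid curve point")
    d = secrets.randbelow(N_ORDER - 1) + 1
    D = scalar_mult(d, P_BASE)
    K = scalar_mult(d, B_from_policy)
    return D, keystream_xor(K, new_password)

def server_recover(b, D, ciphertext):
    """BES side: K = bD equals the device's dB, so the new password can be recovered."""
    if not is_valid_received_point(D):
        raise ValueError("D from the device is not a valid curve point")
    K = scalar_mult(b, D)
    return keystream_xor(K, ciphertext)

def demo(new_password=b"constructed-new-password"):
    """Runs one full exchange and returns what the server recovers."""
    b, B = server_setup()
    D, ct = device_reset(B, new_password)
    return server_recover(b, D, ct)
```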
Protecting passwords that a BlackBerry device stores

• generate random passwords that are designed to improve password strength
• copy passwords and paste them into an application or a password prompt for a web site

Protecting data that a BlackBerry device stores on a media card

To protect the data that a BlackBerry® device stores on a media card, you can configure the External File System Encryption Level IT policy rule, or a user can configure the corresponding opt

How the BlackBerry Attachment Service protects data on a BlackBerry device

A BlackBerry® device uses the BlackBerry Attachment Service to process an attachment in an email message or calendar entry so that the user can view the attachment on the BlackBerry device.

How a BlackBerry device authenticates the boot ROM code and binds the BlackBerry device processor when the BlackBerry device turns on

code for a BlackBerry device during the manufacturing process, uses an RSA® public key to sign the boot ROM code. The processor is configured during the manufacturing process to store information that the processor can use to verify the digital signature of the boot ROM code.
8 Protecting the data that the BlackBerry Enterprise Solution stores in your organization's environment

Where the BlackBerry Enterprise Server stores messages and user data in the messaging environment

The BlackBerry® Enterprise Server stores the messages and user data for a BlackBerry device in the messaging environment so that the BlackBerry Enterprise Server can maintain a

Data that the BlackBerry Configuration Database stores

• name of each BlackBerry® Enterprise Server
• unique SRP authentication keys and unique SRP IDs, or UIDs, that each BlackBerry Enterprise Server uses in the SRP authentication process to open a connection to the wireless network
• IT policy private keys of the IT policy key pairs that the BlackBerry Enterprise Server generates for each BlackBerry device
• PIN of each BlackBerry device
• read-only copies of each device

Best practice
Description: Microsoft SQL Server permits the sa account and, in some cases, other user accounts to access operating system calls based on the security context of the account that runs the Microsoft SQL Server service.

• Use Microsoft SQL Server Management Studio to change the account that is associated with a Microsoft SQL Server service, if required. Microsoft SQL Server Management Studio configures the appropriate permissions on the files and registry keys that Microsoft SQL Server uses.
9 Protecting communication with a BlackBerry device

Opening a direct connection between a BlackBerry device and a BlackBerry Router

A BlackBerry® Router and a BlackBerry device can use the BlackBerry Router protocol to bypass the SRP authenticated connection to the BlackBerry® Infrastructure and open a direct connection to each other.

Closing a direct connection between a BlackBerry device and a BlackBerry Router

If a user disconnects a BlackBerry® device from a computer that hosts the BlackBerry® Device Manager, closes the BlackBerry Device Manager, or disconnects the BlackBerry device from an enterprise Wi-Fi® network, the BlackBerry device restores the connection to the BlackBerry® Infrastructure over the wireless network automa

Because the BlackBerry Router protocol can proceed past the point at which it detects corrupted data, the BlackBerry Router protocol fails only at completion. This measure is designed to prevent various timing attacks.

Process flow: Using the BlackBerry Router protocol to close an authenticated connection

The BlackBerry® Enterprise Server performs the following actions:

   b. sends RD and a device transport key identifier (KeyID) to the BlackBerry Enterprise Server

The BlackBerry Router performs the following actions:
   a. observes the data that the BlackBerry device sends and verifies that the value RD is not the point at infinity
   b. if RD is the point at infinity, the BlackBerry Router sets RD to a random value

   d. sends yB to the BlackBerry device
9. One of the following actions occurs:
   • The BlackBerry Enterprise Server and the BlackBerry device open an authenticated connection to each other if the BlackBerry device accepts yB.
Best practice: Protecting unsecured wireless messaging on the BlackBerry device

Unsecured wireless messaging includes SMS text messages, MMS messages, and PIN messages. A BlackBerry® device can send SMS text messages and MMS messages over a wireless TCP/IP connection.

Best practice: Require a user to verify whether the user wants to send a message.
Description: Consider configuring the BlackBerry device so that the user must verify whether the user wants to send an email message, SMS text message, MMS message, or PIN message.

Best practice: Turn off unsecured messaging on the BlackBerry device.

How the BlackBerry Enterprise Solution protects connections between a BlackBerry device and the Internet or intranet

Authenticating data that a BlackBerry device sends to the BlackBerry MDS Integration Service

The BlackBerry MDS security protocol uses a session key to authenticate data that the BlackBerry device sends to the BlackBerry MDS Integration Service. The BlackBerry device and the BlackBerry MDS Integration Service share the same session key. The session key is stored in the BlackBerry Configuration Database.

The BlackBerry MDS security protocol uses AES-128 in CBC mode with PKCS #5 padding to encrypt and decrypt data that a BlackBerry device and the BlackBerry MDS Integration Service send to each other.

How a BlackBerry device protects a connection to a WAP gateway

BlackBerry® Device Software versions 3.

What happens to data that is not delivered to a BlackBerry device

What happens to data that is not delivered because the connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure closes

Ten minutes after the connection between a BlackBerry® Enterprise Server and the BlackBerry® Infrastructure closes, the BlackBerry Infrastructure notifies the sender's BlackBerry device and deletes the me
10 Protecting BlackBerry Enterprise Solution communications in your organization's environment

How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other

The BlackBerry® Infrastructure and the BlackBerry® Enterprise Server must authenticate with each other before they can transfer data.

How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure

After a BlackBerry® Enterprise Server and the BlackBerry® Infrastructure open an SRP connection, the BlackBerry Enterprise Server uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure.

If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and the BlackBerry Enterprise Server close the SRP connection.

How a BlackBerry Enterprise Server and messaging server protect a connection to each other

Messaging server: Novell GroupWise
Description: The BlackBerry Enterprise Server connects to a user's mailbox in a highly secure manner using the trusted application key. The Novell GroupWise server verifies the trusted application key and permits the BlackBerry Enterprise Server to open a connection to the Novell GroupWise database for the user.

Process flow: Authenticating the application loader tool or Roxio Media Manager with the BlackBerry Desktop Software using the BlackBerry inter-process protocol

1. The application loader tool of the BlackBerry® Desktop Software or Roxio® Media Manager opens a connection to BlackBerry Desktop Software version 4.2 or later.
11 Activating a BlackBerry device

When a user activates a BlackBerry® device, the BlackBerry® Enterprise Solution authenticates the user and associates the BlackBerry device with a BlackBerry® Enterprise Server. During the activation process, the BlackBerry Enterprise Solution generates a device transport key.

Process flow: Activating a BlackBerry device over the wireless network

4. The BlackBerry Enterprise Server and the BlackBerry device use the initial key establishment protocol to generate a device transport key and verify it.
5. If the BlackBerry Enterprise Server and the BlackBerry device mutually verify the device transport key, the activation process proceeds.
Security Technical Overview Enrolling certificates on a BlackBerry device over the wireless network Enrolling certificates on a BlackBerry device over the wireless network 12 You can configure the BlackBerry® Enterprise Server to permit a BlackBerry device to enroll certificates over the wireless network.
Security Technical Overview Process flow: Enrolling a certificate when a certification authority administrator approves certificate requests 9. The BlackBerry Enterprise Server sends the certificate chain to the BlackBerry device. 10. The BlackBerry MDS Connection Service sends a status update to the BlackBerry device and sends the certificate request to the certification authority that is associated with the profile ID. 11.
Process flow: Enrolling a certificate using an RSA certification authority

9. The BlackBerry Enterprise Server sends the certificate chain to the BlackBerry device.
10. The BlackBerry MDS Connection Service sends a status update to the BlackBerry device and sends the certification request to the certification authority that is associated with the profile ID.
11. The certification authority performs the following actions:
    a.
Process flow: Enrolling a certificate using an RSA certification authority

8. The BlackBerry Enterprise Server sends the certificate chain to the BlackBerry device.
9. The BlackBerry MDS Connection Service sends a status update to the BlackBerry device and sends the certificate request to the certification authority that is associated with the name of the certification authority profile.
10. The certification authority performs the following actions:
    a.
13 Protecting BlackBerry Device Software updates

Protecting BlackBerry Device Software updates over the wireless network

You can update the BlackBerry® Device Software on a BlackBerry device over the wireless network. You can use the BlackBerry Administration Service to search for updates that match the BlackBerry device and wireless service provider, and send the updates.
Updating the BlackBerry Device Software from an update web site

• requires the user to type the BlackBerry device password before the BlackBerry Device Software update process can back up or restore user data
• requires the BlackBerry device to encrypt stored user data during the BlackBerry Device Software update process

Battery power requirements for BlackBerry Device Software updates over the wireless network

The battery power level on a BlackBerry® device must be 50% or gr
Updating the BlackBerry Device Software from an update web site

During the update process, a BlackBerry device activates itself automatically over the wireless network so that the user can use a computer that is outside your organization’s network to update the BlackBerry Device Software.
Updating the BlackBerry Device Software from an update web site

Process flow: Generating a BlackBerry services key that protects cryptographic services data

The BlackBerry® device uses an ephemeral AES-256 encryption key (called the BlackBerry services key) to encrypt the cryptographic services data. To generate the BlackBerry services key, the BlackBerry device performs the following actions:
1. 2. 3. 4. 5.
Updating the BlackBerry Device Software from an update web site

Process flow: Restoring cryptographic services data using the BlackBerry Desktop Manager or BlackBerry Application Web Loader

1. After the update process completes, the BlackBerry® Desktop Manager or BlackBerry Application Web Loader determines that cryptographic services data must be restored to the BlackBerry device.
2. 3. 4.
14 Extending messaging security to a BlackBerry device

If your organization's messaging environment supports highly secure messaging technology such as PGP® encryption or S/MIME encryption, you can configure the BlackBerry® Enterprise Solution to encrypt a message using PGP encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry® Enterprise Server forwards the message to the email applicatio
Extending messaging security using PGP encryption

Key: PGP public key
Description: The PGP Support Package for BlackBerry smartphones uses the PGP public key of the recipient to encrypt outgoing email messages and the PGP public key of the sender to verify digital signatures on incoming email messages. The PGP public key is designed so that recipients and senders can distribute and access the key without compromising it.

Key: PGP private key
Description:
Extending messaging security using PGP encryption

The PGP public key of the recipient indicates which encryption algorithm the recipient’s email application supports, and the BlackBerry device is designed to use that encryption algorithm. By default, if the PGP public key of the recipient does not include a list of encryption algorithms, the BlackBerry device encrypts the email message or PIN message using Triple DES.
Extending messaging security using S/MIME encryption

Process flow: Receiving a PGP encrypted message

If a recipient installs the PGP® Support Package for BlackBerry® smartphones on a BlackBerry device, the BlackBerry device decrypts incoming PGP encrypted messages.
1. A sender uses the PGP technology on the email application to encrypt an email message using the PGP public key of the recipient.
2. The BlackBerry® Enterprise Server performs the following actions:
    a.
3.
Extending messaging security using S/MIME encryption

The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device.
Extending messaging security using S/MIME encryption

Item: S/MIME private key
Description: When a user sends a signed email message or signed PIN message from a BlackBerry device, the BlackBerry device hashes the message using SHA-1, SHA-256, SHA-384, SHA-512, or MD5. The BlackBerry device then uses the S/MIME private key of the user to digitally sign the message hash.
Extending messaging security using S/MIME encryption

Process flow: Sending an email message using S/MIME encryption

If a sender installs the S/MIME Support Package for BlackBerry® smartphones on a BlackBerry device, the BlackBerry device encrypts outgoing email messages.
1. The BlackBerry device performs the following actions:
    a.
Extending messaging security using IBM Lotus Notes encryption

Process flow: Receiving an S/MIME-encrypted email message

If a recipient installs the S/MIME Support Package for BlackBerry® smartphones, the BlackBerry device decrypts incoming email messages.
1. The sender uses the S/MIME technology on the email application to encrypt the email message using the S/MIME certificate of the recipient.
2. The BlackBerry® Enterprise Server performs the following actions:
    a.
3. 4.
Extending messaging security using IBM Lotus Notes encryption

In BlackBerry Enterprise Server version 5.0 or later and BlackBerry® Device Software version 5.0 or later, a BlackBerry device user can encrypt messages using Lotus Notes encryption. When the BlackBerry device user creates, forwards, or replies to a message, the BlackBerry device user can indicate whether the BlackBerry Enterprise Server must encrypt the message before it sends the message to the recipients.
Extending messaging security using IBM Lotus Notes encryption

The BlackBerry Messaging Agent deletes the Lotus Notes .id file and the plain-text password when the BlackBerry® Enterprise Server cannot decrypt a message, when the BlackBerry Enterprise Server restarts, or when the password expires (the default timeout value is 24 hours). The BlackBerry Messaging Agent does not delete the encrypted password in the BlackBerry Messaging Agent memory cache.
Extending messaging security to attachments

Process flow: Receiving an IBM Lotus Notes encrypted message

1. A user uses the IBM® Lotus Notes® application on the user’s computer to encrypt a message using the password for the Lotus Notes .id file.
2. The BlackBerry® Enterprise Server performs the following actions:
    a. retrieves the Lotus Notes encrypted message from the messaging server
    b.
Extending messaging security to attachments

Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message

The S/MIME Allowed Encrypted Attachment Mode IT policy rule or PGP® Allowed Encrypted Attachment Mode IT policy rule determines how a BlackBerry® device responds when it receives a PGP/MIME encrypted message or S/MIME-encrypted message that contains an attachment.
15 Configuring two-factor authentication and protecting Bluetooth connections

BlackBerry Smart Card Reader

The BlackBerry® Smart Card Reader is an accessory that, when used in proximity to a Bluetooth® enabled BlackBerry device or a Bluetooth enabled computer, permits a user to authenticate with a smart card and log in to the BlackBerry device or computer.
Two-factor authentication

To control how a BlackBerry device can use an Advanced Security SD card, you can use the Force Smart Card Two-Factor Authentication IT policy rule, Force Smart Card Two Factor Challenge Response IT policy rule, or Disable Certificate or Key Import From External Memory IT policy rule.
Two-factor authentication

Process flow: Turning on two-factor authentication using a smart card

When you or a user turns on two-factor authentication with the BlackBerry® Smart Card Reader, the BlackBerry device performs the following actions:
1. locks
2. prompts the user to type the BlackBerry device password when the user tries to unlock the BlackBerry device
3. requires the user to specify a BlackBerry device password, if the user has not yet specified one
4.
Two-factor content protection

Content protection is designed to encrypt data on a BlackBerry® device when the BlackBerry device is locked.
Protecting Bluetooth connections on a BlackBerry device

Bluetooth® wireless technology permits a Bluetooth enabled BlackBerry® device to open a wireless connection with other Bluetooth devices that are within a 10-meter range (for example, a hands-free car kit or wireless headset).
16 Wi-Fi enabled BlackBerry devices

Wi-Fi® enabled BlackBerry® devices permit users with qualifying data plans to access BlackBerry services over a mobile network, Wi-Fi network, or both networks simultaneously. When users can access a mobile network and Wi-Fi network simultaneously, users can perform multiple tasks over both networks.
Security features of a Wi-Fi enabled BlackBerry device

Type: home Wi-Fi networks
Description: A home Wi-Fi network uses a single access point to provide Internet access through a broadband gateway. The broadband gateway can implement NAT and permit VPN connections through the firewall. You can configure a home Wi-Fi network with layer 2 security and password authentication.
Security features of a Wi-Fi enabled BlackBerry device

Feature: BlackBerry transport layer encryption
Description: BlackBerry transport layer encryption is designed to encrypt messages that the BlackBerry device and the BlackBerry Enterprise Server send between each other after they open an authenticated connection.
Protecting a connection between a Wi-Fi enabled BlackBerry device and an enterprise Wi-Fi network

Feature: wireless software updates
Description: Wireless software updates permit users to update the BlackBerry® Device Software without using the BlackBerry® Desktop Manager or first downloading the software update to a computer.
How a Wi-Fi enabled BlackBerry device can connect to the BlackBerry Infrastructure

How an SSL connection between a Wi-Fi enabled BlackBerry device and the BlackBerry Infrastructure protects data

An SSL connection between a Wi-Fi® enabled BlackBerry® device and the BlackBerry® Infrastructure is designed to provide the same protection that an SRP connection between the BlackBerry® Enterprise Server and BlackBerry Infrastructure provides.
• SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_DH_anon_WITH_DES_CBC_SHA
• SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
• SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

The BlackBerry device supports the following cipher suites, in order, when it opens TLS connections:
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES
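The SSL list above ends with anonymous and export-grade suites, which is the kind of offer list an administrator should audit before allowing the device onto a network. The following is an added example, not code from the BlackBerry documentation: it parses the suite names quoted above (IANA naming, PROTO_keyexchange_WITH_cipher_mac) and reports the legacy properties a defender would want removed.

```python
"""Audit a client's SSL/TLS cipher suite offer list for legacy suites.

Added example; it is not code from the BlackBerry documentation. It parses
suite names in the IANA convention PROTO_<keyexchange>_WITH_<cipher>_<mac>
and reports the properties a defender would want removed from an offer
list: anonymous key exchange, export-grade key sizes, 40-bit or 56-bit
ciphers, RC4, and an MD5 record MAC.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List

SUITE_RE = re.compile(
    r"^(?P<proto>SSL|TLS)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$"
)

# The SSL suites quoted in the document (the tail of a longer list; only the
# names that survive on the page are used here).
SSL_SUITES = [
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
]
# The two TLS suites that appear in full in the document's preference order.
TLS_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
]


@dataclass
class SuiteReport:
    name: str
    protocol: str
    key_exchange: str
    cipher: str
    mac: str
    findings: List[str] = field(default_factory=list)

    @property
    def weak(self) -> bool:
        return bool(self.findings)


def parse_suite(name: str) -> SuiteReport:
    """Split an IANA-style suite name into its key exchange, cipher and MAC."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    return SuiteReport(name, m["proto"], m["kx"], m["cipher"], m["mac"])


def audit_suite(name: str) -> SuiteReport:
    """Attach one finding for each legacy property the suite carries."""
    r = parse_suite(name)
    if "anon" in r.key_exchange:
        # No server certificate: the peer is never authenticated, so the
        # connection gives no protection against an active man-in-the-middle.
        r.findings.append("anonymous key exchange (server not authenticated)")
    if "EXPORT" in r.key_exchange:
        r.findings.append("export-grade key exchange (512-bit RSA or DH)")
    if r.cipher.startswith(("RC4_40", "DES40")):
        r.findings.append("40-bit cipher key (brute-forceable)")
    elif r.cipher.startswith("DES_"):
        r.findings.append("single DES (56-bit key)")
    if r.cipher.startswith("RC4"):
        r.findings.append("RC4 stream cipher (prohibited by RFC 7465)")
    if r.mac == "MD5":
        r.findings.append("MD5 record MAC")
    return r


def audit_list(suites: List[str]) -> List[SuiteReport]:
    return [audit_suite(s) for s in suites]


def weak_suites(suites: List[str]) -> List[str]:
    """Names of the suites in an offer list that carry at least one finding."""
    return [r.name for r in audit_list(suites) if r.weak]


def first_weak_index(suites: List[str]) -> int:
    """Position of the first legacy suite in a preference-ordered list, or -1.

    A client that lists a legacy suite early lets a server that prefers it
    negotiate the weaker protection, so position matters as well as presence.
    """
    for i, r in enumerate(audit_list(suites)):
        if r.weak:
            return i
    return -1


if __name__ == "__main__":
    for report in audit_list(SSL_SUITES + TLS_SUITES):
        print("WEAK" if report.weak else "ok  ", report.name, "; ".join(report.findings))
```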
Managing how a BlackBerry device connects to an enterprise Wi-Fi network

To manage how a Wi-Fi® enabled BlackBerry® device connects to an enterprise Wi-Fi network, you can use IT administration commands, IT policy rules, and configuration settings. You can turn on or turn off Wi-Fi access for the BlackBerry device in BlackBerry® Enterprise Server version 4.
Using a VPN with a Wi-Fi enabled BlackBerry device

After you configure a VPN, the BlackBerry device can use a layer 2 security method to connect to the enterprise Wi-Fi network, and use the VPN to provide authentication with the enterprise Wi-Fi network. In this scenario, you can configure the enterprise Wi-Fi network as an untrusted network, and specify that only a VPN concentrator can connect to the enterprise Wi-Fi network.
Using a captive portal to connect to an enterprise Wi-Fi network or Wi-Fi hotspot

A captive portal uses web-based authentication to permit a Wi-Fi® enabled BlackBerry® device to connect to an enterprise Wi-Fi network or Wi-Fi hotspot. The BlackBerry device can use a captive portal to access an IP segment of the enterprise Wi-Fi network or Wi-Fi hotspot.
17 Layer 2 security methods that a Wi-Fi enabled BlackBerry device supports

You can configure a Wi-Fi® enabled BlackBerry® device to use security methods for layer 2 (also known as the IEEE® 802.11™ link layer) so that the BlackBerry device and a wireless access point can encrypt data that they send between them and authenticate the user.
PSK protocol

The IEEE® 802.1X™ standard specifies the PSK protocol as an access control method for enterprise Wi-Fi® networks. You can also use the PSK protocol in small-office environments and home environments where it is not feasible to configure server-based authentication. To configure the PSK protocol, you must send a passphrase that matches the key or passphrase for the wireless access points to a Wi-Fi enabled BlackBerry® device.
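The passphrase sent to the device must match the access point's value because both sides derive the same 256-bit pre-shared key from it. The following is an added example, not code from the BlackBerry documentation: it implements the passphrase-to-PSK mapping defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations), accepts either a passphrase or a raw hex key as an access point does, and checks whether two configured values agree.

```python
"""Derive and compare WPA/WPA2 pre-shared keys from a passphrase.

Added example; not part of the BlackBerry documentation. It implements the
passphrase-to-PSK mapping defined in IEEE 802.11i: PBKDF2-HMAC-SHA1 keyed
by the passphrase, salted with the SSID, 4096 iterations, 256-bit output.
Because the passphrase and the SSID both feed the derivation, any
difference on either side yields an unrelated key and the 4-way handshake
fails.
"""
import hashlib
import hmac

PSK_BYTES = 32            # a WPA/WPA2 PSK is 256 bits
PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map an ASCII passphrase (8 to 63 characters) and an SSID to the PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_BYTES,
    )


def psk_from_config(value: str, ssid: str) -> bytes:
    """Accept either form an access point takes: a 64-hex-digit raw PSK or a passphrase."""
    if len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value):
        return bytes.fromhex(value)
    return derive_psk(value, ssid)


def keys_match(device_value: str, ap_value: str, ssid: str) -> bool:
    """True when the device and the access point arrive at the same PSK.

    Uses a constant-time comparison so the check itself does not reveal how
    many leading bytes of the two keys agree.
    """
    return hmac.compare_digest(
        psk_from_config(device_value, ssid), psk_from_config(ap_value, ssid)
    )


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    print(keys_match("password", "Password", "IEEE"))  # case matters: False
```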
EAP authentication methods that a Wi-Fi enabled BlackBerry device supports

Process flow: Authenticating a Wi-Fi enabled BlackBerry device with an enterprise Wi-Fi network using the IEEE 802.1X standard

If you configured a wireless access point to use the IEEE® 802.1X™ standard, the access point permits communication using EAP authentication only.
EAP authentication methods that a Wi-Fi enabled BlackBerry device supports

PEAP authentication

PEAP authentication permits a Wi-Fi® enabled BlackBerry® device to authenticate with an authentication server and access an enterprise Wi-Fi network. PEAP authentication uses TLS to create an encrypted tunnel between the BlackBerry device and the authentication server. It uses the TLS tunnel to send the authentication credentials of the BlackBerry device to the authentication server.
Encryption keys that a Wi-Fi enabled BlackBerry device supports for use with layer 2 security methods

EAP-FAST authentication

EAP-FAST authentication uses PAC to open a TLS connection to a Wi-Fi® enabled BlackBerry® device and verify the supplicant credentials of the BlackBerry device over the TLS connection.
• EAP-TTLS authentication
• PEAP authentication
• PSK authentication

For more information about AES-CCMP and TKIP, visit www.ieee.org/portal/site.

EAP authentication methods that a BlackBerry device supports the use of CCKM with

A Wi-Fi® enabled BlackBerry® device supports the use of CCKM with all supported EAP authentication methods to improve roaming between wireless access points.
18 Protecting a third-party application on a BlackBerry device

Creating a third-party application for a BlackBerry device

A developer can create a third-party application for a Java® based BlackBerry® device using the BlackBerry® Java® Development Environment.
Specifying the resources third-party applications can access on a BlackBerry device

• User Authenticator API, which permits the registration of drivers so that a user can unlock the BlackBerry device using two-factor authentication

You can also use application control policy rules to specify the types of connections that the application that is running on the BlackBerry device can open (for example, local, internal, and external connections).
Permitting a third-party application to encode data on a BlackBerry device

A developer can use the Transcoder API to create an encoding scheme for data that is sent between a BlackBerry® Enterprise Server and BlackBerry device. The Transcoder API is part of the BlackBerry® Java® Development Environment.
19 RIM Cryptographic API

The RIM® Cryptographic API that is on a BlackBerry® device and in the BlackBerry® Java® Development Environment consists of a Java interface that includes an encryption algorithm, a key agreement scheme, a signature scheme algorithm, a key generation algorithm, a message authentication code, cipher suites, a message digest, and a hash code.
Cryptographic algorithms and cryptographic codes that the RIM Cryptographic API supports

The RIM Cryptographic API supports the ECIES algorithm, with an unlimited key length (160 bits to 571 bits for seeding), as the asymmetric stream encryption algorithm.

Asymmetric encryption algorithms that the RIM Cryptographic API supports (columns: Algorithm, Key length (bits), Type)
• El Gamal
• RSA® raw
• RSA with OAEP formatting
• RSA with PKCS #1 formatting (versions 1.5 and 2.
TLS and WTLS protocols that the RIM Cryptographic API supports

Key generation algorithms that the RIM Cryptographic API supports (columns: Algorithm, Key length (bits), Type)
• Diffie-Hellman: 512 to 4096 bits; discrete logarithm
• DSA: 512 to 1024 bits; discrete logarithm
• Elliptic Curve: 160 to 571 bits; (Elliptic Curve) discrete logarithm
• RSA®: 512 to 2048 bits; integer factorization

Message authentication codes that the RIM Cryptographic API supports (columns: Code, Key length (bits))
• CBC-MAC: variable (block cipher k
• HMAC:
TLS and WTLS protocols that the RIM Cryptographic API supports

Cipher suites for the key establishment algorithm that the RIM Cryptographic API supports
• Direct mode SSL: DH_anon, DH_anon_EXPORT, DHE_DSS, DHE_DSS_EXPORT, RSA, RSA_EXPORT
• Direct mode TLS: DH_anon, DH_anon_EXPORT, DHE_DSS, DHE_DSS_EXPORT, RSA, RSA_EXPORT
• WTLS: RSA®_768, DH_anon, DH_anon_512, DH_anon_768, RSA_anon_512, RSA_512, RSA_anon_768, RSA, RSA_anon

Symmetric algorithms that the RIM Cryptographic API supports Direct mo
Limitations of RIM Cryptographic API support for cipher suites for the key establishment algorithm

The RIM® Cryptographic API implementation of the TLS protocol and WTLS protocol supports the use of the RSA® public key algorithm, DSA public key algorithm, and Diffie-Hellman key exchange algorithm, with the following limitations.
20 Related resources

Resource: BlackBerry Enterprise Server Feature and Technical Overview
Information:
• understanding BlackBerry® Enterprise Server architecture

Resource: BlackBerry Enterprise Server Installation Guide
Information:
• understanding system requirements
• performing preinstallation tasks
• installing the BlackBerry Enterprise Server

Resource: BlackBerry Enterprise Server Administration Guide
Information:
• generating and changing device transport keys
• configuring extended me
Related resources

Resource: Enforcing Encryption of Internal and External File Systems on BlackBerry Devices Technical Overview
Information:
• understanding which data items BlackBerry devices encrypt by default
• using encryption to protect stored files in the on-board device memory and media cards

Resource: Erasing File Systems on BlackBerry Devices Technical Overview
Information:
• understanding which data items are deleted from BlackBerry device memory when you or a user deletes the BlackBer
21 Glossary

3GPP: Third Generation Partnership Project
AES: Advanced Encryption Standard
AES-CCMP: Advanced Encryption Standard Counter Mode CBC-MAC Protocol
ANSI: American National Standards Institute
API: application programming interface
ARC4: alleged RC4 (algorithm)
ASCII: American Standard Code for Information Interchange
BlackBerry device key: The BlackBerry device key is a randomly generated key that a BlackBerry device uses to encrypt data on media cards.
BlackBerry inter-process protocol encryption: encrypts communication between BlackBerry® Enterprise Solution components to prevent other parties from viewing the data that the components send between each other.
code-signing keys: Code-signing keys are the keys that are stored on media cards that sign files so that a user can install and run the files on a BlackBerry device.
content protection: Content protection protects user data on a locked BlackBerry device by encrypting the user data using the content protection key and ECC private key.
content protection key:
The device transport key (formerly known as the master encryption key) is unique to a BlackBerry device.
EAP: Extensible Authentication Protocol
EAPoL: Extensible Authentication Protocol over LAN
EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunneling
EAP-GTC: Extensible Authentication Protocol Generic Token Card
EAP-MS-CHAP: Extensible Authentication Protocol Microsoft® Challenge Handshake Authentication Protocol
EAP-SIM: Extensible Authentication Protocol Subscriber Identity Module
EAP-TLS: Extensible Authentication Protocol Transport Layer Security
EAP
ECMQV: Elliptic Curve Menezes-Qu-Vanstone
ECNR: Elliptic Curve Nyberg Rueppel
EDE: Encryption-Decryption-Encryption
EDGE: Enhanced Data Rates for Global Evolution
Enterprise Service Policy: The Enterprise Service Policy controls which BlackBerry devices can connect to a BlackBerry® Enterprise Server.
ephemeral key: The ephemeral key encrypts the ECC public key, ECC private key, and content protection key.
General Services Administration
GSM: Global System for Mobile communications®
HMAC: keyed-hash message authentication code
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer
IEEE: Institute of Electrical and Electronics Engineers
IMSI: International Mobile Subscriber Identity
initial key establishment protocol: The initial key establishment protocol is a Research In Motion® proprietary protocol that the BlackBerry® Enterprise Soluti
IT policy rule: An IT policy rule permits you to customize and control the actions that BlackBerry devices, BlackBerry enabled devices, the BlackBerry® Desktop Software, and the BlackBerry® Web Desktop Manager can perform.
MIDP: Mobile Information Device Profile
MMS: Multimedia Messaging Service
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol
NAT: network address translation
NIST: National Institute of Standards and Technology
NTFS: New Technology File System
NTLM: NT LAN Manager
NV: nonvolatile
NV store: The NV store is a nonvolatile store that persists in flash memory on a BlackBerry device. Only the operating system of the BlackBerry device can write to it.
PFS: Perfect Forward Secrecy
persistent store in flash memory: The persistent store in flash memory stores data for a BlackBerry device. By default, third-party applications cannot access the persistent store. When it deletes all device data, the BlackBerry device deletes the data in the persistent store.
RFC: Request for Comments
RIM signing authority system: The RIM® signing authority system is a collection of servers that sign the boot ROM code for a BlackBerry device during the manufacturing process.
SRP authentication: SRP authentication is an authentication method that the BlackBerry® Enterprise Server and BlackBerry® Infrastructure use to authenticate with each other.
SRP authentication key: The SRP authentication key is a 20-byte shared encryption key that the BlackBerry® Enterprise Server and BlackBerry® Infrastructure use to authenticate with each other during SRP authentication.
WLAN: wireless local area network
WPA: Wi-Fi Protected Access
WTLS: Wireless Transport Layer Security
22 Provide feedback

To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback.
23 Legal notice

©2009 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType®, SurePress™ and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. 3GPP is a trademark of 3GPP. Bluetooth is a trademark of Bluetooth SIG. ANSI is a trademark of the American National Standards Institute.
HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS.
thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM. Certain features outlined in this documentation require a minimum version of BlackBerry® Enterprise Server, BlackBerry® Desktop Software, and/or BlackBerry® Device Software.