User guide

If a user activates the BlackBerry device over the wireless network, the BlackBerry® Enterprise Server and BlackBerry device
negotiate to select the strongest algorithm that they both support (either AES or Triple DES) and use that algorithm to generate
a device transport key. To generate public keys for key rollover on the BlackBerry device and create a strong, cryptographically
protected connection between the BlackBerry Enterprise Server and BlackBerry device, the BlackBerry® Enterprise Solution uses
the SPEKE authentication method and the activation password for the BlackBerry device.
For more information about the SPEKE authentication method, visit http://standards.ieee.org/ to read Password-Based Public
Key Cryptography (P1363.2).
Security characteristics for generating the first device transport key

Characteristic: authentication and integrity
Description: The wireless activation process verifies that only a user with the correct activation password can
activate a BlackBerry® device that you associate with a BlackBerry® Enterprise Server.

Characteristic: prevention of offline dictionary attacks
Description: The wireless activation process is designed so that a potentially malicious user cannot determine a
user's activation password by viewing the protocol packets that the BlackBerry Enterprise Server and BlackBerry
device send to each other.

Characteristic: prevention of online dictionary attacks
Description: The wireless activation process is designed so that the BlackBerry Enterprise Server prevents a
potentially malicious user from activating a BlackBerry device if that user types an incorrect activation password
more than five times.

Characteristic: long-term public keys exchanged
Description: During wireless activation, the BlackBerry Enterprise Server and BlackBerry device exchange long-term
public keys over the connection that SPEKE protects. They later use these keys when they generate a new device
transport key, so that each subsequent device transport key is exchanged in a manner that is designed to be highly
secure.
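The exchange that these characteristics describe, as an added example that is not BlackBerry code: both sides derive a Diffie-Hellman generator from the activation password (SPEKE), each proves knowledge of the resulting key with a confirmation tag, and the server stops accepting activations after five wrong passwords. The 128-bit group size, the SHA-256 generator and key derivation, the tag format and the names (SpekeParty, ActivationServer, activate_device) are assumptions made for the demo; a real deployment would use a 2048-bit or larger group and the P1363.2 encodings.

```python
"""Toy SPEKE activation with key confirmation and a five-strikes lockout (added example)."""
import hashlib
import hmac
import secrets

MAX_FAILURES = 5        # the page: more than five wrong activation passwords blocks activation
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73]


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 4:
        return n >= 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """p = 2q + 1 with q and p prime: the squares mod p form a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class SpekeParty:
    """One side of SPEKE: the generator itself is derived from the password."""

    def __init__(self, p, password, role):
        self.p, self.q, self.role, self.key = p, (p - 1) // 2, role, None
        # g = H(password)^2 mod p lies in the order-q subgroup. Without the password an
        # eavesdropper does not know g, so the public values give nothing to test guesses against.
        h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % p
        self.g = pow(h, 2, p)
        if self.g in (0, 1):
            raise ValueError("degenerate generator")
        self.x = secrets.randbelow(self.q - 2) + 2          # ephemeral exponent in [2, q-1]
        self.public = pow(self.g, self.x, p)

    def derive(self, peer_public):
        p, q = self.p, self.q
        # Reject 0, 1, p-1 and anything outside the order-q subgroup (small-subgroup attacks).
        if not 1 < peer_public < p - 1 or pow(peer_public, q, p) != 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self.x, p)
        n = (p.bit_length() + 7) // 8
        lo, hi = sorted((self.public, peer_public))         # same transcript order on both sides
        self.key = hashlib.sha256(b"speke-key" + shared.to_bytes(n, "big")
                                  + lo.to_bytes(n, "big") + hi.to_bytes(n, "big")).digest()
        return self.key

    def confirm_tag(self, role=None):
        """Key-confirmation tag that `role` (default: this side) sends under the derived key."""
        return hmac.new(self.key, b"confirm:" + (role or self.role).encode(), hashlib.sha256).digest()


class ActivationServer:
    """Server side: knows the activation password and counts failed activations."""

    def __init__(self, p, activation_password):
        self.p, self.password, self.failures = p, activation_password, 0

    def start(self):
        """Open an exchange; returns the server's public value, or None once locked."""
        if self.failures >= MAX_FAILURES:
            return None
        self.party = SpekeParty(self.p, self.password, "server")
        return self.party.public

    def finish(self, device_public, device_tag):
        """Verify the device's confirmation tag; returns the transport key, or None on failure."""
        try:
            self.party.derive(device_public)
            ok = hmac.compare_digest(self.party.confirm_tag("device"), device_tag)
        except ValueError:
            ok = False
        if not ok:
            self.failures += 1
            return None
        self.failures = 0
        return self.party.key


def activate_device(server, typed_password):
    """Drive one wireless activation; returns (status, first transport key or None)."""
    server_public = server.start()
    if server_public is None:
        return "locked", None
    device = SpekeParty(server.p, typed_password, "device")
    device.derive(server_public)
    key = server.finish(device.public, device.confirm_tag())
    if key is None:
        return "rejected", None
    assert key == device.key            # both sides now hold the same first transport key
    return "activated", key


P = generate_safe_prime(128)            # toy group size; a deployment would use 2048 bits or more
```

A wrong password leaves the device with a different generator, so the two sides derive different keys and the server's check of the device's confirmation tag fails; the transcript (two group elements) is equally consistent with every candidate password, which is what defeats the offline dictionary attack, while the failure counter is what defeats the online one.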
Generating subsequent device transport keys for a BlackBerry device
By default, the BlackBerry® Enterprise Server and BlackBerry device generate subsequent device transport keys every 30 days.
If a pending device transport key exists and a user connects a BlackBerry device to a computer, the current device transport key
on the BlackBerry device becomes the previous device transport key and the pending device transport key becomes the current
device transport key. If no pending device transport key exists, you, the user, or the BlackBerry® Desktop Software can generate
a device transport key.
The BlackBerry Enterprise Server and BlackBerry device generate each subsequent device transport key using their existing
long-term public keys and the ECMQV key agreement algorithm. This method is designed so that a potentially malicious
user who observes the exchange is unable to calculate the device transport key. After they generate the device transport
key, the BlackBerry Enterprise Server and BlackBerry device discard the ephemeral key pair that they used for that
exchange; the long-term keys remain in place for the next rollover.
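The rollover described above, as an added example that is not BlackBerry code: each side combines its long-term key, a fresh ephemeral key and the peer's two public keys with the ECMQV formula, both arrive at the same point, a KDF turns it into the new device transport key, the ephemeral pair is dropped, and the key waits as "pending" until the device connects to a computer. The curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of prime order 19 is a textbook toy used only so the arithmetic is readable; the SHA-256 key derivation, the 30-day schedule as a day counter, and the names (TransportKeyStore, rollover, ecmqv_shared) are assumptions made for the demo.

```python
"""Toy ECMQV rollover with previous/current/pending transport keys (added example)."""
import hashlib
import secrets

# Textbook toy curve (assumption for the demo): y^2 = x^3 + 2x + 2 over F_17, base point of order 19.
FIELD_P, CURVE_A = 17, 2
G, N = (5, 1), 19                       # N is prime, cofactor h = 1
INF = None                              # point at infinity
L = (N.bit_length() + 1) // 2           # ECMQV truncation: L = ceil(bitlen(N) / 2)


def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    k, acc = k % N, INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def avf(pt):
    """ECMQV associate value: low L bits of the x coordinate, plus 2^L."""
    return (pt[0] % (1 << L)) + (1 << L)


def ecmqv_shared(static_priv, eph_priv, eph_pub, peer_static_pub, peer_eph_pub):
    """K = h * s * (peer_eph + avf(peer_eph) * peer_static), s = eph + avf(eph) * static mod N."""
    s = (eph_priv + avf(eph_pub) * static_priv) % N
    k = ec_mul(s, ec_add(peer_eph_pub, ec_mul(avf(peer_eph_pub), peer_static_pub)))
    if k is INF:
        raise ValueError("ECMQV produced the point at infinity; abort the rollover")
    return k


def transport_key_from(k):
    """KDF from the shared point (coordinates fit in one byte each on this toy curve)."""
    return hashlib.sha256(b"ecmqv-transport-key" + bytes([k[0], k[1]])).digest()


class TransportKeyStore:
    """One side's long-term key pair plus its previous / current / pending transport keys."""
    ROLLOVER_DAYS = 30

    def __init__(self, static_priv, activation_key=None):
        self.static_priv, self.static_pub = static_priv, ec_mul(static_priv, G)
        self.previous, self.current, self.pending = None, activation_key, None
        self.current_since = 0

    def ephemeral(self, priv=None):
        """Fresh ephemeral pair (priv given only to make the exchange reproducible in tests)."""
        priv = secrets.randbelow(N - 1) + 1 if priv is None else priv
        return priv, ec_mul(priv, G)

    def rollover_due(self, day):
        return self.pending is None and day - self.current_since >= self.ROLLOVER_DAYS

    def on_connect(self, day):
        """Device plugged into a computer: pending becomes current, current becomes previous."""
        if self.pending is None:
            return False
        self.previous, self.current, self.pending = self.current, self.pending, None
        self.current_since = day
        return True


def rollover(device, server, day, dev_eph=None, srv_eph=None):
    """Generate the next (pending) transport key on both sides; None if none is due."""
    if not device.rollover_due(day):
        return None
    x, X = device.ephemeral(dev_eph)
    y, Y = server.ephemeral(srv_eph)
    # Only X and Y cross the network; the static public keys were exchanged at activation.
    k_dev = ecmqv_shared(device.static_priv, x, X, server.static_pub, Y)
    k_srv = ecmqv_shared(server.static_priv, y, Y, device.static_pub, X)
    assert k_dev == k_srv
    key = transport_key_from(k_dev)
    del x, y, X, Y                      # ephemeral pair discarded; only the long-term keys remain
    device.pending = server.pending = key
    return key
```

The check that K is not the point at infinity, and the validation a real implementation also performs on the peer's received points, are what keep an attacker who substitutes public values from steering the result; on a production curve the probability of hitting infinity is negligible, on this toy curve it is 1 in 19, which is why the tests pin the ephemeral scalars.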
Security Technical Overview
Device transport keys
21