User guide
c. uses the SHA-1 function to hash the 256 bits
d. generates the device transport key of the BlackBerry device using the first 128 bits of the hash
Message keys
A BlackBerry® Enterprise Server and BlackBerry device generate one or more message keys that are designed to protect the integrity of the data (for example, short keys or large messages) that the BlackBerry Enterprise Server and BlackBerry device send between each other. If a message exceeds 2 KB and consists of several data packets, the BlackBerry Enterprise Server and BlackBerry device generate a unique message key for each data packet.
Each message key consists of random data that is designed to make it difficult for a third party to decrypt, re-create, or duplicate the message key.
The message key is a type of session key. The BlackBerry Enterprise Server and BlackBerry device do not store the message keys; instead, they free the memory that is associated with the message keys after the BlackBerry Enterprise Server or BlackBerry device uses the message keys to decrypt the message.
Process flow: Generating a message key on a BlackBerry Enterprise Server
A BlackBerry® Enterprise Server is designed to use the DSA PRNG function to generate a message key.
To generate a message key, the BlackBerry Enterprise Server performs the following actions:
1. retrieves random data from multiple sources for the seed, using a technique that the BlackBerry Enterprise Server derives from the initialization function of the ARC4 encryption algorithm
2. uses the random data to reorder the contents of a 256-byte state array (also known as a 2048-bit state array)
   If the Microsoft® Cryptographic API exists on the computer that hosts the BlackBerry Enterprise Server, the BlackBerry Enterprise Server requests 512 bits of randomness from the Microsoft Cryptographic API to increase the randomness of the data.
3. adds the 256-byte state array into the ARC4 algorithm to further randomize the 256-byte state array
4. draws 521 bytes from the 256-byte state array
   The BlackBerry Enterprise Server draws an additional 9 bytes from the 256-byte state array, for a total of 521 bytes (512 + 9 = 521), to make sure that the pointers before and after the generation process are not in the same place, and in case the first few bytes of the 256-byte state array are not random.
5. uses SHA-512 to hash the 521-byte value to 64 bytes
6. uses the 64-byte value to seed the DSA PRNG function
   The BlackBerry Enterprise Server stores a copy of the seed in a file. When the BlackBerry Enterprise Server restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.
7. uses the DSA PRNG function to generate 256 pseudo-random bits for use with AES encryption and 128 pseudo-random bits for use with Triple DES encryption
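The seeding procedure above, as an added Python illustration that is not RIM's code: it pools constructed entropy, runs ARC4 key scheduling over the 256-byte state array, draws 512 + 9 bytes, hashes them with SHA-512 to 64 bytes, and XORs the result with a seed stored from a previous run. The entropy sources and the CryptoAPI bytes are constructed samples, and the final step uses a SHA-512 counter as a clearly labelled stand-in for the DSA PRNG.

```python
import hashlib

def ksa(state, key):
    """ARC4 key scheduling: reorder the 256-byte state array under `key`."""
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state

def draw(state, n):
    """ARC4 output generation: draw n bytes from the state array."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)

def derive_seed(entropy_sources, cryptoapi_bits=None, stored_seed=None):
    """Steps 1-6: pool entropy, mix it into the state array, draw 512 + 9 bytes,
    hash them with SHA-512 to 64 bytes, and XOR with the seed kept on disk."""
    pooled = b"".join(entropy_sources)                  # step 1: multiple sources
    if cryptoapi_bits is not None:                      # optional extra 512 bits
        assert len(cryptoapi_bits) == 64
        pooled += cryptoapi_bits
    state = ksa(list(range(256)), pooled)               # step 2: reorder the array
    state = ksa(state, bytes(state))                    # step 3: re-key with the array itself
    raw = draw(state, 512 + 9)                          # step 4: 521 bytes, not 512
    seed = hashlib.sha512(raw).digest()                 # step 5: 64-byte seed
    if stored_seed is not None:                         # step 6: XOR with stored seed
        seed = bytes(a ^ b for a, b in zip(seed, stored_seed))
    return seed

def message_keys(seed):
    """Step 7 stand-in: a SHA-512 counter (NOT the DSA PRNG) yields a 256-bit
    AES key and a 128-bit Triple DES key from the seed."""
    block = hashlib.sha512(seed + b"\x00").digest()
    return block[:32], block[32:48]

# Constructed sample inputs for illustration only; not real entropy.
SAMPLE_SOURCES = [b"timer:1700000000.123", b"pid:4242", b"disk-latency:17,23,19"]
SAMPLE_CRYPTOAPI = bytes(range(64))
```

Feeding the derived seed back as `stored_seed` shows why the XOR step only helps when the new seed is fresh: identical seeds cancel to all zeros.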
Security Technical Overview