User guide
8. uses the pseudo-random bits with AES encryption or Triple DES encryption to generate the message key
For more information about the DSA PRNG function, see Federal Information Processing Standard - FIPS PUB 186-2.
Process flow: Generating a message key on a BlackBerry device
A BlackBerry® device is designed to use the DSA PRNG function to generate a message key.
To generate a message key, the BlackBerry device performs the following actions:
1. retrieves random data from multiple sources to generate the seed using a technique that the BlackBerry device derives from the initialization function of the ARC4 encryption algorithm
2. uses the random data to reorder the contents of a 256-byte state array (also known as a 2048-bit state array)
3. adds the 256-byte state array into the ARC4 encryption algorithm to further randomize the 256-byte state array
4. draws 521 bytes from the ARC4 state array
The BlackBerry device draws an additional 9 bytes for the 256-byte state array, for a total of 521 bytes (512 + 9 = 521) to make sure that the pointers before and after the call are not in the same place, and in case the first few bytes of the ARC4 state array are not random.
5. uses SHA-512 to hash the 521-byte value to 64 bytes
6. uses the 64-byte value to seed the DSA PRNG function
The BlackBerry device stores a copy of the seed in a file. When the BlackBerry device restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.
7. uses the DSA PRNG function to generate 128 pseudo-random bits for use with Triple DES encryption and 256 pseudo-random bits for use with AES encryption
8. uses the pseudo-random bits with Triple DES encryption or AES encryption to generate the message key
For more information about the DSA PRNG function, see Federal Information Processing Standard - FIPS PUB 186-2.
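The eight steps above, worked through end to end in Python as an added example (not BlackBerry's code): standard ARC4 stands in for the seeding technique the page says is derived from it, the DSA PRNG is the FIPS 186-2 Appendix 3.1 construction with its SHA-1-based G function, the 64-byte SHA-512 output is assumed to be XKEY (b = 512) with no XSEED input, and the entropy is a constructed byte string.

```python
import hashlib, struct
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def sha1_compress(h, block):
    # One SHA-1 compression (FIPS 180-1) over a 64-byte block, chaining from h; hashlib
    # cannot start from a caller-chosen chaining value, so FIPS 186-2's G needs this.
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        x = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]
        w.append(((x << 1) | (x >> 31)) & 0xFFFFFFFF)
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        t = (((a << 5) | (a >> 27)) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = t, a, ((b << 30) | (b >> 2)) & 0xFFFFFFFF, c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e)))

def dsa_prng(seed, nbits):
    # FIPS 186-2 Appendix 3.1 with the SHA-1 G of Appendix 3.3. Assumed: the 64-byte seed is
    # XKEY (b = 512), XSEED_j = 0, and DSA's final "mod q" is omitted because the output is a key.
    b, mask = 8 * len(seed), (1 << 8 * len(seed)) - 1
    xkey, out = int.from_bytes(seed, "big"), b""
    while 8 * len(out) < nbits:
        block = (xkey & mask).to_bytes(b // 8, "big").ljust(64, b"\x00")  # c zero-padded to 512 bits
        x = int.from_bytes(struct.pack(">5I", *sha1_compress(SHA1_IV, block)), "big")
        xkey = (1 + xkey + x) & mask  # XKEY = (1 + XKEY + x_j) mod 2^b
        out += x.to_bytes(20, "big")
    return out[: nbits // 8]

def arc4_bytes(key, n):
    # Standard ARC4 (assumed; the page says BlackBerry's technique is "derived from" it): the key
    # schedule reorders the 256-byte state (step 2), the output loop randomizes it further and draws n bytes (steps 3, 4).
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def message_key(entropy, cipher):
    # Steps 1-8: entropy -> ARC4 state -> 521 bytes -> SHA-512 (64-byte seed) -> DSA PRNG -> key.
    seed = hashlib.sha512(arc4_bytes(entropy, 521)).digest()
    return dsa_prng(seed, {"3des": 128, "aes": 256}[cipher])
```

The SHA-1 compression is checked against the published SHA-1("abc") digest and the ARC4 output against the published "Key" keystream, so a mistake in either primitive shows up as a failed self-check rather than a silently weak key.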
Content protection keys
When you or a user turns on content protection for a BlackBerry® device, the BlackBerry device generates a content protection key. The content protection key is designed to encrypt user data on the BlackBerry device when it is locked.
When the BlackBerry device is locked, an encryption process begins. The BlackBerry device frees the memory that it associates with the content protection key and ECC private key that it stores in RAM. The BlackBerry device then uses the ECC public key to encrypt new data that it receives.
When a user unlocks a BlackBerry device, the BlackBerry device decrypts the content protection key and ECC private key in flash memory. When the user wants to view data, the BlackBerry device uses the content protection key or ECC private key to decrypt the data before the BlackBerry device displays it. An unlocked BlackBerry device uses the content protection key to encrypt new data that the user types or adds to the BlackBerry device, or that the BlackBerry device receives.
Security Technical Overview