User guide

Process flow: Turning on content protection using a BlackBerry Enterprise Server
You can turn on content protection using a BlackBerry® Enterprise Server when you configure the Content Protection Strength IT policy rule.
1. The BlackBerry Enterprise Server performs the following actions:
a. selects b randomly
b. calculates B = bP
c. stores b in the BlackBerry Configuration Database
d. sends B in the IT policy to the BlackBerry device
2. The BlackBerry device performs the following actions:
a. verifies that B is a valid public key
b. selects d randomly
c. calculates D = dP
d. stores D in flash memory
e. calculates K = dB
f. uses K to encrypt the current BlackBerry device password
g. uses the encrypted BlackBerry device password to encrypt the content protection key
h. permanently deletes d and K
When the BlackBerry device permanently deletes d, the BlackBerry device is designed so that a potentially malicious user cannot use the data that remains on the BlackBerry device (D, B, and the encrypted values) to recover K. Only the BlackBerry Enterprise Server knows b and can recalculate K = dB = dbP = bD if it is provided with D.
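The exchange above, modelled end to end as an added example (not code from the BlackBerry product or this guide): the server keeps b, the device keeps only D and the K-encrypted password, and only the holder of b can rebuild K from D. The curve (secp256k1), the XOR-with-SHA-256 stand-in for "encrypt with K", and the sample password are assumptions made so it runs with the Python standard library alone.

```python
import hashlib, secrets
# secp256k1 parameters, assumed here only so the arithmetic runs (the page does not name a curve)
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def is_valid_public_key(pt):  # step 2a: not infinity, and actually on the curve
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P_MOD == 0

def wrap(K, data):  # stand-in for "encrypt with K": XOR with SHA-256 of K's x (data <= 32 bytes)
    pad = hashlib.sha256(K[0].to_bytes(32, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def server_setup():
    b = secrets.randbelow(N_ORD - 1) + 1  # 1a: b stays in the BlackBerry Configuration Database
    return b, ec_mul(b, G)                # 1b/1d: B = bP goes out in the IT policy
def device_enroll(B, password):
    if not is_valid_public_key(B):        # 2a: refuse a malformed B before using it
        raise ValueError("invalid B in IT policy")
    d = secrets.randbelow(N_ORD - 1) + 1  # 2b
    D = ec_mul(d, G)                      # 2c/2d: D = dP is what stays in flash
    K = ec_mul(d, B)                      # 2e: K = dB
    enc_pw = wrap(K, password)            # 2f: password encrypted under K
    del d, K                              # 2h: only D and enc_pw survive on the device
    return D, enc_pw

def server_recover(b, D, enc_pw):  # K = bD = bdP = dB: needs b plus the stored D
    return wrap(ec_mul(b, D), enc_pw)
```

Without b, the surviving D, B and enc_pw give an attacker only an ECDH-style problem; the server, holding b, recovers the password in one scalar multiplication.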
Process flow: Generating a content protection key on a BlackBerry device
When you or a user turns on content protection on the BlackBerry® device for the first time, the BlackBerry device performs the following actions:
1. uses a DSA PRNG function to randomly generate a content protection key
2. generates an ECC key pair with a bit length that you or the user determines
3. prompts the user to type the BlackBerry device password
4. derives an ephemeral AES-256 key from the BlackBerry device password using PKCS #5
5. uses the ephemeral key to encrypt the content protection key and ECC private key
6. stores the encrypted content protection key, encrypted ECC private key, and ECC public key in flash memory
Security Technical Overview
Content protection keys