User guide

The content protection key is a semi-permanent key that uses AES-256 encryption. If the user changes the BlackBerry device
password, the BlackBerry device uses the new password to derive a new ephemeral key. The BlackBerry device uses the new
ephemeral key to re-encrypt the versions of the content protection key and ECC private key that are in flash memory.
For more information about the DSA PRNG function, see Federal Information Processing Standard - FIPS PUB 186-2. For more
information about PKCS #5, visit www.rsa.com to see PKCS #5: Password-Based Cryptography Standard.
Process flow: Deriving an ephemeral key that protects a content protection key and ECC private key
A BlackBerry® device uses an ephemeral key to encrypt a content protection key and ECC private key. The BlackBerry device
derives the ephemeral key, which is an AES-256 encryption key, from the BlackBerry device password using PKCS #5.
To derive an ephemeral key, the BlackBerry device performs the following actions:
1. selects a 64-bit salt (which is random data that the BlackBerry device mixes with the BlackBerry device password)
The salt prevents two identical passwords from turning into the same key.
2. concatenates the salt, password, and salt again into a byte array (for example, Salt|Password|Salt)
3. hashes the byte array with SHA-256
4. stores the resulting hash in a byte array that is called a key
key = SHA256(Salt|Password|Salt)
5. hashes the key 18 more times and stores the result in the key each time
For example, for i = 0 to 18, the BlackBerry device performs the following actions:
    key = SHA256(key)
    i++
done
The final hash creates the ephemeral key.
For more information, visit www.rsa.com to see PKCS #5: Password-Based Cryptography Standard.
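The five steps above, as an added example in Python (not BlackBerry's own code): it derives the ephemeral key from a password and a 64-bit salt and shows that changing the salt changes the key. It assumes the repeat count is the 18 extra hashes stated in step 5 (the loop notation could also be read as 19), and uses os.urandom in place of the device PRNG.

```python
import hashlib
import os

SALT_LEN = 8        # step 1: a 64-bit salt
EXTRA_ROUNDS = 18   # step 5: "hashes the key 18 more times" (assumption: prose count, not 19)


def new_salt() -> bytes:
    """Step 1: select a random 64-bit salt (os.urandom stands in for the device PRNG)."""
    return os.urandom(SALT_LEN)


def derive_ephemeral_key(password: bytes, salt: bytes, extra_rounds: int = EXTRA_ROUNDS) -> bytes:
    """Steps 2-5: key = SHA256(salt | password | salt), then key = SHA256(key) extra_rounds times.

    Returns the 32-byte result, which the device uses as an AES-256 key.
    """
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes (64 bits), got {len(salt)}")
    key = hashlib.sha256(salt + password + salt).digest()   # steps 2-4
    for _ in range(extra_rounds):                           # step 5
        key = hashlib.sha256(key).digest()
    return key


def hash_invocations(extra_rounds: int = EXTRA_ROUNDS) -> int:
    """Total SHA-256 calls per derivation: the salted hash plus the extra rounds."""
    return 1 + extra_rounds


if __name__ == "__main__":
    # Constructed sample inputs; not values taken from any real device.
    password = b"correct horse"
    salt_a = bytes.fromhex("0001020304050607")
    salt_b = bytes.fromhex("0706050403020100")
    key_a = derive_ephemeral_key(password, salt_a)
    key_b = derive_ephemeral_key(password, salt_b)
    print("key with salt A:", key_a.hex())
    print("key with salt B:", key_b.hex())
    # Same password, different salt -> different key, which is what step 1 is for.
    print("salt changes the key:", key_a != key_b)
    print("SHA-256 calls per derivation:", hash_invocations())
```

The round count is a parameter so the cost of one derivation can be compared with the iteration counts used by standard PBKDF2 deployments.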
Principal encryption keys
When you or a user turns on content protection for device transport keys, a BlackBerry® device generates a principal encryption
key and stores it in flash memory. The BlackBerry device uses the principal encryption key to encrypt the device transport keys
that are stored on the BlackBerry device in flash memory and the PIN encryption key that is specific to your organization. The
BlackBerry device encrypts the principal encryption key using the content protection key. When the BlackBerry device receives
data encrypted with the device transport key while the BlackBerry device is locked, the BlackBerry device uses the principal
encryption key to decrypt the device transport key that is in flash memory.
Security Technical Overview