User guide
The BlackBerry device uses the BlackBerry device password to generate an ephemeral key that the BlackBerry device uses to encrypt the content protection key and the ECC private key. If you change the content protection strength to Stronger so that the BlackBerry device uses a 283-bit ECC private key, you can consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 12 characters for the BlackBerry device password. If you change the content protection strength to Strongest so that the BlackBerry device uses a 571-bit ECC private key, you can consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 21 characters for the BlackBerry device password. These password lengths maximize the encryption strength that the longer ECC private keys are designed to provide. A shorter password produces a weaker ephemeral key.
Process flow: Encrypting user data on a locked BlackBerry device
When a BlackBerry® device locks for the first time after you or a user turns on content protection, the BlackBerry device performs the following actions:
1. uses the content protection key to automatically encrypt the bulk of its stored user data and application data
2. frees the BlackBerry device memory that is associated with the decrypted content protection key and the decrypted ECC private key that is stored in RAM
3. uses the ECC public key to encrypt data that it receives
Process flow: Decrypting user data on an unlocked BlackBerry device
1. A user types the correct BlackBerry® device password to unlock a BlackBerry device.
2. The BlackBerry device performs the following actions:
a. uses the password to derive the ephemeral key
b. uses the ephemeral key to decrypt the encrypted content protection key and ECC private key that are stored in flash memory
c. stores the decrypted content protection key and ECC private key in RAM
d. uses the decrypted content protection key to decrypt the user data when the user tries to access user data (for example, an email message) that the BlackBerry device received and encrypted while it was locked
e. uses the decrypted ECC private key to decrypt the user data and access the ECC-encrypted items (for example, the message body, subject, or recipient) when the user tries to access user data that the BlackBerry device encrypted while it was locked
When the BlackBerry device opens ECC-128 encrypted items (usually less than 40 messages), the BlackBerry device uses the ECC private key to decrypt the ECC-encrypted items. The BlackBerry device re-encrypts the items with the content protection key the next time that the BlackBerry device locks. If the BlackBerry device does not complete the re-encryption process before the user unlocks the BlackBerry device, the BlackBerry device resumes re-encryption when it locks again.
Security Technical Overview
Encrypting user data on a locked BlackBerry device
47