User guide

Resetting a BlackBerry device password when content protection is turned on
If you or a user turns on content protection for a BlackBerry® device that is running BlackBerry® Device Software version 4.3 or
later, you can reset the BlackBerry device password using a BlackBerry® Enterprise Server version 4.1 SP5 or later. The BlackBerry®
Enterprise Solution uses the remote password reset cryptographic protocol to reset the BlackBerry device password when content
protection is turned on. The BlackBerry device does not prompt the user for the old BlackBerry device password.
The remote password reset cryptographic protocol is designed to provide the following features:
• permit the BlackBerry device to encrypt the content protection key again with the new password, without the old password being available
• prevent a hardware-based attack on the BlackBerry device from recovering the content protection key without knowing either the BlackBerry device password or the IT policy private key that the BlackBerry Enterprise Server generates for the BlackBerry device
• prevent the BlackBerry Enterprise Server from accessing any data that a potentially malicious user could use to recover the content protection key
To reset the BlackBerry device password, you send the Specify new device password and lock device IT administration command to the BlackBerry device. Send this IT administration command only to a content-protected BlackBerry device that is in the possession of its user. If you send the IT administration command to a BlackBerry device that is in the possession of a potentially malicious user, that user can use a hardware-based attack to recover the key pair that the BlackBerry device created when it received the IT policy, and can then use that key pair to decrypt all the data on the BlackBerry device.
Process flow: Resetting a BlackBerry device password when content protection is turned on
The process flow is designed so that the BlackBerry® Enterprise Server cannot reconstruct the encryption key at a later time.
The BlackBerry Enterprise Server performs the following actions when you send the Specify new device password and lock device
IT administration command to a BlackBerry device when content protection is turned on:
1. generates an encryption key using the IT policy public key and the NIST-recommended 521-bit elliptic curve over a prime field
2. encrypts the content protection key using the encryption key and the new BlackBerry device password (which is also encrypted)
3. sends the data required to reconstruct the encryption key to the BlackBerry device
Cryptosystem parameters that the remote password reset cryptographic protocol uses
The BlackBerry® Enterprise Server and BlackBerry device are designed to share the following cryptosystem parameters when
they use the remote password reset cryptographic protocol.
Security Technical Overview