User guide
Closing a direct connection between a BlackBerry device and BlackBerry Router
If a user disconnects a BlackBerry® device from a computer that hosts the BlackBerry® Device Manager, closes the BlackBerry
Device Manager, or disconnects the BlackBerry device from an enterprise Wi-Fi® network, the BlackBerry device restores the
connection to the BlackBerry® Infrastructure over the wireless network automatically. The BlackBerry® Enterprise Server and
BlackBerry Router use the BlackBerry Router protocol to close the authenticated connection to the BlackBerry device. The
BlackBerry Router protocol is designed to permit only an authenticated party to close the connection. The BlackBerry Router
uses a single execution of the Schnorr identification scheme to authenticate the close command that the BlackBerry Enterprise
Server sends to the BlackBerry Router.
Impersonation attacks that the BlackBerry Router protocol is designed to prevent
The BlackBerry® Router protocol is designed to prevent a potentially malicious user from impersonating a BlackBerry device or
a BlackBerry® Enterprise Server.
To impersonate the BlackBerry device, the potentially malicious user sends messages to the BlackBerry Enterprise Server so that
the BlackBerry Enterprise Server believes it is communicating with the BlackBerry device. To impersonate the BlackBerry
Enterprise Server, the potentially malicious user sends messages to the BlackBerry device so that the BlackBerry device believes
it is communicating with the BlackBerry Enterprise Server.
To perform either of these impersonation attacks, the potentially malicious user must send the device transport key value (also
known as s) to the BlackBerry Enterprise Server or BlackBerry device, which requires the potentially malicious user to solve the
discrete log problem to determine s or the hash of s.
How the BlackBerry Router protocol uses the Schnorr identification scheme to open an
authenticated connection
The implementation of the Schnorr identification scheme in the BlackBerry® Router protocol uses a group of large prime order,
namely the additive group of points on an elliptic curve defined over the integers modulo a prime p.
The BlackBerry Router protocol is designed to perform the following actions:
• use the NIST-recommended 521-bit elliptic curve group
• verify that the points supplied by the parties involved in the communication are members of the elliptic curve group
• verify that R_D does not equal R_B, to prevent the recovery of h by a potentially malicious user
• verify that e does not equal 0, to prevent the recovery of h by a potentially malicious user
• verify that R does not equal the point at infinity, to verify that R is a valid public key
• reset any corrupted data that it finds to a random value so that the BlackBerry Router protocol can proceed past the point at which it detects corrupted data
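The Schnorr identification round and the verifier-side checks listed above, as an added worked example that is not code from this document or from the BlackBerry Router implementation. It assumes a small constructed curve (y^2 = x^3 + 2x + 995 over GF(1009), base point (5, 11)) in place of the NIST P-521 group, and a single prover/verifier exchange in place of the protocol's actual message flow, which the text does not give; the "reset corrupted data to a random value" rule is modelled as continuing the computation with a random replacement while remembering that a check failed.

```python
import secrets

# Constructed toy curve for illustration only (NOT NIST P-521): y^2 = x^3 + A*x + B over GF(P).
P, A, B = 1009, 2, 995
G = (5, 11)          # base point, chosen to lie on the curve
INF = None           # the point at infinity (group identity)

def on_curve(pt):    # finite point with canonical coordinates that satisfies the curve equation; INF fails
    return pt is not INF and all(0 <= c < P for c in pt) and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def add(p1, p2):     # affine group law; callers must validate points first (no inverse of 0 here)
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF    # p1 == -p2 (covers doubling a point with y == 0)
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):      # scalar multiplication k*pt by double-and-add
    acc = INF
    while k > 0:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def point_order(pt): # brute force: only acceptable because the curve is tiny
    n, q = 1, pt
    while q is not INF:
        q, n = add(q, pt), n + 1
    return n

N = point_order(G)                                    # order of the base point
rand_scalar = lambda: secrets.randbelow(N - 1) + 1    # uniform in [1, N-1], never 0

def keygen():                  # device transport key s and its public value V = s*G
    s = rand_scalar(); return s, mul(s, G)
def commit():                  # prover's nonce r and commitment R = r*G
    r = rand_scalar(); return r, mul(r, G)
def respond(s, r, e):          # prover's answer to the challenge e
    return (r + e * s) % N

def verify(V, R, e, y):
    """Verifier: run the sanity checks, then test y*G == R + e*V. Corrupted input is swapped for
    a random value so the run continues to the final equation instead of aborting early."""
    ok = True
    if not on_curve(V): ok, V = False, mul(rand_scalar(), G)   # public key not on the curve
    if not on_curve(R): ok, R = False, mul(rand_scalar(), G)   # R off-curve or the point at infinity
    if e % N == 0:      ok, e = False, rand_scalar()           # e == 0 would make y reveal the nonce r
    return ok and mul(y, G) == add(R, mul(e, V))
```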
Security Technical Overview
Opening a direct connection between a BlackBerry device and a BlackBerry Router