User guide
The BlackBerry MDS security protocol uses a session key to authenticate data that the BlackBerry device sends to the BlackBerry
MDS Integration Service. The BlackBerry device and BlackBerry MDS Integration Service share the same session key. The session
key is stored in the BlackBerry Configuration Database. The BlackBerry MDS security protocol uses AES-128 in CBC mode with
PKCS #5 padding to encrypt the session key using the database access key of the database server. The BlackBerry MDS security
protocol also uses AES-128 in CBC mode with PKCS #5 padding, keyed with the session key, to encrypt and decrypt the data that the
BlackBerry device and BlackBerry MDS Integration Service exchange.
Using SSL to connect to web services
The BlackBerry® MDS Integration Service uses a certificate to permit client authentication between the BlackBerry MDS
Integration Service and web services. By default, the BlackBerry MDS Integration Service generates a self-signed certificate when
it starts after the BlackBerry MDS Integration Service installation process completes or when it cannot locate a certificate in the
BlackBerry MDS Integration Service key store. You can replace the self-signed certificate with a signed certificate if the security
policies in your organization require it.
If the BlackBerry MDS Integration Service must use SSL to connect to web services, you must export the certificate to the web
services to authenticate communication with the web services. If a BlackBerry® MDS Runtime Application must use SSL to connect
to web services, you can configure the BlackBerry® Enterprise Server to verify that the certificate chain for the certificate is strong
enough. You can use the Weak Digest Algorithms IT policy rule to identify algorithms that the BlackBerry device and BlackBerry
Enterprise Server should consider to be weak. After you configure authentication between the BlackBerry MDS Integration Service
and web services, you can configure the BlackBerry device to install only BlackBerry MDS Runtime Applications that use SSL.
For more information, see the BlackBerry Enterprise Server Administration Guide.
Process flow: Registering a BlackBerry device with a BlackBerry MDS Integration Service
1. A BlackBerry® device performs the following actions:
• generates an AES-128 session key
• uses RSA-1024 with PKCS #1 padding to encrypt the AES session key
• sends the AES-128 session key to the BlackBerry MDS Integration Service
• stores the AES-128 session key in flash memory
2. The BlackBerry MDS security protocol on the BlackBerry MDS Integration Service uses AES-128 in CBC mode with PKCS
#5 padding to encrypt the AES-128 session key using an AES-128 database access key.
3. The BlackBerry MDS Integration Service stores the encrypted AES-128 session key in the BlackBerry MDS Integration Service
database and stores the AES-128 database access key in the database key store.
4. The BlackBerry MDS security protocol on the BlackBerry MDS Integration Service and BlackBerry device uses HMAC with
a SHA-1 hash function and the 128-bit shared secret key to authenticate the data that the BlackBerry device and BlackBerry
MDS Integration Service exchange.
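The following is an added illustration of two pieces of the process flow above (it is not BlackBerry code and makes no claim about the actual wire format): the PKCS #5 padding that the protocol applies before AES-128-CBC, and the HMAC-SHA1 layer of step 4 that authenticates data with the 128-bit shared session key. The AES cipher step itself is left to a crypto library and is not implemented here. The function names, the message layout (payload followed by a 20-byte tag) and the sample payload are assumptions made for the example.

```python
"""PKCS #5 padding and HMAC-SHA1 message authentication around a 128-bit
session key. Added example, not BlackBerry MDS code; layout is assumed."""
import hashlib
import hmac
import os

AES_BLOCK = 16       # AES-128 block size in bytes; padding fills to this
HMAC_SHA1_LEN = 20   # SHA-1 digest length in bytes


def pkcs5_pad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Append n bytes of value n so len(result) is a multiple of block.
    Input that is already aligned gets a full block of padding, so the
    receiver can always strip padding unambiguously."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Strip PKCS #5 padding; reject malformed input instead of guessing."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS #5 padding")
    return data[:-n]


def generate_session_key() -> bytes:
    """128-bit session key from the OS CSPRNG (step 1 of the flow)."""
    return os.urandom(16)


def authenticate(session_key: bytes, payload: bytes) -> bytes:
    """Sender side: return payload || HMAC-SHA1(session_key, payload).
    The protocol uses a 128-bit shared key; the layout is assumed here."""
    tag = hmac.new(session_key, payload, hashlib.sha1).digest()
    return payload + tag


def verify(session_key: bytes, message: bytes) -> bytes:
    """Receiver side: recompute the tag and compare in constant time.
    Returns the payload, or raises if the message was altered or the
    two sides do not hold the same session key."""
    if len(message) < HMAC_SHA1_LEN:
        raise ValueError("message too short to carry an HMAC-SHA1 tag")
    payload, tag = message[:-HMAC_SHA1_LEN], message[-HMAC_SHA1_LEN:]
    expected = hmac.new(session_key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC verification failed")
    return payload


def roundtrip_demo() -> bool:
    """Constructed sample: pad a payload, authenticate it with a fresh
    session key, verify it, and confirm a flipped byte is rejected."""
    key = generate_session_key()
    padded = pkcs5_pad(b"device->MDS sample payload")  # constructed input
    message = authenticate(key, padded)
    assert pkcs5_unpad(verify(key, message)) == b"device->MDS sample payload"
    tampered = bytearray(message)
    tampered[0] ^= 0x01
    try:
        verify(key, bytes(tampered))
    except ValueError:
        return True      # alteration was detected, as intended
    return False


if __name__ == "__main__":
    print("tamper detected:", roundtrip_demo())
```

Note that PKCS #5 as originally specified covers 8-byte blocks; for the 16-byte AES block the same scheme (n bytes of value n) is the PKCS #7 generalization, which is what the padding helpers above implement. The `hmac.compare_digest` call matters on the verifying side: a plain `==` on the tag would leak timing information about how many leading tag bytes matched.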
Security Technical Overview
Authenticating data that a BlackBerry device sends to the BlackBerry MDS Integration Service