User guide

How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure
After a BlackBerry® Enterprise Server and the BlackBerry® Infrastructure open an SRP connection, the BlackBerry Enterprise
Server uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure. The BlackBerry Infrastructure uses
wireless network protocols (for example, GSM® or EDGE) to send data to the BlackBerry device. The TCP/IP connection between
the BlackBerry Enterprise Server and BlackBerry Infrastructure is designed to be highly secure in the following ways:
• The BlackBerry Enterprise Server deletes data traffic that it receives from any source other than the messaging server, or from the BlackBerry device through the BlackBerry Infrastructure or BlackBerry® Desktop Software.
• The BlackBerry Enterprise Server and BlackBerry device use BlackBerry transport layer encryption to encrypt the data that they send to each other. No intermediate point decrypts and encrypts the data again.
• No data traffic of any kind can occur between the BlackBerry Enterprise Server and either the wireless network or the BlackBerry device unless the BlackBerry Enterprise Server can decrypt the data using a valid device transport key. Only the BlackBerry Enterprise Server and BlackBerry device have the correct device transport key.
You must configure your organization’s firewall or proxy server to permit the BlackBerry Enterprise Server to start and maintain
an outgoing connection to the BlackBerry Infrastructure over TCP port 3101.
Process flow: Authenticating a BlackBerry Enterprise Server with the BlackBerry Infrastructure
1. The BlackBerry® Enterprise Server sends a data packet that contains its unique SRP identifier to the BlackBerry®
Infrastructure to claim the SRP identifier.
2. The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Enterprise Server.
3. The BlackBerry Enterprise Server sends a challenge string to the BlackBerry Infrastructure.
4. The BlackBerry Infrastructure hashes the challenge string with the SRP authentication key using HMAC with the SHA-1
algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to the BlackBerry Enterprise Server as a challenge
string.
5. The BlackBerry Enterprise Server hashes the challenge string with the SRP authentication key, and sends a challenge
response to the BlackBerry Infrastructure.
6. The BlackBerry Infrastructure performs one of the following actions:
   • accepts the challenge response and sends a confirmation to the BlackBerry Enterprise Server to complete the authentication process and configure an authenticated SRP connection
   • rejects the challenge response
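The six-step exchange above, modelled as an added example that is not BlackBerry's own code: both endpoints hold the same SRP authentication key, each side issues a random challenge, and each answers the other's challenge with HMAC-SHA1 (a 20-byte value, as in step 4). The party names, the 16-byte challenge length, the sample SRP identifier and the keys are constructed here; the page does not state that the BlackBerry Enterprise Server checks the Infrastructure's step-4 value, so that check, and the constant-time comparison, are assumptions added for a complete mutual-authentication model.

```python
import hashlib
import hmac
import os

DIGEST_LEN = 20  # HMAC-SHA1 output length, as stated in step 4 of the process flow


class Party:
    """One endpoint of the SRP challenge-response exchange (hypothetical model)."""

    def __init__(self, name, srp_auth_key):
        self.name = name
        self.key = srp_auth_key          # shared SRP authentication key
        self.my_challenge = None         # challenge this party issued to its peer

    def new_challenge(self):
        # Random challenge; 16 bytes is an assumption, the page gives no length.
        self.my_challenge = os.urandom(16)
        return self.my_challenge

    def respond(self, peer_challenge):
        # Hash the peer's challenge with the SRP key using HMAC-SHA1 (step 4 / step 5).
        return hmac.new(self.key, peer_challenge, hashlib.sha1).digest()

    def verify(self, response):
        # Recompute the expected value for our own challenge and compare in constant time.
        expected = hmac.new(self.key, self.my_challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


def run_srp_authentication(server_key, infrastructure_key, srp_id=b"S00000000"):
    """Simulate steps 1-6. Returns (accepted, transcript); srp_id is a constructed placeholder."""
    bes = Party("BlackBerry Enterprise Server", server_key)
    infra = Party("BlackBerry Infrastructure", infrastructure_key)
    transcript = []

    # Step 1: the server claims its SRP identifier.
    transcript.append(("BES->Infra", "claim", srp_id))
    # Step 2: the Infrastructure sends a random challenge string.
    c_infra = infra.new_challenge()
    transcript.append(("Infra->BES", "challenge", c_infra))
    # Step 3: the server sends its own challenge string.
    c_bes = bes.new_challenge()
    transcript.append(("BES->Infra", "challenge", c_bes))
    # Step 4: the Infrastructure answers the server's challenge with a 20-byte HMAC-SHA1.
    r_infra = infra.respond(c_bes)
    transcript.append(("Infra->BES", "challenge_response", r_infra))
    if not bes.verify(r_infra):          # assumed check; not stated on the page
        transcript.append(("BES", "reject", None))
        return False, transcript
    # Step 5: the server answers the Infrastructure's challenge.
    r_bes = bes.respond(c_infra)
    transcript.append(("BES->Infra", "challenge_response", r_bes))
    # Step 6: the Infrastructure accepts (confirmation) or rejects the response.
    if infra.verify(r_bes):
        transcript.append(("Infra->BES", "confirm", None))
        return True, transcript
    transcript.append(("Infra", "reject", None))
    return False, transcript


if __name__ == "__main__":
    shared = os.urandom(32)                         # constructed shared SRP key
    ok, log = run_srp_authentication(shared, shared)
    print("matching keys  ->", "accepted" if ok else "rejected")
    ok, log = run_srp_authentication(shared, os.urandom(32))
    print("mismatched keys ->", "accepted" if ok else "rejected")
```

Because each side only ever sends an HMAC over a fresh random value chosen by its peer, a captured response cannot be replayed against a later challenge, and the SRP authentication key itself never crosses the TCP port 3101 connection.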
Security Technical Overview
How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other