User guide
Item: S/MIME private key

Description: When a user sends a signed email message or signed PIN message from a BlackBerry device, the BlackBerry device hashes the message using SHA-1, SHA-256, SHA-384, SHA-512, or MD5. The BlackBerry device then uses the S/MIME private key of the user to digitally sign the message hash.

When a user receives an encrypted email message or encrypted PIN message on a BlackBerry device, the BlackBerry device uses the private key of the user to decrypt the message. The BlackBerry device stores the private key.
Retrieving S/MIME certificates and checking certificate status
The S/MIME Support Package for BlackBerry® smartphones is designed so that the BlackBerry device and the certificate
synchronization tool of the BlackBerry® Desktop Manager can perform the following actions:
• use LDAP, LDAPS, or DSML to search for and retrieve S/MIME certificates of recipients from LDAP servers or DSML certificate
servers
• use OCSP to check the revocation status of S/MIME certificates
• retrieve the revocation status of S/MIME certificates from a certificate revocation list
S/MIME encryption algorithms
When you turn on S/MIME encryption, the default value of the S/MIME Allowed Content Ciphers IT policy rule specifies that a
BlackBerry® device can use any of the following encryption algorithms to encrypt messages: AES-256, AES-192, AES-128,
CAST-128, RC2-128, or Triple DES. By default, the BlackBerry device cannot use the RC2-64 algorithm and RC2-40 algorithm to
encrypt S/MIME messages. You can change the value of the S/MIME Allowed Content Ciphers IT policy rule to use a subset of
the encryption algorithms if your organization’s security policies require it.
If a BlackBerry device user wants to send an email message to a recipient from whom the user previously received an email
message, the BlackBerry device is designed to store the encryption algorithms that the recipient’s email application can support,
and to use one of those encryption algorithms. By default, if the BlackBerry device cannot determine the encryption algorithms that
the recipient’s email application can support, the BlackBerry device encrypts the email message using Triple DES.
You can use the Weak Digest Algorithms IT policy rule to specify the algorithms that your organization considers to be weak. The
BlackBerry device uses the list of weak algorithms in the Weak Digest Algorithms IT policy rule when the BlackBerry device verifies
the following information:
• An S/MIME-enabled application did not use a weak algorithm to generate the digital signatures on the email messages
that the BlackBerry device receives.
• The certificate chains for the certificates that an S/MIME-enabled application used to digitally sign email messages that
the BlackBerry device receives do not contain hash values generated using a weak algorithm.
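The following Python model, added here as an illustration and not BlackBerry code, shows the two policy decisions described in this section: choosing a content cipher from the default S/MIME Allowed Content Ciphers value against what a recipient is known to support (falling back to Triple DES when nothing is known), and flagging a received signature or its certificate chain under a Weak Digest Algorithms list. The weak-digest list, the cipher ordering, and the behaviour when Triple DES itself has been removed from the allowed list are assumptions, since the text does not specify them.

```python
from dataclasses import dataclass

# Default "S/MIME Allowed Content Ciphers" value quoted in the text.
# Assumption: the policy list is ordered strongest first.
DEFAULT_ALLOWED_CIPHERS = ["AES-256", "AES-192", "AES-128",
                           "CAST-128", "RC2-128", "Triple DES"]
FALLBACK_CIPHER = "Triple DES"   # used when recipient capabilities are unknown
# Assumed "Weak Digest Algorithms" value; the text does not list one.
WEAK_DIGESTS = {"MD5", "SHA-1"}


def choose_content_cipher(recipient_caps, allowed=DEFAULT_ALLOWED_CIPHERS):
    """Pick the strongest policy-allowed cipher the recipient advertised.

    recipient_caps: cipher names remembered from the recipient's earlier
    message, or None when the device knows nothing about the recipient.
    Returns None when no allowed cipher overlaps (encryption not possible).
    Assumption: if Triple DES was removed from the allowed list, the
    fallback is also refused rather than sending an unapproved cipher.
    """
    if recipient_caps is None:
        return FALLBACK_CIPHER if FALLBACK_CIPHER in allowed else None
    caps = set(recipient_caps)
    for cipher in allowed:          # first match is the strongest allowed
        if cipher in caps:
            return cipher
    return None


@dataclass
class SignedMessage:
    digest_algorithm: str            # hash applied to the message body
    chain_signature_digests: list    # hash used to sign each chain cert, leaf first


def weak_digest_findings(msg, weak=WEAK_DIGESTS):
    """List what a verifier applying the weak-digest rule would flag."""
    findings = []
    if msg.digest_algorithm in weak:
        findings.append(f"message digest uses weak algorithm {msg.digest_algorithm}")
    for i, alg in enumerate(msg.chain_signature_digests):
        if alg in weak:
            findings.append(f"certificate {i} in chain signed using weak digest {alg}")
    return findings


if __name__ == "__main__":
    # Constructed sample: recipient only ever advertised RC2-40 and Triple DES.
    print(choose_content_cipher(["RC2-40", "Triple DES"]))      # Triple DES
    print(weak_digest_findings(SignedMessage("SHA-256", ["SHA-256", "SHA-1"])))
```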
Security Technical Overview
Extending messaging security using S/MIME encryption
89