BlackBerry Enterprise Solution Security
Version 4.1.0 Technical Overview
© 2006 Research In Motion Limited. All rights reserved. www.blackberry.
Contents
Wireless security ..... 4
BlackBerry Enterprise Solution security ..... 4
New security features .....
Messaging server ..... 26
BlackBerry configuration database ..... 26
BlackBerry MDS Services databases .....
Wireless security
This document describes the security features of the BlackBerry® Enterprise Solution and provides an overview of the BlackBerry security architecture. Unless otherwise stated, the features described are those supported by BlackBerry Enterprise Server version 4.1 or later, BlackBerry Desktop Software version 4.1 or later, and BlackBerry Device Software version 4.1 or later.
BlackBerry Enterprise Solution security
Concept: authenticity
Description: enables the message recipient to identify and trust the identity of the message sender
BlackBerry Enterprise Solution implementation:
• Require that the BlackBerry device authenticate itself to the BlackBerry Enterprise Server to prove that it knows the master encryption key before the BlackBerry Enterprise Server can exchange the unique master encryption key with, and send data to the B
New security features
Feature: protect master encryption keys on the BlackBerry device
Software versions supported:
• BlackBerry Enterprise Server version 4.1 (all platforms)
• Java™ based BlackBerry devices that are running BlackBerry Device Software version 4.1 or later
Description: Encrypt the master encryption keys stored on the BlackBerry device in flash memory using 256-bit AES.
BlackBerry encryption keys
Master encryption key storage
The BlackBerry configuration database, the messaging server, and the BlackBerry device flash memory store encryption keys, including the current BlackBerry device master encryption key (in other words, the master encryption key that the BlackBerry device currently uses to encrypt and decrypt message keys).
Key generation methods
Key generation method: wireless
Initial key generation: Wireless enterprise activation permits a user to remotely activate a BlackBerry device on the BlackBerry Enterprise Server without a physical network connection.
Key regeneration:
Protocol: initial key establishment protocol
Description:
• The BlackBerry Enterprise Server uses this protocol during wireless enterprise activation to establish the initial master encryption key.
• This protocol uses SPEKE to bootstrap from an activation password, enabling a BlackBerry device to establish long-term public keys and a strong, cryptographically protected connection with a BlackBerry Enterprise Server.
5. The BlackBerry Enterprise Server uses SHA-512 to hash the 521-byte value to 64 bytes.
6. The BlackBerry Enterprise Server uses the 64-byte value to seed a NIST-approved DSA PRNG function. See Federal Information Processing Standard FIPS PUB 186-2 for more information on the DSA PRNG function. The BlackBerry Enterprise Server stores a copy of the seed in a file.
User data encryption process on a locked BlackBerry device
1. The BlackBerry device locks. When the BlackBerry device locks for the first time after you or the user turn on content protection, it uses the content protection key to automatically encrypt the bulk of its stored user and application data.
2.
BlackBerry symmetric key encryption algorithms
A symmetric key encryption algorithm is designed so that only the parties who know the secret key can decrypt the encrypted data, or ciphertext, of the scrambled message.
When a user sends a message from the BlackBerry device, the BlackBerry Enterprise Server does not encrypt the message when it forwards the message to the message recipient unless the user installs additional secure messaging technology on the BlackBerry device and you have enabled the BlackBerry device to use that secure messaging technology to extend the messaging security.
BlackBerry wireless messaging security
The BlackBerry Enterprise Solution is designed with advanced security features to work seamlessly with existing corporate networks while enabling a user to securely send and receive messages while away from their desktop computer. Email messages remain encrypted at all points between the BlackBerry device and the BlackBerry Enterprise Server.
2. The BlackBerry Infrastructure routes the encrypted message to the BlackBerry Enterprise Server on which the user resides. The connection from the BlackBerry Enterprise Server to the BlackBerry Infrastructure is a two-way TCP connection on port 3101. The BlackBerry Infrastructure directs messages from the BlackBerry device to this connection using the routing information in the message.
3.
Extending BlackBerry device messaging security
SMS and MMS messaging
SMS and MMS messaging are available on some BlackBerry devices. Supported BlackBerry devices can send SMS and MMS messages over the wireless TCP/IP connection between them. The BlackBerry device does not encrypt SMS and MMS messages.
The PGP Support Package includes tools for obtaining PGP keys and transferring them to the BlackBerry device so that BlackBerry devices with the PGP Support Package installed can decrypt PGP-protected messages and users can read the decrypted messages on their BlackBerry devices. Users can digitally sign, encrypt, and send PGP-protected messages from their BlackBerry devices.
3. The BlackBerry device sends the encrypted message to the BlackBerry Enterprise Server.
4. The BlackBerry Enterprise Server removes the standard BlackBerry encryption and sends the PGP-encrypted message to the recipient.
PKI component support
The S/MIME Support Package is designed to support the following PKI components:
• LDAP: The BlackBerry device and the Certificate Synchronization Manager use LDAP to search for and download certificates.
• OCSP: The BlackBerry device and the Certificate Synchronization Manager use OCSP to check the revocation status of a certificate on demand.
S/MIME certificates
When a user sends an encrypted message from the BlackBerry device, the BlackBerry device uses the S/MIME certificate of the message recipient to encrypt the message. When a BlackBerry device user receives a signed message, the BlackBerry device uses the S/MIME certificate of the message sender to verify the message signature.
Protecting stored data
• the BlackBerry Enterprise Server restarts
• the password times out (the default expiration timeout is 24 hours)
The encrypted Notes .id password remains stored in the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory cache. The BlackBerry device deletes the Notes .
IT policy signing and storage on the BlackBerry device
An IT policy is a collection of one or more IT policy rules. An IT Admin command is a function that you can send wirelessly to immediately control access to or change ownership information on the BlackBerry device.
User data that content protection encrypts, by BlackBerry device application
calendar
• subject
• location
• organizer
• attendees
• notes included in the appointment or meeting request
• title
• information included in the body of the note
• subject
• information included in the body of the task
contacts
• all information except the title and category
AutoText
• all text that automatically replaces the text a user types
BlackBerry Browser
• content tha
Enabling protected storage of master encryption keys on a locked BlackBerry device
You enable protected storage of master encryption keys on the BlackBerry device by setting the Force Content Protection of Master Keys IT policy rule. When you turn on content protection of master encryption keys, the BlackBerry device uses the same ECC key strength that it uses to encrypt user and application data when encrypting the master encryption keys.
Configuring memory cleaning
Users can configure the memory cleaner program to run when their BlackBerry devices are holstered or when their BlackBerry devices remain idle for a configured period of time. Users can also manually run the memory cleaner program on their BlackBerry devices or run specific registered memory cleaners in the BlackBerry device Security options.
BlackBerry architecture component security
See the BlackBerry Enterprise Server Feature and Technical Overview for more information on the BlackBerry Enterprise Server architecture.
BlackBerry Infrastructure
The BlackBerry Infrastructure is designed to communicate with the BlackBerry Enterprise Server using a RIM-proprietary protocol called Server Routing Protocol (SRP). SRP is a point-to-point protocol that runs over TCP/IP.
Configuration option: shield your Microsoft SQL Server installation from Internet-based attacks
Recommendations:
• Require Windows Authentication Mode for connections to Microsoft SQL Server to restrict connections to Microsoft Windows® user and domain user accounts and enable credentials delegation. Note: Windows Authentication Mode eliminates the need to store passwords on the client side.
Configuration option: delete unsecured, old setup files
Recommendations:
•
Configuration option: audit connections to the Microsoft SQL Server
Recommendations:
• At a minimum, log failed connection attempts to the Microsoft SQL Server and review the log regularly.
• When possible, save log files to a different hard drive than the one on which data files are stored.
Protecting the BlackBerry Infrastructure connections
A BlackBerry device can bypass SRP connectivity and authentication by using the BlackBerry Router to connect directly to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server can communicate with the BlackBerry Router using a combination of the SRP and BlackBerry Router authentication protocols.
Step 3. Action: The BlackBerry Enterprise Server sends a challenge string to the BlackBerry Infrastructure. Description: When the BlackBerry Enterprise Server receives the BlackBerry Infrastructure challenge string, it sends a challenge string to the BlackBerry Infrastructure.
Step 4. Action: The BlackBerry Infrastructure sends a challenge response to the BlackBerry Enterprise Server.
Step 2. Action: The BlackBerry Router authenticates the BlackBerry device. Description: The BlackBerry Router uses its unique authentication protocol to verify that the BlackBerry device has the correct master encryption key. The value of the master encryption key that the BlackBerry device and the BlackBerry Enterprise Server share is not available to the BlackBerry Router.
Step 4. Action: The BlackBerry Enterprise Server and the BlackBerry device establish and verify the shared master encryption key. Description: The BlackBerry Enterprise Server and the BlackBerry device use the initial key establishment protocol to establish a master encryption key. The BlackBerry Enterprise Server and the BlackBerry device verify the master encryption key with each other.
Security measure: The BlackBerry Enterprise Solution encrypts data traffic over TCP/IP.
Description:
• Data remains encrypted with standard BlackBerry encryption from the BlackBerry Enterprise Server to the BlackBerry device or from the BlackBerry device to the BlackBerry Enterprise Server. There is no intermediate point at which the data is decrypted and encrypted again.
Messaging server: Microsoft Exchange
Data traffic encryption method:
• The BlackBerry Enterprise Server and the Microsoft Exchange Server communicate using the same Microsoft Exchange server RPC.
• A user can use 128-bit encryption to encrypt RPC communication over the MAPI connection between the Microsoft Exchange Server and Microsoft Outlook.
HTTPS protocol: handheld mode TLS/SSL
BlackBerry MDS encryption method: TLS and WTLS key establishment algorithms, symmetric ciphers and hash algorithms that the RIM Crypto API currently supports on the BlackBerry device
Description:
• The BlackBerry device uses handheld (direct) mode TLS/SSL to encrypt data for the entire connection between the BlackBerry device and the content server.
Authenticating a user
• what they know (their smart card password).
The BlackBerry Smart Card Reader integrates smart card use with the BlackBerry Enterprise Solution, enabling a user to authenticate with their smart card to log in to certain Bluetooth-enabled BlackBerry devices.
If the BlackBerry device is running either BlackBerry Device Software version 3.6 or earlier with the S/MIME Support Package version 4.0 or later installed, or BlackBerry Device Software version 4.0 or later (S/MIME Support Package optional), the user can also view smart card information in the BlackBerry device Security Options.
Controlling BlackBerry devices
You can add a new IT policy rule to, remove a new IT policy rule from, or change the assigned value of a new IT policy rule in an IT policy the same way that you change a standard IT policy rule in an IT policy. The BlackBerry Manager groups the IT policy rules by common properties or by application. Most IT policy rules are intended to be assigned to more than one BlackBerry device.
• Restrict device resources available to third-party applications
See the Policy Reference Guide for more information.
Controlling BlackBerry device access to the BlackBerry Enterprise Server
Turn on the Enterprise Service Policy to control which BlackBerry devices can connect to the BlackBerry Enterprise Server.
Protecting the BlackBerry device against malware
Java-based BlackBerry devices are designed to provide an open platform for third-party wireless enterprise application development. Using BlackBerry MDS Studio™ and the BlackBerry Java Development Environment (JDE), the BlackBerry Enterprise Solution enables software developers to create third-party applications for BlackBerry devices.
BlackBerry Enterprise Solution security method: code signing
Description:
• RIM controls the use of APIs that include sensitive packages, classes, or methods to prevent unauthorized, malicious applications from accessing data on the BlackBerry device.
BlackBerry Enterprise Solution security method: using application control policy rules
Description: The BlackBerry Enterprise Server application control policy rules are designed to enable you to permit or prevent the installation of specific third-party applications on the BlackBerry device and to limit the permissions of third-party applications that have obtained a digital signature from RIM’s signing authori
Protecting lost, stolen, or replaced BlackBerry devices
Erasing data from BlackBerry device memory and making the BlackBerry device unavailable
The BlackBerry device erases its user and application data when any of the following events occur:
• The user clicks Wipe Device (in the Security options) on the BlackBerry device.
• The user types the password incorrectly more times than the Set Maximum Password Attempts IT policy rule allows.
Related resources
Resource: BlackBerry Enterprise Server Feature and Technical Overview
Information:
• BlackBerry Enterprise Server architecture
Resource: BlackBerry Enterprise Server Installation Guide
Information:
• network environment settings
• messaging and collaboration environment settings
• database environment settings
• generating and changing master encryption keys
• enabling encryption
• managing security
Resource: BlackBerry Enterprise Solution Secu
Resource: PGP Support Package User Guide Supplement
Information:
• installing the PGP Support Package
• managing PGP keys on the BlackBerry device
• setting PGP options for digitally signing and encrypting messages
• S/MIME security and encryption
• managing S/MIME certificates on the BlackBerry device and desktop computer
• installing the S/MIME Support Package
• managing certificates on the BlackBerry device and desktop computer
Appendix A: RIM Cryptographic Application Programming Interface
The RIM Crypto API on the BlackBerry device and in the BlackBerry JDE provides developers with a toolkit of cryptographic algorithms and support tools that they can use to create secure applications for business connectivity.
Key agreement schemes (algorithm: key length in bits, type)
DH: 512 to 4096, discrete logarithm
KEA: 1024, discrete logarithm
ECDH: 160 to 571, (EC) discrete logarithm
ECMQV: 160 to 571, (EC) discrete logarithm
Signature schemes (algorithm: key length in bits, type)
DSA: 512 to 1024, discrete logarithm
RSA using PKCS#1 (version 1.5 and 2.0): 512 to 4096, integer factorization
RSA using ANSI X9.
Appendix B: TLS and WTLS standards that the RIM Crypto API supports
The TLS and WTLS protocol cipher suite components that the RIM Crypto API supports apply only to WTLS and handheld (direct) mode TLS/SSL on the BlackBerry device.
Symmetric algorithms that the RIM Crypto API supports
Direct mode SSL: RC4 40, DES 40, DES, Triple DES, RC4 128
Direct mode TLS: RC4 40, RC4 56, RC4 128, DES 40, DES, Triple DES, AES 128, AES 256
WTLS: RC5 40, RC5 56, RC5 64, RC5, RC5 128, DES 40, DES, Triple DES, RC4 128
Hash algorithms that the RIM Crypto API supports
Direct mode SSL: MD5, SHA1
Direct mode TLS: MD5, SHA1
WTLS: SHA, SHA 40, SHA
Appendix C: Previous version of wired master encryption key generation
Each time a BlackBerry Enterprise Server or BlackBerry Desktop Software version earlier than 4.0 calls the master encryption key generation function, the C language srand function is seeded with the current time to generate a seed for the C language rand function.
Appendix D: BlackBerry device wipe process
A BlackBerry device wipe is designed to delete and overwrite the BlackBerry device memory using the following process:
1. The BlackBerry device sets a Device Under Attack flag in the NV store.
3. Writes 0xCC to each byte (1100 1100 in binary).
4. Clears all bytes to 0xFF (1111 1111 in binary).
5. Writes 0x55 to each byte (0101 0101 in binary).
6. Clears all bytes to 0xFF (1111 1111 in binary).
7. Writes 0xAA to each byte (1010 1010 in binary).
8. Clears all bytes to 0xFF (1111 1111 in binary).
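The following C model of passes 3 to 8 is an added illustration and not RIM's firmware: it runs the six pattern passes over a constructed in-memory region, and it adds two things a practitioner would want that the appendix does not state, a read-back check after every pass (so a region that does not take the pattern is reported rather than assumed wiped) and a check that the chosen patterns drive every bit of every byte to both 0 and 1. The region size, the sample contents, and the function names are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Passes 3 to 8 of the wipe process, in order: each data pattern is followed
 * by a pass that returns every byte to 0xFF. */
static const uint8_t WIPE_PASSES[] = {0xCC, 0xFF, 0x55, 0xFF, 0xAA, 0xFF};
#define WIPE_PASS_COUNT (sizeof WIPE_PASSES / sizeof WIPE_PASSES[0])

/* Write a pattern through a volatile pointer so the compiler cannot drop the
 * stores as dead code: a plain memset on memory that is never read again may
 * be optimised away, leaving the old data in place. */
static void fill_volatile(uint8_t *mem, size_t len, uint8_t value)
{
    volatile uint8_t *p = mem;
    for (size_t i = 0; i < len; i++)
        p[i] = value;
}

/* Read the region back and confirm every byte holds the expected pattern. */
static bool verify_pattern(const uint8_t *mem, size_t len, uint8_t value)
{
    const volatile uint8_t *p = mem;
    for (size_t i = 0; i < len; i++)
        if (p[i] != value)
            return false;
    return true;
}

/* Run the passes in order, verifying each before moving on. Returns the
 * number of passes written and read back correctly (WIPE_PASS_COUNT on
 * success). The read-back is an assumption added here, not a documented
 * step: stopping at the first pass that does not take means a region that
 * refuses a pattern is reported instead of being silently treated as wiped. */
size_t wipe_region(uint8_t *mem, size_t len)
{
    for (size_t pass = 0; pass < WIPE_PASS_COUNT; pass++) {
        fill_volatile(mem, len, WIPE_PASSES[pass]);
        if (!verify_pattern(mem, len, WIPE_PASSES[pass]))
            return pass;
    }
    return WIPE_PASS_COUNT;
}

/* Why these patterns: 0xCC (1100 1100), 0x55 (0101 0101) and 0xAA (1010 1010)
 * between them clear every bit position at least once, and the 0xFF passes set
 * every bit position at least once, so no cell keeps its original state all
 * the way through the sequence. Returns true when a pass list has that property. */
bool passes_toggle_every_bit(const uint8_t *passes, size_t count)
{
    uint8_t seen_one = 0, seen_zero = 0;
    for (size_t i = 0; i < count; i++) {
        seen_one |= passes[i];
        seen_zero |= (uint8_t)~passes[i];
    }
    return seen_one == 0xFF && seen_zero == 0xFF;
}

/* Stand-alone demonstration on a constructed 64-byte region holding sample
 * data. Returns the number of passes completed: 6 when the wipe succeeded and
 * the region ends in the cleared 0xFF state, 0 if the final state is wrong. */
size_t wipe_demo(void)
{
    uint8_t region[64];
    memset(region, 0x5A, sizeof region);        /* constructed "user data" */
    size_t done = wipe_region(region, sizeof region);
    if (!verify_pattern(region, sizeof region, 0xFF))
        return 0;
    return done;
}
```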
Appendix E: Ephemeral AES encryption key derivation process
The BlackBerry device uses an ephemeral 256-bit AES encryption key to encrypt the content protection key and the ECC private key. The BlackBerry device derives the ephemeral 256-bit AES encryption key from the BlackBerry device password using the following process:
1.
Part number: 7121119 version 2
©2006 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, “Always On, Always Connected”, the “envelope in motion” symbol, and BlackBerry are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.