Installation guide

BlackBerry Enterprise Solution Security
BlackBerry encryption keys
5. The BlackBerry Enterprise Server uses SHA-512 to hash the 521-byte value to 64 bytes.
6. The BlackBerry Enterprise Server uses the 64-byte value to seed a NIST-approved DSA PRNG function. See Federal Information Processing Standard – FIPS PUB 186-2 for more information on the DSA PRNG function.
   The BlackBerry Enterprise Server stores a copy of the seed in a file. When the BlackBerry Enterprise Server restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.
7. The DSA PRNG function generates 128 pseudo-random bits for use with Triple DES and 256 pseudo-random bits for use with AES.
8. The BlackBerry Enterprise Server uses the pseudo-random bits with the appropriate algorithm to generate the message key.
Content protection key
When you turn on or the user turns on content protection on the BlackBerry device, the BlackBerry device generates encryption keys, including the content protection key, that are designed to encrypt the user data on the BlackBerry device in the following scenarios:

Scenario: BlackBerry device is locked
Encryption process: The BlackBerry device frees the memory that it associates with the content protection key and the ECC private key that it stores in RAM. The BlackBerry device then uses the ECC public key, an asymmetric key, to encrypt new user data that it receives.

Scenario: BlackBerry device is unlocked
Encryption process: The BlackBerry device decrypts the content protection key and the ECC private key in flash memory. The BlackBerry device then uses the ECC private key and the content protection key to decrypt user data on the BlackBerry device.
See “Protected storage of user data on a locked BlackBerry device” on page 22 for more information.
Content protection key generation process
When you turn on or the user turns on content protection of data for the first time, the following process occurs:
1. The BlackBerry device uses the NIST-approved DSA PRNG to randomly generate the content protection key, a semi-permanent 256-bit AES encryption key.
2. The BlackBerry device generates an ECC key pair.
3. The BlackBerry device prompts the user to type their BlackBerry device password.
4. The BlackBerry device derives an ephemeral 256-bit AES encryption key from the BlackBerry device password, in accordance with PKCS #5 (the password-based cryptography standard). See “Appendix E: Ephemeral AES encryption key derivation process” on page 53 for more information.
5. The BlackBerry device uses the ephemeral key to encrypt the content protection key and the ECC private key.
6. The BlackBerry device stores the encrypted content protection key, the encrypted ECC private key, and the ECC public key in flash memory.
Note: If the user changes their BlackBerry device password, the BlackBerry device uses the new password to derive a new ephemeral key and uses the new ephemeral key to re-encrypt the encrypted versions of the content protection key and the ECC private key in flash memory.
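The password-derived wrapping of steps 4 to 6 and the re-wrapping described in the Note, as an added Python example (not BlackBerry's code; the ECC key pair from step 2 is left out). PBKDF2 with HMAC-SHA256 and its iteration count, the per-device salt, AES-256-GCM as the AES mode, and os.urandom standing in for the DSA PRNG are all assumptions; the guide names only PKCS #5 and AES.

```python
import os
import hashlib
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 100_000  # assumption: the guide does not state a PBKDF2 iteration count
NONCE_LEN = 12        # AES-GCM nonce length; GCM itself is an assumption, the guide says AES


def ephemeral_key(password: str, salt: bytes) -> bytes:
    """Step 4: derive the ephemeral 256-bit AES key from the device password with
    PKCS #5 PBKDF2 (HMAC-SHA256 as the PRF is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def wrap_key(password: str, salt: bytes, cpk: bytes) -> bytes:
    """Steps 5 and 6: encrypt the content protection key under the ephemeral key so it
    can sit in flash memory. Output layout: nonce || ciphertext || GCM tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(ephemeral_key(password, salt)).encrypt(nonce, cpk, None)


def unwrap_key(password: str, salt: bytes, blob: bytes) -> Optional[bytes]:
    """Unlock scenario: recover the content protection key from flash. A wrong
    password fails the GCM tag check and yields None rather than a garbage key."""
    try:
        return AESGCM(ephemeral_key(password, salt)).decrypt(
            blob[:NONCE_LEN], blob[NONCE_LEN:], None)
    except InvalidTag:
        return None


def change_password(old_pw: str, new_pw: str, salt: bytes, blob: bytes) -> Optional[bytes]:
    """The Note after step 6: a password change derives a new ephemeral key and
    re-encrypts the stored key; the semi-permanent content protection key is unchanged."""
    cpk = unwrap_key(old_pw, salt, blob)
    return None if cpk is None else wrap_key(new_pw, salt, cpk)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per-device salt (an assumption)
    cpk = os.urandom(32)   # step 1: 256-bit content protection key (os.urandom stands in for the DSA PRNG)
    stored = wrap_key("first-pass", salt, cpk)
    stored = change_password("first-pass", "second-pass", salt, stored)
    assert unwrap_key("second-pass", salt, stored) == cpk
    assert unwrap_key("first-pass", salt, stored) is None
    print("re-wrapped under the new password; content protection key unchanged")
```

The point to check in any such design is that a password change only re-wraps: the old password can no longer open the blob, while the content protection key, and with it the already-encrypted user data, stays the same.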
www.blackberry.com