Installation guide

BlackBerry Enterprise Solution Security
BlackBerry encryption keys 11
User data encryption process on a locked BlackBerry device
1. The BlackBerry device locks. When the BlackBerry device locks for the first time after you or the user turns on content protection, it uses the content protection key to automatically encrypt the bulk of its stored user and application data.
2. The BlackBerry device frees the memory associated with the decrypted content protection key and the decrypted ECC private key stored in RAM.
3. The locked BlackBerry device uses the ECC public key to encrypt data that it receives.
User data decryption process on an unlocked BlackBerry device
1. A user types the correct BlackBerry device password to unlock the BlackBerry device.
2. The BlackBerry device uses the BlackBerry device password to derive the ephemeral 256-bit AES encryption key again.
3. The BlackBerry device uses the ephemeral key to decrypt the encrypted content protection key and the encrypted ECC private key in flash memory.
4. The BlackBerry device stores the decrypted content protection key and the decrypted ECC private key in RAM.
5. If a user attempts to access user data (for example, opens a message) that the BlackBerry device encrypted while it was locked, the BlackBerry device uses the decrypted ECC private key to decrypt the user data and access the ECC-encrypted items (for example, message bodies, subjects, or recipients).
6. When the BlackBerry device has opened 128 ECC-encrypted items (typically, fewer than 40 messages), the BlackBerry device uses the ECC private key to decrypt the ECC-encrypted items and then re-encrypts them with the content protection key the next time that the BlackBerry device locks. If the re-encryption process is incomplete when a user next unlocks the BlackBerry device, the BlackBerry device resumes re-encryption when it locks again.
7. The BlackBerry device uses the content protection key to decrypt the user data that the content protection key encrypted.
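The following Go program is an added illustration of the two procedures above; it is not code from the BlackBerry documentation or from BlackBerry. It models what the document separates into flash and RAM: a password-derived ephemeral AES-256 key wraps the content protection key and the ECC private key, locking zeroises the RAM copies so that only the ECC public key can still protect data the device receives, and unlocking re-derives the ephemeral key and unwraps both keys. The names Flash, RAM, Setup, Lock, Unlock, Seal, Open, ECCSeal and ECCOpen are the example's own. The password derivation is a salted iterated SHA-256 stand-in, because the document does not name the real function, and the ECC construction is an assumed ECIES-style P-256 ECDH plus AES-GCM; the 128-item re-encryption of step 6 is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Flash holds what a lock leaves behind: wrapped keys and the ECC public key.
type Flash struct {
	Salt, WrappedCPK, WrappedECCPriv []byte
	ECCPub                           *ecdh.PublicKey
}

// RAM holds the decrypted keys; Lock zeroises it, Unlock refills it.
type RAM struct {
	CPK     []byte // content protection key (AES-256)
	ECCPriv *ecdh.PrivateKey
}

// Stand-in for the device's unnamed password KDF (assumption: salted, iterated SHA-256).
func deriveEphemeralKey(password string, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 10000; i++ { k = sha256.Sum256(k[:]) }
	return k[:]
}

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// Seal returns nonce||ciphertext||tag and Open fails on a wrong key; every key
// in this model is 32 bytes (AES-256), so the cipher constructors cannot fail.
func Seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := mustRand(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

func Open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(blob) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// ECCSeal needs only the public key, so a locked device can protect data it
// receives (locking step 3); ECCOpen needs the private key, in RAM only when unlocked.
func ECCSeal(pub *ecdh.PublicKey, pt []byte) []byte {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	shared, _ := eph.ECDH(pub) // both keys are P-256, so this cannot fail
	key := sha256.Sum256(shared)
	return append(eph.PublicKey().Bytes(), Seal(key[:], pt)...) // 65-byte point || blob
}

func ECCOpen(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if priv == nil || len(blob) < 65 { return nil, errors.New("no private key in RAM or ciphertext too short") }
	ephPub, err := ecdh.P256().NewPublicKey(blob[:65])
	if err != nil { return nil, err }
	shared, _ := priv.ECDH(ephPub)
	key := sha256.Sum256(shared)
	return Open(key[:], blob[65:])
}

// Setup is the first-time flow: generate the content protection key and ECC pair,
// wrap both under the password-derived ephemeral key, keep only the wrapped
// copies in flash, and hand the plaintext keys to RAM.
func Setup(password string) (Flash, RAM) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	salt, cpk := mustRand(16), mustRand(32)
	eph := deriveEphemeralKey(password, salt)
	return Flash{salt, Seal(eph, cpk), Seal(eph, priv.Bytes()), priv.PublicKey()}, RAM{cpk, priv}
}

// Lock frees the decrypted keys (locking step 2); flash is unchanged.
func Lock(r *RAM) {
	for i := range r.CPK { r.CPK[i] = 0 } // zeroise before dropping the reference
	r.CPK, r.ECCPriv = nil, nil
}

// Unlock re-derives the ephemeral key (unlocking step 2) and unwraps both keys
// (steps 3-4); a wrong password fails the AES-GCM tag check rather than yielding junk keys.
func Unlock(f Flash, password string) (RAM, error) {
	eph := deriveEphemeralKey(password, f.Salt)
	cpk, err1 := Open(eph, f.WrappedCPK)
	privBytes, err2 := Open(eph, f.WrappedECCPriv)
	if err1 != nil || err2 != nil { return RAM{}, errors.New("wrong password") }
	priv, err := ecdh.P256().NewPrivateKey(privBytes)
	if err != nil { return RAM{}, err }
	return RAM{cpk, priv}, nil
}

func main() {
	flash, ram := Setup("correct horse battery")
	Lock(&ram) // RAM keys gone; only flash.ECCPub remains usable
	inbox := ECCSeal(flash.ECCPub, []byte("received while locked"))
	ram, _ = Unlock(flash, "correct horse battery")
	pt, _ := ECCOpen(ram.ECCPriv, inbox)
	fmt.Printf("after unlock: %q\n", pt)
}
```

Two properties are worth checking in any design of this shape: the wrapped keys are authenticated, so a wrong password is rejected at the tag check instead of producing a garbage key that silently fails later, and nothing in flash changes on lock or unlock, so the locked device holds no secret that a password guess could be verified against other than the wrapped blobs themselves. The Seal/Open pair is also the wrap step the grand master key process below applies one level higher, with the content protection key as the wrapping key.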
Grand master key
When you turn on content protection of master encryption keys, the BlackBerry device uses a grand master key
to encrypt the master encryption keys stored on the BlackBerry device in flash memory. When the BlackBerry
device receives data encrypted with a master encryption key while it is locked, it uses the grand master key to
decrypt the required master encryption key in flash memory and receive the data.
See “Protected storage of master encryption keys on a locked BlackBerry device” on page 23 for more
information.
Grand master key generation process
When you turn on content protection of master encryption keys on the BlackBerry device for the first time, the following process occurs:
1. The BlackBerry device generates the grand master key, a 256-bit AES encryption key.
2. The BlackBerry device stores the decrypted grand master key in RAM.
3. The BlackBerry device uses the existing content protection key to encrypt the grand master key.
4. The BlackBerry device stores the encrypted grand master key in flash memory.
5. The BlackBerry device uses the encrypted grand master key to encrypt the master encryption keys stored in BlackBerry device flash memory.
www.blackberry.com