Installation guide
BlackBerry Enterprise Solution Security
Extending BlackBerry device messaging security 19
PKI component support
The S/MIME Support Package is designed to support the following PKI components:
• LDAP: The BlackBerry device and the Certificate Synchronization Manager use LDAP to search for and download certificates.
• OCSP: The BlackBerry device and the Certificate Synchronization Manager use OCSP to check the revocation status of a certificate on demand.
• CRL: The BlackBerry device and the Certificate Synchronization Manager obtain the most recent revocation status of certificates from a CRL, which the CA server publishes at a frequency set on that server.
S/MIME encryption
If the S/MIME Support Package exists on a BlackBerry device, when the BlackBerry device user sends a message, the BlackBerry device encrypts the message once with S/MIME encryption and once with standard BlackBerry encryption using the following process:
1. The BlackBerry device encrypts the message with the S/MIME certificate of the message recipient.
2. The BlackBerry device uses standard BlackBerry encryption to encrypt the S/MIME encrypted message.
3. The BlackBerry device sends the encrypted data to the BlackBerry Enterprise Server.
4. The BlackBerry Enterprise Server removes the BlackBerry standard encryption and sends the S/MIME encrypted message to the recipient.
If the S/MIME Support Package exists on a BlackBerry device, when the user receives a message on the BlackBerry device, the BlackBerry Enterprise Server encrypts the S/MIME message with standard BlackBerry encryption and the BlackBerry device then decrypts the message using the following process:
1. The BlackBerry Enterprise Server receives the S/MIME protected message.
2. If the message is signed-only or weakly encrypted, and you have turned on this option using the BlackBerry Manager, the BlackBerry Enterprise Server encrypts the message a second time with S/MIME encryption.
3. The BlackBerry Enterprise Server uses standard BlackBerry encryption to encrypt the S/MIME data.
4. The BlackBerry Enterprise Server sends the encrypted message to the BlackBerry device.
5. The BlackBerry device removes the BlackBerry standard encryption and stores the S/MIME encrypted message.
6. When the user opens the message on the BlackBerry device, the BlackBerry device decrypts the S/MIME encrypted message and renders the message contents.
S/MIME encryption algorithms
The BlackBerry device is designed to support using a strong algorithm for S/MIME encryption. When you turn on S/MIME encryption on the BlackBerry Enterprise Server, the default setting of the S/MIME Allowed Content Ciphers IT policy rule specifies that the BlackBerry device can use any of the supported algorithms, other than the two weakest RC2 algorithms, RC2 (64-bit) and RC2 (40-bit), to encrypt S/MIME messages.
You can set the S/MIME Allowed Content Ciphers IT policy rule to encrypt S/MIME messages using any of AES (256-bit), AES (192-bit), AES (128-bit), CAST (128-bit), RC2 (128-bit), Triple DES, RC2 (64-bit), and RC2 (40-bit).
If the BlackBerry device has previously received a message from the intended recipient, the BlackBerry device is designed to recall which content ciphers that recipient supports and to use one of those ciphers. If the BlackBerry device does not know the decryption capabilities of the recipient, it encrypts the message using Triple DES by default.
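The content-cipher selection described above, as an added example in Python that is not BlackBerry's code: the policy rule is modelled as an allowed list, the recipient's remembered capabilities as a small cache, and an unknown recipient falls back to Triple DES. The strongest-first ordering, the cache class and the refusal to send when the policy and the recipient's ciphers do not overlap are this example's assumptions.

```python
from __future__ import annotations

from typing import Iterable, Optional

# Ciphers named by the S/MIME Allowed Content Ciphers IT policy rule, listed
# strongest first. The ordering is this example's assumption, not BlackBerry's.
CIPHER_PREFERENCE = (
    "AES (256-bit)", "AES (192-bit)", "AES (128-bit)", "CAST (128-bit)",
    "RC2 (128-bit)", "Triple DES", "RC2 (64-bit)", "RC2 (40-bit)",
)
WEAK_RC2 = frozenset({"RC2 (64-bit)", "RC2 (40-bit)"})
# Default rule value: every supported cipher except the two weakest RC2 variants.
DEFAULT_ALLOWED = tuple(c for c in CIPHER_PREFERENCE if c not in WEAK_RC2)
# Used when the recipient's decryption capabilities are not known.
UNKNOWN_RECIPIENT_CIPHER = "Triple DES"


class RecipientCapabilityCache:
    """Constructed stand-in for the device's record of which content ciphers
    each correspondent supported in a message already received from them."""

    def __init__(self) -> None:
        self._caps: dict[str, frozenset[str]] = {}

    def remember(self, address: str, ciphers: Iterable[str]) -> None:
        self._caps[address.lower()] = frozenset(ciphers)

    def lookup(self, address: str) -> Optional[frozenset[str]]:
        return self._caps.get(address.lower())


def select_content_cipher(allowed: Iterable[str],
                          recipient_caps: Optional[Iterable[str]]) -> Optional[str]:
    """Return the content cipher to encrypt with, or None if the message must
    not be sent. The IT policy is a ceiling: a recipient that advertises only
    ciphers the policy forbids is refused, never downgraded to."""
    allowed_set = set(allowed)
    if recipient_caps is None:
        # No earlier message from this recipient: default to Triple DES, provided
        # the policy still permits it (refusing otherwise is an assumption here).
        return UNKNOWN_RECIPIENT_CIPHER if UNKNOWN_RECIPIENT_CIPHER in allowed_set else None
    caps = set(recipient_caps)
    # Strongest cipher that the policy allows and the recipient can decrypt.
    for cipher in CIPHER_PREFERENCE:
        if cipher in allowed_set and cipher in caps:
            return cipher
    return None
```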
www.blackberry.com