Installation guide
BlackBerry Enterprise Solution Security
Protecting stored data 23
BlackBerry device application User data
calendar
• subject
• location
• organizer
• attendees
• notes included in the appointment or meeting request
MemoPad
• title
• information included in the body of the note
tasks
• subject
• information included in the body of the task
contacts
• all information except the title and category
AutoText
• all text that automatically replaces the text a user types
BlackBerry Browser
• content that web sites or third-party applications push to the BlackBerry device
• web sites that the user saves on the BlackBerry device
• browser cache
Enabling protected storage of BlackBerry device data
You enable protected storage of data on the BlackBerry device by setting the Content Protection Strength IT
policy rule. Choose a strength level that corresponds to the desired ECC key strength.
If a user turns on content protection on the BlackBerry device (in the BlackBerry device Security options), the
BlackBerry device sets the content protection strength to level 0 (a 160-bit ECC key) by default.
When the content-protected BlackBerry device decrypts a message that it received while locked, the BlackBerry
device uses the ECC private key in the decryption operation. The longer the ECC key, the more time the ECC
decryption operation adds to the BlackBerry device decryption process. Choose the content protection strength
level according to whether you want to favor ECC encryption strength or decryption time.
If you set the content protection strength to level 1 (to use a 283-bit ECC key) or to level 2 (to use a 571-bit ECC
key), RIM recommends that you set the Minimum Password Length IT policy rule to enforce a minimum
BlackBerry device password length of 12 characters or 21 characters, respectively. These password lengths
maximize the encryption strength that the longer ECC keys are designed to provide. The BlackBerry device uses
the BlackBerry device password to generate the ephemeral 256-bit AES encryption key that the BlackBerry
device uses to encrypt the content protection key and the ECC private key. A weak password produces a weak
ephemeral key.
See “Content protection key generation process” on page 10 for more information.
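The key hierarchy described above, modelled in Python as an added example (this is not BlackBerry's code): the device password derives the ephemeral 256-bit key, that key wraps both the content protection key and the ECC private key in flash, and unlocking re-derives it. The KDF (PBKDF2-HMAC-SHA256), the HMAC-based wrap standing in for AES-256, the random placeholder key bytes and the 95-character alphabet are assumptions; the level-to-key-size and recommended password-length figures are the page's.

```python
import hashlib, hmac, math, secrets

# Content Protection Strength levels and their ECC key sizes, as given on the page.
ECC_KEY_BITS = {0: 160, 1: 283, 2: 571}
# Minimum Password Length that RIM recommends alongside levels 1 and 2.
RECOMMENDED_MIN_PASSWORD_LEN = {1: 12, 2: 21}

def password_meets_recommendation(password, level):
    return len(password) >= RECOMMENDED_MIN_PASSWORD_LEN.get(level, 0)

def effective_ephemeral_bits(password, alphabet_size=95):
    # The 256-bit ephemeral key is only as strong as the password it is derived from.
    return min(256.0, len(password) * math.log2(alphabet_size))

def ephemeral_key(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the KDF the page does not name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; domain-separated from the MAC by the b"enc" label.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def wrap(key, secret):
    # Encrypt-then-MAC stand-in for the AES-256 wrap (the standard library has no AES).
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, "sha256").digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, "sha256").digest()):
        raise ValueError("wrong password or tampered key store")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def enable_content_protection(password, level):
    # flash: both keys wrapped under the ephemeral key; ram: the plaintext copies that
    # exist only while the device is unlocked. Keys are random placeholders, not real ECC.
    salt = secrets.token_bytes(16)
    k = ephemeral_key(password, salt)
    cp_key, ecc_priv = secrets.token_bytes(32), secrets.token_bytes(-(-ECC_KEY_BITS[level] // 8))
    flash = {"salt": salt, "cp_key": wrap(k, cp_key), "ecc_priv": wrap(k, ecc_priv)}
    return flash, (cp_key, ecc_priv)

def unlock(flash, password):
    # Re-derive the ephemeral key from the entered password and unwrap both keys;
    # a wrong password fails the MAC check instead of yielding garbage keys.
    k = ephemeral_key(password, flash["salt"])
    return unwrap(k, flash["cp_key"]), unwrap(k, flash["ecc_priv"])
```

Locking corresponds to discarding the returned ram tuple; the wrapped copies in flash are useless without the password that regenerates the ephemeral key.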
Protected storage of master encryption keys on a locked BlackBerry device
If you turn on content protection of master encryption keys, the BlackBerry device uses the grand master key to
encrypt the master encryption keys stored in flash memory and stores the decrypted grand master key in RAM.
When you, the user, or a configured password timeout locks the BlackBerry device, the wireless radio remains on
and the BlackBerry device does not free the memory associated with the grand master key. When the BlackBerry
device receives data encrypted with a master encryption key while it is locked, it uses the decrypted grand
master key to decrypt the required master encryption key in flash memory and receive the data.
See “Grand master key generation process” on page 11 for more information.
www.blackberry.com