Installation guide
BlackBerry Enterprise Solution Security
BlackBerry encryption keys 8
Key generation method: Wireless

Initial key generation: Wireless enterprise activation permits a user to remotely activate a BlackBerry device on the BlackBerry Enterprise Server without a physical network connection. During the wireless enterprise activation, the BlackBerry Enterprise Server and the BlackBerry device negotiate to select the strongest algorithm that they both support and use that algorithm to generate the master encryption key.
Note: See “Wireless enterprise activation authentication” on page 31 for more information.

Key regeneration: On the BlackBerry device, a user can request a new master encryption key. The BlackBerry device sends the key regeneration request to the BlackBerry Enterprise Server wirelessly. In the BlackBerry Manager, you can initiate regeneration of a master encryption key for a BlackBerry device.
Desktop-based master encryption key generation process
In BlackBerry Desktop Software version 4.0 or later, the master encryption key generation function uses the
current time as the seed for the C language srand function. The master encryption key generation function then
gathers entropy (randomness) using the following process:
1. When prompted by the BlackBerry Desktop Software, the user moves the mouse. The ARC4 encryption
algorithm examines the lowest 12 bits of the x and y axes of the new mouse location. If the bits are different
from the previous sample, the BlackBerry Desktop Software stores them, generating 3 bytes of randomness.
If the bits are the same as the previous sample, no sample is taken.
2. The ARC4 encryption algorithm sleeps for a random interval between 50 and 150 milliseconds, and then
samples again.
3. The ARC4 encryption algorithm loops until it gathers 384 bytes.
4. The BlackBerry Desktop Software retrieves 384 bytes of randomness from the MSCAPI, for a total of 768
bytes.
5. The BlackBerry Desktop Software hashes the 384 bytes of randomness from the ARC4 encryption algorithm
and the 384 bytes of randomness from the MSCAPI with SHA512 to produce 512 bits of data. The BlackBerry
Desktop Software frees the memory associated with the unused bits.
6. The BlackBerry Desktop Software uses the first 256 bits with AES encryption and the first 128 bits with
Triple DES encryption to generate the master encryption key. The BlackBerry Desktop Software discards any
unused bits.
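As an added illustration (not code from the BlackBerry Desktop Software), the following Python simulates the six steps above: it packs the lowest 12 bits of each mouse coordinate into 3 bytes, keeps a sample only when it differs from the previous one, fills a 384-byte pool, combines it with 384 bytes from the OS CSPRNG, and slices the AES and Triple DES keys from the SHA-512 digest. Mouse positions are a constructed list, os.urandom stands in for the MSCAPI, and the 50 to 150 ms sleep between samples is omitted.

```python
import hashlib
import os
from typing import Iterable, Optional

MOUSE_BYTES = 384   # bytes gathered from mouse movement (steps 1-3)
CAPI_BYTES = 384    # bytes retrieved from the OS CSPRNG (step 4)


def mouse_sample(x: int, y: int) -> bytes:
    """Pack the lowest 12 bits of x and y into 3 bytes (24 bits of randomness)."""
    low_x, low_y = x & 0xFFF, y & 0xFFF
    return ((low_x << 12) | low_y).to_bytes(3, "big")


def gather_mouse_entropy(positions: Iterable[tuple], need: int = MOUSE_BYTES) -> bytes:
    """Steps 1-3: store a sample only when its 12-bit fields differ from the
    previous sample, and loop until the pool holds `need` bytes."""
    pool = bytearray()
    prev: Optional[bytes] = None
    for x, y in positions:
        # The real process sleeps a random 50-150 ms here before sampling again.
        sample = mouse_sample(x, y)
        if sample != prev:          # unchanged coordinates yield no new sample
            pool += sample
            prev = sample
        if len(pool) >= need:
            break
    if len(pool) < need:
        raise ValueError("not enough distinct mouse samples to fill the pool")
    return bytes(pool[:need])


def derive_master_keys(mouse_pool: bytes, os_pool: Optional[bytes] = None) -> dict:
    """Steps 4-6: hash both 384-byte pools with SHA-512 (512 bits) and take the
    first 256 bits for AES and the first 128 bits for Triple DES."""
    if os_pool is None:
        os_pool = os.urandom(CAPI_BYTES)  # stand-in for the MSCAPI (assumption)
    if len(mouse_pool) != MOUSE_BYTES or len(os_pool) != CAPI_BYTES:
        raise ValueError("each entropy pool must be exactly 384 bytes")
    digest = hashlib.sha512(mouse_pool + os_pool).digest()
    return {"aes256": digest[:32], "tripledes": digest[:16]}


if __name__ == "__main__":
    # Constructed mouse path: a few repeated points show the dedup rule.
    path = [(0, 0), (0, 0)] + [(i * 7, i * 13) for i in range(1, 200)]
    keys = derive_master_keys(gather_mouse_entropy(path))
    print(keys["aes256"].hex(), keys["tripledes"].hex())
```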
BlackBerry Enterprise Server software versions earlier than 4.0 use a different desktop-based master encryption
key generation process. See “Appendix C: Previous version of wired master encryption key generation” on page
50 for more information.
Wireless master encryption key generation process
To establish and manage master encryption keys wirelessly, the BlackBerry Enterprise Server uses the initial key
establishment protocol and the key rollover protocol. Both protocols provide strong authentication: only a
BlackBerry device with a valid corporate email address and an activation password can initiate wireless
enterprise activation and master encryption key generation.
www.blackberry.com