BlackBerry Smart Card Reader Security Version 1.5 Technical Overview © 2006 Research In Motion Limited. All rights reserved. www.blackberry.
BlackBerry Smart Card Reader Security Contents BlackBerry Smart Card Reader .............................................................................................................................. 4 Authenticating a user using a smart card........................................................................................................ 4 Integrating a smart card with existing secure messaging technology....................................................... 4 New in this release ...............
BlackBerry Smart Card Reader Security Online dictionary attack ...................................................................................................................................24 Small subgroup attack.......................................................................................................................................24 Appendix F: Smart card binding information ....................................................................................................
BlackBerry Smart Card Reader Security 4 This document describes the security features that the BlackBerry® Smart Card Reader Version 1.5 and the BlackBerry Enterprise Server Version 4.0.2 or later (with the correct IT policy template) support, unless otherwise stated. See the documentation for earlier software versions of the BlackBerry Smart Card Reader and the BlackBerry Enterprise Server to determine if an earlier version supports a specific feature.
BlackBerry Smart Card Reader Security 5 New in this release Feature Description BlackBerry Smart Card Reader connections to Bluetooth enabled computers • The BlackBerry Smart Card Reader supports connections to Bluetooth enabled computers that have the BlackBerry Smart Card Reader driver and a supported smart card driver installed.
BlackBerry Smart Card Reader Security 6 Bluetooth enabled BlackBerry devices BlackBerry devices that use Bluetooth wireless technology are designed to establish a wireless connection with other Bluetooth enabled devices, such as a hands-free car kit or a wireless headset, that are within an approximate 10-meter range of these BlackBerry devices.
BlackBerry Smart Card Reader Security 7 Bluetooth security measures on the BlackBerry Smart Card Reader The following default security methods on the BlackBerry Smart Card Reader enhance the existing protection of the Bluetooth wireless technology on Bluetooth enabled BlackBerry devices.
BlackBerry Smart Card Reader Security 8 BlackBerry Smart Card Reader security The BlackBerry Smart Card Reader is designed to provide strong authentication to prevent offline and online dictionary attacks using the following security methods by default.
BlackBerry Smart Card Reader Security 9 Security method Description Code signing Before you or a user can run a permitted third-party application that uses the controlled APIs on the BlackBerry device, the Research In Motion (RIM) signing authority system must use public key cryptography to authorize and authenticate the application code. The BlackBerry Smart Card Reader uses code signing to prevent users from loading third-party code onto the BlackBerry Smart Card Reader.
BlackBerry Smart Card Reader Security 10 Managing third-party application Bluetooth connections to the BlackBerry Smart Card Reader Application control is designed to limit the use of Bluetooth wireless technology (and the Bluetooth profiles) to specific, permitted third-party applications. Using the BlackBerry Enterprise Server Version 4.
BlackBerry Smart Card Reader Security 11 IT policy rule Recommended use Lock on Smart Card Removal Specify whether or not the BlackBerry device locks when the user removes the smart card from a supported smart card reader or disconnects a supported smart card reader from the BlackBerry device. Warning: Not all smart card reader drivers support smart card removal detection.
BlackBerry Smart Card Reader Security 12 IT policy rule Recommended use Maximum Number of BlackBerry Transactions Specify the maximum number of transactions (smart card–related operations) that the BlackBerry device and the BlackBerry Smart Card Reader can send and receive before the secure pairing information is removed from the BlackBerry device.
BlackBerry Smart Card Reader Security • 13 the connection key establishment protocol creates a shared connection key on the BlackBerry device or computer and the BlackBerry Smart Card Reader that the BlackBerry device or computer and the BlackBerry Smart Card Reader use to send data between them The user must perform a Bluetooth pairing once only but must perform a secure pairing each time that the BlackBerry device or computer removes the secure pairing information.
BlackBerry Smart Card Reader Security 7. The BlackBerry device or computer processes the list to search for a match with one of its own supported algorithms. • If a match is not available, the BlackBerry device or computer sends an error to the BlackBerry Smart Card Reader and stops processing the list. If a match exists, the BlackBerry device or computer begins the key establishment by sending a pairing request using the selected algorithms and a 64-byte seed to the BlackBerry Smart Card Reader. • 8.
BlackBerry Smart Card Reader Security 15 connection key establishment protocol uses a unique, random, ephemeral key pair to create the new connection key. The BlackBerry Smart Card Reader discards the ephemeral key pair after establishing the connection key. Even if the ephemeral private keys from a particular protocol run using the ECDH algorithm are compromised, the connection keys from other runs of the same protocol remain uncompromised. Connection key establishment protocol process 1.
BlackBerry Smart Card Reader Security 16 The connection key establishment protocol can stop at any point if an error occurs. See “Appendix B: Connection key establishment protocol errors” on page 20 for more information.
BlackBerry Smart Card Reader Security 3. 17 The BlackBerry device binds to the installed smart card automatically by storing the smart card binding information in a BlackBerry device NV store location that is designed to be inaccessible to the user. See “Appendix F: Smart card binding information” on page 25 for more information.
BlackBerry Smart Card Reader Security 18 Related resources Resource Information BlackBerry Enterprise Solution Security Technical Overview • preventing the decryption of information at an intermediate point between the BlackBerry device and the BlackBerry Enterprise Server or organization LAN • managing security settings for all BlackBerry devices • protecting data in transit between the BlackBerry device and the BlackBerry Enterprise Server • understanding the algorithms provided by the RIM cry
BlackBerry Smart Card Reader Security Appendix A: BlackBerry Smart Card Reader supported algorithms Algorithm type Algorithm elliptic curve (default) • 571-bit Koblitz Curve (EC571K1) • 521-bit Random Curve (EC521R1)* • 283-bit Koblitz Curve (EC283K1) • 256-bit Random Curve (EC256R1) • 160-bit Random Curve (EC160R1) • AES 256* • AES 128 • SHA 512* • SHA 256* • SHA 1 encryption hash *The initial key establishment protocol is designed to negotiate to use the algorithm indicated unles
BlackBerry Smart Card Reader Security 20 Appendix B: Connection key establishment protocol errors During the connection key establishment protocol process, if an error occurs on the BlackBerry device, the computer, or the BlackBerry Smart Card Reader, that party sends an error code to the other party negotiating the connection key.
BlackBerry Smart Card Reader Security 21 Appendix C: Application layer protocol encryption and authentication By default, each packet that the BlackBerry device or computer and the BlackBerry Smart Card Reader send between them is authenticated and encrypted using the following methods: • authenticated with HMAC using the negotiated SHA algorithm • encrypted with AES of the negotiated key size using CBC mode Anatomy of an application layer protocol formatted packet The connection key protocol establis
BlackBerry Smart Card Reader Security Appendix D: BlackBerry Smart Card Reader shared cryptosystem parameters The BlackBerry Smart Card Reader and the BlackBerry device or computer with the BlackBerry Smart Card Reader software and drivers installed are designed to share the following cryptosystem parameters.
BlackBerry Smart Card Reader Security 23 Appendix E: Examples of attacks that the BlackBerry Smart Card Reader security protocols are designed to prevent Eavesdropping An eavesdropping event occurs when the attacker listens to the communication between the BlackBerry Smart Card Reader and the BlackBerry device or computer. The goal of the attacker is to determine the shared master encryption key on the BlackBerry Smart Card Reader and the BlackBerry device or computer, given only xS and yS.
BlackBerry Smart Card Reader Security 24 The connection key establishment protocol is designed to use SPEKE to prevent a man-in-the-middle attack through the use of the secure pairing key. Offline attack An offline attack occurs when the attacker attempts to send X = xP, instead of xS to the BlackBerry Smart Card Reader. An attacker might attempt this because the attacker does not know the secure pairing key.
BlackBerry Smart Card Reader Security 25 Appendix F: Smart card binding information When you or a user turns on two-factor authentication on the BlackBerry device, the BlackBerry device binds to the installed smart card automatically by storing the following smart card binding information in a special BlackBerry device NV store location that is inaccessible to a user.
BlackBerry Smart Card Reader Security 26 Appendix G: BlackBerry Smart Card Reader reset process When a user resets a BlackBerry Smart Card Reader, the BlackBerry Smart Card Reader performs the following actions: • backs up the Bluetooth pairing key for the currently connected BlackBerry device, if applicable Note: After the user resets the BlackBerry Smart Card Reader, a BlackBerry device can perform the Bluetooth pairing process and the secure paring process to connect to the BlackBerry Smart Card Reade
BlackBerry Smart Card Reader Security 27 Part number: 9027650 Version 4 ©2006 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, “Always On, Always Connected”, the “envelope in motion” symbol, and BlackBerry are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.
