User guide
BlackBerry Smart Card Reader Security 13
• the connection key establishment protocol creates a shared connection key on the BlackBerry device or computer and the BlackBerry Smart Card Reader; both sides then use that key to protect the data they send between them
The user must perform a Bluetooth pairing once only but must perform a secure pairing each time that the BlackBerry device or computer removes the secure pairing information. You can control when the BlackBerry device or computer removes the secure pairing information using BlackBerry Enterprise Server IT policy rules for the BlackBerry Smart Card Reader.
Performing the Bluetooth pairing process and the secure pairing process on the BlackBerry device
The user can start the Bluetooth pairing process and the secure pairing process automatically by clicking Connect on the BlackBerry Smart Card Reader options screen on the BlackBerry device. If the user is running BlackBerry Device Software Version 4.0 or later on the BlackBerry device, the user can start the secure pairing process by attempting an action on the BlackBerry device that requires the smart card (for example, importing certificates, signing or decrypting a message, or turning on two-factor authentication). If the user is running BlackBerry Device Software Version 4.0.2 or later on the BlackBerry device, attempting an action on the BlackBerry device that requires the smart card can also start the Bluetooth pairing process.
See the BlackBerry Smart Card Reader Getting Started Guide for more information.
Performing the Bluetooth pairing process and the secure pairing process on the computer
The user must connect to the BlackBerry Smart Card Reader from the BlackBerry Smart Card Reader Options dialog on the computer manually to start the Bluetooth pairing process. When the Bluetooth pairing is established, the computer automatically prompts the user to perform the secure pairing process.
See the BlackBerry Smart Card Reader Getting Started Guide for more information.
Initial key establishment protocol used in the secure pairing process
The initial key establishment protocol uses the ECDH algorithm to negotiate numerous algorithms for use in subsequent secure pairing key and connection key exchanges, including the following algorithms:
• the elliptic curve used by future ECDH exchanges (The initial key establishment protocol is designed to negotiate to use 521-bit Random Curve.)
• the encryption algorithm and hash algorithms used by the encryption and authentication processes on the application layer (The initial key establishment protocol is designed to negotiate to use AES 256 and SHA 256 for application layer encryption and authentication, and SHA 512 for IT policy authentication.)
See “Appendix A: BlackBerry Smart Card Reader supported algorithms” on page 19 for more information.
Initial key establishment protocol process
1. The BlackBerry device or computer sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry Smart Card Reader to confirm that a Bluetooth connection to the BlackBerry Smart Card Reader exists and to verify that both sides understand the protocol.
2. The BlackBerry Smart Card Reader receives the initial echo and replies with an echo transmission of the same value.
3. The BlackBerry device or computer receives the echo.
4. The BlackBerry device or computer asks the BlackBerry Smart Card Reader for a list of supported algorithms.
5. The BlackBerry Smart Card Reader creates a list of all of the algorithms that it supports.
6. The BlackBerry Smart Card Reader sends the supported algorithms list to the BlackBerry device or computer.
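The following simulation of steps 1 through 6 is an added example, not BlackBerry code and not the wire format the reader actually uses. It models the echo check and the algorithm-list exchange described above, and goes one step further by having the device side pick, from the reader's list, the algorithms the guide says the protocol is designed to negotiate toward; the message framing, the algorithm labels and the preference ordering are assumptions, and the echo value is the one quoted in step 1.

```python
# Echo value quoted in step 1 of the guide, as 8 bytes.
INITIAL_ECHO = bytes.fromhex("C1F34151520CC9C2")

# Assumed preference order for the device/computer side, most preferred first.
# The first entry of each category is what the guide says the protocol is
# designed to negotiate; the fallbacks and the label strings are constructed.
DEVICE_PREFERENCES = {
    "curve": ["EC-521-random", "EC-283-random"],
    "cipher": ["AES-256", "AES-128"],
    "hash": ["SHA-256", "SHA-1"],
    "policy_hash": ["SHA-512", "SHA-256"],
}


class SimulatedReader:
    """Reader side: answers the echo (step 2) and advertises what it supports (steps 5-6)."""

    def __init__(self, supported, faulty_echo=False):
        self.supported = supported
        self.faulty_echo = faulty_echo  # constructed failure mode for the echo check

    def echo(self, value):
        # Step 2: a conforming reader replies with exactly the value it received.
        return value[::-1] if self.faulty_echo else value

    def supported_algorithms(self):
        # Steps 5-6: build and return the list of everything the reader supports.
        return {category: list(algs) for category, algs in self.supported.items()}


def negotiate(reader, preferences=DEVICE_PREFERENCES):
    """Device/computer side: steps 1, 3 and 4, then the selection from the reader's list."""
    # Steps 1 and 3: send the echo and verify the reply before trusting the peer.
    if reader.echo(INITIAL_ECHO) != INITIAL_ECHO:
        raise ConnectionError("echo mismatch: peer does not speak the protocol")
    # Step 4: request the supported-algorithm list.
    offered = reader.supported_algorithms()
    chosen = {}
    for category, ranked in preferences.items():
        # Walk our preference list and take the first algorithm the reader also offers.
        match = next((alg for alg in ranked if alg in offered.get(category, [])), None)
        if match is None:
            # No overlap: the exchange cannot proceed to key agreement.
            raise ValueError(f"no common {category} algorithm; aborting secure pairing")
        chosen[category] = match
    return chosen
```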
www.blackberry.com