User guide
BlackBerry Smart Card Reader Security 16
The connection key establishment protocol can stop at any point if an error occurs. See “Appendix B: Connection key establishment protocol errors” on page 20 for more information.

Encrypting and authenticating data on the application layer

When the BlackBerry device or computer and the BlackBerry Smart Card Reader complete the secure pairing process, all data that they send between them is encrypted and authenticated on the application layer by keys that they derive from the shared connection key. See “Appendix C: Application layer protocol encryption and authentication” on page 21 for more information.

The BlackBerry device or computer and the BlackBerry Smart Card Reader use AES 256 in CBC mode to encrypt the data and keyed HMAC with SHA 512 to protect data by default, but they can negotiate different algorithms during the initial key establishment protocol.

The keys protect the data on the application layer throughout the entire connection. A lost or closed connection occurs if either the BlackBerry device or the BlackBerry Smart Card Reader goes outside of a sufficient wireless coverage area, or if the BlackBerry device wireless transceiver or the computer’s Bluetooth transceiver turns off for any reason. If the Bluetooth connection closes, or the BlackBerry device or computer’s Bluetooth connection to the BlackBerry Smart Card Reader is lost, the parties must renegotiate the keys.

You can set the Maximum Connection Heartbeat Period IT policy rule to control when the Bluetooth connection closes based on the secure heartbeat settings. See “Managing BlackBerry Smart Card Reader technology” on page 10 for more information on setting this IT policy rule.

Using two-factor authentication

If a user has a smart card authenticator module, smart card driver, and smart card reader driver installed on their BlackBerry device or computer, either you or that user can start the two-factor authentication process on the BlackBerry device or computer to bind the BlackBerry device or computer to the installed smart card. After the BlackBerry device or computer binds to the smart card, it requires that smart card to authenticate the user.

Turning on two-factor authentication on the BlackBerry device

You can set the Force Smart Card Two-Factor Authentication IT policy rule in the BlackBerry Manager to require that a user authenticates with the BlackBerry device using a smart card. If you do not force the user to authenticate with the BlackBerry device using a smart card, the user can turn two-factor authentication on and off with their smart card by setting the User Authenticator field in the BlackBerry device Security Options.

When you turn on two-factor authentication on the BlackBerry device, the following events occur:
1. The BlackBerry device locks.
2. The BlackBerry device pushes the current IT policy to the BlackBerry Smart Card Reader.
3. When a user tries to unlock the BlackBerry device, the BlackBerry device prompts the user to type the BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device forces the user to set a password.
4. The BlackBerry device prompts the user to type the user authenticator password (the smart card PIN) to turn on two-factor authentication with the installed smart card.
5. The BlackBerry device binds to the installed smart card automatically by storing the smart card binding information in a BlackBerry device NV store location that is designed to be inaccessible to the user.

When a user turns on two-factor authentication on the BlackBerry device, the following events occur:
1. The BlackBerry device prompts the user to type the BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device forces the user to set a password.
2. The BlackBerry device prompts the user to type the user authenticator password (the smart card PIN) to turn on two-factor authentication with the installed smart card.
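The application-layer protection described under “Encrypting and authenticating data on the application layer” above, as an added example in Go. This is illustrative code written for this page, not BlackBerry's implementation; the guide's Appendix C (not reproduced here) is the authoritative description. The guide states only the default algorithms (AES 256 in CBC mode and keyed HMAC with SHA 512) and that both sides derive their keys from the shared connection key. The HMAC-with-label key derivation, the encrypt-then-MAC message layout IV || ciphertext || tag, and the connection-key strings are assumptions made for the example. A message whose tag fails verification is rejected before any decryption takes place, and keys derived from a different connection key, which is what a renegotiation after a lost connection produces, cannot open messages sealed under the old ones.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// SessionKeys holds the separate encryption and authentication keys that
// both sides derive from the shared connection key.
type SessionKeys struct {
	Block  cipher.Block // AES-256 for CBC-mode encryption
	MacKey []byte       // key for HMAC-SHA512 authentication
}

// DeriveSessionKeys derives both keys from the connection key.
// ASSUMPTION: this page does not give the derivation (it is in Appendix C);
// the HMAC-with-label construction is chosen for this example only.
func DeriveSessionKeys(connectionKey []byte) SessionKeys {
	derive := func(label string) []byte {
		h := hmac.New(sha512.New, connectionKey)
		h.Write([]byte(label))
		return h.Sum(nil)
	}
	block, err := aes.NewCipher(derive("application-layer-encryption")[:32])
	if err != nil {
		panic(err) // unreachable: a 32-byte key always selects AES-256
	}
	return SessionKeys{Block: block, MacKey: derive("application-layer-authentication")}
}

// pkcs7Pad and pkcs7Unpad bring plaintext to whole AES blocks for CBC mode.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal encrypts with AES-256-CBC under a fresh random IV, then appends an
// HMAC-SHA512 tag over IV||ciphertext (encrypt-then-MAC; layout is assumed).
func Seal(keys SessionKeys, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(keys.Block, iv).CryptBlocks(ct, padded)
	msg := append(iv, ct...)
	mac := hmac.New(sha512.New, keys.MacKey)
	mac.Write(msg)
	return mac.Sum(msg), nil
}

// Open checks the tag in constant time and refuses to decrypt on mismatch,
// so a forged or altered message never reaches the cipher or the unpadder.
func Open(keys SessionKeys, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha512.Size || (len(msg)-aes.BlockSize-sha512.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha512.Size], msg[len(msg)-sha512.Size:]
	mac := hmac.New(sha512.New, keys.MacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed; message rejected")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(keys.Block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed connection key standing in for the one produced by pairing.
	keys := DeriveSessionKeys([]byte("constructed-connection-key-for-demo"))
	msg, _ := Seal(keys, []byte("constructed application-layer payload"))
	pt, err := Open(keys, msg)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
	msg[len(msg)-1] ^= 0x01 // flip one tag bit: the receiver must reject it
	_, err = Open(keys, msg)
	fmt.Println("tampered message:", err)
}
```

Running it with `go run` prints the decrypted payload for the untouched message and an authentication error for the one with a flipped tag bit. Verifying the tag before decrypting is what keeps padding and decryption errors from becoming an oracle for an attacker on the Bluetooth link; the order matters as much as the algorithm choice.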
www.blackberry.com