User guide
BlackBerry Smart Card Reader Security 21
Appendix C: Application layer protocol encryption and authentication
By default, each packet that the BlackBerry device or computer and the BlackBerry Smart Card Reader send
between them is authenticated and encrypted using the following methods:
• authenticated with HMAC using the negotiated SHA algorithm
• encrypted with AES of the negotiated key size using CBC mode
Anatomy of an application layer protocol formatted packet
The connection key protocol establishes a shared connection key CK from which the BlackBerry device or
computer and the BlackBerry Smart Card Reader derive the four session keys that they use on the application
layer to protect the data that they send between them.
Connection session key Value Description
KeySendEnc SHA 256( CK || S1 ) the AES 256 key that the BlackBerry device, the
computer, or the BlackBerry Smart Card Reader
generates to encrypt the data that it sends to the other
party over the application layer
KeyRecEnc SHA 256( CK || S2 ) the AES 256 key that the BlackBerry device, the
computer, or the BlackBerry Smart Card Reader
generates to decrypt the data that it receives from the
other party over the application layer
KeySendAuth SHA 256( CK || S3 ) the HMAC authentication key that the BlackBerry device,
the computer, or the BlackBerry Smart Card Reader
generates to authenticate the data that it sends to the
other party over the application layer
KeyRecAuth SHA 256( CK || S4 ) the HMAC authentication key that the BlackBerry device,
the computer, or the BlackBerry Smart Card Reader
generates to authenticate the data that it receives from
the other party over the application layer
Note: S1, S2, S3, and S4 are hard-coded strings that the BlackBerry device or computer and the BlackBerry Smart
Card Reader use in the key derivation to prevent calculating session keys that are the same as each other.
www.blackberry.com