User guide
BlackBerry Smart Card Reader Security
This document describes the security features that the BlackBerry® Smart Card Reader Version 1.5 and the
BlackBerry Enterprise Server Version 4.0.2 or later (with the correct IT policy template) support, unless otherwise
stated. See the documentation for earlier software versions of the BlackBerry Smart Card Reader and the
BlackBerry Enterprise Server to determine if an earlier version supports a specific feature.
See the BlackBerry Enterprise Solution Security Acronym Glossary for the full terms substituted by the acronyms
in this document.
BlackBerry Smart Card Reader
The BlackBerry Smart Card Reader for BlackBerry devices is an accessory that, when used in proximity to certain
Bluetooth® enabled BlackBerry devices and computers, integrates smart card use with the BlackBerry Enterprise
Solution™, enabling users to authenticate with their smart cards to log in to Bluetooth enabled BlackBerry
devices and computers.
The BlackBerry Smart Card Reader
• is designed to communicate over the wireless network with Bluetooth wireless technology version 1.1 or
later–enabled BlackBerry devices and computers using the AES 256 encryption method (by default) on the
application layer
• creates a reliable two-factor authentication environment for granting users access to BlackBerry and PKI
applications
• is designed to enable the wireless digital signing and encryption of wireless email messages sent from the
BlackBerry device using the S/MIME Support Package
• stores all encryption keys in RAM only and never writes the keys to flash memory
Authenticating a user using a smart card
The BlackBerry Smart Card Reader allows you to use two-factor authentication, using a smart card, to require
users to prove their identity to the BlackBerry device or computer by two factors:
• what they have (the smart card)
• what they know (their smart card password)
Integrating a smart card with existing secure messaging technology
In addition to standard BlackBerry encryption, you can enable secure messaging technology to offer an
additional layer of security between the sender and recipient of an email or PIN message. The S/MIME Support
Package is designed to enable BlackBerry device users who are already sending and receiving S/MIME messages
using their desktop email applications to send and receive S/MIME protected messages using their BlackBerry
devices. Users can sign, encrypt, and send S/MIME messages from their BlackBerry devices. The BlackBerry
device can decrypt received S/MIME-encrypted messages so that users can read them on the device.
Users might require a smart card authenticator module and must have a smart card driver and the BlackBerry
Smart Card Reader driver installed on their Bluetooth enabled BlackBerry devices to perform a Bluetooth pairing
followed by a secure pairing with their BlackBerry Smart Card Readers. The S/MIME Support Package supports
smart card use and includes tools for obtaining certificates and transferring them to the BlackBerry device for
use with the S/MIME Support Package.
After the BlackBerry device and the BlackBerry Smart Card Reader establish a secure pairing, you can set the
S/MIME Force Smartcard Use IT policy rule to require the use of the smart card to sign, encrypt, or sign and
encrypt S/MIME-protected messages on the BlackBerry device.
www.blackberry.com