Installation guide

BlackBerry Enterprise Solution 25
4. The BlackBerry Enterprise Server removes the standard BlackBerry encryption and sends the S/MIME-encrypted message to the recipient.
If the S/MIME Support Package for BlackBerry devices is installed on a BlackBerry device, a message that the user receives on the BlackBerry device is decrypted using the following process:
1. The BlackBerry Enterprise Server receives the S/MIME-protected message.
2. If the message is signed-only or weakly encrypted, the BlackBerry Enterprise Server encrypts the message a second time with S/MIME encryption if the BlackBerry Enterprise Server administrator has turned on this option using the BlackBerry Manager.
3. The BlackBerry Enterprise Server uses standard BlackBerry encryption to encrypt the S/MIME data.
4. The BlackBerry Enterprise Server sends the encrypted message to the BlackBerry device.
5. The BlackBerry device removes the standard BlackBerry encryption and stores the S/MIME-encrypted message.
6. When the BlackBerry device user opens the message on the BlackBerry device, the BlackBerry device decrypts the S/MIME-encrypted message and renders the message contents.
S/MIME encryption algorithms
The BlackBerry device is designed to support the use of a strong algorithm for S/MIME encryption. When the
BlackBerry Enterprise Server administrator turns on S/MIME encryption on the BlackBerry Enterprise Server, the
S/MIME Allowed Content Ciphers IT policy rule default setting specifies that the BlackBerry device can use any
of the supported algorithms (other than the two weakest RC2 algorithms, RC2 (64-bit) and RC2 (40-bit)) to
encrypt S/MIME messages.
The BlackBerry Enterprise Server administrator can use the Weak Digest Algorithms IT policy rule to specify the digest algorithms that BlackBerry devices consider weak. The BlackBerry device uses this list when verifying that the digital signatures on messages it receives were not generated using a weak digest, and that the certificate chains of the certificates used to sign those messages do not contain hashes generated using a weak digest.
The BlackBerry Enterprise Server administrator can set the S/MIME Allowed Content Ciphers IT policy rule to allow the BlackBerry device to encrypt S/MIME messages using any of AES (256-bit), AES (192-bit), AES (128-bit), CAST (128-bit), RC2 (128-bit), Triple DES, RC2 (64-bit), and RC2 (40-bit).
If the BlackBerry device has previously received a message from the intended recipient, the BlackBerry device is
designed to recall which content ciphers the recipient can support, and use one of those ciphers. The BlackBerry
device encrypts the message using Triple DES by default if it does not know the decryption capabilities of the
recipient.
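The cipher-selection and weak-digest rules described above, modelled as an added example (this is not BlackBerry code; the strongest-first preference order, the set-based representation of the recipient's remembered capabilities, and the function names are assumptions):

```python
# Added example: cipher and digest checks modelled on the IT policy rules described above.
# Cipher names come from the guide; the strongest-first preference order is an assumption.
CIPHER_PREFERENCE = ["AES (256-bit)", "AES (192-bit)", "AES (128-bit)", "CAST (128-bit)",
                     "RC2 (128-bit)", "Triple DES", "RC2 (64-bit)", "RC2 (40-bit)"]
# Default S/MIME Allowed Content Ciphers setting: everything except the two weakest RC2 variants.
DEFAULT_ALLOWED_CIPHERS = frozenset(CIPHER_PREFERENCE) - {"RC2 (64-bit)", "RC2 (40-bit)"}
# Cipher the device falls back to when the recipient's decryption capabilities are unknown.
FALLBACK_CIPHER = "Triple DES"


def choose_content_cipher(allowed, recipient_ciphers=None):
    """Pick the content cipher for an outgoing S/MIME message.

    allowed: ciphers permitted by the S/MIME Allowed Content Ciphers rule.
    recipient_ciphers: ciphers the recipient is known to support (recalled from an
    earlier message), or None if no message has been received from them yet.
    """
    if recipient_ciphers is None:
        if FALLBACK_CIPHER not in allowed:
            raise ValueError("policy does not allow the Triple DES fallback")
        return FALLBACK_CIPHER
    for cipher in CIPHER_PREFERENCE:  # strongest first
        if cipher in allowed and cipher in recipient_ciphers:
            return cipher
    raise ValueError("no cipher is both allowed by policy and supported by the recipient")


def check_signature_digests(signature_digest, chain_digests, weak_digests):
    """Apply the Weak Digest Algorithms rule to a received signed message.

    Returns (ok, reason). The signature hash and every hash in the signing
    certificate's chain must avoid the administrator's weak-digest list.
    """
    if signature_digest in weak_digests:
        return False, f"message signature uses weak digest {signature_digest}"
    for depth, digest in enumerate(chain_digests):
        if digest in weak_digests:
            return False, f"certificate at chain depth {depth} signed with weak digest {digest}"
    return True, "signature and certificate chain digests acceptable"


if __name__ == "__main__":
    # Constructed sample: the recipient's earlier message advertised these ciphers.
    known = {"RC2 (40-bit)", "AES (128-bit)", "Triple DES"}
    print(choose_content_cipher(DEFAULT_ALLOWED_CIPHERS, known))  # AES (128-bit)
    print(choose_content_cipher(DEFAULT_ALLOWED_CIPHERS))         # Triple DES
    print(check_signature_digests("SHA-256", ["SHA-256", "MD5"], {"MD5"}))
```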
S/MIME certificates
When a BlackBerry device user sends an encrypted message from the BlackBerry device, the BlackBerry device
uses the S/MIME certificate of the message recipient to encrypt the message.
When a BlackBerry device user receives a signed message, the BlackBerry device uses the S/MIME certificate of
the message sender to verify the message signature.
S/MIME private keys
When a BlackBerry device user sends a signed message from the BlackBerry device, the BlackBerry device
hashes the message using SHA-1, SHA-256, SHA-384, SHA-512, or MD5, and then uses the S/MIME private key
of the BlackBerry device user to digitally sign the message hash.
When a BlackBerry device user receives an encrypted message, the BlackBerry device uses the private key of the
user to decrypt the message.
For more information, see the S/MIME Support Package for BlackBerry Devices Security Technical Overview.
www.blackberry.com