Installation guide
BlackBerry Enterprise Solution 29
• external file encryption by encrypting specific files on the external memory device using AES
The external file system encryption does not apply to files that the BlackBerry device user manually
transfers to external memory (for example, from a USB mass storage device).
• access control to objects on the external memory device using code signing with 1024-bit RSA
The external memory device stores encrypted copies of the file keys that the BlackBerry device is designed to use
to decrypt and encrypt files on the external memory device. The BlackBerry device is designed to use a device
key stored in the NV store in BlackBerry device RAM, a user-provided password, or both to encrypt the external
memory file keys.
The BlackBerry device is designed to permit code signing keys in the header information of the encrypted file on
the external memory device. The BlackBerry device is designed to check the code signing keys when the
BlackBerry device opens the input or output streams of the encrypted file.
The BlackBerry device, any computer platform, and other devices that use the external memory device can
modify encrypted files (for example, truncate files) on the external memory device. The BlackBerry device is not
designed to perform integrity checks on the encrypted file data.
Process for generating external memory file encryption keys
When the BlackBerry Enterprise Server administrator turns on or the BlackBerry device user turns on encryption
of external memory for the first time, the following process occurs:
1. The BlackBerry device generates a 32-byte AES encryption key.
2. The BlackBerry device stores the encryption key in the NV store in RAM on the BlackBerry device.
3. The BlackBerry device XORs the AES key with another 32-byte AES encryption key that is encrypted using a
password to generate the external memory file encryption key (a session key).
4. The BlackBerry device encrypts the external memory file encryption key using the AES encryption key.
5. The BlackBerry device stores the encrypted external memory file encryption key on the external memory
device.
Process for encrypting files stored in external memory on the BlackBerry device
When the BlackBerry device user stores a file in external memory for the first time after the BlackBerry Enterprise
Server administrator turns on or the BlackBerry device user turns on mass media storage, the BlackBerry
device decrypts the external memory file encryption key and uses it to automatically encrypt the stored file.
Protected storage of user data on a locked BlackBerry device
If content protection is turned on, BlackBerry device content is always protected with the 256-bit AES encryption
algorithm. Content protection of BlackBerry device user data is designed to perform the following actions:
• use 256-bit AES to encrypt stored data when the BlackBerry device is locked
• use an ECC public key to encrypt data that the BlackBerry device receives when it is locked
When the BlackBerry Enterprise Server administrator or a BlackBerry device user turns on content protection on
the BlackBerry device, the BlackBerry device uses content protection to encrypt the following user data items:
Item                Description
AutoText            all text that automatically replaces the text a BlackBerry device user types
BlackBerry Browser  • content that web sites or third-party applications push to the BlackBerry device
                    • web sites that the user saves on the BlackBerry device
                    • browser cache
www.blackberry.com