Installation guide
BlackBerry Enterprise Solution 37
Protecting the BlackBerry Enterprise Solution connections
The BlackBerry Enterprise Server is designed to communicate with the BlackBerry Infrastructure using SRP authentication to establish a connection to the wireless network. The BlackBerry Enterprise Server contacts the BlackBerry Infrastructure to establish an initial connection using SRP.

The BlackBerry Enterprise Server and the BlackBerry Infrastructure perform an authentication handshake when they attempt to establish a connection. If the authentication fails, they do not establish a connection. If a BlackBerry Enterprise Server uses the same unique SRP authentication key and unique SRP ID to connect to (and then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure disables that SRP ID to prevent a malicious user from using the same SRP ID (for example, to try to create a Denial of Service condition).

After the BlackBerry Enterprise Server and the BlackBerry Infrastructure establish an initial connection over the Internet, the BlackBerry Enterprise Server uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure. The BlackBerry Infrastructure uses standard protocols to send data to the BlackBerry device.

A BlackBerry device can bypass SRP connectivity and authentication by using the BlackBerry Router to connect directly to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server can communicate with the BlackBerry Router using a combination of the SRP and BlackBerry Router authentication protocols.
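As an added illustration (not text or code from the guide, and not BlackBerry's software), the following Python models the two refusal rules described above: a handshake presenting the wrong SRP authentication key is not connected, and an SRP ID that completes five connect/disconnect cycles within one minute is disabled. The class, the registry of SRP IDs and keys, the 60-second sliding window and the sample IDs are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # "one minute", as stated in the guide
MAX_CYCLES = 5       # "five times", as stated in the guide


class SrpIdLockout:
    """Infrastructure-side model (constructed): checks the shared SRP
    authentication key and disables an SRP ID that flaps too quickly."""

    def __init__(self, registered_keys):
        self.keys = dict(registered_keys)  # SRP ID -> shared key (constructed)
        self.disabled = set()
        # SRP ID -> timestamps of recently completed connect/disconnect cycles
        self.cycles = defaultdict(deque)

    def connect(self, srp_id, auth_key):
        """Handshake attempt: return 'connected' or the reason it was refused."""
        if srp_id in self.disabled:
            return "refused: SRP ID disabled"
        if self.keys.get(srp_id) != auth_key:
            return "refused: authentication failed"  # no connection is made
        return "connected"

    def disconnect(self, srp_id, now):
        """A disconnect completes one cycle; the fifth cycle within the
        window disables the SRP ID so the same ID cannot keep cycling."""
        recent = self.cycles[srp_id]
        recent.append(now)
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()  # forget cycles a full minute old or older
        if len(recent) >= MAX_CYCLES:
            self.disabled.add(srp_id)
            return "disabled"
        return "ok"


if __name__ == "__main__":
    # Constructed sample: server A flaps every 10 seconds, server B
    # reconnects every 70 seconds. Only A's SRP ID ends up disabled.
    infra = SrpIdLockout({"EXAMPLE-SRP-ID-A": "example-key-a",
                          "EXAMPLE-SRP-ID-B": "example-key-b"})
    for i in range(5):
        infra.connect("EXAMPLE-SRP-ID-A", "example-key-a")
        print("A", infra.disconnect("EXAMPLE-SRP-ID-A", i * 10 + 5))
        infra.connect("EXAMPLE-SRP-ID-B", "example-key-b")
        print("B", infra.disconnect("EXAMPLE-SRP-ID-B", i * 70 + 5))
    print("A reconnect:", infra.connect("EXAMPLE-SRP-ID-A", "example-key-a"))
```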
SRP authentication
SRP is designed to perform the following actions when the BlackBerry Enterprise Server and BlackBerry Infrastructure establish an authenticated connection and subsequently transfer data between one another over the wireless network:
• authenticate the BlackBerry Infrastructure to the BlackBerry Enterprise Server and the BlackBerry Enterprise Server to the BlackBerry Infrastructure
• exchange configuration information between the BlackBerry Enterprise Server and the BlackBerry Infrastructure

The BlackBerry Infrastructure and the BlackBerry Enterprise Server authenticate with each other before they can transfer data. The authentication handshake sequence depends on a shared secret encryption key (the SRP authentication key) on both the BlackBerry Enterprise Server and the BlackBerry Infrastructure. If at any point in the authentication handshake sequence the authentication fails, SRP terminates the connection.

The BlackBerry Enterprise Server is designed to send a basic information packet to the BlackBerry Infrastructure immediately following the initial SRP authentication process. The packet format is designed to be recognizable to both the BlackBerry Enterprise Server and the BlackBerry Infrastructure, enabling both sides to set the parameters of the SRP implementation dynamically.

To support backward compatibility with older versions of the BlackBerry Enterprise Server, which terminate the SRP connection if they receive unrecognized packets, the BlackBerry Infrastructure does not send basic information packets to the BlackBerry Enterprise Server until the BlackBerry Enterprise Server has sent a packet of the same format to the BlackBerry Infrastructure.
SRP authentication process
Step | Action | Description
1 | The BlackBerry Enterprise Server sends its SRP ID, or UID, to the BlackBerry Infrastructure. | The BlackBerry Enterprise Server sends a packet to the BlackBerry Infrastructure to claim its own UID.
2 | The BlackBerry Infrastructure sends a challenge string to the BlackBerry Enterprise Server. | The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Enterprise Server.
www.blackberry.com