Installation guide

BlackBerry Enterprise Solution 40
For more information about the BlackBerry Router protocol and the authentication process, see “Masking
operation process that the AES implementation uses when content protection is turned on” on page 77.
Authentication during wireless enterprise activation
Wireless enterprise activation enables a BlackBerry device user to activate a supported BlackBerry device on the
BlackBerry Enterprise Server without a physical connection to a computer. The BlackBerry Enterprise Server
administrator can use wireless enterprise activation to implement a large number of BlackBerry devices
remotely.
Wireless enterprise activation produces a master encryption key that authenticates a BlackBerry device user and
secures the communication between the BlackBerry Enterprise Server and the BlackBerry device. The BlackBerry
Enterprise Server and the BlackBerry device run an initial key establishment protocol based on SPEKE. The
activation password initializes the key generation process, which establishes a shared master encryption key
that enables strong authentication between them.
After the BlackBerry device successfully activates on the BlackBerry Enterprise Server, the BlackBerry device no
longer requires the activation password. The BlackBerry device user (or another user) cannot reuse that
password to activate another BlackBerry device.
Authentication process used during wireless enterprise activation
| Step | Action | Description |
|------|--------|-------------|
| 1 | A BlackBerry device user initiates the wireless enterprise activation process. | The user opens the enterprise activation application on the BlackBerry device and types their work email address and the activation password that the BlackBerry Enterprise Server administrator communicated to them. |
| 2 | The BlackBerry device sends an activation request to the BlackBerry Infrastructure. | The BlackBerry device sends an activation request to the BlackBerry Infrastructure using standard BlackBerry protocols. The BlackBerry Infrastructure uses SMTP to send an activation message to the BlackBerry device user’s email account. This activation message contains BlackBerry device routing information and public keys. |
| 3 | The BlackBerry Enterprise Server sends an activation response to the BlackBerry device. | The BlackBerry Enterprise Server sends the BlackBerry device an activation response that contains BlackBerry Enterprise Server routing information and public keys. |
| 4 | The BlackBerry Enterprise Server and the BlackBerry device establish and verify the shared master encryption key. | The BlackBerry Enterprise Server and the BlackBerry device use the initial key establishment protocol to establish a master encryption key. The BlackBerry Enterprise Server and the BlackBerry device verify the master encryption key with each other. If the BlackBerry Enterprise Server and the BlackBerry device mutually confirm the correct master encryption key, the activation proceeds, and the BlackBerry Enterprise Server and the BlackBerry device use the master encryption key to encrypt further communication between one another. |
| 5 | The BlackBerry Enterprise Server sends service books to the BlackBerry device. | The BlackBerry Enterprise Server sends the appropriate service books to the BlackBerry device. The BlackBerry device user can now send messages from and receive messages on the BlackBerry device. |
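
The key establishment and mutual verification in step 4, as an added example that is not taken from the BlackBerry documentation and is not BlackBerry's own protocol: textbook SPEKE over a safe-prime group, where the activation password selects the Diffie-Hellman base and each side checks the other's confirmation tag before trusting the key. The group (RFC 3526 group 5), the hash functions, the tag layout and every name in the code are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed group: RFC 3526 group 5, a 1536-bit safe prime p = 2q + 1.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
SIZE = 192  # byte length of P


def generator(password: str) -> int:
    """SPEKE base: hash the password into Z_p and square it, which puts the
    result in the order-q subgroup of quadratic residues."""
    h = int.from_bytes(hashlib.shake_256(password.encode()).digest(SIZE), "big")
    return pow(h % P, 2, P)


class Party:
    def __init__(self, password: str):
        self.x = secrets.randbelow(P - 3) + 2          # ephemeral secret
        self.public = pow(generator(password), self.x, P)

    def derive(self, peer_public: int) -> None:
        # 0, 1 and p-1 would force a key the sender can predict.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self.x, P)
        self.key = hashlib.sha256(shared.to_bytes(SIZE, "big")).digest()

    def tag(self, role: bytes, dev_pub: int, srv_pub: int) -> bytes:
        """Confirmation tag bound to the sender's role and both public values."""
        msg = role + dev_pub.to_bytes(SIZE, "big") + srv_pub.to_bytes(SIZE, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()


def activate(device_pw: str, server_pw: str) -> bool:
    """One activation exchange; True only if both sides confirm the same key."""
    dev, srv = Party(device_pw), Party(server_pw)
    dev.derive(srv.public)
    srv.derive(dev.public)
    pubs = (dev.public, srv.public)
    srv_ok = hmac.compare_digest(dev.tag(b"device", *pubs), srv.tag(b"device", *pubs))
    dev_ok = hmac.compare_digest(srv.tag(b"server", *pubs), dev.tag(b"server", *pubs))
    return srv_ok and dev_ok
```

A mismatched password yields different bases on each side, so the confirmation tags disagree and `activate` returns `False` without either side learning the other's password.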