Installation guide
BlackBerry Enterprise Solution 45
Protocol: HTTPS
BlackBerry MDS encryption method: Handheld mode TLS/SSL, using the TLS and WTLS key establishment algorithms, symmetric ciphers, and hash algorithms that the RIM Crypto API currently supports on the BlackBerry device
Description:
• The BlackBerry device uses handheld (direct) mode TLS/SSL to encrypt data for the entire connection between the BlackBerry device and the content server.
• Data traffic over the wireless network remains encrypted end to end and is not decrypted at the BlackBerry MDS Connection Service, which only relays it.
• Use handheld mode TLS/SSL when only the endpoints of the transaction are trusted (for example, with banking services), so that no intermediate component ever handles the plaintext.
Note: BlackBerry devices with BlackBerry Device Software Version 3.6.1 or later support handheld mode TLS/SSL connections.
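The following Go program is added here as an illustration; it is not part of the BlackBerry documentation and not code from any RIM component. It reproduces the property the table describes: a relay standing in for the BlackBerry MDS Connection Service forwards a handheld-mode TLS session between a device and a content server and is shown to see only ciphertext, while the device refuses a server whose certificate does not chain to a root it trusts. The host name content.example.com, the self-signed certificate, the HTTP request and the function names are constructed for the example, and Go's crypto/tls stands in for the RIM Crypto API.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// Hypothetical content-server name and request, constructed for this example.
const (
	contentHost   = "content.example.com"
	SampleRequest = "GET /balance HTTP/1.1\r\nHost: content.example.com\r\n\r\n"
)

// NewContentServerCert builds, in memory, a self-signed certificate for contentHost and
// a trust pool holding only that certificate (a stand-in for the root the device trusts).
func NewContentServerCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: contentHost}, DNSNames: []string{contentHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// relay models the Connection Service: it copies bytes both ways and records everything it
// forwards, but holds no TLS keys. seen[0] is device->server, seen[1] server->device.
func relay(device, server net.Conn, seen *[2]bytes.Buffer) *sync.WaitGroup {
	var wg sync.WaitGroup
	forward := func(dst, src net.Conn, rec *bytes.Buffer) {
		defer wg.Done()
		defer dst.Close()
		io.Copy(dst, io.TeeReader(src, rec))
	}
	wg.Add(2)
	go forward(server, device, &seen[0])
	go forward(device, server, &seen[1])
	return &wg
}

// HandheldModeExchange sends request from the device to the content server through the relay.
// It returns the server's reply (which echoes what it received) and whether the relay ever saw
// the request or the reply in clear.
func HandheldModeExchange(request string, roots *x509.CertPool, cert tls.Certificate) (string, bool, error) {
	devEnd, relayDevEnd := net.Pipe()
	relaySrvEnd, srvEnd := net.Pipe()
	var seen [2]bytes.Buffer
	wg := relay(relayDevEnd, relaySrvEnd, &seen)
	go func() {
		s := tls.Server(srvEnd, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
		defer s.Close()
		body, _ := io.ReadAll(s) // returns once the device half-closes; empty if the handshake failed
		if len(body) > 0 {
			s.Write(append([]byte("HTTP/1.1 200 OK\r\n\r\n"), body...))
		}
	}()
	// Only the device verifies the server: the chain must end in roots and name contentHost.
	c := tls.Client(devEnd, &tls.Config{RootCAs: roots, ServerName: contentHost, MinVersion: tls.VersionTLS12})
	defer c.Close()
	if _, err := c.Write([]byte(request)); err != nil { // the handshake runs on this first write
		return "", false, fmt.Errorf("device refused server: %w", err)
	}
	c.CloseWrite()
	reply, err := io.ReadAll(c)
	if err != nil {
		return "", false, err
	}
	c.Close()
	wg.Wait() // both relay goroutines have exited, so their records can be read safely
	leaked := bytes.Contains(seen[0].Bytes(), []byte(request)) || bytes.Contains(seen[1].Bytes(), reply)
	return string(reply), leaked, nil
}

func main() {
	cert, roots := NewContentServerCert()
	reply, leaked, err := HandheldModeExchange(SampleRequest, roots, cert)
	fmt.Printf("reply=%q relaySawPlaintext=%v err=%v\n", reply, leaked, err)
}
```

Calling HandheldModeExchange a second time with an empty x509.NewCertPool() makes the device-side handshake fail, which is the "only the endpoints are trusted" rule in practice: the relay never gets a say in whether the server is genuine, and a server it cannot verify gets no plaintext at all.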
Using two-factor authentication to protect connections to enterprise Wi-Fi networks
The RSA SecurID Library on supported BlackBerry devices lets the device periodically generate software token tokencodes. To form a passcode for two-factor authentication, the device prepends the software token PIN that the user supplies to the current tokencode, so the passcode is the PIN followed by the tokencode. When the user tries to establish a WLAN or VPN connection that requires two-factor authentication, the device prompts the user to type the software token PIN and submits the resulting passcode, built from that PIN and the current tokencode.
How the BlackBerry device generates the software token for use with two-factor authentication
The BlackBerry device imports random data called a seed and uses it to initialize the RSA SecurID software token algorithm, which generates the tokencodes on the device. When the device imports the seed from the .sdtid file into the RSA SecurID Library, the library randomly generates a password and uses it to encrypt the seed before storing it.
If the administrator uses RSA Authentication Manager Version 6.1 or later to issue the .sdtid file to the user in encrypted form, the administrator sets a password on it, and the RSA SecurID Library needs that password to decrypt the seed when it is imported. The RSA SecurID Library relies on code signing to prevent third-party applications from reading or altering the information it stores on the BlackBerry device.
For more information on how the BlackBerry device generates software token tokencodes, see “Appendix J: RSA SecurID software token tokencode generation process” on page 87.
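The Go example below is added to make the two preceding passages concrete: the import step that seals the seed under a library-generated password, the tokencode derived from the seed and the clock, the passcode built as PIN followed by tokencode, and the server-side check. It is not RIM's code and not the RSA SecurID Library. The names ImportSeed, OpenSeed, Tokencode, Passcode and VerifyPasscode, the sample seed and the PIN "1234" are constructed for the example; the tokencode generator is a generic HMAC-based stand-in because the real algorithm is only referenced on this page (Appendix J), and the administrator-set password on an issued .sdtid file is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// ProtectedSeed is the device-side record produced at import: the seed sealed under a
// password the library generated itself. Constructed for this example.
type ProtectedSeed struct {
	Password   []byte // 32 random bytes chosen by the library, never typed by the user
	Nonce      []byte
	Ciphertext []byte
}

// newAEAD derives an AES-256-GCM cipher from the password. A plain hash suffices only
// because the password is 32 random bytes; a human-chosen password would need a
// password-hashing KDF instead.
func newAEAD(password []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(password)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ImportSeed models the .sdtid import step: generate a random password, then encrypt
// the seed under it so the plaintext seed is never kept at rest.
func ImportSeed(seed []byte) (*ProtectedSeed, error) {
	password := make([]byte, 32)
	if _, err := rand.Read(password); err != nil {
		return nil, err
	}
	aead, err := newAEAD(password)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ProtectedSeed{Password: password, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, seed, nil)}, nil
}

// OpenSeed decrypts the stored seed when a tokencode is needed; GCM rejects any
// record that was altered on the device.
func (p *ProtectedSeed) OpenSeed() ([]byte, error) {
	aead, err := newAEAD(p.Password)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, nil)
}

// Tokencode derives a 6-digit code for one time interval from the seed. This is a
// generic HMAC-based stand-in, not RSA's SecurID algorithm (which the page defers to
// Appendix J); only the shape, seed plus clock giving a short code, is the same.
func Tokencode(seed []byte, interval uint64) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], interval)
	mac := hmac.New(sha256.New, seed)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// Passcode is what the device submits: the user's software token PIN as a prefix,
// followed by the current tokencode.
func Passcode(pin, tokencode string) string {
	return pin + tokencode
}

// VerifyPasscode is the authentication-server side. It knows the user's PIN and seed,
// recomputes the expected passcode for the interval and compares in constant time, so
// a wrong PIN and a wrong tokencode are indistinguishable to the caller.
func VerifyPasscode(seed []byte, pin, passcode string, interval uint64) bool {
	expected := Passcode(pin, Tokencode(seed, interval))
	return subtle.ConstantTimeCompare([]byte(expected), []byte(passcode)) == 1
}

func main() {
	seed := []byte("constructed-sample-seed") // constructed; a real seed comes from the .sdtid file
	stored, err := ImportSeed(seed)
	if err != nil {
		panic(err)
	}
	plain, err := stored.OpenSeed()
	if err != nil {
		panic(err)
	}
	interval := uint64(time.Now().Unix() / 60) // the code changes once a minute in this model
	pc := Passcode("1234", Tokencode(plain, interval)) // "1234" is a constructed sample PIN
	fmt.Println("passcode:", pc, "accepted:", VerifyPasscode(seed, "1234", pc, interval),
		"wrong PIN accepted:", VerifyPasscode(seed, "4321", pc, interval))
}
```

The point to take from the two halves is that the seed never exists in clear at rest on the device and that the passcode a verifier sees is only as strong as both factors together: a captured tokencode without the PIN, or a stolen PIN without the current tokencode, does not verify.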
How the BlackBerry Enterprise Solution authenticates requests for wireless software upgrades
The BlackBerry Enterprise Server and the BlackBerry device encrypt all communication between them, including wireless software upgrade communication, using standard BlackBerry encryption. Encryption alone does not tell the device who requested an upgrade, so the device also uses digital signature validation to authenticate the following types of wireless software upgrade communication:
• control messages that the device receives from the BlackBerry Infrastructure or the BlackBerry Provisioning System administration site requesting the wireless software upgrade
• upgrade instructions that the device requests and receives from the BlackBerry Infrastructure or the BlackBerry Provisioning System administration site that sends the wireless BlackBerry Device Software upgrade
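As an added illustration of the signature check above (not code from RIM, and not the real control message format, which the page does not describe), the following Go program signs a constructed control message with Ed25519 and shows the device-side check rejecting an altered message and a message signed with a key other than the one provisioned on the device. ControlMessage, Sign and Accept are names chosen for the example; the version string, URL and timestamps are constructed; the age check in Accept is an extra the page does not mention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ControlMessage is a constructed stand-in for a wireless software upgrade control
// message; the real message format is not described on the page.
type ControlMessage struct {
	Action   string // for example "upgrade"
	Version  string // Device Software version the device is told to fetch
	URL      string // where the device is to request the upgrade instructions
	IssuedAt uint64 // unix seconds; lets the device refuse stale messages
}

// encode serialises the message with length prefixes so that field boundaries are part
// of what is signed (plain concatenation would let "ab"+"c" and "a"+"bc" sign alike).
func (m ControlMessage) encode() []byte {
	var out []byte
	var n [8]byte
	for _, s := range []string{m.Action, m.Version, m.URL} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(s)))
		out = append(append(out, n[:4]...), s...)
	}
	binary.BigEndian.PutUint64(n[:], m.IssuedAt)
	return append(out, n[:]...)
}

// SignedControlMessage is the message together with the signature the sender made over it.
type SignedControlMessage struct {
	Message   ControlMessage
	Signature []byte
}

// Sign is the sending side (the BlackBerry Infrastructure or the provisioning site in the text).
func Sign(priv ed25519.PrivateKey, m ControlMessage) SignedControlMessage {
	return SignedControlMessage{Message: m, Signature: ed25519.Sign(priv, m.encode())}
}

// Accept is the device side: it acts on a message only if the signature verifies under the
// public key provisioned on the device. The age window is an addition the page does not
// describe; without it a validly signed old message could be replayed indefinitely.
func Accept(pub ed25519.PublicKey, sm SignedControlMessage, now, maxAge uint64) error {
	if !ed25519.Verify(pub, sm.Message.encode(), sm.Signature) {
		return errors.New("control message rejected: signature does not verify")
	}
	if sm.Message.IssuedAt > now || now-sm.Message.IssuedAt > maxAge {
		return errors.New("control message rejected: outside the accepted time window")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub would be provisioned on the device
	if err != nil {
		panic(err)
	}
	msg := ControlMessage{Action: "upgrade", Version: "4.5.0", // constructed values
		URL: "https://provisioning.example.invalid/upgrade", IssuedAt: 1700000000}
	signed := Sign(priv, msg)
	fmt.Println("genuine:", Accept(pub, signed, 1700000060, 3600))
	forged := signed
	forged.Message.URL = "https://attacker.example.invalid/upgrade"
	fmt.Println("altered URL:", Accept(pub, forged, 1700000060, 3600))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", Accept(otherPub, signed, 1700000060, 3600))
}
```

The transport encryption described in the first paragraph and this check answer different questions: encryption keeps the message private in transit, while the signature is what lets the device decide that the upgrade request, and the instructions it later fetches, actually came from the infrastructure rather than from anyone able to reach the device.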
www.blackberry.com