Installation guide
BlackBerry Enterprise Solution 76
Appendix E: Ephemeral AES encryption key derivation process
The BlackBerry device uses an ephemeral 256-bit AES encryption key to encrypt the content protection key and
the ECC private key. The BlackBerry device derives the ephemeral 256-bit AES encryption key from the
BlackBerry device password using the following process:
1. The BlackBerry device selects a 64-bit salt (random data to mix with the BlackBerry device password). This
is intended to keep two identical passwords from turning into the same key.
2. The BlackBerry device concatenates the salt, the password, and the salt again into a byte array
(Salt|Password|Salt).
3. The BlackBerry device hashes the byte array with SHA-256.
4. The BlackBerry device stores the resulting hash in a byte array called a key.
   (key) = SHA256(Salt|Password|Salt)
5. The BlackBerry device hashes (key) 18 more times. It stores the result into (key) each time. For example, for
i=0 to 18, the BlackBerry device does the following:
       (key) = SHA256(key)
       i++
   done
6. The final hash creates the ephemeral key.
For more information, see RSA Security – PKCS #5.
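The derivation in steps 1 to 6, as an added Python example (not code from the original guide or from BlackBerry), with PBKDF2 from PKCS #5 alongside for comparison. The UTF-8 password encoding, the function names, the sample salts and password, and the PBKDF2 iteration count are assumptions; `extra_rounds` defaults to the 18 further hashes stated in step 5, and 19 is what the loop bounds `i=0 to 18` give if read inclusively.

```python
import hashlib
import os

SALT_BYTES = 8  # 64-bit salt, step 1


def derive_ephemeral_key(password: str, salt: bytes, extra_rounds: int = 18) -> bytes:
    """Steps 2-6: SHA256(Salt|Password|Salt), then extra_rounds further hashes."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 64 bits (8 bytes)")
    if extra_rounds < 0:
        raise ValueError("extra_rounds must not be negative")
    pw = password.encode("utf-8")  # assumption: the guide does not state the encoding
    key = hashlib.sha256(salt + pw + salt).digest()  # steps 2-4
    for _ in range(extra_rounds):                    # step 5
        key = hashlib.sha256(key).digest()
    return key                                       # step 6: 256-bit AES key


def pbkdf2_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PKCS #5 PBKDF2-HMAC-SHA256, shown only for comparison with the scheme above."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def demo() -> dict:
    # Constructed sample inputs, not values from the guide.
    salt_a = bytes.fromhex("0001020304050607")
    salt_b = bytes.fromhex("08090a0b0c0d0e0f")
    password = "constructed-sample-password"
    return {
        "key_salt_a": derive_ephemeral_key(password, salt_a),
        # Same password, different salt: step 1 says the keys must differ.
        "key_salt_b": derive_ephemeral_key(password, salt_b),
        # The inclusive reading of "i=0 to 18" gives a different key.
        "key_19_rounds": derive_ephemeral_key(password, salt_a, extra_rounds=19),
        # Assumed iteration count; PBKDF2 makes this work factor a parameter.
        "pbkdf2_100k": pbkdf2_key(password, salt_a, 100_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value.hex()}")
    print("fresh salt    ", os.urandom(SALT_BYTES).hex())
```

The two readings of step 5 produce different keys, so an implementation that must interoperate with stored data has to settle which count the device actually uses.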
© 2008 Research In Motion Limited. All rights reserved.
www.blackberry.com