Specifications
Devices store device transport keys in a keystore database in flash memory. The keystore database is designed so that
an attacker cannot copy the device transport keys to a computer by backing up the device, and cannot extract the key
data from flash memory.
The BlackBerry Device Service stores device transport keys in the BlackBerry Configuration Database. To avoid
compromising the device transport keys that are stored in the BlackBerry Configuration Database, you must protect the
BlackBerry Configuration Database.
Related information
Protecting the data that the BlackBerry Device Service stores in your organization's environment, 117
Generating the device transport key for a device
When you install the BlackBerry Device Service, the setup application creates an enterprise management root certificate
and a server certificate for the BlackBerry Device Service. When a user activates a device, the device sends a CSR to the
BlackBerry Device Service. The BlackBerry Device Service uses the CSR to create a client certificate, signs the client
certificate with the enterprise management root certificate, and sends the client certificate and the enterprise
management root certificate to the device. To protect the connection between the device and the BlackBerry Device
Service during this certificate exchange, the device and the BlackBerry Device Service derive a short-lived symmetric key
from the activation password using EC-SPEKE, a password-authenticated key agreement protocol.
When the certificate exchange is complete, the device and BlackBerry Device Service establish a mutually authenticated
TLS connection using the client certificate and the server certificate. The device verifies the server certificate using the
enterprise management root certificate.
To generate the device transport key, the device and the BlackBerry Device Service run ECMQV using the authenticated
long-term public keys that are associated with the client certificate and with the server certificate for the BlackBerry
Device Service. The ECMQV exchange takes place over the mutually authenticated TLS connection. The elliptic curve used
in ECMQV is the NIST-recommended 521-bit curve (P-521).
The BlackBerry Device Service and device do not send the device transport key over the wireless network when they
generate the device transport key or when they exchange messages.
Message keys
The BlackBerry Device Service and a device generate one or more message keys that protect the data (for example, short
keys or large messages) that they send to each other using the BlackBerry Infrastructure; a message key protects the
integrity of that data and is used to decrypt it on receipt. If a message exceeds 2 KB and is sent as several data
packets, the BlackBerry Device Service and the device generate a unique message key for each data packet.
Each message key is generated from random data, which makes it infeasible for a third party to recover, re-create, or
duplicate the message key.
The BlackBerry Device Service and the device do not store the message keys in persistent storage. They free the memory
that is associated with the message keys after the BlackBerry Device Service or device uses the message keys to decrypt
the message.
The device uses the pseudorandom bits retrieved from the random source on the device to generate a message key.
Security Technical Overview How devices connect to the BlackBerry Device Service
23