Version: 5.
Published: 2014-01-17 SWD-20140117135425071
Contents

1 New in this release ... 10
2 Overview ... 11
BlackBerry Enterprise Solution security
Using IT administration commands to protect a lost or stolen device ... 42
Data flow: Sending the Specify new device password and lock device IT administration command when content protection is turned on ... 43
Managing device access to the BlackBerry Enterprise Server
Encrypting the device transport key on a locked device ... 66
What happens when a user resets a device after you turn on content protection for the device transport key ... 66
Resetting a device password when content protection is turned on
How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other ... 89
What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection ... 90
How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure
Battery power requirements for BlackBerry Device Software updates over the wireless network ... 112
Data flow: Preparing to send a BlackBerry Device Software update over the wireless network ... 112
How a device validates a BlackBerry Device Software update over the wireless network ... 113
Updating the BlackBerry Device Software from an update web site
Data flow: Turning on two-factor content protection ... 134
Unbinding a smart card from a device ... 135
Protecting Bluetooth connections on a device
Specifying the resources that applications can access on a device ... 162
Using application control policy rules to control the resources that applications can access on a smartphone ... 162
How code signing controls the resources that applications can access on a smartphone ... 166
Permitting an application to encode data on a smartphone
Security Technical Overview

1 New in this release

The table lists the updated security features for the BlackBerry Enterprise Server 5.0 SP4 that are described in this document.
2 Overview

BlackBerry Enterprise Solution security

The BlackBerry Enterprise Solution consists of various products and components that are designed to extend your organization's communication methods to BlackBerry devices. The BlackBerry Enterprise Solution is designed to help protect data that is in transit at all points between a device and the BlackBerry Enterprise Server.
Security features of the BlackBerry Enterprise Solution

Feature: data protection
Description: The BlackBerry Enterprise Solution is designed to protect data that is in transit between the BlackBerry Enterprise Server and a BlackBerry device, and data that is in transit between your organization's messaging server and the email application on a user's computer.
Architecture: BlackBerry Enterprise Solution

The BlackBerry Enterprise Solution consists of various components that permit you to extend your organization's communication methods to BlackBerry devices.
Component: BlackBerry Administration Service
Description: The BlackBerry Administration Service is a BlackBerry Enterprise Server component that connects to the BlackBerry Configuration Database. You can use the BlackBerry Administration Service to manage BlackBerry Enterprise Server components, user accounts, and features for a device.

Component: BlackBerry Attachment Service
Description: The BlackBerry Attachment Service is a BlackBerry Enterprise Server component that converts supported message attachments into a format that the user can view on a device.

Component: BlackBerry Collaboration Service
Description: The BlackBerry Collaboration Service is a BlackBerry Enterprise Server component that provides a connection between your organization's instant messaging server and the collaboration client on a device.

... The BlackBerry Enterprise Server uses the connection to send email messages inside your organization's firewall.

Component: BlackBerry Infrastructure
Description: The BlackBerry Infrastructure is designed to manage the wireless transport of messages between the wireless network and a device.

Component: BlackBerry Internet Service
Description: The BlackBerry Internet Service provides a subscriber with messaging service and access to Internet content on a device.

Component: BlackBerry Router
Description: The BlackBerry Router is a BlackBerry Enterprise Server component that connects to the wireless network to send data to and from a device. The BlackBerry Router also sends data over your organization's network to a device that is connected to a computer that hosts the BlackBerry Device Manager.
3 Keys on a device

The BlackBerry Enterprise Solution generates keys that are designed to protect the data that is stored on a BlackBerry device and the data that the device and the BlackBerry Enterprise Server send to each other.
Key: content protection key
Description: The content protection key encrypts user data on the device when the device is locked.

Key: device transport key
Description: The device transport key encrypts the message keys.

Key: ECC private key
Description: The ECC private key decrypts data when the user unlocks the device.

Key: ECC public key
Description: The ECC public key encrypts data that the device receives while it is locked, so that the data can be stored without the content protection key being available.
Device transport keys

The device transport key encrypts the message keys that help protect the data sent between a BlackBerry Enterprise Server and a BlackBerry device. The BlackBerry Enterprise Server and device generate the device transport key when a user activates the BlackBerry device.
State: previous
Description: The messaging server and BlackBerry Configuration Database store the previous device transport key, that is, the key that the BlackBerry Enterprise Server and device used most recently before the current one. A potentially malicious user cannot use the previous device transport key to learn the current device transport key. The BlackBerry Enterprise Server and device discard the key pair after they generate the device transport key.
• device transport keys in binary form, with tags that indicate whether the status of the device transport key is pending (0x6002 tag), current (0x6003 tag), or previous (0x6004 tag)

Where the BlackBerry Enterprise Server stores device transport keys in an IBM Domino environment

In an IBM Domino environment, the BlackBerry Enterprise Server stores the device transport keys in a Domino database that is named BlackBerryProfiles.nsf.
Characteristic: long-term public keys exchanged
Description: The wireless activation process verifies that the BlackBerry Enterprise Server and device can exchange the device transport key in a manner that is designed to be highly secure when they generate a new device transport key.
A user can also generate a device transport key using the BlackBerry Desktop Manager. By default, the BlackBerry Enterprise Server sends a request to the BlackBerry Desktop Manager every 30 days to prompt the user to generate a new device transport key on the device, even if the user has chosen to generate device transport keys manually using the BlackBerry Desktop Manager.
Each message key consists of random data that is designed to make it difficult for a third party to decrypt, re-create, or duplicate the message key. The BlackBerry Enterprise Server and device do not store the message keys; they free the memory that is associated with a message key as soon as the BlackBerry Enterprise Server or device has used that message key to decrypt the message.
1. Retrieves random data from multiple sources to generate the seed, using a technique that the device derives from the initialization function of the ARC4 encryption algorithm
2. Uses the random data to reorder the contents of a 256-byte state array (also known as a 2048-bit state array)
3. Feeds the 256-byte state array into the ARC4 encryption algorithm to further randomize the 256-byte state array
4.
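The first three steps above, written out as an added example. This is not BlackBerry's code and the page does not say how the device pools its entropy sources; the example folds the source bytes into a 256-byte key by XOR (an assumption), applies the standard ARC4 key-scheduling algorithm to reorder the identity permutation of 0..255, and then runs the ARC4 keystream step with the output discarded to randomize the state further. IsPermutation is a sanity check: whatever the input, swapping entries must leave exactly one copy of each byte value.

```go
package main

import "fmt"

// foldSources XORs the bytes gathered from every entropy source into a
// 256-byte pool so that all of the collected data influences the schedule.
// Assumption: the page does not say how the device pools its sources.
func foldSources(sources ...[]byte) [256]byte {
	var pool [256]byte
	k := 0
	for _, src := range sources {
		for _, b := range src {
			pool[k%256] ^= b
			k++
		}
	}
	return pool
}

// arc4Schedule is the ARC4 key-scheduling algorithm: it starts from the
// identity permutation of 0..255 and swaps entries under control of the key
// bytes, which reorders the 256-byte (2048-bit) state array (step 2).
func arc4Schedule(key [256]byte) [256]byte {
	var s [256]byte
	for i := range s {
		s[i] = byte(i)
	}
	j := 0
	for i := 0; i < 256; i++ {
		j = (j + int(s[i]) + int(key[i])) & 0xff
		s[i], s[j] = s[j], s[i]
	}
	return s
}

// arc4Stir runs the ARC4 keystream step for a number of rounds and throws
// the output away; every round swaps two entries, so the permutation keeps
// changing and the influence of each key byte spreads further (step 3).
func arc4Stir(s [256]byte, rounds int) [256]byte {
	i, j := 0, 0
	for n := 0; n < rounds; n++ {
		i = (i + 1) & 0xff
		j = (j + int(s[i])) & 0xff
		s[i], s[j] = s[j], s[i]
	}
	return s
}

// SeedState performs steps 1 to 3 from the page: pool the source data, use
// it to reorder the state array with the ARC4 initialization function, then
// run ARC4 over the result to randomize it further.
func SeedState(sources ...[]byte) [256]byte {
	return arc4Stir(arc4Schedule(foldSources(sources...)), 1024)
}

// IsPermutation reports whether every value 0..255 occurs exactly once,
// which must hold after any number of swaps.
func IsPermutation(s [256]byte) bool {
	var seen [256]bool
	for _, v := range s {
		if seen[v] {
			return false
		}
		seen[v] = true
	}
	return true
}

func main() {
	// Constructed sample inputs standing in for the device's entropy sources.
	state := SeedState([]byte("radio-noise-sample"), []byte{0x1f, 0x88, 0x03}, []byte("clock-jitter"))
	fmt.Printf("first bytes of state: %x, permutation: %v\n", state[:8], IsPermutation(state))
}
```

The state array is only as unpredictable as the data folded into it: the schedule is deterministic, so two devices that collected the same source bytes would end with the same state, which is why the page stresses retrieving random data from multiple sources.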
Data flow: Turning on content protection using a BlackBerry Enterprise Server

You can turn on content protection using a BlackBerry Enterprise Server when you configure the Content Protection Strength IT policy rule.

1. The BlackBerry Enterprise Server performs the following actions:
   a. selects b randomly
   b. calculates B = bP
   c. stores b in the BlackBerry Configuration Database
   d. sends B in the IT policy to the BlackBerry device
2.
3. Prompts the user to type the device password
4. Derives an ephemeral 256-bit AES encryption key from the device password, using PKCS #5
5. Uses the ephemeral key to encrypt the content protection key and the ECC private key
6. Stores the encrypted content protection key, the encrypted ECC private key, and the ECC public key in flash memory

The content protection key is a semi-permanent 256-bit AES encryption key.
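Steps 3 to 6 of the device side, as an added example that is not BlackBerry's code. The page names PKCS #5 and AES-256 but not the PBKDF2 pseudorandom function, the iteration count, the AES mode, or the curve of the ECC key pair; this example assumes HMAC-SHA256 with 10,000 iterations, AES-256-GCM (so a wrong password fails authentication instead of yielding garbage keys), and P-256. It wraps the content protection key and the ECC private scalar in one sealed record, keeps the ECC public key in the clear as step 6 requires, and shows the unlock path that re-derives the ephemeral key from the typed password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumptions not stated on the page: PBKDF2 uses HMAC-SHA256 with this
// iteration count, the ECC key pair is on P-256, and AES-256 runs in GCM mode.
const pbkdf2Iterations = 10000

// FlashRecord is what step 6 leaves in flash memory: both keys wrapped under
// the ephemeral key, the ECC public key in the clear, and the salt and nonce
// needed to re-derive the ephemeral key from the password on unlock.
type FlashRecord struct {
	Salt, Nonce []byte
	WrappedKeys []byte // AES-GCM ciphertext of contentProtectionKey || eccPrivateScalar
	ECCPublic   []byte // uncompressed P-256 point, also bound as associated data
}

// pbkdf2SHA256 implements PBKDF2 (PKCS #5 v2.1, RFC 8018 section 5.2) with HMAC-SHA256.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i; T is the XOR of all U_i
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// ephemeralKey is step 4: a 256-bit AES key derived from the device password.
func ephemeralKey(password, salt []byte) []byte {
	return pbkdf2SHA256(password, salt, pbkdf2Iterations, 32)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TurnOnContentProtection performs steps 3 to 6. It also returns the raw
// content protection key and ECC private scalar so a caller can confirm that
// Unlock recovers exactly what was wrapped.
func TurnOnContentProtection(password []byte) (rec *FlashRecord, cpk, scalar []byte, err error) {
	cpk = make([]byte, 32) // the semi-permanent 256-bit AES content protection key
	if _, err = io.ReadFull(rand.Reader, cpk); err != nil {
		return nil, nil, nil, err
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	scalar = priv.D.FillBytes(make([]byte, 32))
	rec = &FlashRecord{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	if _, err = io.ReadFull(rand.Reader, rec.Salt); err != nil {
		return nil, nil, nil, err
	}
	if _, err = io.ReadFull(rand.Reader, rec.Nonce); err != nil {
		return nil, nil, nil, err
	}
	rec.ECCPublic = elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
	aead, err := newGCM(ephemeralKey(password, rec.Salt))
	if err != nil {
		return nil, nil, nil, err
	}
	// Step 5: one AEAD call wraps both secrets, so the fresh nonce is used
	// exactly once under this ephemeral key.
	plain := append(append([]byte{}, cpk...), scalar...)
	rec.WrappedKeys = aead.Seal(nil, rec.Nonce, plain, rec.ECCPublic)
	return rec, cpk, scalar, nil
}

// Unlock re-derives the ephemeral key from the typed password and unwraps
// the keys. A wrong password or a tampered record fails authentication.
func Unlock(rec *FlashRecord, password []byte) (cpk, scalar []byte, err error) {
	aead, err := newGCM(ephemeralKey(password, rec.Salt))
	if err != nil {
		return nil, nil, err
	}
	plain, err := aead.Open(nil, rec.Nonce, rec.WrappedKeys, rec.ECCPublic)
	if err != nil {
		return nil, nil, errors.New("wrong password or tampered record")
	}
	return plain[:32], plain[32:], nil
}

func main() {
	rec, _, _, err := TurnOnContentProtection([]byte("constructed device password"))
	if err != nil {
		panic(err)
	}
	_, _, err = Unlock(rec, []byte("wrong password"))
	fmt.Println("unlock with wrong password:", err)
}
```

Binding the stored ECC public key as associated data means that swapping the public key in flash while leaving the wrapped private key in place is detected at unlock; the page only requires the public key to be stored, so this binding is a design choice of the example.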
Principal encryption keys

When you or a user turns on content protection for device transport keys, a BlackBerry device generates a principal encryption key and stores it in flash memory. The device uses the principal encryption key to encrypt the device transport keys that are stored on the device in flash memory and the PIN encryption key that is specific to your organization. The device encrypts the principal encryption key using the content protection key.
A device that has a PIN encryption key that is specific to your organization:
• can only encrypt PIN messages sent to other devices on your organization's network that use the same PIN encryption key
• can only decrypt PIN messages that are sent from devices that use the global PIN encryption key or PIN messages from other devices on your organization's network that use the same PIN encryption key
• cannot decrypt PIN mess
4 Encrypting data that the BlackBerry Enterprise Server and a device send to each other

To encrypt data that is in transit between the BlackBerry Enterprise Server and a BlackBerry device in your organization, the BlackBerry Enterprise Solution uses BlackBerry transport layer encryption.
How the BlackBerry Enterprise Solution uses AES to encrypt data

By default, when a BlackBerry device supports AES, the BlackBerry Enterprise Solution uses AES for BlackBerry transport layer encryption. The BlackBerry Enterprise Solution uses AES in CBC mode with the message keys and device transport keys. The keys consist of 256 bits of data. BlackBerry Enterprise Server version 4.
Data flow: Running a masking operation during subsequent AES calculations when content protection is turned on

A BlackBerry device performs the following actions:
1. performs the masking operation by periodically and randomly permuting all table entries in every calculation
2. runs the input through both M and S'
3. combines the output from M and S'
4.
All versions of the BlackBerry Enterprise Server, BlackBerry Device Software, and BlackBerry Desktop Software support Triple DES. For more information about Triple DES, see Federal Information Processing Standard - FIPS PUB 81 [3].

Data flow: Sending an email message to a device using BlackBerry transport layer encryption

1. A sender sends an email message to a BlackBerry device user.
2.
Data flow: Sending an email message from a device using BlackBerry transport layer encryption

1. A sender sends an email message from a BlackBerry device to a recipient.
2.
5 Managing BlackBerry Enterprise Solution security

Using an IT policy to manage BlackBerry Enterprise Solution security

You can use an IT policy to control and manage BlackBerry devices, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry Enterprise Solution.
Preconfigured IT policy: Default
Description: This policy includes all the standard IT policy rules that are set on the BlackBerry Enterprise Server.

Preconfigured IT policy: Individual-Liable Devices
Description: Similar to the Default IT policy, but this policy prevents BlackBerry device users from accessing organizer data from within the social networking applications on their BlackBerry devices.
Using IT policy rules to manage BlackBerry Enterprise Solution security

You can use IT policy rules to customize and control the actions that the BlackBerry Enterprise Solution can perform. To use an IT policy rule on a BlackBerry device, you must verify that the BlackBerry Device Software version supports the IT policy rule.
Method: Apply one IT policy to the user account
Description: The BlackBerry Enterprise Server applies one of the group IT policies to the user account. You specify rankings for the available IT policies using the BlackBerry Administration Service, and the BlackBerry Enterprise Server applies the IT policy with the highest ranking. If you upgrade to BlackBerry Enterprise Server 5.
Scenario: A user account belongs to multiple groups. You assign multiple IT policies to the groups but do not assign an IT policy to the user account.
Rule: The BlackBerry Enterprise Server applies the IT policy that you ranked the highest in the BlackBerry Administration Service to the user account.
... rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser IT policy rule set to No. You ranked IT policy A higher than IT policy B in the BlackBerry Administration Service.
Description: ... notify the user that you turned on the ability of the device to report its location to the BlackBerry Enterprise Server.

Using IT administration commands to protect a lost or stolen device

The BlackBerry Enterprise Server includes IT administration commands that you can send over the wireless network to protect sensitive data on a BlackBerry device.
Description: You can send this command to a device that you want to distribute to another user in your organization, or to a device that is lost and that the user might not recover. You can also specify whether you want to delete or disable a user account on the BlackBerry Enterprise Server after the device deletes all user information and application data.
   f. permanently deletes K
5.
Using a segmented network to help prevent the spread of malware

To help prevent the spread of malware in your organization's network, you can use firewalls to divide your organization's network or LAN into segments to create a segmented network. Each segment can manage the network traffic for a specific BlackBerry Enterprise Server component.
Configuring the IT Policy Viewer icon on a device

The IT policy viewer permits a BlackBerry device user to view the IT policy rules that were configured for a BlackBerry device that is running BlackBerry Device Software 6.0 or later. Only devices that you activate on a BlackBerry Enterprise Server include the IT policy viewer.
6 Device storage space

The BlackBerry device storage space consists of various sections that store BlackBerry device user data and sensitive information such as encryption keys. Third-party applications on a device cannot write to or access the sections that store sensitive information. The following sections are a part of the device storage space.
Changing when a device cleans the device memory

By default, the memory cleaner application runs on a BlackBerry device when the device is inactive for a specified period of time. You or a BlackBerry device user can change the memory cleaner application to run when any of the following conditions exist:
• The user synchronizes the device with a computer.
• The user locks the device.
• The device locks after it is inactive for a specified period of time.
When a device overwrites data in the device memory

A BlackBerry device continually runs the memory cleaner application during the garbage collection process to overwrite data in the device memory that the device no longer uses. The device runs the garbage collection process when any of the following conditions exist:
• You or a device user turns on content protection for the device.
• if you reset the device to the factory default settings, the IT policy that is stored on the device
• if a user selects the Include third party applications option or the User Installation Application option on the device, all third-party applications and application data

If you or a user turned on content protection, the device uses a memory-scrub process to overwrite the application storage on the device and the built-in media storage.
IT policy rule: Secure Wipe Delay After IT Policy Received
Description: This rule specifies the length of time (in hours) after a device receives an IT policy update or the Delete all device data and remove device IT administration command before the device deletes all BlackBerry device user data.

IT policy rule: Secure Wipe Delay After Lock
Description: This rule specifies the length of time (in hours) after a device locks before the device deletes all user data.
The device can bind to another BlackBerry Enterprise Server at a later time. The device does not use the memory-scrub process to overwrite the IT policy public key because it is not a protected or hidden value.
4. If applicable, deletes authentication information from the NV store. For example, the device deletes the binding information for the smart card. The device can bind to another smart card at a later time.
5.
3. writes 0xCC to each byte (1100 1100 in binary)
4. writes 0x00 to each byte (0000 0000 in binary)
5. writes 0x55 to each byte (0101 0101 in binary)
6. writes 0x00 to each byte (0000 0000 in binary)
7. writes 0xAA to each byte (1010 1010 in binary)

Scrubbing the flash memory on a device when deleting all device data

For a BlackBerry device that is running BlackBerry Device Software version 4.
7 Securing devices in your organization's environment for personal use and work use

Your organization might want to permit BlackBerry device users to use BlackBerry devices for both personal use and work use.
... data, you must configure the "Is access to the corporate data API allowed" application control policy rule. The device checks this rule to determine which applications can access work data.
Data and applications that a device classifies for personal use

A BlackBerry device classifies the following data and applications for personal use:
• email messages and attachments that a BlackBerry device user sends from any email account (for example, a personal email account) except for the work email account
• contacts that the device synchronizes with personal email accounts (for example,
Preventing a user from pasting work data into a personal application

To help prevent a BlackBerry device user from pasting work data into a personal application, you can set the Enable Separation of Work Content IT policy rule to Yes so that the following guidelines apply to the user:
• a user can cut, copy, and paste work data from a work application to another work application
• a user cannot
Preventing a user from using the work contact list in personal email accounts and personal calendars

By default, a BlackBerry device does not prevent a BlackBerry device user from using personal email accounts or personal calendars to send email messages or calendar appointments to email addresses in the work contact list.
... data and personal data on a computer using the BlackBerry Desktop Software and BlackBerry Web Desktop Manager. The user can restore the backed-up data to the device after the BlackBerry Device Software is updated or when issues occur that require the user to restore the information.
... require that a personal device remove only work data when the device receives the Delete only the organization data and remove device IT administration command over the wireless network. All personal data remains on the device. A BlackBerry device user cannot use the device or make emergency calls while the device deletes the work data.
Data flow: Deleting only work data from a device

When you delete only work data from a BlackBerry device using the Delete all organizational device data IT administration command, the device performs the following actions:
1.
Managing third-party applications on a smartphone that a user uses for personal purposes

By default, a BlackBerry smartphone classifies all applications as work applications that can access work data.
... prevent add-on applications such as Facebook for BlackBerry smartphones and MySpace for BlackBerry smartphones from accessing the work calendar and work contact list. The Enable Separation of Work Content IT policy rule has some effect on add-on applications.
8 Protecting data on a device

Encrypting user data on a locked device

If you or a BlackBerry device user turns on content protection, you or the user can configure a locked device to encrypt stored user data and data that the locked device receives. When you or a user turns on content protection, a locked device is designed to use AES-256 encryption to encrypt stored data and an ECC public key to encrypt data that the locked device receives.
To make content protection optional, or to prevent an administrator or a user from turning on content protection for a device that is running BlackBerry Device Software 6.0 or later, you can use the Content Protection Usage IT policy rule. After you or a user configures content protection, a device uses the ECC private key to decrypt an email message that it received while it was locked.
... device locks. If the device does not complete the re-encryption process before the user unlocks the device, the device resumes re-encryption when it locks again.

Encrypting the device transport key on a locked device

If you turn on content protection for device transport keys, a BlackBerry device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory.
• connects to the BlackBerry Infrastructure
• resumes serial bypass connections
• receives data from the BlackBerry Enterprise Server

Resetting a device password when content protection is turned on

If you or a BlackBerry device user turns on content protection for a BlackBerry device that is running BlackBerry Device Software version 4.3 or later, you can reset the device password using a BlackBerry Enterprise Server version 4.1 SP5 or later.
Cryptosystem parameters that the remote password reset cryptographic protocol uses

The BlackBerry Enterprise Server and BlackBerry device are designed to share the following cryptosystem parameters when they use the remote password reset cryptographic protocol. Uppercase parameters represent elliptic curve points. Lowercase parameters represent scalars. The elliptic curve group operations are additive.
The first time that the user opens the password keeper on the device, the user must create the password keeper password. The password keeper encrypts the information that it stores using AES-256 encryption, and uses the password keeper password to decrypt the information when the user types the password keeper password. The device deletes all device data if a user types the password keeper password incorrectly 10 times.
To generate an encryption key, the BlackBerry device performs the following actions:
1. generates an AES-256 encryption key
2. stores the encryption key in the NV store in RAM on the BlackBerry device
3. XORs the AES-256 encryption key with another AES-256 encryption key that is encrypted with a password, to generate the encryption key for the media card
4. encrypts the encryption key for the media card using the AES-256 encryption key
5.
How a device protects its operating system and the BlackBerry Device Software

Each time a user turns on a BlackBerry device, specific components on the device automatically check the authenticity of the device operating system and the integrity of the BlackBerry Device Software.
9 Protecting the data that the BlackBerry Enterprise Server stores in your organization's environment

Where the BlackBerry Enterprise Server stores messages and user data in the messaging environment

The BlackBerry Enterprise Server stores the messages and user data for a BlackBerry device in the messaging environment so that the BlackBerry Enterprise Server can maintain a conn
Messaging environment: Microsoft Exchange
Storage location: The BlackBerry Enterprise Server stores user data in hidden folders in the Microsoft Exchange mailbox for the user.

Messaging environment: Novell GroupWise
Storage location: The BlackBerry Enterprise Server stores user data in the POA where the user account is located.
Best practice: Delete unsecured, old setup files.

Description:
• At a minimum, write failed connection attempts to the Microsoft SQL Server log file and review the log file regularly.
• When possible, save log files to a different hard disk drive than the one that the data files are stored on.
Best practice: Use Microsoft SQL Server Management Studio.

Description:
• Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and NTFS permits security options such as file and directory ACLs and EFS.
• Do not change the permissions that the Microsoft SQL Server specifies during the Microsoft SQL Server installation process.
A device stores the digitally signed IT policy and the IT policy public key in the NV store in flash memory. When the device stores the IT policy and IT policy public key, the device binds the IT policy to itself so that the device can use the IT policy to control its behavior.
10 Protecting communication with a device

Opening a direct connection between a device and a BlackBerry Router

A BlackBerry device can use the BlackBerry Router protocol to bypass the SRP-authenticated connection to the BlackBerry Infrastructure and open a direct connection to a BlackBerry Router.
A device can provide all email messaging services and data services using the BlackBerry Router protocol except for activation over the wireless network. After a user starts the activation process over the wireless network, the user can connect the device to a computer that hosts the BlackBerry Device Manager to complete the activation process.
To perform either of these impersonation attacks, the potentially malicious user must send the device transport key value (also known as s) to the BlackBerry Enterprise Server or device, which requires the potentially malicious user to solve the discrete log problem to determine s or the hash of s.
c sends RD and KeyID to the BlackBerry Enterprise Server
4. The BlackBerry Enterprise Server performs the following actions:
a verifies that RD is a valid random point (that is, RD is not the point at infinity)
b selects a random value rB, where 1 < rB < p - 1, and calculates RB = rB·P
c if RD = RB, calculates another value of RB
d selects a random value eD, where 1 < eD < p - 1
e sends RB, eD, and KeyID to the device
5.
yB·P + eB·RB ≠ hP
• The BlackBerry Router does not accept the connection request if the BlackBerry Router calculates the following: yB·P + eB·RB ≠ yD·P + eD·RD
• The BlackBerry Enterprise Server does not accept the connection request if the BlackBerry Enterprise Server calculates the following: yD·P + eD·RD ≠ hP
• The BlackBerry Router stores RD, RB, yD·P + eD·RD, eD, and eB if the device accepts yB.
10.
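The checks above are a Schnorr-style proof of knowledge run in both directions: each side commits to a random point (RD = rD·P, RB = rB·P), is challenged (eD, eB), and answers with a value y chosen so that y·P + e·R collapses to hP, the public counterpart of h (the hash of the device transport key s). A forger who does not know h would have to solve the discrete log problem to produce a valid y. The following added example (not BlackBerry code) reproduces that algebra over a toy prime-order subgroup of Z_p^* instead of an elliptic curve, so "y·P + e·R" becomes G^y · R^e and "hP" becomes G^h. The group parameters, the use of SHA-256 to derive h from s, and the exact acceptance bookkeeping are assumptions made for this illustration; the values here are far too small for real use.

```python
"""Mutual Schnorr-style proof of knowledge of h, as described on the page.

Added illustration, not BlackBerry code. Toy multiplicative group instead of
an elliptic curve: point R = r*P  ->  R = G^r,   hP  ->  G^h.
"""
import hashlib
import secrets
from typing import Dict, Tuple

P = 1019   # toy safe prime, P = 2*Q + 1 (assumption: real deployments use a large EC group)
Q = 509    # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue mod P, so its order is exactly Q


def derive_h(s: bytes) -> int:
    """h = hash of the device transport key s, reduced into the exponent group (SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(s).digest(), "big") % Q


def random_exponent() -> int:
    """Random value in (1, Q), mirroring '1 < r < p - 1' on the page."""
    return secrets.randbelow(Q - 2) + 2


def commit() -> Tuple[int, int]:
    """Return (r, R = G^r). R == 1 is the group identity, the analogue of the
    point at infinity, so it is rejected and a new r is drawn."""
    while True:
        r = random_exponent()
        R = pow(G, r, P)
        if R != 1:
            return r, R


def respond(h: int, r: int, e: int) -> int:
    """y = h - e*r (mod Q), chosen so that G^y * R^e == G^h."""
    return (h - e * r) % Q


def reconstruct(y: int, R: int, e: int) -> int:
    """G^y * R^e, the analogue of y*P + e*R. Equals G^h only if y was built from the real h."""
    return (pow(G, y, P) * pow(R, e, P)) % P


def run_exchange(h_device: int, h_server: int) -> Dict[str, bool]:
    """Device and server each prove knowledge of h. The router sits in the
    middle and only compares the two reconstructed values; it never needs h."""
    hP_device = pow(G, h_device, P)      # what the device expects the server to hit
    hP_server = pow(G, h_server, P)      # what the server expects the device to hit

    r_d, R_d = commit()                  # device commitment RD
    r_b, R_b = commit()                  # server commitment RB
    while R_b == R_d:                    # 'if RD = RB, calculates another value of RB'
        r_b, R_b = commit()
    e_d = random_exponent()              # server's challenge to the device
    e_b = random_exponent()              # device's challenge to the server

    y_d = respond(h_device, r_d, e_d)    # device answers with yD
    y_b = respond(h_server, r_b, e_b)    # server answers with yB

    device_side = reconstruct(y_d, R_d, e_d)   # yD*P + eD*RD
    server_side = reconstruct(y_b, R_b, e_b)   # yB*P + eB*RB
    return {
        "device_accepts_server": server_side == hP_device,  # yB*P + eB*RB == hP ?
        "server_accepts_device": device_side == hP_server,  # yD*P + eD*RD == hP ?
        "router_accepts": device_side == server_side,       # checked without knowing h
    }


if __name__ == "__main__":
    h = derive_h(b"constructed sample transport key s")
    print("both sides know h:", run_exchange(h, h))
    print("impersonator with wrong h:", run_exchange(h, (h + 1) % Q))
```

The router check is the interesting part: it is satisfied whenever both parties reconstruct the same value, so the router can gate the connection without holding the device transport key, while each endpoint separately confirms that the value equals hP.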
4. The BlackBerry Router performs one of the following actions:
• The BlackBerry Router closes the authenticated connection to the BlackBerry device on behalf of the BlackBerry Enterprise Server if the BlackBerry Router accepts yC.
Best practice: Protecting plain text messages that a device sends over the wireless network
Plain text messages include SMS text messages, MMS messages, and PIN messages. A BlackBerry device can send SMS text messages and MMS messages over a wireless TCP/IP connection.
To apply this best practice, you can use the Firewall Block Incoming Messages IT policy rule.
Best practice: Require a user to verify whether the user wants to send a message.
Description: Consider configuring the device so that the user must confirm that they want to send an email message, SMS text message, MMS message, or PIN message. To apply this best practice, you can use the Confirm on Send IT policy rule.
Protecting HTTP connections from a device to content servers and application servers using HTTPS
If a third-party application on a BlackBerry device can access servers on the Internet, you can configure the BlackBerry MDS Connection Service to use HTTPS to provide additional authentication and security for the connection. The device supports HTTPS in proxy mode, where the BlackBerry MDS Connection Service terminates the TLS session on the device's behalf and the device-to-server hop is protected by BlackBerry transport layer encryption, or in direct mode, where the device negotiates TLS end to end with the content server. Only direct mode keeps the application data hidden from the BlackBerry MDS Connection Service.
Warning message: Weak Crypto Algorithm. Description: Your organization considers the algorithm that is used in the certificate chain to be weak.
Permitting TLS connections to websites that use invalid certificates
If a BlackBerry device user visits a website that presents an invalid certificate, the BlackBerry device displays a warning message to indicate that the security of the connection cannot be verified.
• Stop: the user selects this option to close the connection between the device and the website.
• Details: the user selects this option to see more information about why the certificate is invalid. When the user selects Details, the device shows information about the invalid certificate and indicates that the policy does not permit the connection.
BlackBerry Enterprise Server. When the BlackBerry Infrastructure becomes available again, the BlackBerry Enterprise Server resends messages that it did not receive acknowledgment packets for.
11 Protecting communications in your organization's environment
How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other
The BlackBerry Infrastructure and BlackBerry Enterprise Server must authenticate with each other before they can transfer data. The BlackBerry Enterprise Server uses SRP (the BlackBerry Server Routing Protocol, not the Secure Remote Password protocol) to authenticate with and connect to the BlackBerry Infrastructure.
What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection
After a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection over the Internet, the BlackBerry Enterprise Server is designed to send a basic information packet to the BlackBerry Infrastructure immediately.
Data flow: Authenticating a BlackBerry Enterprise Server with the BlackBerry Infrastructure
1. The BlackBerry Enterprise Server sends a data packet that contains its unique SRP identifier to the BlackBerry Infrastructure to claim the SRP identifier.
2. The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Enterprise Server.
3.
Messaging server: Domino. Description: A user who activates a BlackBerry device when the device is connected to a computer can encrypt data that is in transit between the Domino server and a Notes Inbox. For more information, see the online help for Domino.
Synchronization Service, and BlackBerry MVS share a communication password. The BlackBerry Messaging Agent and BlackBerry Dispatcher share a different communication password. The communication passwords are designed to prevent a potentially malicious user from viewing data that the BlackBerry Enterprise Server components and the BlackBerry MVS send to each other.
a uses a shared secret password (also known as the communication password) and the ECDH protocol with a 521-bit curve to create a device transport key
b uses the device transport key to create two encryption keys and two HMAC-SHA-256 keys
c uses one encryption key and one HMAC key to encrypt and authenticate data that BlackBerry Desktop Software version 4.
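Step b is a key-separation step: one shared secret is expanded into two encryption keys and two HMAC-SHA-256 keys, one pair per direction, so that a record captured in one direction cannot be replayed or reflected in the other. The page does not say which key derivation function is used; the added example below (not BlackBerry code) uses HKDF-SHA256 (RFC 5869) as a stand-in, takes the ECDH output as an already-computed byte string because the Python standard library has no ECDH, and labels the KeyID used as salt and the "info" string as assumptions. It also shows the direction check that the split keys make possible.

```python
"""Expanding one transport key into per-direction encryption and HMAC keys.

Added illustration, not BlackBerry code. HKDF-SHA256 (RFC 5869) is assumed as
the KDF; the KeyID salt, the info label and the key layout are assumptions.
"""
import hashlib
import hmac
from typing import Dict

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC(salt, IKM); an empty salt is replaced by HASH_LEN zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ...,  T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(transport_key: bytes, key_id: bytes) -> Dict[str, bytes]:
    """Two encryption keys and two HMAC-SHA-256 keys, one pair per direction."""
    prk = hkdf_extract(key_id, transport_key)
    okm = hkdf_expand(prk, b"constructed info label: desktop<->server session keys", 4 * 32)
    return {
        "enc_desktop_to_server": okm[0:32],
        "mac_desktop_to_server": okm[32:64],
        "enc_server_to_desktop": okm[64:96],
        "mac_server_to_desktop": okm[96:128],
    }


def tag(mac_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 authentication tag over a (here: already encrypted) record."""
    return hmac.new(mac_key, data, HASH).digest()


def verify(mac_key: bytes, data: bytes, received_tag: bytes) -> bool:
    """Constant-time tag comparison; a tag made with the other direction's key fails."""
    return hmac.compare_digest(tag(mac_key, data), received_tag)


if __name__ == "__main__":
    keys = derive_session_keys(b"constructed sample ECDH output", b"KeyID-0001")
    record = b"constructed ciphertext bytes"
    t = tag(keys["mac_desktop_to_server"], record)
    print("accepted by server:", verify(keys["mac_desktop_to_server"], record, t))
    print("reflected back to desktop:", verify(keys["mac_server_to_desktop"], record, t))
```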
environment and authenticate and authorize users. The Kerberos protocol is designed to permit the BlackBerry MDS Connection Service to verify user accounts in Microsoft Active Directory. Constrained delegation is designed to limit the resources that the BlackBerry MDS Connection Service can provide authenticated users access to.
How the BlackBerry MDS Connection Service uses Kerberos to help protect your organization's resources
BlackBerry MDS Connection Service integrated authentication is designed to use the Kerberos protocol and constrained delegation to authenticate BlackBerry device users in your organization's network in a highly secure manner.
1. The BlackBerry device user navigates to a resource on your organization's intranet or on a file share (for example, a web page or shared file) using the BlackBerry Browser or Files application on the BlackBerry device.
2. The device encrypts and compresses an HTTP request for the resource and sends the encrypted HTTP request to the BlackBerry Router using BlackBerry transport layer encryption.
3.
Protecting your organization's resources when you configure BlackBerry Administration Service single sign-on
You can configure the BlackBerry Administration Service so that administrators or BlackBerry Web Desktop Manager users must log in to the BlackBerry Administration Service console or BlackBerry Web Desktop Manager using Microsoft Active Directory authentication.
Component: BlackBerry Administration Service. Description: The BlackBerry Administration Service permits you to manage the BlackBerry Domain, which includes BlackBerry Enterprise Server components, user accounts, and features for BlackBerry device administration.
Component: domain controller. Description: A domain controller is a server that authenticates and authorizes Windows users and Windows servers with a Windows domain.
Kerberos services. The Kerberos keys permit the BlackBerry Administration Service to verify the Kerberos service tickets that browsers send during single sign-on.
3. The browser retrieves the TGT of the administrator or user from the ticket cache on the computer that the administrator or user is using. The browser uses the TGT to request the service ticket for the BlackBerry Administration Service web server (which is named HTTP/) from the domain controller.
4.
12 Activating a device
When a user activates a BlackBerry device, the BlackBerry Enterprise Solution authenticates the user and associates the device with a BlackBerry Enterprise Server. During the activation process, the BlackBerry Enterprise Solution generates a device transport key.
Data flow: Activating a device over the wireless network
1. A user opens the activation application on the BlackBerry device, and types the appropriate email address and activation password.
2. The device sends an activation request to the BlackBerry Infrastructure using standard BlackBerry protocols. The BlackBerry Infrastructure uses SMTP to send an activation message to the user's email account.
13 Managing certificates on a device
Purpose of certificates on a device
A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has a corresponding private key that is stored separately. A certification authority signs the certificate to attest that the binding between the identity and the public key can be trusted.
Configuring BlackBerry devices to enroll certificates over the wireless network
You can configure the BlackBerry Enterprise Server to permit BlackBerry devices to enroll certificates that the devices can use with any PKI-enabled application or process.
• Custom Microsoft Certificate Authority Certificate Template
• Distinguished Name Components
• Key Algorithm
• Key Length
• Microsoft Certificate Authority Certificate Template
• RSA Certificate Authority Certificate ID
• RSA Jurisdiction ID
A certificate enrollment process does not delete the existing certificate from the device key store or notify the certification authority that the certificate is no longer in use.
Data flow: Enrolling a certificate when the certification authority approves certificate requests automatically
After a BlackBerry device receives an IT policy that includes a certification authority profile, the enrollment process can start automatically, or you can instruct a user to start it. This process flow assumes that the certification authority in your organization's environment is a Microsoft enterprise certification authority.
1.
a verifies the certificate by checking whether the public key matches the public key that is stored in the BlackBerry Configuration Database
b sends the certificate to the device over the wireless network
14. The device adds the certificate and private key to the key store.
b after the certification authority administrator approves the certificate request, issues the certificate, and sends the certificate to the user in an email message
12.
9. The BlackBerry MDS Connection Service sends a status update to the device and sends the certificate request to the certification authority that is associated with the name of the certification authority profile.
10.
14 Protecting BlackBerry Device Software updates
Protecting BlackBerry Device Software updates over the wireless network
You can update the BlackBerry Device Software on a BlackBerry device over the wireless network. You can use the BlackBerry Administration Service to search for updates that match the device and wireless service provider, and send the updates.
How the BlackBerry Enterprise Solution protects BlackBerry Device Software updates over the wireless network using IT policies and content protection
The default values for the Default IT policy determine that only the BlackBerry Enterprise Server can send available updates and request a BlackBerry device to update the BlackBerry Device Software.
How a device validates a BlackBerry Device Software update over the wireless network
When a BlackBerry device receives a BlackBerry Device Software update from the BlackBerry Infrastructure, it verifies that the update is signed with an ECDSA key whose public key is shared by all devices that support BlackBerry Device Software updates over the wireless network. The device verifies the digital signature on that ECDSA key using a stored root certificate, so the chain of trust runs from the root certificate, through the update-signing key, to the update itself.
computer. To protect the cryptographic services data, the device encrypts the cryptographic services data using a BlackBerry services key. The device stores the BlackBerry services key in the NV store in flash memory. Neither the user nor third-party applications can access the location in the NV store where the device stores the BlackBerry services key.
Data flow: Backing up cryptographic services data using the BlackBerry Desktop Manager
1. A user connects a BlackBerry device to the BlackBerry Desktop Manager and selects the option to update the BlackBerry Device Software.
2. The BlackBerry Desktop Manager determines that cryptographic services data require backup during the update process. It sends the device a command to encrypt the cryptographic services data.
3.
15 Extending messaging security to a device
If your organization's messaging environment supports highly secure messaging technology such as PGP encryption or S/MIME encryption, you can configure the BlackBerry Enterprise Solution to encrypt a message using PGP encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry Enterprise Server forwards the message to the email applications of recipients.
PGP public keys and PGP private keys
The PGP Support Package for BlackBerry smartphones uses public key cryptography with PGP public keys and PGP private keys.
Key: PGP public key. Description: The PGP Support Package for BlackBerry smartphones uses the PGP public key of the recipient to encrypt outgoing email messages and the PGP public key of the sender to verify digital signatures on incoming email messages.
Encryption algorithms that the device supports for PGP encryption
When you turn on PGP encryption, the default value of the PGP Allowed Content Ciphers IT policy rule specifies that a BlackBerry device can use any of the following encryption algorithms to encrypt email messages and PIN messages: AES-256, AES-192, AES-128, CAST-128, or Triple DES-168. If your policy permits it, restrict the rule to the AES options; CAST-128 and Triple DES are 64-bit block ciphers and offer less margin than AES.
d sends the message that is encrypted using BlackBerry transport layer encryption and PGP encryption to the BlackBerry Enterprise Server
2. The BlackBerry Enterprise Server removes the BlackBerry transport layer encryption and sends the PGP encrypted message to the recipient.
Extending messaging security using S/MIME encryption
You can extend messaging security for the BlackBerry Enterprise Solution and permit a BlackBerry device user to send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device.
Item: S/MIME certificate. Description: When a user sends an email message or PIN message from a BlackBerry device, the device uses the S/MIME certificate of the recipient to encrypt the message. When a user receives a signed email message or signed PIN message on a device, the device uses the S/MIME certificate of the sender to verify the message signature.
• An S/MIME-enabled application did not use a weak algorithm to generate the digital signatures on the email messages that the device receives.
• The certificate chains for the certificates that an S/MIME-enabled application used to digitally sign email messages that the device receives do not contain hash values generated using a weak algorithm.
3. The recipient decrypts the S/MIME-encrypted message using the S/MIME private key or a password that the sender provides.
Data flow: Receiving an S/MIME-encrypted email message
If a recipient installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device decrypts incoming email messages.
1.
Extending messaging security using IBM Notes encryption
By default, if your organization's environment includes IBM Notes API version 7.0 or later and either BlackBerry Enterprise Server version 4.1 or later for IBM Domino or the BlackBerry Enterprise Server Express for IBM Domino 5.0 SP2 or later, a BlackBerry device can decrypt messages that are encrypted using Notes encryption.
How the BlackBerry Messaging Agent protects the password for an IBM Notes .id file
After a user imports an IBM Notes .id file and the password for the Notes .id file to the user's message database, the BlackBerry Messaging Agent encrypts the Notes .id file and password in the BlackBerry Messaging Agent memory cache using AES encryption and the device transport key. The BlackBerry Messaging Agent deletes the Notes .
4. The BlackBerry Messaging Agent on the BlackBerry Enterprise Server decrypts the cached password for the Notes .id file and validates the password that the device sent. If the BlackBerry Messaging Agent can verify the password, the BlackBerry Messaging Agent uses the password to encrypt the message using Notes encryption.
5.
Extending messaging security for attachments
The BlackBerry Enterprise Server supports attachments in PGP protected messages and S/MIME-protected messages. It also permits a BlackBerry device user to view encrypted attachments on a BlackBerry device. For PGP protected messages, the device supports OpenPGP format and PGP/MIME format. For S/MIME-protected messages, the device supports Triple DES, AES-128, AES-192 or AES-256.
Data flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
1. The BlackBerry device sends the message key and a request for the attachment data to the BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the attachment data that corresponds to the data in the attachment header.
c sends the email message to the BlackBerry Enterprise Server
3. The BlackBerry Enterprise Server sends the email to the recipient's inbox.
Data flow: Forwarding an S/MIME-protected email message that contains attachments that are not located on a device
On a BlackBerry device that is running BlackBerry 7 or later in a Microsoft Exchange environment, you can use the S/MIME Attachment Support IT policy rule.
c appends all of the attachments from the original message, any new message attachments, and the original message body to the new message
d if the user indicates that the new message must be signed, sends a Message Signature Request to the device, waits for a reply from the device, and adds the signature into the message
e if the user indicates that the new message must be encrypted, encrypts the full message
f sends the mess
16 Configuring two-factor authentication and protecting Bluetooth connections
BlackBerry Smart Card Reader
The BlackBerry Smart Card Reader is an accessory that, when used in proximity to a Bluetooth enabled BlackBerry device or a Bluetooth enabled computer, permits a user to authenticate with a smart card and log in to the BlackBerry device or computer.
• unlock the BlackBerry device and access BlackBerry services and PKI applications using two-factor authentication
• digitally sign and encrypt email messages and PIN messages using S/MIME encryption when the user installs the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device
• decrypt S/MIME-encrypted email messages and PIN messages
• import certificates that are stored
If the device is running BlackBerry Device Software version 3.6, the smart card information that the device displays when it prompts the user to insert the smart card into the BlackBerry Smart Card Reader is the only indication that a smart card is bound to the device. If the device is running BlackBerry Device Software version 4.
The User Authenticator API permits a developer to add a field to the password dialog box on the BlackBerry device for the authentication method. You can create as many two-factor authentication methods as the security policies of your organization require. BlackBerry Device Software versions 5.0 and later support the User Authenticator API.
d stores the encrypted content protection key and encrypted ECC private keys in the device memory
e generates a 256-bit pseudorandom number
f computes the SHA-256 hash of the pseudorandom number and uses it to encrypt the symmetric key for the smart card authenticator, and stores the symmetric key for the smart card authenticator in the device memory
g encrypts the pseudorandom number using the pu
Protecting Bluetooth connections on a device
Bluetooth wireless technology permits a Bluetooth enabled BlackBerry device to open a wireless connection with other Bluetooth devices that are within a 10-meter range (for example, a hands-free car kit or wireless headset).
17 Wi-Fi enabled devices
Wi-Fi enabled BlackBerry devices permit users with qualifying data plans to access BlackBerry services over a mobile network, Wi-Fi network, or both networks simultaneously. When users can access a mobile network and Wi-Fi network simultaneously, users can perform multiple tasks over both networks.
permit VPN connections through the firewall.
Type: home Wi-Fi network. Description: You can configure a home Wi-Fi network with layer 2 security and password authentication. You must configure BlackBerry devices to support the authentication that the home Wi-Fi network requires. A home Wi-Fi network permits users to access all BlackBerry services from Wi-Fi enabled BlackBerry devices using the BlackBerry Infrastructure.
You can verify with your organization's wireless service provider that your organization's service plan supports access to BlackBerry services over a Wi-Fi connection.
Feature: Encrypted communication over the Wi-Fi network. Description: Devices support multiple security methods that are designed to encrypt communication over the enterprise Wi-Fi network between the device and wireless access points or a network firewall on the enterprise Wi-Fi network.
Protecting a connection between a Wi-Fi enabled device and an enterprise Wi-Fi network
A Wi-Fi enabled BlackBerry device is designed to connect to enterprise Wi-Fi networks that use the IEEE® 802.11® standard. The IEEE 802.11i standard uses the IEEE 802.1X standard for authentication and key management to protect enterprise Wi-Fi networks. The IEEE 802.11i standard specifies that organizations must use the PSK protocol or the IEEE 802.
How an SSL connection between a Wi-Fi enabled device and the BlackBerry Infrastructure protects data
An SSL connection between a Wi-Fi enabled BlackBerry device and the BlackBerry Infrastructure is designed to provide the same protection that an SRP connection between the BlackBerry Enterprise Server and BlackBerry Infrastructure provides.
• SSL_DHE_RSA_WITH_DES_CBC_SHA
• SSL_DH_anon_WITH_RC4_128_MD5
• SSL_DHE_DSS_WITH_DES_CBC_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_DH_anon_WITH_DES_CBC_SHA
• SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
• SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
The device supports the following cipher suites
• TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
• TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
• TLS_DH_anon_WITH_DES_CBC_SHA
• TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
• TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Every suite in these two lists is either anonymous (no server authentication), export-grade (40-bit keys), or built on single DES, RC4, or HMAC-MD5. Supported is not the same as safe: disable them on the server side and leave only authenticated AES suites negotiable.
Managing how a device connects to an enterprise Wi-Fi network
To manage how a Wi-Fi enabled BlackBerry device connects to an enterprise Wi-Fi network, you can use IT administration commands, IT policy rules, and configuratio
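Reading a list like the one above by eye is error-prone, so here is an added example (not from the BlackBerry documentation) that audits cipher suite names mechanically. It flags the properties a practitioner cares about: anonymous key exchange, export-grade key sizes, single DES, 3DES, RC4, HMAC-MD5, and SSL 3.0-era suite names. The suite list is copied from the two lists above; the one "good" suite used for comparison is a constructed example, and the wording of the findings is my own.

```python
"""Audit SSL/TLS cipher suite names for known-weak properties.

Added illustration, not BlackBerry code. PAGE_SUITES is copied from the
lists above; GOOD_SUITE is a constructed comparison value.
"""
import re
from typing import Dict, List

PAGE_SUITES = [
    "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_anon_WITH_DES_CBC_SHA",
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
]

GOOD_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"   # constructed comparison value

# "_WITH_DES_" must not match the "3DES" suites, which get their own finding.
SINGLE_DES = re.compile(r"_WITH_DES_|DES40")


def weaknesses(suite: str) -> List[str]:
    """Return the list of weak properties found in an IANA-style suite name."""
    problems = []
    if "_anon_" in suite:
        problems.append("anonymous key exchange: no server authentication, trivially intercepted")
    if "_EXPORT_" in suite:
        problems.append("export-grade: 40-bit symmetric key and/or 512-bit RSA/DH")
    if SINGLE_DES.search(suite):
        problems.append("single DES: 56-bit (or 40-bit) key, brute-forceable")
    if "3DES" in suite:
        problems.append("3DES: 64-bit block size, birthday-bound collisions on long sessions (Sweet32)")
    if "RC4" in suite:
        problems.append("RC4: keystream biases, prohibited for TLS by RFC 7465")
    if suite.endswith("_MD5"):
        problems.append("HMAC-MD5 record authentication")
    if suite.startswith("SSL_"):
        problems.append("SSL 3.0 suite name; SSL 3.0 is deprecated by RFC 7568")
    return problems


def audit(suites: List[str]) -> Dict[str, List[str]]:
    """Map each suite to its findings (empty list means no known-weak property)."""
    return {suite: weaknesses(suite) for suite in suites}


def acceptable(suites: List[str]) -> List[str]:
    """The subset of suites with no findings, i.e. a candidate allowlist."""
    return [suite for suite in suites if not weaknesses(suite)]


if __name__ == "__main__":
    for suite, findings in audit(PAGE_SUITES + [GOOD_SUITE]).items():
        print(suite, "->", "; ".join(findings) or "ok")
    print("acceptable from the page's list:", acceptable(PAGE_SUITES))
```

Run it against the server's configured suite list rather than the client's: the device will accept whatever the server offers, so the fix lives on the server side.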
Using a VPN with a device
If your organization's environment includes VPNs, such as an IPSec VPN, you can configure a Wi-Fi enabled BlackBerry device to authenticate with the VPN so that it can access your organization's network. A VPN provides an encrypted tunnel between a device and your organization's network. A VPN solution consists of a VPN client on the device and a VPN concentrator.
Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN
When a Wi-Fi enabled BlackBerry device connects to an enterprise Wi-Fi network that uses a VPN, the device might permit the VPN concentrator to send data directly to a BlackBerry Enterprise Server over your organization's network. The VPN concentrator sends data over port 4101.
UI setting (gateway columns: Cisco VPN 3000 Series Concentrator, VPN1 Power, VPN Firewall Brick, Secure Computing Sidewinder, Symantec Raptor Firewall, NetScreen, Nortel Networks Contivity)
XAuth Credential: Enable Extended Authentication: X
Gateway Auth (PKI): Client Certificate: X X X X
Gateway Auth (PKI): CA Certificate: X X X X
DNS Config: Dynamically determine DNS: X X X X X X
External Network: Subnet IP address 1: X
External Network: Subne
Supported configurations for the Cisco VPN 3000 Series Concentrator
The following table describes the configurations that BlackBerry 7.1 supports for the Cisco VPN 3000 Series Concentrator.
Configuration setting (columns: Configuration 1, Configuration 2, Configuration 3, Configuration 4)
Gateway Credential (PSK): Password (Group Password): X X
XAuth Credential (PSK): Username: X X
XAuth Credential (PSK): Password: X X
XAuth Credential: Enable Extended Authentication: X X
Gateway Auth (PKI): Client Certificate: X X
Gateway Auth (PKI): CA Certificate: X X
DNS Config: Dynamically determine DNS: X X X X
IKE: DH Group: Group 1, 2, 5 Group
Configuration setting (columns: Configuration 1, Configuration 2)
Gateway Credential (PSK): Password (Group Password): X X
XAuth Credential (PSK): Username: X
XAuth Credential (PSK): Password: X
XAuth Credential: Enable Extended Authentication: X
DNS Config: Dynamically determine DNS: X X
IKE: DH Group: Group 1 | Group 1, 2, 5
IKE: Cipher: 3DES | DES, 3DES, AES128, AES192, AES256
IKE: Hash: HMAC MD5 | HMAC MD5, HMAC SHA1
IPSec: Crypto and Hash Suite: 3DES-MD
Where the gateway offers the choice, prefer DH Group 5 over Group 1, the AES ciphers over DES and 3DES, and HMAC SHA1 over HMAC MD5; DES and 768-bit Group 1 are within reach of a well-resourced attacker.
Configuration setting (column: Configuration 1)
IKE: Cipher: 3DES
IKE: Hash: HMAC MD5
IPSec: Crypto and Hash Suite: 3DES-MD5
NAT timeout: Default
Supported configurations for Nortel Networks Contivity
The following table describes the configurations that BlackBerry 7.1 supports for Nortel Networks Contivity.
Wi-Fi network or Wi-Fi hotspot. After the BlackBerry device connects to the enterprise Wi-Fi network or Wi-Fi hotspot, the user can browse to an HTML login page for a web site that permits the enterprise Wi-Fi network or Wi-Fi hotspot to authenticate the BlackBerry device before the BlackBerry device can access the web site.
Data flow: Generating a token code for a software token
1. An RSA administrator uses the RSA Authentication Manager to import a seed as a soft token file in .asc format to a software token database and issue the software token file in .sdtid format.
Layer 2 security methods that a device supports
You can configure a Wi-Fi enabled BlackBerry device to use security methods for layer 2 (also known as the IEEE 802.11 link layer) so that the device can authenticate with a wireless access point and the device and access point can encrypt data that they send between each other.
Security Technical Overview Wi-Fi enabled devices For more information about configuring WEP encryption, see the BlackBerry Enterprise Server Administration Guide. WPA authentication The IEEE 802.1X standard specifies the WPA protocol as an access control method for work Wi-Fi networks. You can also use WPA authentication in small-office environments and home environments where you cannot configure server-based authentication.
18 IEEE 802.1X standard
The IEEE 802.1X standard defines a generic authentication framework that a Wi-Fi enabled BlackBerry device and an enterprise Wi-Fi network can use for authentication. The EAP framework that the IEEE 802.1X standard uses for authentication is specified in RFC 3748. The device supports EAP authentication methods that meet the requirements of RFC 4017, which lists what a method must provide before it is fit for a wireless LAN: mutual authentication, generation of keying material for the link-layer cipher, and resistance to dictionary and man-in-the-middle attacks.
Data flow: Authenticating a Wi-Fi enabled device with a work Wi-Fi network using the IEEE 802.1X standard
If you configured a wireless access point to use the IEEE 802.1X standard, the access point passes only EAP traffic from the device until the authentication completes (the controlled port stays closed to everything else). This process flow assumes that you configured a Wi-Fi enabled BlackBerry device to use an EAP authentication method to communicate with the access point.
1.
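The exchange described above in code, as an added example that is not part of this document or of the BlackBerry software: it builds and parses EAP packets in the RFC 3748 wire format and runs a negotiation in which the authentication server first offers MD5-Challenge, a method that does not meet RFC 4017, and the device refuses it with a Nak that names EAP-TLS. The server-side policy, the identity string and the set of methods the device accepts are assumptions for the example; the EAP-TLS handshake itself is out of scope, so the exchange stops at the EAP-TLS Start message.

```python
import struct

# EAP codes (RFC 3748 section 4)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# Method types: RFC 3748 section 5; EAP-TLS (RFC 5216), EAP-TTLS (RFC 5281), PEAP
IDENTITY, NOTIFICATION, NAK, MD5_CHALLENGE = 1, 2, 3, 4
EAP_TLS, EAP_TTLS, PEAP = 13, 21, 25
TLS_FLAG_START = 0x20  # S bit of the EAP-TLS/PEAP flags byte


def build_eap(code, ident, method=None, data=b""):
    """Serialise one EAP packet; Length covers the 4-byte header plus payload."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(pkt):
    """Parse an EAP packet, enforcing the header and Length rules of RFC 3748."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    payload = pkt[4:length]  # bytes beyond Length are padding and are ignored
    if code in (SUCCESS, FAILURE):
        return {"code": code, "id": ident}
    if code not in (REQUEST, RESPONSE) or not payload:
        raise ValueError("Request/Response must carry a Type byte")
    return {"code": code, "id": ident, "type": payload[0], "data": payload[1:]}


def method_start_data(method):
    """Type-Data of the server's first Request for `method` (constructed values)."""
    if method == MD5_CHALLENGE:  # RFC 3748 5.4: Value-Size, then the challenge
        return bytes([16]) + bytes(range(16))
    return bytes([TLS_FLAG_START])  # EAP-TLS and PEAP begin with a Start flag


class Supplicant:
    """Device side. Only methods in `acceptable` (assumption: the set this
    deployment judged to satisfy RFC 4017) are answered; others get a Nak."""

    def __init__(self, identity, acceptable=(EAP_TLS,)):
        self.identity = identity
        self.acceptable = tuple(acceptable)
        self.last_id = None
        self.negotiated = None

    def handle(self, raw):
        req = parse_eap(raw)
        if req["code"] != REQUEST:
            return None  # Success/Failure end the conversation; nothing to send
        if req["id"] == self.last_id:
            return None  # retransmitted Request: never answer the same id twice
        self.last_id = req["id"]
        if req["type"] == IDENTITY:
            return build_eap(RESPONSE, req["id"], IDENTITY, self.identity.encode())
        if req["type"] == NOTIFICATION:  # RFC 3748 5.2: acknowledge, empty data
            return build_eap(RESPONSE, req["id"], NOTIFICATION)
        if req["type"] in self.acceptable:
            self.negotiated = req["type"]
            # Real code hands req["data"] to the TLS engine; an empty fragment
            # acknowledges the Start without pretending to run TLS here.
            return build_eap(RESPONSE, req["id"], req["type"], b"\x00")
        # RFC 3748 5.3: a Nak lists the method types the peer is willing to use
        return build_eap(RESPONSE, req["id"], NAK, bytes(self.acceptable))


def authenticator_exchange(supplicant, first_method=MD5_CHALLENGE,
                           supported=(MD5_CHALLENGE, EAP_TLS, PEAP)):
    """Authentication-server side (assumed policy): learn the identity, offer
    `first_method`, honour a Nak naming a method in `supported`, else Failure.
    Returns (peer identity, negotiated method or None, transcript)."""
    transcript, ident = [], 0

    def send(pkt):
        transcript.append(("AS->device", parse_eap(pkt)))
        resp = supplicant.handle(pkt)
        if resp is None:
            return None
        transcript.append(("device->AS", parse_eap(resp)))
        return transcript[-1][1]

    ident += 1
    peer = send(build_eap(REQUEST, ident, IDENTITY))["data"].decode()
    ident += 1
    reply = send(build_eap(REQUEST, ident, first_method, method_start_data(first_method)))
    method = first_method
    if reply["type"] == NAK:
        wanted = [t for t in reply["data"] if t in supported]
        if not wanted:
            ident += 1
            send(build_eap(FAILURE, ident))
            return peer, None, transcript
        method = wanted[0]
        ident += 1
        send(build_eap(REQUEST, ident, method, method_start_data(method)))
    return peer, method, transcript


if __name__ == "__main__":
    who, chosen, log = authenticator_exchange(Supplicant("user@example.com"))
    for direction, pkt in log:
        print(direction, pkt)
    print("peer:", who, "negotiated method:", chosen)
```

Two details carry the security weight: the supplicant answers a Request only once per Identifier, which is what stops a replayed Request from eliciting a second Response, and it never agrees to a method outside its acceptable set, so a rogue access point cannot downgrade the device to a method that leaks a password-equivalent. The server policy is the other half of the same control; if its `supported` set still contains weak methods, a device that accepts them will get them.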
EAP authentication methods that a Wi-Fi enabled device supports
LEAP authentication
LEAP authentication is designed to improve on static WEP. You can use LEAP to authenticate a Wi-Fi enabled BlackBerry device with a work Wi-Fi network, generate WEP encryption keys that are unique to the device, and configure the work Wi-Fi network to update the WEP encryption keys automatically during a session with the device. LEAP's password exchange is based on MS-CHAP and can be attacked offline by anyone who captures it, and the keys it rotates are still WEP keys; treat it as a legacy method and prefer EAP-TLS or PEAP where the network supports them.
EAP-TLS authentication
The device supports EAP-TLS authentication when the authentication server and the client use certificates that meet specific requirements for authentication. To configure EAP-TLS, you must install on the device a client certificate (with its private key) and the root certificate of the CA that issued the authentication server's certificate, so that the device can verify the server before it presents its own credentials. For more information, see the BlackBerry Enterprise Server Administration Guide.
Encryption keys that a Wi-Fi enabled device supports for use with layer 2 security methods
A Wi-Fi enabled BlackBerry device supports AES-CCMP encryption keys, TKIP encryption keys, and WEP encryption keys. Of these, only AES-CCMP is still considered sound; WEP is broken and TKIP is deprecated in the IEEE 802.11 standard, so use them only where an access point cannot be upgraded.
Using certificates with PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication
If your organization uses PEAP, EAP-TLS, or EAP-TTLS authentication to protect the wireless access points for its work Wi-Fi network, a Wi-Fi enabled BlackBerry device must authenticate mutually with an access point using an authentication server: the device verifies the server's certificate against a CA certificate installed on the device, and the server verifies the device's certificate (EAP-TLS) or the credentials sent inside the TLS tunnel (PEAP, EAP-TTLS).
19 Controlling applications on a device
Creating an application for a smartphone
An application developer can create an application for BlackBerry smartphones using a variety of developer tools.
For more information about using IT policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Policy Reference Guide.
Specifying the resources that applications can access on a device
You can specify which applications a BlackBerry device user can download and install on a BlackBerry device and the resources on the device that the applications can access.
"Not permitted", a game that is installed on a smartphone may not be able to send high scores back to a central server, because the game is not permitted to access the Internet. You can assign application control policies to software configurations so that the BlackBerry Enterprise Server limits application behavior for the subset of user accounts that you assign the software configuration to.
Permission: Internet
Category: Connections
Default setting: Prompt (BlackBerry Device Software 6.0 and earlier); Allow (BlackBerry 7 and later)
Description: A user can set whether applications can access the Internet through a wireless service provider (for example, using a direct Internet connection or WAP gateway).

Permission: Wi-Fi
Category: Connections
Default setting: Prompt (BlackBerry Device Software 6.0 and earlier)

Permission: Recording
Category: Interactions
Default setting: Prompt
Description: A user can set whether applications can take screen shots of the smartphone screen or use other applications on the smartphone to take pictures or recordings.

Permission: Security Timer Reset
Category: Interactions
Default setting: Deny
Description: A user can set whether applications can reset the duration that the smartphone remains unlocked after the user stops using it. An application granted this permission can keep the smartphone unlocked indefinitely, which is why the default is Deny.
Application permissions for applications that users install as trusted applications on a smartphone
Some applications that a user installs on a BlackBerry smartphone prompt the user to install the application as a trusted application.
Permitting an application to encode data on a smartphone
A developer can use the Transcoder API to create an encoding scheme for data that a BlackBerry Enterprise Server and BlackBerry smartphone send between each other. The Transcoder API is part of the BlackBerry Java SDK.
Removing add-on applications from a device
You can create a software configuration to remove all add-on applications that are preloaded on a BlackBerry device. You can also create an allowed list of applications: create a software configuration that lists the permitted applications and set the disposition for unlisted applications to Disallowed, so that anything not on the list is denied by default.
• Prompt user: the device displays a message that gives the user the option to Allow or Deny the application's request to access NFC features on the device. The user can set the Near Field Communication permission to Prompt or Deny in the Application Management options on the device.
For descriptions of application control policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.
20 RIM Cryptographic API
The RIM Cryptographic API that is on a BlackBerry device and in the BlackBerry Java Development Environment is a Java interface that provides encryption algorithms, key agreement schemes, signature scheme algorithms, key generation algorithms, message authentication codes, cipher suites, message digests, and hash codes.

Algorithm: Key length (bits)
RC5: 0 to 2040
Skipjack: 80
Triple DES: 112 and 168

Stream encryption algorithms that the RIM Cryptographic API supports
The RIM Cryptographic API supports the ARC4 algorithm, with an unlimited key length, as the symmetric stream encryption algorithm. It supports the ECIES algorithm, with an unlimited key length (160 bits to 571 bits for seeding), as the asymmetric stream encryption algorithm.

Key agreement schemes that the RIM Cryptographic API supports
Algorithm: Key length (bits): Type
ECDH: 160 to 571: (Elliptic Curve) discrete logarithm
ECMQV: 160 to 571: (Elliptic Curve) discrete logarithm
KEA: 1024: discrete logarithm

Signature scheme algorithms that the RIM Cryptographic API supports
If the signature scheme algorithm that a developer wants to use is the RSA algorithm using ANSI X9.31, ANSI X9.

Message authentication codes that the RIM Cryptographic API supports
Code: Key length (bits)
CBC-MAC: variable (block cipher key length)
HMAC: variable

Message digest codes that the RIM Cryptographic API supports
Code: Digest length (bits)
MD2: 128
MD4: 128
MD5: 128
RIPEMD: 128, 160
SHA: 160, 224, 256, 384, 512

The API exposes these algorithms for interoperability; MD2, MD4 and MD5 are no longer collision resistant, DES, Skipjack and ARC4 offer too little security margin for new designs, and raw CBC-MAC is secure only for messages of one fixed length, so new code should use AES or Triple DES with 168-bit keys, SHA-2 digests and HMAC.

TLS and WTLS protocols that the RIM Cryptographic API supports
The RIM Cryptographic API supports the cipher suite components for the TLS
Cipher suites for the key establishment algorithm that the RIM Cryptographic API supports
Direct mode SSL: DH_anon, DH_anon_EXPORT, DHE_DSS, DHE_DSS_EXPORT, RSA, RSA_EXPORT
Direct mode TLS: DH_anon, DH_anon_EXPORT, DHE_DSS, DHE_DSS_EXPORT, RSA, RSA_EXPORT
WTLS: RSA_768, DH_anon, DH_anon_512, DH_anon_768, RSA_anon_512, RSA_512, RSA_anon_768, RSA, RSA_anon

Symmetric algorithms that the RIM Cryptographic API supports
Direct mode SSL / Direct mode TLS / WTLS

Hash algorithms that the RIM Cryptographic API supports
Direct mode SSL: MD5, SHA-1
Direct mode TLS: MD5, SHA-1
WTLS: SHA, SHA-40, SHA-80, MD5, MD5-40, MD5-80

The anonymous suites (DH_anon, RSA_anon) authenticate neither party, so a connection that negotiates one can be intercepted silently, and the _EXPORT, _512 and _768 suites use key sizes that are breakable today; configure applications to negotiate only the RSA and DHE_DSS suites, with SHA-1 rather than MD5 or a truncated hash.

Limitations of RIM Cryptographic API support for cipher suites for the key establishment algorithm
The RIM Cryptographic API implementation of the TLS protocol and WTLS protocol supports the use of the RSA public key algorithm, DSA public key algorithm, and Diffie-Hellman key exchange algorithm, w
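The message authentication code table above lists both CBC-MAC and HMAC. The difference matters when message lengths vary: raw CBC-MAC is secure only for messages of one fixed length, and anyone holding two valid tags can forge a third without the key. The following added example (not BlackBerry code; the block cipher is a SHA-256 based stand-in, and the key and messages are constructed) carries out that forgery and shows two fixes, a length-prepended CBC-MAC and HMAC-SHA-256:

```python
import hashlib
import hmac

BLOCK = 16


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block under `key` (assumption:
    a keyed pseudo-random function is enough, CBC-MAC never decrypts)."""
    assert len(block) == BLOCK
    return hashlib.sha256(b"E|" + key + b"|" + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: zero IV, no length encoding, last ciphertext block is the tag.
    Secure only when every message has the same, fixed number of blocks."""
    if len(msg) == 0 or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of the block size")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = block_cipher(key, xor(state, msg[i:i + BLOCK]))
    return state


def forge_two_block(m1: bytes, tag1: bytes, m2: bytes, tag2: bytes):
    """Given valid tags on two one-block messages, return a two-block message
    and a tag that verifies, without the key:
    CBC-MAC(m1 || (m2 XOR tag1)) = E(m2 XOR tag1 XOR E(m1)) = E(m2) = tag2."""
    return m1 + xor(m2, tag1), tag2


def cbc_mac_length_prepended(key: bytes, msg: bytes) -> bytes:
    """Fix 1: encode the message length in the first block, so messages of
    different lengths never share a CBC chain prefix."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """Fix 2 (preferred): HMAC-SHA-256 is defined for any message length."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(tag_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison; `tag_fn` is one of the MACs above."""
    return hmac.compare_digest(tag_fn(key, msg), tag)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    m1, m2 = b"transfer 100 USD", b"to account 12345"       # 16 bytes each
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)             # tags the attacker saw
    forged_msg, forged_tag = forge_two_block(m1, t1, m2, t2)
    print("raw CBC-MAC accepts forgery:", verify(cbc_mac, key, forged_msg, forged_tag))
    print("length-prepended accepts:   ", verify(cbc_mac_length_prepended, key, forged_msg, forged_tag))
    print("HMAC accepts:               ", verify(hmac_tag, key, forged_msg, forged_tag))
```

The forged message is the first block of one authenticated message followed by a block that looks like noise, which is exactly the kind of input a parser that trusts the tag will pass along. The length-prepended variant closes this particular hole but still leaves CBC-MAC sensitive to implementation details (IV handling, padding, truncation); HMAC with a SHA-2 digest is the safer default wherever the API offers it.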
21 Related resources
Resource: BlackBerry Enterprise Server Feature and Technical Overview
Information: • understanding BlackBerry Enterprise Server architecture
Resource: BlackBerry Enterprise Server Installation Guide
Information: • understanding system requirements • performing preinstallation tasks • installing the BlackBerry Enterprise Server • generating and changing device transport keys • configuring extended messaging encryption • managing security • prot
Resource: BlackBerry Java Development Environment Development Guide
Information: • using controlled APIs • using code signatures
Resource: BlackBerry Smart Card Reader Security Technical Overview
Resource: Enforcing Encryption of Internal and External File Systems on BlackBerry Devices Technical Overview
Resource: Erasing File Systems on BlackBerry Devices Technical Overview
Resource: PGP Support Package for BlackBerry Devices Security Technical Overview
Resource: Protecting the BlackBerry Device Pl
Resource: www.blackberry.
22 Glossary
3GPP: Third Generation Partnership Project
Advanced Security SD card: An Advanced Security SD card is a media card that complies with the Advanced Security SD Extension Specification that the SD Association developed. BlackBerry devices support only microSD cards that use the MCEX security system.
BlackBerry MVS: BlackBerry Mobile Voice System
BlackBerry transport layer encryption: BlackBerry transport layer encryption (formerly known as standard BlackBerry encryption) uses a symmetric key encryption algorithm to help protect data that is in transit between a BlackBerry device and the BlackBerry® Enterprise Server when the data is outside an organization's firewall.
DRBG: deterministic random bit generator
DSA: Digital Signature Algorithm
DSML: Directory Service Markup Language
DSML-enabled server: A BlackBerry device uses a DSML-enabled server to search for and download certificates.
flash memory: The flash memory is an internal file system on a BlackBerry device that stores application data and user data.
GAN: generic access network
GANC: generic access network controller
global PIN encryption key: The global PIN encryption key is a key that is added to all BlackBerry devices during the manufacturing process. The global PIN encryption key permits devices to encrypt, decrypt, and authenticate PIN messages that are exchanged between devices. Because every device holds the same key, PIN messages are protected from third parties but not from other BlackBerry devices; treat them as scrambled rather than confidential.
IT policy public key: The IT policy public key is a key that a BlackBerry device uses to authenticate the IT policy that the BlackBerry Enterprise Server sends.
IT policy rule: An IT policy rule permits you to customize and control the actions that BlackBerry smartphones, BlackBerry PlayBook tablets, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager can perform.
OAEP: Optimal Asymmetric Encryption Padding
OCSP: Online Certificate Status Protocol
OFB: output feedback
PAC: proxy auto-configuration
PBX: Private Branch Exchange
PEAP: Protected Extensible Authentication Protocol
PFS: Perfect Forward Secrecy
persistent store in flash memory: The persistent store in flash memory stores data for a BlackBerry device. By default, third-party applications cannot access the persistent store.
S/MIME: Secure Multipurpose Internet Mail Extensions
SEMA: Simple Electromagnetic Analysis
SHA: Secure Hash Algorithm
SIM: Subscriber Identity Module
SMS: Short Message Service
SMTP: Simple Mail Transfer Protocol
SPA: Simple Power Analysis
SPEKE: Simple Password-authenticated Exponential Key Exchange
SRP: Server Routing Protocol
SRP authentication: SRP authentication is an authentication method that the BlackBerry Enterprise Server and BlackBerry Infrastructur
WTLS: Wireless Transport Layer Security
23 Legal notice
©2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. 3GPP is a trademark of European Telecommunications Standards Institute (ETSI). Bluetooth is a trademark of Bluetooth SIG. ANSI is a trademark of the American National Standards Institute.
QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE.
Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired.