User guide

computer. To protect the cryptographic services data, the device encrypts the cryptographic services data using a
BlackBerry services key.
The device stores the BlackBerry services key in the NV store in flash memory. Neither the user nor third-party applications
can access the location in the NV store where the device stores the BlackBerry services key. If you or a user turns on
content protection, the device also encrypts the BlackBerry services key using the content protection key.
After the device encrypts the cryptographic services data, the BlackBerry Desktop Manager or BlackBerry Application Web
Loader backs up the encrypted cryptographic services data to a database and stores the database on the user’s computer
as an .ipd file.
When the update process completes, the BlackBerry Desktop Manager or BlackBerry Application Web Loader restores the
cryptographic services data to the device. Only the device that encrypted the cryptographic services data can decrypt the
cryptographic services data. The device can decrypt the cryptographic services data only once. The device deletes the
BlackBerry services key from the NV store after the device decrypts the cryptographic services data.
The BlackBerry Enterprise Solution does not back up or restore cryptographic services data except during the BlackBerry
Device Software update process from an update web site. When the user backs up or restores device data by selecting the
backup and restore options in the BlackBerry Desktop Manager, the backup and restore processes do not access
cryptographic services data.
Data flow: Generating a BlackBerry services key that protects cryptographic services data
The BlackBerry device uses an ephemeral AES-256 encryption key (called the BlackBerry services key) to encrypt the
cryptographic services data. To generate the BlackBerry services key, the device performs the following actions:
1. generates a random password from a random source of 32 bytes
2. generates a random salt from a random source of 8 bytes
3. concatenates the salt, password, and salt again into a byte array (for example, Salt|Password|Salt)
4. hashes the byte array using SHA-256
5. stores the resulting hash in a byte array that is called a key
   key = SHA256(Salt|Password|Salt)
6. hashes the key 18 more times and stores the result in a key each time
   For example, for i=0 to 18, the device performs the following actions:
   key = SHA256(key)
   i++
   done
   The final hash creates the BlackBerry services key.
7. stores the BlackBerry services key in a location of the NV store that third-party applications and the user cannot access
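The derivation in steps 1 to 7 written out as runnable Python. This is an added illustration, not code from the BlackBerry Device Software or from this document. It assumes os.urandom as the random source (the document does not name the device's RNG), reads step 6 as 18 hash rounds after the first digest (the loop shown on the page is inclusive-ambiguous, so the count is a parameter), and models the NV-store slot as a toy object that hands the key back once and then wipes it, matching the "decrypt only once" and "deletes the BlackBerry services key" statements above. Sample inputs in the usage section are constructed.

```python
import hashlib
import os
from typing import Optional, Tuple

PASSWORD_LEN = 32   # step 1: 32 random bytes
SALT_LEN = 8        # step 2: 8 random bytes
EXTRA_ROUNDS = 18   # step 6: rehash the first digest 18 more times


def derive_services_key(password: bytes, salt: bytes,
                        extra_rounds: int = EXTRA_ROUNDS) -> bytes:
    """Steps 3 to 6: key = SHA256(Salt|Password|Salt), then key = SHA256(key)
    repeated extra_rounds times. The 32-byte digest is the AES-256 key."""
    if len(password) != PASSWORD_LEN or len(salt) != SALT_LEN:
        raise ValueError("password must be 32 bytes and salt 8 bytes")
    key = hashlib.sha256(salt + password + salt).digest()   # steps 3 to 5
    for _ in range(extra_rounds):                             # step 6
        key = hashlib.sha256(key).digest()
    return key


def generate_services_key() -> Tuple[bytes, bytes, bytes]:
    """Steps 1 and 2 with os.urandom standing in for the device's random
    source (assumption: the document does not name the RNG)."""
    password = os.urandom(PASSWORD_LEN)
    salt = os.urandom(SALT_LEN)
    return password, salt, derive_services_key(password, salt)


class OneTimeKeySlot:
    """Toy model of the protected NV-store location (step 7): the key can be
    read back exactly once, after which the slot holds nothing. This mirrors
    the one-time decrypt followed by deletion of the key described above."""

    def __init__(self) -> None:
        self._key: Optional[bytes] = None

    def store(self, key: bytes) -> None:
        self._key = key

    def take(self) -> Optional[bytes]:
        key, self._key = self._key, None   # wipe on first read
        return key


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real device.
    pw = bytes(range(32))
    salt = b"\x00" * 8
    key = derive_services_key(pw, salt)
    print("services key:", key.hex())

    slot = OneTimeKeySlot()
    slot.store(key)
    print("first read :", slot.take() is not None)
    print("second read:", slot.take())
```

Note that with a 32-byte random password the strength of the resulting key already comes from the 256 bits of randomness in step 1; the 18 extra SHA-256 rounds add negligible work for an attacker and are not a password-stretching measure. The protection described on the page therefore rests on the quality of the device's random source and on keeping the NV-store location unreadable, not on the iteration count.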
Security Technical Overview Protecting BlackBerry Device Software updates
114