User guide

Data flow: Turning on content protection using a BlackBerry Enterprise Server
You can turn on content protection using a BlackBerry Enterprise Server when you configure the Content Protection Strength IT policy rule.
1. The BlackBerry Enterprise Server performs the following actions:
a. selects b randomly
b. calculates B = bP
c. stores b in the BlackBerry Configuration Database
d. sends B in the IT policy to the BlackBerry device
2. The device performs the following actions:
a. verifies that B is a valid public key
b. selects d randomly
c. calculates D = dP
d. stores D in flash memory
e. calculates K = dB
f. uses K to encrypt the current device password
g. uses the encrypted device password to encrypt the content protection key
h. permanently deletes d and K
When the device permanently deletes d, the device is designed so that a potentially malicious user cannot use the data that remains on the device to recover K. Only the BlackBerry Enterprise Server knows b, so only it can recalculate K = dB = dbP = bD, provided that it is given D. The BlackBerry Enterprise Solution uses K when it resets the device password while content protection is turned on.
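The key agreement in this data flow, as an added example that is not BlackBerry's code: it models steps 1a to 1d on the server side and 2a to 2h on the device with Go's standard crypto/ecdh package, and assumes P-256 and Go's uncompressed point encoding, since the page names neither the curve nor how B and D are encoded.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
)

// P-256 and Go's uncompressed point encoding are assumptions; the page names neither.
var curve = ecdh.P256()

// Server models the BlackBerry Enterprise Server: b stays in its database, only B leaves.
type Server struct{ b *ecdh.PrivateKey }

// NewServer performs steps 1a to 1c: pick b at random, compute B = bP, keep b.
func NewServer() (*Server, error) {
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{b: b}, nil
}

// PublicKeyBytes is B as sent to the device inside the IT policy (step 1d).
func (s *Server) PublicKeyBytes() []byte { return s.b.PublicKey().Bytes() }

// RecoverK recomputes K = bD from the D the device kept in flash memory.
func (s *Server) RecoverK(dBytes []byte) ([]byte, error) {
	D, err := curve.NewPublicKey(dBytes) // same validity check the device applies to B
	if err != nil {
		return nil, err
	}
	return s.b.ECDH(D)
}

// DeviceTurnOn performs steps 2a to 2h: it returns D (for flash) and K (used once
// to encrypt the device password); d is never returned or stored.
func DeviceTurnOn(bBytes []byte) (dBytes, K []byte, err error) {
	B, err := curve.NewPublicKey(bBytes) // 2a: rejects malformed or off-curve B
	if err != nil {
		return nil, nil, err
	}
	d, err := curve.GenerateKey(rand.Reader) // 2b, 2c: d and D = dP
	if err != nil {
		return nil, nil, err
	}
	K, err = d.ECDH(B) // 2e: K = dB
	if err != nil {
		return nil, nil, err
	}
	// 2h: d goes out of scope here; real firmware must also wipe it from memory.
	return d.PublicKey().Bytes(), K, nil
}
```

Because the device keeps only D, the server is the only party that can rebuild K afterwards, which is exactly the property the paragraph above relies on.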
Data flow: Generating a content protection key on a device
When you or a BlackBerry device user turns on content protection on the device for the first time, the device performs the following actions:
1. Uses a DRBG function to generate a content protection key (if the device is not operating in FIPS mode, the device uses a DSA PRNG function)
2. Generates an ECC key pair with a bit length that you or the user determines
Security Technical Overview Keys on a device