User guide

Principal encryption keys
When you or a user turns on content protection for device transport keys, a BlackBerry device generates a principal
encryption key and stores an encrypted copy of it in flash memory. The device uses the principal encryption key to encrypt
the device transport keys that are stored in flash memory and the PIN encryption key that is specific to your organization.
The device encrypts the principal encryption key itself with the content protection key. When the device receives data
that was encrypted with a device transport key while the device is locked, the device uses the principal encryption key to
decrypt the device transport key that is stored in flash memory.
Data flow: Generating a principal encryption key
When you or a user turns on content protection for device transport keys on a BlackBerry device for the first time, the
device performs the following actions:
1. generates a principal encryption key, which is an AES-256 encryption key
2. stores the decrypted principal encryption key in RAM
3. uses the existing content protection key to encrypt the principal encryption key
4. stores the encrypted principal encryption key in flash memory
When the device locks, the device uses the decrypted principal encryption key to encrypt the device transport keys that are
stored in the flash memory of the device.
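The key hierarchy described above, as an added example in Go; it is not code from this page or from Research In Motion. A Device keeps the content protection key and the principal encryption key in RAM and only wrapped keys in flash; Lock drops the content protection key, Reboot clears RAM, and Unlock recovers the principal key from its encrypted copy in flash. AES-256-GCM as the wrapping mode, the assumption that the content protection key is derived from the device password, the key identifier "bes" and the 32-byte key values a caller passes in are assumptions of this example; the page says only that the principal key is AES-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead returns AES-256-GCM for a 32-byte key (the page says AES-256 only; GCM is this example's assumption).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts plaintext (a key or a message) under key; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a modified blob fails the tag check instead of yielding garbage.
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	n := g.NonceSize()
	if len(blob) < n+g.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// zero overwrites a plaintext key that is leaving RAM.
func zero(b []byte) { copy(b, make([]byte, len(b))) }

// Device models the page's two tiers: flash survives a reboot but holds only wrapped keys; RAM holds plaintext keys.
type Device struct {
	WrappedPrincipal     []byte            // flash: principal key wrapped under the content protection key
	WrappedTransport     map[string][]byte // flash: device transport keys wrapped under the principal key
	contentProtectionKey []byte            // RAM: present only while unlocked (assumed password-derived)
	principalKey         []byte            // RAM: kept across a lock, lost on reboot
}

// EnableContentProtection performs steps 1 to 4 of the data flow and wraps the transport keys the device holds.
func (d *Device) EnableContentProtection(cpk []byte, transportKeys map[string][]byte) {
	d.principalKey = make([]byte, 32) // step 1: an AES-256 key; step 2: it lives in RAM
	if _, err := rand.Read(d.principalKey); err != nil {
		panic(err)
	}
	d.WrappedPrincipal = seal(cpk, d.principalKey) // steps 3 and 4
	d.WrappedTransport = make(map[string][]byte, len(transportKeys))
	for id, tk := range transportKeys {
		d.WrappedTransport[id] = seal(d.principalKey, tk)
	}
	d.contentProtectionKey = cpk
}

// Lock drops the content protection key from RAM; the principal key stays.
func (d *Device) Lock() {
	zero(d.contentProtectionKey)
	d.contentProtectionKey = nil
}

// Reboot models power loss: RAM is cleared, flash survives.
func (d *Device) Reboot() {
	d.Lock()
	zero(d.principalKey)
	d.principalKey = nil
}

// Unlock unwraps the principal key from flash, which checks the content protection key and refills RAM after a reboot.
func (d *Device) Unlock(cpk []byte) error {
	pk, err := open(cpk, d.WrappedPrincipal)
	if err != nil {
		return errors.New("unlock: wrong content protection key")
	}
	d.principalKey, d.contentProtectionKey = pk, cpk
	return nil
}

// Receive decrypts data sent under transport key keyID; it needs only the principal key, so it works while locked.
func (d *Device) Receive(keyID string, msg []byte) ([]byte, error) {
	if d.principalKey == nil {
		return nil, errors.New("principal key not in RAM: unlock first")
	}
	tk, err := open(d.principalKey, d.WrappedTransport[keyID])
	if err != nil {
		return nil, err
	}
	defer zero(tk)
	return open(tk, msg)
}
```

The sequence to run against it: EnableContentProtection with a 32-byte content protection key and one transport key, seal a message under that transport key to stand in for the BlackBerry Enterprise Server, then Lock and call Receive. It succeeds, because only the principal key is needed. After Reboot the same call fails until Unlock is given the right content protection key, and Unlock with a wrong key fails the GCM tag check rather than installing garbage as the principal key. Note that Lock zeroes the key slice it was given, so a caller that wants to unlock again must pass a fresh copy.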
PIN encryption keys
The PIN encryption key is a Triple DES 168-bit key that a BlackBerry device uses to encrypt PIN messages that it sends to
other devices and to authenticate and decrypt PIN messages that it receives from other devices. If a BlackBerry device
user knows the PIN of another device, the user can send a PIN message to that device. Unlike an email message that a user
sends to an email address, a PIN message bypasses the BlackBerry Enterprise Server and your organization's network.
By default, every device uses the same global PIN encryption key, which Research In Motion adds to the device during the
manufacturing process. The global PIN encryption key permits every device to authenticate and decrypt every PIN message
that it receives. Because all devices share the same global PIN encryption key, the encryption provides limited
confidentiality: any device that receives a PIN message can decrypt it. PIN messages are therefore not considered as
confidential as email messages that are sent from the BlackBerry Enterprise Server, which use BlackBerry transport layer
encryption. Encryption using the global PIN encryption key is sometimes referred to as "scrambling".
If the security policies of your organization require additional confidentiality for PIN messages, you can generate a PIN
encryption key that is specific to your organization or configure S/MIME encryption or PGP encryption for PIN messages.
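The limit of a key that every device shares, as an added Go example that is not code from this page or from Research In Motion: three devices hold PIN encryption keys, two inside one organization and one outside it, and canRead reports which of them recovers a PIN message. Triple DES in CTR mode, the iv || ciphertext framing, the key bytes and the device names are constructed assumptions; the page does not describe the mode, the message format or how the key authenticates a message, and this example models the confidentiality boundary only.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed keys for the example. Triple DES takes 24 bytes: 192 bits, of which 168 are key
// material and 24 are parity, which is why the page calls it a 168-bit key. Real keys are random.
var (
	globalPINKey = []byte("global-pin-key-from-fab!") // what every device leaves the factory with
	orgPINKey    = []byte("org-specific-pin-key-123") // what an organization provisions to its own devices
)

// scramble encrypts a PIN message with Triple DES. CTR mode and the iv || ciphertext framing are
// assumptions of this example; the page does not describe the mode or the message format.
func scramble(key, msg []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // rejects any key that is not 24 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize+len(msg))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:des.BlockSize]).XORKeyStream(out[des.BlockSize:], msg)
	return out, nil
}

// unscramble is the receiving side. With a bare block-cipher mode and no MAC, a wrong key does not
// produce an error, only a different byte string, so callers must compare with what was sent.
func unscramble(key, blob []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < des.BlockSize {
		return nil, errors.New("message too short")
	}
	out := make([]byte, len(blob)-des.BlockSize)
	cipher.NewCTR(block, blob[:des.BlockSize]).XORKeyStream(out, blob[des.BlockSize:])
	return out, nil
}

// PINDevice holds the key a device uses for every PIN message it sends or receives.
type PINDevice struct {
	Name string
	Key  []byte
}

// canRead reports whether receiver recovers the plaintext of a PIN message that sender scrambled.
func canRead(sender, receiver PINDevice, msg string) (bool, error) {
	blob, err := scramble(sender.Key, []byte(msg))
	if err != nil {
		return false, err
	}
	pt, err := unscramble(receiver.Key, blob)
	if err != nil {
		return false, err
	}
	return string(pt) == msg, nil
}

func main() {
	alice := PINDevice{"alice (org key)", orgPINKey}
	bob := PINDevice{"bob (org key)", orgPINKey}
	eve := PINDevice{"eve (outside, global key)", globalPINKey}
	msg := "meet at the loading dock at nine" // constructed message
	for _, r := range []PINDevice{bob, eve} {
		ok, err := canRead(alice, r, msg)
		fmt.Printf("%s reads alice's PIN message: %v (err=%v)\n", r.Name, ok, err)
	}
}
```

With the global key every device, the outsider included, reads the message; once the organization provisions its own key, only the two organization devices do. Because the example carries no MAC, unscramble never reports a wrong key: it returns a different byte string, which is why canRead compares the result with what was sent.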
Security Technical Overview Keys on a device
29