User guide
How the BlackBerry Enterprise Solution uses AES to encrypt data
By default, when a BlackBerry device supports AES, the BlackBerry Enterprise Solution uses AES for BlackBerry transport
layer encryption. The BlackBerry Enterprise Solution uses AES in CBC mode to generate the message keys and device
transport keys. The keys consist of 256 bits of data.
BlackBerry Enterprise Server version 4.0 or later, BlackBerry Device Software version 4.0 or later, and BlackBerry Desktop
Software version 4.0 or later support AES.
For more information about how the BlackBerry Enterprise Server uses AES for BlackBerry transport layer encryption to
communicate with devices, visit www.blackberry.com/support to read article KB05429.
How a device uses the AES algorithm to help protect user data and keys
The BlackBerry device implementation of the AES algorithm is designed to help protect user data and keys (such as the
device transport key and ephemeral key) from traditional attacks and side-channel attacks.
A traditional attack tries to exploit data that a cryptographic system stores or transmits. The potentially malicious user tries
to determine the key or the plain-text data by exploiting a weakness in the design of the cryptographic algorithm or
protocol.
A side-channel attack instead targets the physical properties of the device implementation of the AES algorithm, using
power analysis (for example, SPA and DPA) and electromagnetic analysis (for example, SEMA and DEMA). A potentially
malicious user tries to determine the keys that the device uses by measuring and analyzing the power consumption or the
electromagnetic radiation that the device emits during cryptographic operations.
The device uses a masking operation, table splitting, and a random mask application to help protect the keys and plain-text
data against side-channel attacks at all points during the encryption and decryption operations.
Data flow: Running a masking operation during the first AES calculation when content protection is turned on
During the first AES calculation, the BlackBerry device performs the following actions if you or a user turned on content
protection:
1. runs a masking operation by performing the following actions:
   a. creates a mask table (M), where each table entry is a random value
   b. creates a masked version of the S-Box table (S') that is used within AES
   c. periodically and randomly changes the order of all table entries
2. runs the result of step 1 as the input through both M and S'
3. combines the output of step 2 from M and S'
4. deletes the mask and produces the AES output
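The masked lookup described in steps 1 to 4, as an added illustration in Python (this is not BlackBerry's code; the class and function names are hypothetical). It derives the AES S-box, builds a random mask table M and a masked S-box S' whose entries depend on M and a random input mask, indexes both tables with a masked byte, combines the two results and removes the mask only at the end; refreshing the masks re-randomises every table entry, which stands in for step 1c.

```python
import secrets

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def build_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine transformation."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = [0x63]  # 0 has no inverse, so only the affine constant remains
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox

SBOX = build_sbox()

class MaskedSBox:
    """SubBytes in which neither the true input nor the true output is handled in the clear."""

    def __init__(self):
        self.remask()

    def remask(self):
        """Step 1: fresh mask table M and masked S-box S'. A new m_in permutes the index
        order of S' and a new M re-randomises its contents, standing in for step 1c."""
        self.m_in = secrets.randbits(8)                     # blinds every S-box index
        self.m_out = secrets.randbits(8)                    # blinds the combined output
        self.M = [secrets.randbits(8) for _ in range(256)]  # step 1a: per-entry random masks
        # step 1b: S'[i] = S[i ^ m_in] ^ M[i] ^ m_out, so S' alone is uncorrelated with S
        self.S_masked = [SBOX[i ^ self.m_in] ^ self.M[i] ^ self.m_out for i in range(256)]

    def sub_bytes(self, block):
        """Steps 2-4: index M and S' with masked bytes, combine, then delete the mask."""
        masked = [x ^ self.m_in for x in block]             # plaintext bytes are blinded here
        combined = [self.S_masked[xm] ^ self.M[xm] for xm in masked]  # step 3: equals S[x] ^ m_out
        result = [y ^ self.m_out for y in combined]         # step 4: delete the output mask
        self.remask()                                       # fresh masks for the next block
        return result
```

In a real implementation the output mask would be carried through the linear AES layers and removed only once per block rather than after SubBytes, but the table construction and the combine step are the same.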
Security Technical Overview Encrypting data that the BlackBerry Enterprise Server and a device send to each other
32