User guide
To make content protection optional, or to prevent an administrator or a user from turning on content protection for a device that is running BlackBerry Device Software 6.0 or later, you can use the Content Protection Usage IT policy rule.
After you or a user configures content protection, a device uses the ECC private key to decrypt an email message that it received while it was locked. The longer the ECC private key, the more time the device requires to decrypt messages. You must choose a strength level that balances encryption strength against decryption time: a stronger level gives longer keys, and a weaker level gives faster decryption.
The device uses the device password to generate an ephemeral key, and uses that ephemeral key to encrypt the content protection key and the ECC private key. If you change the content protection strength to Stronger, so that the device uses a 283-bit ECC private key, consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 12 characters for the device password. If you change the content protection strength to Strongest, so that the device uses a 571-bit ECC private key, consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 21 characters for the device password. These password lengths maximize the encryption strength that the longer ECC private keys are designed to provide. A shorter password produces a weaker ephemeral key, regardless of the ECC key length.
Data flow: Encrypting user data on a locked device
When a BlackBerry device locks for the first time after you or a user turns on content protection, the device performs the following actions:
1. uses the content protection key to automatically encrypt the bulk of its stored user data and application data
2. frees the device memory that is associated with the decrypted content protection key and the decrypted ECC private key that is stored in RAM
3. uses the ECC public key to encrypt data that it receives
Data flow: Decrypting user data on an unlocked device
1. A user types the correct BlackBerry device password to unlock a device.
2. The device performs the following actions:
   a. uses the password to derive the ephemeral key
   b. uses the ephemeral key to decrypt the encrypted content protection key and ECC private key that are stored in flash memory
   c. stores the decrypted content protection key and ECC private key in RAM
   d. uses the decrypted content protection key to decrypt the user data when the user tries to access user data (for example, an email message) that the device received and encrypted while it was locked
   e. uses the decrypted ECC private key to decrypt the user data and access the ECC-encrypted items (for example, the message body, subject, or recipient) when the user tries to access user data that the device encrypted while it was locked
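The two data flows above, as a constructed Go model (an added example, not BlackBerry code): a password-derived ephemeral key wraps the ECC private key, a locked device encrypts an incoming item using only the ECC public key, and unlocking re-derives the ephemeral key, unwraps the private key and decrypts the item. P-256 ECDH with AES-GCM and a single SHA-256 stand in for the device's 283- or 571-bit ECC keys and its password-based key derivation; all function names, the salt and the sample item are hypothetical.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/ecdh"; "crypto/rand"; "crypto/sha256")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func seal(key, pt []byte) []byte { // AES-256-GCM; output is nonce || ciphertext || tag
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) { // fails on a wrong key or a tampered item
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, ct[:12], ct[12:], nil)
}

// ephemeralKey stands in for the device's password-based derivation (a real device uses an iterated KDF).
func ephemeralKey(password string, salt []byte) []byte {
	k := sha256.Sum256(append([]byte(password), salt...))
	return k[:]
}

// provision generates the ECC key pair; only the private key wrapped under the ephemeral key goes to "flash".
func provision(password string, salt []byte) (pub *ecdh.PublicKey, wrappedPriv []byte) {
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	return priv.PublicKey(), seal(ephemeralKey(password, salt), priv.Bytes())
}

// receiveLocked encrypts an item with only the public key (ECIES-style): ephemeral point (65 B) || AES-GCM(item).
func receiveLocked(pub *ecdh.PublicKey, item []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	k := sha256.Sum256(must(eph.ECDH(pub))) // per-item key from the ECDH shared secret
	return append(eph.PublicKey().Bytes(), seal(k[:], item)...)
}

// unlockAndRead re-derives the ephemeral key, unwraps the private key and decrypts an item stored while locked.
func unlockAndRead(password string, salt, wrappedPriv, stored []byte) ([]byte, error) {
	privBytes, err := open(ephemeralKey(password, salt), wrappedPriv)
	if err != nil {
		return nil, err // wrong password: the private key is never recovered, so nothing else can be read
	}
	priv := must(ecdh.P256().NewPrivateKey(privBytes))
	k := sha256.Sum256(must(priv.ECDH(must(ecdh.P256().NewPublicKey(stored[:65])))))
	return open(k[:], stored[65:])
}
```

The wrong-password path is the check worth keeping in mind: because the private key sits in flash only under the ephemeral key, the password is the bound on everything the locked device stored.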
When the device opens ECC-128 encrypted items (usually less than 40 messages), the device uses the ECC private key to decrypt the ECC-encrypted items. The device re-encrypts the items with the content protection key the next time that the
Security Technical Overview Protecting data on a device
65