Manualshelf

User guide

ManualsBrandsBlackberry ManualsComputer equipmentENTERPRISE SOLUTION SECURITY - SECURITY FOR DEVICES WITH BLUETOOTH WIRELESS TECHNOLOGY - TECHNICAL
61626364656667686970
connects to the BlackBerry Infrastructure
resumes serial bypass connections
receives data from the BlackBerry Enterprise Server
Resetting a device password when content
protection is turned on
If you or a BlackBerry device user turns on content protection for a BlackBerry device that is running BlackBerry Device
Software version 4.3 or later, you can reset the device password using a BlackBerry Enterprise Server version 4.1 SP5 or
later. The BlackBerry Enterprise Solution uses the remote password reset cryptographic protocol to reset the device
password when content protection is turned on. The device does not prompt the user for the old device password.
The remote password reset cryptographic protocol is designed to provide the following features:
permit the device to encrypt the content protection key again with the new password, without the old password being
available
prevent a hardware-based attack on the device from recovering the content protection key without knowing either the
device password or the IT policy private key that the
BlackBerry Enterprise Server generates for the device
prevent the BlackBerry Enterprise Server from accessing any data that a potentially malicious user could use to recover
the content protection key
To reset the device password, you send the Specify new device password and lock device IT administration command to
the device. You should send the IT administration command to a content-protected device that is in the possession of the
user only. If you send the IT administration command to a device that is in the possession of a potentially malicious user,
that user can use a hardware-based attack to recover the key pair that the device created when it received the IT policy.
The potentially malicious user can use the key pair to decrypt all the data on the device.
Data flow: Resetting a device password when content
protection is turned on
The process flow is designed so that the BlackBerry Enterprise Server cannot reconstruct the encryption key at a later time.
The BlackBerry Enterprise Server performs the following actions when you send the Specify new device password and lock
device IT administration command to a
BlackBerry device when content protection is turned on:
1. generates an encryption key using the IT policy public key and the NIST recommended 521-bit elliptic curve over a
prime field
2. encrypts the content protection key using the encryption key and the new device password (which is also encrypted)
3. sends the data required to reconstruct the encryption key to the device
Security Technical Overview Protecting data on a device
67