User guide
Cryptosystem parameters that the remote password reset cryptographic protocol uses
The BlackBerry Enterprise Server and BlackBerry device are designed to share the following cryptosystem parameters when they use the remote password reset cryptographic protocol.
Uppercase parameters represent elliptic curve points. Lowercase parameters represent scalars. The elliptic curve group operations are additive.
Parameter             Description
E(Fq)                 The NIST-approved 521-bit random elliptic curve over Fq, which has a cofactor of 1.
Fq                    A finite field of prime order q.
P                     A point of E that generates a prime subgroup of E(Fq) of order p.
B = bP                The long-term IT policy public key and IT policy private key pair that the BlackBerry Enterprise Server generates for the BlackBerry device. The BlackBerry Enterprise Server stores b in the BlackBerry Configuration Database and sends B to the BlackBerry device in the IT policy.
D = dP                The key pair that the BlackBerry device creates when it receives B. The BlackBerry device stores D but deletes d, so that a hardware-based attack cannot recover d and B and then calculate K = dB.
K = dB                The encryption key that the BlackBerry device uses to encrypt the content protection key.
r                     A short-term random number that the BlackBerry device stores in RAM.
D' = rD               A blinded version of D.
K' = bD' = brD = rK   A blinded version of K.
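As an added illustration (not code from the BlackBerry documentation), the exchange the table describes, run on NIST P-521 with a minimal affine implementation: the server holds b, the device holds D and the short-term r, and the server sees only the blinded D' = rD and returns K' = bD' = rK. The final step, in which the device multiplies K' by the inverse of r modulo the subgroup order to recover K, is an assumption here; the table only states that K' = rK. The page's subgroup order p is called N below to keep it apart from the field prime, called Q.

```python
# Added example: blinded ECDH as in the parameter table, on NIST P-521 (cofactor 1).
# Page notation: P generates a subgroup of order p (N below); B = bP, D = dP,
# K = dB, D' = rD, K' = bD' = rK. Unblinding K = r^-1 * K' is assumed, not from the page.
import secrets

Q = 2**521 - 1                                  # field prime q of E(Fq)
A = Q - 3                                       # curve coefficient a = -3
CURVE_B = 0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00
N = 0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
G = (0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66,
     0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650)
INF = None                                      # point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + CURVE_B)) % Q == 0

def add(p1, p2):                                # affine point addition (additive group law)
    if p1 is INF: return p2
    if p2 is INF: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def mul(k, pt):                                 # scalar multiplication by double-and-add
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt); k >>= 1
    return acc

def reset_exchange(b=None, d=None, r=None):
    """One run of the blinded exchange; returns what each side ends up holding."""
    b = b or secrets.randbelow(N - 1) + 1       # server: IT policy private key
    B = mul(b, G)                               # sent to device in the IT policy
    d = d or secrets.randbelow(N - 1) + 1       # device: generated on receipt of B
    D, K = mul(d, G), mul(d, B)                 # device keeps D, deletes d
    r = r or secrets.randbelow(N - 1) + 1       # short-term blinding scalar in RAM
    D_blind = mul(r, D)                         # D' = rD, the only point the server sees
    K_blind = mul(b, D_blind)                   # server: K' = bD'; K itself is never exposed
    K_recovered = mul(pow(r, -1, N), K_blind)   # device: r^-1 * K' = K (assumed step)
    return {"K": K, "K_blind": K_blind, "rK": mul(r, K), "K_recovered": K_recovered}
```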
Protecting passwords that a device stores
A BlackBerry device user can use the password keeper to store all passwords that the user uses to access applications and web sites from a BlackBerry device. The password keeper is designed to protect the passwords with a password keeper password. The user is required to remember only the password keeper password.
Security Technical Overview Protecting data on a device