BlackBerry Enterprise Solution Security
Release 4.1 Technical Overview
© 2006 Research In Motion Limited. All rights reserved. www.blackberry.
Wireless security
This document describes the security features of the BlackBerry Enterprise Solution™ and provides an overview of the BlackBerry® security architecture. This document describes the security features that BlackBerry Enterprise Server version 4.1, BlackBerry Desktop Software version 4.1, and BlackBerry Device Software version 4.1 support, unless otherwise stated.
BlackBerry Enterprise Solution security
Concept: authenticity
Description: enables the message recipient to identify and trust the identity of the message sender
BlackBerry Enterprise Solution implementation:
• Require that the BlackBerry device authenticate itself to the BlackBerry Enterprise Server to prove that it knows the master encryption key before the BlackBerry Enterprise Server can exchange the unique master encryption key with, and send data to the B
New security features
Feature: protect master encryption keys on the BlackBerry device
Software versions supported: • BlackBerry Enterprise Server version 4.1 (all platforms)
Description: Encrypt the master encryption keys stored on the BlackBerry device in flash memory using 256-bit AES.
Feature: support smart cards with the BlackBerry Smart Card Reader
Software versions supported: • BlackBerry Smart Card Reader version 1.
BlackBerry encryption keys
Master encryption key storage
The BlackBerry configuration database, the messaging server, and the BlackBerry device flash memory store encryption keys, including the current BlackBerry device master encryption key (in other words, the master encryption key that the BlackBerry device currently uses to encrypt and decrypt message keys).
Key generation method: wireless
Initial key generation: Wireless enterprise activation permits a user to remotely activate a BlackBerry device on the BlackBerry Enterprise Server without a physical network connection.
Protocol: initial key establishment protocol
Description:
• The BlackBerry Enterprise Server uses this protocol during wireless enterprise activation to establish the initial master encryption key.
• This protocol uses SPEKE to bootstrap from an activation password, enabling a BlackBerry device to establish long-term public keys and a strong, cryptographically protected connection with a BlackBerry Enterprise Server.
5. The BlackBerry Enterprise Server uses SHA512 to hash the 521-byte value to 64 bytes.
6. The BlackBerry Enterprise Server uses the 64-byte value to seed a NIST-approved DSA PRNG function. See Federal Information Processing Standard – FIPS PUB 186-2 for more information on the DSA PRNG function. The BlackBerry Enterprise Server stores a copy of the seed in a file.
User data encryption process on a locked BlackBerry device
1. The BlackBerry device locks. When the BlackBerry device locks for the first time after you turn on or the user turns on content protection, it uses the content protection key to automatically encrypt the bulk of its stored user and application data.
2.
BlackBerry symmetric key encryption algorithms
A symmetric key encryption algorithm is designed so that only the parties who know the secret key can decrypt the encrypted data (the cipher text of the scrambled message).
When a user sends a message from the BlackBerry device, the BlackBerry Enterprise Server does not encrypt the message when it forwards the message to the message recipient unless the user installs additional secure messaging technology on the BlackBerry device and you have enabled the BlackBerry device to use that secure messaging technology to extend the messaging security.
BlackBerry wireless messaging security
The BlackBerry Enterprise Solution is designed with advanced security features to work seamlessly with existing corporate networks while enabling a user to securely send and receive messages while away from their desktop computer. Email messages remain encrypted at all points between the BlackBerry device and the BlackBerry Enterprise Server.
2. The BlackBerry Infrastructure routes the encrypted message to the BlackBerry Enterprise Server on which the user resides. The connection from the BlackBerry Enterprise Server to the BlackBerry Infrastructure is a two-way TCP connection on port 3101. The BlackBerry Infrastructure directs messages from the BlackBerry device to this connection using the routing information in the message.
3.
Extending BlackBerry device messaging security
SMS and MMS messaging
SMS and MMS messaging are available on some BlackBerry devices. Supported BlackBerry devices can send SMS and MMS messages over the wireless TCP/IP connection between them.
that the BlackBerry device can decrypt messages that are encrypted using PGP. Without the PGP Support Package, the user’s BlackBerry device receives PGP protected messages as unreadable cipher text. Within the PGP Universal Server environment, the PGP Universal Server operates as a network appliance. PGP Universal Server specifies secure email policies designed by the PGP Universal Server administrator.
If the PGP Support Package is installed on a BlackBerry device, when the BlackBerry device receives a message, the PGP message is encrypted with standard BlackBerry encryption and then decrypted, using the following process:
1. The BlackBerry Enterprise Server receives the PGP protected message.
2. The BlackBerry Enterprise Server uses standard BlackBerry encryption to encrypt the PGP data.
3.
1. The BlackBerry device encrypts the message with the message recipient’s S/MIME certificate.
2. The BlackBerry device uses standard BlackBerry encryption to encrypt the S/MIME data.
3. The BlackBerry device sends the encrypted data to the BlackBerry Enterprise Server.
4. The BlackBerry Enterprise Server removes the BlackBerry standard encryption and sends the S/MIME encrypted message to the recipient.
If a user with this feature configured on the BlackBerry device forwards or replies to an encrypted message that the BlackBerry device has received, decrypted, and decompressed, the BlackBerry Enterprise Server for IBM Lotus Domino decrypts the message before the BlackBerry device sends the message to the recipient as plain text. Lotus Notes API 7.0 requires the user’s Notes .
Protecting stored data
Protecting stored messages on the messaging server
The IBM Lotus Domino server and the Microsoft Exchange server perform all message storage and specific user data storage in their environments. In the Novell GroupWise server environment, the Post-Office Agent where a user’s messaging account resides stores messages and user data.
The first time that a user opens the Password Keeper on the BlackBerry device, they must create the Password Keeper master password. The Password Keeper encrypts the information (for example, application and web site passwords and data) that it stores using 256-bit AES, and uses the master password to decrypt the information when a user types the master password to gain access to the Password Keeper tool.
Enabling protected storage of BlackBerry device data
You enable protected storage of data on the BlackBerry device by setting the Content Protection Strength IT policy rule. Choose a strength level that corresponds to the desired ECC key strength.
When the user unlocks the BlackBerry device after a reset, the BlackBerry device
• uses the content protection key to decrypt the grand master key in flash memory
• stores the decrypted grand master key in RAM again
• re-establishes the wireless connection to the BlackBerry Infrastructure
• resumes serial bypass
• receives data from the BlackBerry Enterprise Server
Cleaning the BlackBerry device memory
By default, the BlackBerry d
BlackBerry architecture component security
The BlackBerry Enterprise Server consists of services that provide functionality and components that monitor services and processes, route, compress, and encrypt data, and communicate with the BlackBerry Infrastructure over the wireless network.
messaging server continues to receive, deliver, and store all corporate email messages, while the BlackBerry Enterprise Server acts as a conduit to transfer these messages to and from the BlackBerry device.
BlackBerry configuration database
The BlackBerry services that do not connect to the messaging server directly access the configuration information that a SQL database (the BlackBerry configuration database) stores.
Configuration option: limit the privilege level of Microsoft SQL Server Windows services
Recommendations:
• use the Microsoft SQL Server Enterprise Manager
• Associate each service with a Windows account from which the service derives its security context.
Protecting the BlackBerry Infrastructure connections
Changing the BlackBerry configuration database
If you move the BlackBerry device to a BlackBerry Enterprise Server that uses a different BlackBerry configuration database, you or a user must erase all user and application data, the BlackBerry device master encryption key, and the IT policy public key from the BlackBerry device.
SRP action: exchange configuration information between the BlackBerry Enterprise Server and the BlackBerry Infrastructure
Description: The BlackBerry Enterprise Server is designed to send a basic information packet to the BlackBerry Infrastructure immediately following the initial SRP authentication process.
Step 6
Action: The BlackBerry Infrastructure sends an acceptance to the BlackBerry Enterprise Server.
Description: When the BlackBerry Infrastructure accepts the challenge response, it sends a final confirmation to the BlackBerry Enterprise Server to complete the authentication process and set up an authenticated SRP connection between the BlackBerry Infrastructure and the BlackBerry Enterprise Server.
from an activation password to establish a shared master encryption key that enables strong authentication between them. After the BlackBerry device successfully activates on the BlackBerry Enterprise Server, the BlackBerry device no longer requires the activation password. The user (or another user) cannot reuse that password to activate another BlackBerry device.
TCP/IP connection
The TCP/IP connection from the BlackBerry Enterprise Server to the BlackBerry Router is designed to be secure in the following ways:
Security measure: The BlackBerry Enterprise Server sends outbound traffic to the BlackBerry device only through the authenticated connection to the BlackBerry Infrastructure.
Messaging server to desktop email program connection
You can encrypt the BlackBerry device data in transit between the messaging server and the user’s desktop email program.
HTTPS protocol
BlackBerry MDS encryption method: proxy mode TLS/SSL
Description: Sun® JSSE 1.4.1 cipher suite components
• The connection service sets up the proxy mode TLS/SSL connection on behalf of the BlackBerry device.
Authenticating a user
If the user intends to activate their BlackBerry device wirelessly, they must contact you for a temporary activation password that the BlackBerry device uses to establish the master encryption key. You can set the BlackBerry device activation password and communicate it to the user.
Controlling BlackBerry devices
5.
• format of the binding information (currently, a version byte with a value of 0)
• type of smart card (for the Common Access Card, this string is “GSA CAC”)
• name of a Java class required by the smart card code
• unique 64-bit identifier that the smart card provides
• smart card label that the smart card provides (for example, “GRAHAM.JOHN.
• typing a string, which simultaneously turns on a rule and provides the parameters for its use
• selecting a predefined permitted value to assign to a rule
You cannot use all rules to configure the behavior of all BlackBerry device types. See the Policy Reference Guide for more information. The BlackBerry Manager groups the rules by common properties or by application.
• Restrict device resources available to third-party applications
See the Policy Reference Guide for more information.
Controlling BlackBerry device access to the BlackBerry Enterprise Server
Turn on the Enterprise Service Policy to control which BlackBerry devices can connect to the BlackBerry Enterprise Server.
Protecting third-party applications on the BlackBerry device
Java-based BlackBerry devices are designed to provide an open platform for third-party application development. Using BlackBerry MDS Studio™ and the BlackBerry Java Development Environment (JDE), the BlackBerry Enterprise Solution enables software developers to create wireless enterprise applications.
BlackBerry JDE security method: application control
Description:
• By default, MIDlets (applications that use standard MIDP and CLDC APIs only) cannot write to memory on a BlackBerry device, access the memory of other applications, or access the persistent data of another MIDlet application.
Protecting lost, stolen, or replaced BlackBerry devices
Erasing data from BlackBerry device memory and making the BlackBerry device unavailable
The BlackBerry device erases its user and application data when any of the following events occur:
• The user clicks Wipe Device (in the Security options) on the BlackBerry device.
• The user types the password incorrectly more times than the Set Maximum Password Attempts IT policy rule allows.
Related resources
Resource: BlackBerry Enterprise Server Feature and Technical Overview
Information:
• BlackBerry Enterprise Server architecture
Resource: BlackBerry Enterprise Server Installation Guide
Information:
• network environment settings
• messaging and collaboration environment settings
• database environment settings
• generating and changing master encryption keys
• enabling encryption
• managing security
Resource: BlackBerry Enterprise Solution Secu
Resource: PGP Support Package User Guide Supplement
Information:
• installing the PGP Support Package
• managing PGP keys on the BlackBerry device
• setting PGP options for digitally signing and encrypting messages
• S/MIME security and encryption
• managing S/MIME certificates on the BlackBerry device and desktop computer
• installing the S/MIME Support Package
• managing certificates on the BlackBerry device and desktop computer
Appendix A: RIM Cryptographic Application Programming Interface
The RIM Crypto API on the BlackBerry device and in the BlackBerry JDE provides developers with a toolkit of cryptographic algorithms and support tools that they can use to create secure applications for business connectivity.
Key agreement schemes
Algorithm | Key length (bits) | Type
DH | 512 to 4096 | discrete logarithm
KEA | 1024 | discrete logarithm
ECDH | 160 to 571 | (EC) discrete logarithm
ECMQV | 160 to 571 | (EC) discrete logarithm
Signature schemes
Algorithm | Key length (bits) | Type
DSA | 512 to 1024 | discrete logarithm
RSA using PKCS#1 (version 1.5 and 2.0) | 512 to 4096 | integer factorization
RSA using ANSI X9.
Appendix B: TLS and WTLS standards that the RIM Crypto API supports
The TLS and WTLS protocol cipher suite components that the RIM Crypto API supports apply only to WTLS and handheld (direct) mode TLS/SSL on the BlackBerry device.
Symmetric algorithms that the RIM Crypto API supports
Direct mode SSL: RC4 40, DES 40, DES, Triple DES, RC4 128
Direct mode TLS: RC4 40, RC4 56, RC4 128, DES 40, DES, Triple DES, AES 128, AES 256
WTLS: RC5 40, RC5 56, RC5 64, RC5, RC5 128, DES 40, DES, Triple DES, RC4 128
Hash algorithms that the RIM Crypto API supports
Direct mode SSL: MD5, SHA1
Direct mode TLS: MD5, SHA1
WTLS: SHA, SHA 40, SHA
Appendix C: Previous version of wired master encryption key generation
Each time a BlackBerry Enterprise Server or BlackBerry Desktop Software version earlier than 4.0 calls the master encryption key generation function, the C language srand function is seeded with the current time to generate a seed for the C language rand function.
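The pre-4.0 construction that Appendix C describes, as an added C example (not RIM's code): legacy_master_key() reproduces the srand()/rand() pattern so that the key can be seen to depend on nothing but the clock value, and csprng_master_key() is a swapped-in hardened alternative that draws the bytes from /dev/urandom rather than the SHA-512-seeded DSA PRNG method the document itself uses in 4.1. KEY_LEN, the function names and the timestamps in the comments are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 32  /* assumed key length for the illustration */

/* Legacy method from Appendix C (versions earlier than 4.0): srand() is seeded with the
   clock and the key bytes come from rand(). The key is a pure function of seed_time. */
void legacy_master_key(time_t seed_time, uint8_t key[KEY_LEN]) {
    srand((unsigned)seed_time);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xFF);
}

/* The seed is the only unknown input, so over a window of `window` seconds the generator
   can yield at most `window` distinct keys (about log2(window) bits of effective entropy,
   not 8 * KEY_LEN). Generates one key per second in the window and counts the distinct ones. */
size_t legacy_distinct_keys(time_t start, size_t window) {
    uint8_t *keys = malloc(window * KEY_LEN);
    size_t distinct = 0;
    if (keys == NULL) return 0;
    for (size_t i = 0; i < window; i++) {
        uint8_t *k = keys + i * KEY_LEN;
        size_t j;
        legacy_master_key(start + (time_t)i, k);
        for (j = 0; j < i; j++)
            if (memcmp(keys + j * KEY_LEN, k, KEY_LEN) == 0) break;
        if (j == i) distinct++;  /* no earlier second in the window produced this key */
    }
    free(keys);
    return distinct;
}

/* Returns 1 if two keys generated from the same clock value are byte-for-byte identical,
   which is the property that makes the legacy construction unsuitable for key generation. */
int legacy_key_is_repeatable(time_t seed_time) {
    uint8_t a[KEY_LEN], b[KEY_LEN];
    legacy_master_key(seed_time, a);
    legacy_master_key(seed_time, b);
    return memcmp(a, b, KEY_LEN) == 0;
}

/* Hardened alternative (swapped in here; the document's own 4.1 method seeds a DSA PRNG
   instead): read the key bytes from the operating system CSPRNG. 0 on success, -1 on error. */
int csprng_master_key(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL) return -1;
    got = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return got == KEY_LEN ? 0 : -1;
}
```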
Appendix D: BlackBerry device wipe process
A BlackBerry device wipe is designed to delete and overwrite the BlackBerry device memory using the following process:
1. The BlackBerry device sets a Device Under Attack flag in the NV store.
3. Writes 0xCC to each byte (1100 1100 in binary).
4. Clears all bytes to 0xFF (1111 1111 in binary).
5. Writes 0x55 to each byte (0101 0101 in binary).
6. Clears all bytes to 0xFF (1111 1111 in binary).
7. Writes 0xAA to each byte (1010 1010 in binary).
8. Clears all bytes to 0xFF (1111 1111 in binary).
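The overwrite sequence above, implemented as an added C example that is not part of this document or of BlackBerry Device Software. It assumes a plain byte buffer standing in for device memory and a small struct standing in for the NV store; step 2 is not on this page, so the pass table starts with the 0xCC write of step 3.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the device NV store: holds the Device Under Attack flag (step 1). */
typedef struct {
    int device_under_attack;
} nv_store_t;

/* Overwrite passes from steps 3 to 8 of Appendix D, in order. Step 2 is absent from this
   page, so the table begins at the 0xCC pass. */
static const uint8_t WIPE_PASSES[] = { 0xCC, 0xFF, 0x55, 0xFF, 0xAA, 0xFF };
#define WIPE_PASS_COUNT (sizeof WIPE_PASSES / sizeof WIPE_PASSES[0])

/* Fill through a volatile pointer so the compiler cannot drop the overwrite as a dead store
   (a plain memset on memory that is never read again is routinely optimised away). */
static void fill_volatile(uint8_t *mem, size_t len, uint8_t value) {
    volatile uint8_t *p = mem;
    for (size_t i = 0; i < len; i++) p[i] = value;
}

/* Run the wipe: set the flag, then apply each pass. Returns the number of passes applied. */
size_t wipe_memory(nv_store_t *nv, uint8_t *mem, size_t len) {
    nv->device_under_attack = 1;                  /* step 1 */
    for (size_t i = 0; i < WIPE_PASS_COUNT; i++)
        fill_volatile(mem, len, WIPE_PASSES[i]);  /* steps 3 to 8 */
    return WIPE_PASS_COUNT;
}

/* Post-wipe check: every byte must read back as 0xFF, the erased state the final pass leaves. */
int wipe_verified(const uint8_t *mem, size_t len) {
    uint8_t acc = 0xFF;
    for (size_t i = 0; i < len; i++) acc &= mem[i];  /* stays 0xFF only if all bytes are 0xFF */
    return acc == 0xFF;
}

/* Property of the pattern set: across the passes every bit position is driven to both 0 and 1,
   so no bit position keeps its original value through the whole sequence. */
int every_bit_driven_both_ways(void) {
    uint8_t seen_one = 0, seen_zero = 0;
    for (size_t i = 0; i < WIPE_PASS_COUNT; i++) {
        seen_one  |= WIPE_PASSES[i];
        seen_zero |= (uint8_t)~WIPE_PASSES[i];
    }
    return seen_one == 0xFF && seen_zero == 0xFF;
}

/* Self-contained demo on a constructed 64-byte region holding sample "user data". */
int demo_wipe(void) {
    uint8_t region[64];
    nv_store_t nv = { 0 };
    memset(region, 'A', sizeof region);  /* constructed sample content */
    size_t passes = wipe_memory(&nv, region, sizeof region);
    return passes == WIPE_PASS_COUNT && nv.device_under_attack && wipe_verified(region, sizeof region);
}
```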
Appendix E: Ephemeral AES encryption key derivation process
The BlackBerry device uses an ephemeral 256-bit AES encryption key to encrypt the content protection key and the ECC private key. The BlackBerry device derives the ephemeral 256-bit AES encryption key from the BlackBerry device password using the following process:
1.
Part number: SWD_X_BES(EN)-179.002
©2006 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, “Always On, Always Connected”, the “envelope in motion” symbol, and BlackBerry are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.