BlackBerry Smart Card Reader Version 2.
BlackBerry Smart Card Reader

The BlackBerry® Smart Card Reader is an accessory that, when used in proximity to certain Bluetooth® enabled BlackBerry devices and computers, permits users to authenticate with their smart cards and log in to Bluetooth enabled BlackBerry devices and computers. The BlackBerry Smart Card Reader is designed to perform the following actions:
• communicate with Bluetooth enabled BlackBerry devices and computers using Bluetooth technology version 1.
New in this release

Feature: proximity authentication
Description: Proximity authentication is an authentication method that permits a user to unlock a BlackBerry® device using a BlackBerry device password and a BlackBerry® Smart Card Reader when the BlackBerry Smart Card Reader is located within Bluetooth® technology range of the BlackBerry device. Proximity authentication does not require the user to have a smart card.
System requirements

The BlackBerry® Smart Card Reader supports the following software and BlackBerry devices:
BlackBerry Enterprise Server software
• BlackBerry® Enterprise Server version 4.0 SP2 and later for Microsoft® Exchange (with the S/MIME IT Policy Pack imported)
Computer
• Windows® XP SP2 or SP3 (32-bit and 64-bit versions) with support for Bluetooth® technology turned on
BlackBerry devices
• Java® based Bluetooth enabled BlackBerry devices that run BlackBerry® Device Software version 4.
System architecture

The BlackBerry® Smart Card Reader is designed to connect to a Bluetooth® enabled BlackBerry device and a Bluetooth enabled computer. The BlackBerry Smart Card Reader supports using certificates that a PKI generates with a BlackBerry device. The BlackBerry Smart Card Reader cannot communicate with the BlackBerry® Enterprise Server directly.
BlackBerry Enterprise Solution security

The BlackBerry® Enterprise Solution is designed to encrypt data that is in transit at all points between a BlackBerry device and the BlackBerry® Enterprise Server to help protect your organization from data loss or alteration. Only the BlackBerry Enterprise Server and the BlackBerry device can decrypt the data that they send between each other.
Restricting Bluetooth technology on a Bluetooth enabled computer

On a Bluetooth® enabled computer, when a Bluetooth wireless adaptor exists and is turned on, the computer also installs Bluetooth drivers (and, optionally, a personal area networking device) for that wireless adaptor.
BlackBerry Smart Card Reader security

The BlackBerry® Smart Card Reader is designed to prevent offline and online dictionary attacks using the following security methods.
Security method: code signing
Description: Before a user can run a permitted third-party application that uses the controlled APIs on the BlackBerry device, the Research In Motion signing authority system must use public key cryptography to authorize and authenticate the application code. The BlackBerry Smart Card Reader uses code signing to prevent the user from loading third-party code onto the BlackBerry Smart Card Reader.
• prevent third-party applications that have obtained a digital signature from the Research In Motion signing authority system from using the BlackBerry device controlled APIs to do anything other than access persistent storage of user data and communicate with other applications

You can configure application control policy rules so that all Bluetooth profiles are unavailable for applications by default and then turn on the Bluetooth Serial Port Profile for the BlackBerry Smart Card Reader driver only.
IT policy rule: Maximum Connection Heartbeat Period
Description: This rule specifies the maximum heartbeat period, in seconds. During each heartbeat period, the paired BlackBerry device or computer sends a heartbeat, which the BlackBerry Smart Card Reader acknowledges. If either side does not send or acknowledge a heartbeat within the maximum heartbeat period, the BlackBerry device or computer closes the Bluetooth connection.
IT policy rule: Maximum PC Long Term Timeout
Description: This rule specifies the maximum time, in hours, after a computer and the BlackBerry Smart Card Reader open the secure pairing connection between them, at which the computer and the BlackBerry Smart Card Reader delete the secure pairing information.
Card Reader and the BlackBerry device or computer. By default, the secure pairing PIN is 8 characters long and is case-sensitive. If your organization uses BlackBerry Smart Card Reader version 2.0 and later and BlackBerry® Device Software version 5.0 and later, you can change the length of the secure pairing PIN using the Minimum PIN Entry Mode IT policy rule. BlackBerry Smart Card Reader version 2.0 and later and BlackBerry Device Software version 5.0 and later support alphanumeric characters.
4. The BlackBerry Smart Card Reader creates a list of all the algorithms that it supports and sends the supported algorithms list to the BlackBerry device or computer.
5. The BlackBerry device or computer searches the list for a match with one of its own supported algorithms.
   • If a match is not available, the BlackBerry device or computer sends an error to the BlackBerry Smart Card Reader and stops processing the list.
The connection key establishment protocol uses the ECDH algorithm that the initial key establishment protocol negotiates. The ECDH algorithm provides perfect forward secrecy: the key that protects data in one run cannot be used to derive previous or subsequent encryption keys. Each run of the connection key establishment protocol uses a unique, random, ephemeral key pair to create the new connection key.
For more information about variables used in this process, see “BlackBerry Smart Card Reader shared cryptosystem parameters”. The connection key establishment protocol can stop at any point if an error occurs. For more information, see “Connection key establishment protocol errors”.
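The per-run ephemeral exchange described above, as an added example that is not part of this document or of RIM's implementation. It uses Go's standard crypto/ecdh on NIST P-521 (the EC521R1 curve the page says is negotiated by default) and assumes a SHA-512 reduction of the ECDH secret as the key derivation, which the page does not specify.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
)

// curve is EC521R1 (NIST P-521), the curve the initial key establishment
// protocol negotiates by default according to the page.
var curve = ecdh.P521()

// ConnectionKey derives one side's copy of the connection key from its own
// ephemeral private key and the peer's ephemeral public point. Hashing the
// ECDH secret with SHA-512 is an assumption; the page gives no real KDF.
func ConnectionKey(own *ecdh.PrivateKey, peerPublic []byte) ([]byte, error) {
	peer, err := curve.NewPublicKey(peerPublic) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	secret, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha512.Sum512(secret)
	return key[:32], nil // 256-bit key for the AES/HMAC packet protection
}

// Run performs one run between the reader and a device. Each side generates
// a key pair used for this run only, exchanges public points and derives the
// connection key; both copies are returned so the caller can check they agree.
func Run() (readerKey, deviceKey []byte, err error) {
	reader, err := curve.GenerateKey(rand.Reader) // ephemeral: never stored
	if err != nil {
		return nil, nil, err
	}
	device, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if readerKey, err = ConnectionKey(reader, device.PublicKey().Bytes()); err != nil {
		return nil, nil, err
	}
	if deviceKey, err = ConnectionKey(device, reader.PublicKey().Bytes()); err != nil {
		return nil, nil, err
	}
	// reader and device are dropped here, so nothing that persists can be
	// used to re-derive this connection key (perfect forward secrecy).
	return readerKey, deviceKey, nil
}
```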
• The BlackBerry device binds to the installed smart card automatically by storing the smart card binding information in a BlackBerry device NV store location, which is designed to be inaccessible to the user. For more information, see “Smart card binding information”.
Proximity authentication

Proximity authentication is an authentication method that permits a user to unlock a BlackBerry® device using the BlackBerry device password and the BlackBerry® Smart Card Reader within Bluetooth® technology range of the BlackBerry device. To unlock a BlackBerry device, the user moves the BlackBerry Smart Card Reader within Bluetooth technology range of the BlackBerry device, clicks the unlock button on the BlackBerry device, and types the BlackBerry device password.
factor content protection mandatory or optional, or to prevent a user from configuring it, you can use the Two-factor Content Protection Usage IT policy rule. After you or a user turns on two-factor content protection, to unlock the BlackBerry device, a user must type the BlackBerry device password and the smart card PIN on the login screen in the appropriate fields.
BlackBerry Smart Card Reader supported algorithms

Algorithm type: elliptic curve (default)
Algorithms:
• 571-bit Koblitz Curve (EC571K1)
• 521-bit Random Curve (EC521R1)
• 283-bit Koblitz Curve (EC283K1)
• 256-bit Random Curve (EC256R1)
• 160-bit Random Curve (EC160R1)
The initial key establishment protocol is designed to negotiate to use the 521-bit Random Curve (EC521R1) algorithm unless the BlackBerry® device or the computer requires a different algorithm.
Connection key establishment protocol errors

During the connection key establishment protocol process, if an error occurs on the BlackBerry® device, the computer, or the BlackBerry® Smart Card Reader, that party sends an error code to the other party negotiating the connection key.
Application layer protocol encryption and authentication

By default, each data packet that a BlackBerry® device or computer and the BlackBerry® Smart Card Reader send between them is authenticated and encrypted using the following methods:
• authenticated with HMAC using the negotiated SHA algorithm
• encrypted with AES of the negotiated key size using CBC mode
The following diagram shows the anatomy of a data packet formatted for transmission over the application layer: The connection key protocol ope
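An encrypt-then-MAC packet construction that applies the two methods listed above, as an added example that is not BlackBerry's code. The packet layout (IV, AES-CBC ciphertext, HMAC tag), the use of separate AES and HMAC keys, SHA-256 as the negotiated SHA algorithm and PKCS#7 padding are all assumptions, since the page's packet diagram was not extracted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Seal returns IV || AES-CBC(payload) || HMAC-SHA256(IV || ciphertext).
// The encrypt-then-MAC layout and the separate AES and HMAC keys are
// assumptions of this example; the page's packet diagram was not extracted.
func Seal(encKey, macKey, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // key length = negotiated AES key size
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(payload)%aes.BlockSize // PKCS#7 padding
	plain := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	pkt := make([]byte, aes.BlockSize+len(plain))
	rand.Read(pkt[:aes.BlockSize]) // fresh random IV for every packet
	cipher.NewCBCEncrypter(block, pkt[:aes.BlockSize]).CryptBlocks(pkt[aes.BlockSize:], plain)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(pkt)
	return mac.Sum(pkt), nil
}

// Open verifies the HMAC in constant time before decrypting, so a modified,
// truncated or forged packet is rejected (ok == false) without decryption.
func Open(encKey, macKey, pkt []byte) (payload []byte, ok bool) {
	n := len(pkt) - sha256.Size // start of the HMAC tag
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, false
	}
	block, err := aes.NewCipher(encKey)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(pkt[:n])
	if err != nil || !hmac.Equal(mac.Sum(nil), pkt[n:]) {
		return nil, false
	}
	plain := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, pkt[:aes.BlockSize]).CryptBlocks(plain, pkt[aes.BlockSize:n])
	// With the MAC verified, bad padding can only come from a faulty sender.
	if pad := int(plain[len(plain)-1]); pad >= 1 && pad <= aes.BlockSize {
		return plain[:len(plain)-pad], true
	}
	return nil, false
}
```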
BlackBerry Smart Card Reader shared cryptosystem parameters

The BlackBerry® Smart Card Reader and a BlackBerry device or computer with the BlackBerry Smart Card Reader software and drivers installed are designed to share the following cryptosystem parameters.
Parameter: E(Fq)
Description: This parameter is the NIST-approved 521-bit random elliptic curve over Fq, which has a cofactor of 1. The initial key establishment protocol performs all mathematical operations in the group E(Fq).
Examples of attacks that the BlackBerry Smart Card Reader security protocols are designed to prevent

Eavesdropping

An eavesdropping event occurs when a user with malicious intent listens to the communication between the BlackBerry® Smart Card Reader and a BlackBerry device or computer. The goal of the user with malicious intent is to determine the shared device transport key on the BlackBerry Smart Card Reader and the BlackBerry device or computer, given only xS and yS.
yxS = yxzP, for some z such that S = zP. Calculating yxP from yzxP without knowledge of z corresponds to solving the discrete logarithm problem for S, which is computationally infeasible.

Offline dictionary attack

An offline dictionary attack occurs when a user with malicious intent tries all possible passwords and determines the correct password.
Smart card binding information

When you or a user turns on two-factor authentication on a BlackBerry® device, the BlackBerry device binds to the installed smart card automatically by storing the following smart card binding information in a special BlackBerry device NV store location that is inaccessible to a user:
• the name of a Java® class that the BlackBerry® Smart Card Reader requires
• the binding information format
• the smart card type (for the Common Access Card, this string is “GSA CAC”)
BlackBerry Smart Card Reader reset process

When a user resets the BlackBerry® Smart Card Reader, the BlackBerry Smart Card Reader performs the following actions:
• backs up the Bluetooth® encryption key for the currently connected BlackBerry device, if applicable
• deletes all Bluetooth pairing information
• deletes all secure pairing information
• deletes all user settings
• deletes the connection password
• unbinds the IT policy from the BlackBerry Smart Card Reader
The BlackBerry Smart Card R
Related resources

Resource: BlackBerry Enterprise Solution Security Technical Overview
Information:
• preventing the decryption of information at an intermediate point between the BlackBerry® device and the BlackBerry® Enterprise Server or organization LAN
• managing security settings for all BlackBerry devices
• protecting data that is in transit between the BlackBerry device and the BlackBerry Enterprise Server
• understanding the algorithms provided by the RIM Cryptographic API
• understanding
Glossary

AES: Advanced Encryption Standard
API: application programming interface
CBC: cipher block chaining
ECDH: Elliptic Curve Diffie-Hellman
HMAC: keyed-hash message authentication code
LAN: local area network
LED: light-emitting diode
NIST: National Institute of Standards and Technology
NV: nonvolatile
PIN: personal identification number
PKI: Public Key Infrastructure
S/MIME: Secure Multipurpose Internet Mail Extensions
SHA: Secure Hash Algorithm
SPEKE: Simple Password-authenticated Exponential Key Exchange
TLS: Tran
Legal notice

Document ID: 25979072 version 3
©2009 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType®, SurePress™ and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Bluetooth is a trademark of Bluetooth SIG. Java is a trademark of Sun Microsystems, Inc. Microsoft, Windows, and Windows Vista are trademarks of Microsoft Corporation.
should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability whatsoever, in relation thereto.