BlackBerry Enterprise Solution
Security Technical Overview for BlackBerry Enterprise Server Version 4.1 Service Pack 5 and BlackBerry Device Software Version 4.5
© 2008 Research In Motion Limited. All rights reserved. www.blackberry.
Contents
Wireless security 6
BlackBerry Enterprise Solution security 6
BlackBerry Enterprise Solution security features
BlackBerry architecture component security 33
BlackBerry Infrastructure 33
BlackBerry Enterprise Server 34
Messaging server
Controlling BlackBerry device behavior using IT policy rules 55
Enforcing BlackBerry device and BlackBerry Desktop Software security 56
Controlling BlackBerry device access to the BlackBerry Enterprise Server 56
Controlling wireless software upgrades using the BlackBerry Enterprise Server
Encryption algorithms that the BlackBerry device supports for use with layer 2 security methods 83
EAP authentication methods and encryption algorithms with which the BlackBerry device supports the use of CCKM 84
VPN solution on the Wi-Fi enabled BlackBerry device
This document describes the security features of the BlackBerry® Enterprise Solution and provides an overview of the BlackBerry security architecture. Unless otherwise stated, the features described are those that BlackBerry® Enterprise Server Version 4.1 SP5, BlackBerry® Desktop Software Version 4.5, and BlackBerry® Device Software Version 4.5 support.
Concept: authenticity
Description: enables the message recipient to identify and trust the identity of the message sender
BlackBerry Enterprise Solution implementation: Require that the BlackBerry device authenticate itself to the BlackBerry Enterprise Server to prove that it knows the master encryption key before the BlackBerry Enterprise Server can send data to the BlackBerry device.
Feature: control BlackBerry device and BlackBerry Desktop Software functionality
Description:
• Send wireless commands to turn on and turn off BlackBerry device functionality, delete information from BlackBerry devices, and lock BlackBerry devices.
• Send IT policies to BlackBerry devices to customize security settings for BlackBerry device users or groups of BlackBerry device users on a BlackBerry Enterprise Server.
Description: The BlackBerry Enterprise Solution allows administrators to apply an encoding scheme to BlackBerry data using transcoder application code. Third-party application developers can create encoding schemes that encrypt, convert, or otherwise change the format of BlackBerry device data.
Software versions supported:
• BlackBerry Enterprise Server Version 4.1 SP5 or later
• BlackBerry Device Software Version 4.5 or later
Messaging server platform: IBM® Lotus® Domino®
• Messaging server storage location: the BlackBerry profiles database
• BlackBerry device storage location: a key store database in flash memory
• BlackBerry Enterprise Server storage location: the BlackBerry Configuration Database
Messaging server platform: Microsoft® Exchange
• Messaging server storage location: the computer email application user mailbox
• BlackBerry device storage location: a key store database in flash memory
• BlackBerry Enterprise Server storage location: the BlackBerry Configuration Database
Messaging server platform: Novell® GroupWise®
• Messaging server storage location: not stored
• BlackBerry device storage location: a key store database in
Profiles database stores an account record containing the field RIMCurrentEncryptionKeyText, which stores the master encryption keys as a hexadecimal string, for every BlackBerry device user.
How master encryption keys are generated
Both the BlackBerry Enterprise Server administrator and a BlackBerry device user can generate and regenerate master encryption keys.
5. The BlackBerry Desktop Software uses the first 256 bits if it is generating the master encryption key using AES encryption or the first 128 bits if it is generating the master encryption key using Triple DES encryption. The BlackBerry Desktop Software discards any unused bits.
BlackBerry Enterprise Server versions earlier than 4.0 use a different desktop-based master encryption key generation process.
Process for generating message keys on the BlackBerry Enterprise Server
The BlackBerry Enterprise Server is designed to seed a DSA PRNG function to generate a message key using the following process:
1. The BlackBerry Enterprise Server obtains random data from multiple sources for the seed, using a technique derived from the initialization function of the ARC4 encryption algorithm.
2.
7. The DSA PRNG function generates 128 pseudo-random bits for use with Triple DES and 256 pseudo-random bits for use with AES.
8. The BlackBerry device uses the pseudo-random bits with the appropriate algorithm to generate the message key.
3. The locked BlackBerry device uses the ECC public key to encrypt data that it receives.
Process for decrypting user data on an unlocked BlackBerry device
1. A user types the correct BlackBerry device password to unlock the BlackBerry device.
2. The BlackBerry device uses the BlackBerry device password to derive the ephemeral 256-bit AES encryption key again.
3.
verifies that a BlackBerry message remains protected in transit to the BlackBerry Enterprise Server while the message data is outside your organization’s firewall. The BlackBerry Enterprise Solution uses either the Triple DES or the AES algorithm for standard BlackBerry encryption.
Standard BlackBerry message encryption
Standard BlackBerry encryption is designed to encrypt messages that the BlackBerry device sends or that the BlackBerry Enterprise Server forwards to the BlackBerry device.
Permitting third-party applications to encode BlackBerry device data
The BlackBerry Enterprise Server and the BlackBerry Device Software support a Transcoder API. This API permits third-party application developers to create encoding schemes that encrypt, convert, or otherwise change the format of data, and apply an encoding scheme to BlackBerry device data using transcoder application code.
The BlackBerry Enterprise Server is designed to maintain a constant, direct outbound TCP/IP connection to the wireless network over the Internet through the firewall on port 3101 (or 4101 in the case of a BlackBerry device that supports implementation alongside an enterprise Wi-Fi network). This constant connection enables the efficient, continuous delivery of data to and from the BlackBerry device.
8.
The system administrator can install the BlackBerry Attachment Service on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Attachment Service to another computer within your organization’s network. In a segmented network, attacks are isolated and contained in a single area of the network.
with Triple DES to encrypt PIN messages, every BlackBerry device can decrypt every PIN message that it receives because every BlackBerry device stores the same global peer-to-peer encryption key.
Turning off unsecured messaging
The BlackBerry Enterprise Server administrator can turn off unsecured messaging to make sure that all communication originating at BlackBerry devices in your organization travels through the enterprise messaging environment.
Scenario: turn off PIN messaging
Description: Set the Allow Peer-to-Peer Messages IT policy rule to False.
The BlackBerry device is designed to use the BlackBerry MDS Connection Service, which resides on the BlackBerry Enterprise Server, to connect to the PGP Universal Server and to the external LDAP PGP key server(s) that the BlackBerry device user sets on the BlackBerry device.
algorithms to encrypt PGP messages. The BlackBerry Enterprise Server administrator can set the PGP Allowed Content Ciphers IT policy rule to encrypt PGP messages using any of AES (256-bit), AES (192-bit), AES (128-bit), CAST (128-bit), and Triple DES (168-bit). The message recipient’s PGP key indicates which content ciphers the recipient can support, and the BlackBerry device is designed to use one of those ciphers.
4. The BlackBerry Enterprise Server removes the standard BlackBerry encryption and sends the S/MIME-encrypted message to the recipient.
If the S/MIME Support Package for BlackBerry devices exists on a BlackBerry device, when the user receives a message on the BlackBerry device, the BlackBerry device decrypts the message using the following process:
1. The BlackBerry Enterprise Server receives the S/MIME-protected message.
2.
Decrypting and reading messages on the BlackBerry device using Lotus Notes API 7.0
The BlackBerry® Enterprise Server Version 4.1 or later for IBM® Lotus® Domino® with Lotus Notes® API 7.0 automatically turns on support for reading IBM Lotus Notes encrypted messages and S/MIME-encrypted messages on the BlackBerry device. Lotus Notes API 7.0 requires the BlackBerry device user’s Notes .id file and password to decrypt the received secure messages.
The encrypted Notes .id password remains stored in the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory cache. The BlackBerry Enterprise Server administrator can customize the length of time for which the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent caches the password. The BlackBerry Enterprise Server administrator can also set the timeout value to 0 to require the BlackBerry device user to type the Notes .
Database: BlackBerry profiles
Message storage method:
• stores important configuration information for each BlackBerry device user, including the BlackBerry device identification information and master encryption key
• stores a link to a user’s BlackBerry state database and stores other information that the BlackBerry Enterprise Server uses to manage the flow of messages to and from the BlackBerry device
IT policy signing and storage on the BlackBerry device
An IT po
• external file encryption by encrypting specific files on the external memory device using AES
The external file system encryption does not apply to files that the BlackBerry device user manually transfers to external memory (for example, from a USB mass storage device).
Item: calendar
Description:
• subject
• location
• organizer
• attendees
• notes included in the appointment or meeting request
Item: contacts (in the address book)
Description: all information except the contact title and category
Note: Set the Force Include Address Book In Content Protection IT policy rule to True to prevent the BlackBerry device user from turning off the Include Address Book option on the BlackBerry device.
Protected storage of master encryption keys on a locked BlackBerry device
If the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys, the BlackBerry device uses the grand master key to encrypt the master encryption keys stored in flash memory and encrypts the grand master key using the content protection key.
• periodically runs the memory cleaner application, which tells BlackBerry device applications to empty any caches and free memory associated with unused, sensitive application data
• automatically overwrites the memory freed by the memory cleaner application when it runs
Any of the following conditions enable the BlackBerry device to perform secure garbage collection:
• content protection is turned on
• an application uses the RIM Cryptographic Application Programm
BlackBerry architecture component security
The BlackBerry Enterprise Server consists of services that provide functionality and components that monitor services and processes, route, compress, and encrypt data, and communicate with the BlackBerry Infrastructure over the wireless network.
BlackBerry Enterprise Server architecture
For more information on the BlackBerry Enterprise Server architecture, see the BlackBerry Enterprise Server Feature and Technical Overview.
BlackBerry Enterprise Server
The BlackBerry Enterprise Server is designed to establish a secure, two-way link between a BlackBerry device user’s work email account and that user’s BlackBerry device. The BlackBerry Enterprise Server uses this link to complete message delivery within the protection of your organization’s firewall.
Configuration option: shield your Microsoft SQL Server installation from Internet-based attacks
Recommendations:
• Require Windows Authentication Mode for connections to Microsoft SQL Server to restrict connections to Microsoft® Windows® user and domain user accounts and enable credentials delegation. Windows Authentication Mode eliminates the need to store passwords on the client side.
Configuration option: Use a secure file system
Recommendations:
• Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and enables security options such as file and directory ACLs and EFS.
• Do not change the permissions that the Microsoft SQL Server sets during installation. The Microsoft SQL Server sets appropriate ACLs on registry keys and files if it detects NTFS.
Protecting the BlackBerry Enterprise Solution connections
The BlackBerry Enterprise Server is designed to communicate with the BlackBerry Infrastructure using SRP authentication to establish a connection to the wireless network. The BlackBerry Enterprise Server contacts the BlackBerry Infrastructure to establish an initial connection using SRP.
Step 3
Action: The BlackBerry Enterprise Server sends a challenge string to the BlackBerry Infrastructure.
Description: When the BlackBerry Enterprise Server receives the BlackBerry Infrastructure challenge string, it sends a challenge string to the BlackBerry Infrastructure.
Step 4
Action: The BlackBerry Infrastructure sends a challenge response to the BlackBerry Enterprise Server.
Scenario: The connection between the BlackBerry Enterprise Server and the BlackBerry Infrastructure terminates.
Result:
• The BlackBerry Infrastructure informs the source BlackBerry device that the message could not be delivered and deletes the message after trying for 10 minutes.
• When the connection is re-established, the BlackBerry Enterprise Server resends the undelivered message to the recipient BlackBerry device.
For more information about the BlackBerry Router protocol and the authentication process, see “Masking operation process that the AES implementation uses when content protection is turned on” on page 77.
Authentication during wireless enterprise activation
Wireless enterprise activation enables a BlackBerry device user to activate a supported BlackBerry device on the BlackBerry Enterprise Server without a physical connection to a computer.
Step 6
Action: The BlackBerry Enterprise Server sends data to the BlackBerry device.
Description: If wireless PIM synchronization and wireless backup are enabled for the BlackBerry device user, the BlackBerry Enterprise Server sends the following data to the user’s BlackBerry device:
• calendar entries
• contacts, tasks, and memos
• existing BlackBerry device options (if applicable) that the BlackBerry device backed up using automatic wireless backup
Security measure: The BlackBerry device initiates inbound connections using the BlackBerry Router to an enterprise Wi-Fi network only.
Description: The BlackBerry Router sends the Internet or intranet content requests from the BlackBerry device over port 4101 to the enterprise Wi-Fi network. The BlackBerry Router verifies that the PIN belongs to a valid BlackBerry device that is registered on the wireless network.
2. The BlackBerry Desktop Software implementation of the secure channel technology uses the shared secret password and the ECDH protocol with a 521-bit curve to create a master encryption key.
3. The secure channel technology uses the master encryption key to create two encryption keys and two HMAC-SHA-256 keys.
4.
message, the BlackBerry MDS Services security protocol encrypts and decrypts data that the BlackBerry device and the BlackBerry MDS Services send between them.
Authentication process used by the BlackBerry MDS Services security protocol
1. The BlackBerry device generates the 128-bit AES session key.
2.
HTTPS protocol: Handheld mode TLS/SSL
BlackBerry MDS encryption method: TLS and WTLS key establishment algorithms, symmetric ciphers, and hash algorithms that the RIM Crypto API currently supports on the BlackBerry device
Description:
• The BlackBerry device uses handheld (direct) mode TLS/SSL to encrypt data for the entire connection between the BlackBerry device and the content server.
Authentication process for requests for wireless software upgrades
When the BlackBerry Infrastructure sends a wireless software upgrade communication, it performs the following actions:
1. Generates an ECDSA key periodically, using ECC over a 521-bit curve.
2. Signs the ECDSA key, using a stored root certificate.
3. Signs the wireless software upgrade communication that it sends to the BlackBerry device, using the digitally signed ECDSA key.
segmented network architecture, the system administrator can place the BlackBerry Enterprise Solution components in network segments. To place the BlackBerry Enterprise Solution in multiple network segments, the system administrator must install each component on a remote computer and then place each computer in its own network segment.
Accessing the BlackBerry Infrastructure
Wi-Fi enabled BlackBerry devices can connect directly to the BlackBerry Infrastructure over the Internet for access to voice and data services that a mobile network provider offers, even if UMA is not available.
Enterprise Wi-Fi network security technology: Layer 2 security
Wi-Fi enabled BlackBerry device implementation: Set layer 2 (the IEEE® 802.11® link layer) security methods and protocols for use with layer 2 methods that operate between the BlackBerry device and a wireless access point on the enterprise Wi-Fi network using encryption, or encryption and BlackBerry device user authentication.
After an authentication server permits the supported Wi-Fi enabled BlackBerry device to access the enterprise Wi-Fi network, the access point and the BlackBerry device use IEEE 802.1x EAPoL-Key messages to establish the WEP, TKIP, or AES-CCMP encryption keys, depending on the EAP method that is set on the BlackBerry device.
Authentication method: Using IEEE 802.11i with PSK
Description: Small office and home environments where it is not feasible to set up a server-based authentication infrastructure might use IEEE 802.1x with the PSK method. The access point and the wireless client use a PSK (also known as a passphrase) to mutually derive link layer encryption keys.
the authentication server certificate.
users must authenticate with the WLAN Login application browser using login credentials that the system administrator provides. When the BlackBerry device authenticates with the captive portal, the BlackBerry device user can use the BlackBerry® Browser on the BlackBerry device to access other web sites and data services available on the segregated Wi-Fi network. The BlackBerry device is designed to support web browsing using the BlackBerry MDS Connection Service.
For more information, see the BlackBerry Smart Card Reader Security Technical Overview.
Binding the smart card to the BlackBerry device
If a user has a smart card authenticator, smart card driver, and smart card reader driver installed on their BlackBerry device, either the BlackBerry Enterprise Server administrator or that user can initiate two-factor authentication on the BlackBerry device to bind the BlackBerry device to the installed smart card.
Field: Initialized
Description: indicates whether the BlackBerry device is authenticated with and bound to the smart card
• a value of Yes indicates that the BlackBerry device is bound to the smart card
• a value of No indicates that the BlackBerry device is not bound to the smart card
Controlling BlackBerry devices
With the BlackBerry Enterprise Solution, the BlackBerry Enterprise Server administrator can monitor and control all BlackBerry devices over the wireless
Creating new IT policy rules to control custom applications
Create new IT policy rules to control custom applications that your organization develops to run in BlackBerry environments. After the BlackBerry Enterprise Server administrator creates a new IT policy rule, the BlackBerry Enterprise Server administrator can add it to, and assign a value to it in, any new or existing IT policy.
The BlackBerry Enterprise Server administrator can define the following types of criteria:
• specific, permitted BlackBerry device PINs as a string
• a permitted range of BlackBerry device PINs
The BlackBerry Enterprise Server administrator can also control access based on specific manufacturers and models of BlackBerry devices.
connection. BlackBerry devices and the BlackBerry Desktop Software can use CHAP to send a challenge and subsequently use the SHA-1 algorithm to either calculate a response to the challenge or validate the response of the other party, depending on which party initiated the Bluetooth link establishment process.
How the BlackBerry device protects its operating system and the BlackBerry Device Software
Each time a user turns on the BlackBerry device, specific components on the BlackBerry device automatically check the authenticity of the operating system and the integrity of the BlackBerry Device Software.
• specify whether or not applications, including third-party applications, on the BlackBerry device can initiate specific types of connections
Note: The BlackBerry Enterprise Server administrator cannot use an IT policy to permit or prevent downloading specific applications on the BlackBerry device. The BlackBerry Enterprise Server administrator can do this using one or more application control policies.
Each third-party application requires authorization to run on the BlackBerry device. MIDlets (applications that use standard MIDP and CLDC APIs only) cannot write to memory on a BlackBerry device, access the memory of other applications, or access the persistent data of other MIDlets unless they are digitally signed by RIM’s signing authority system.
Remotely resetting the password of a content protected BlackBerry device
The remote password reset cryptographic protocol is designed to allow the BlackBerry Enterprise Server administrator to set the BlackBerry device password remotely, even if content protection is enabled on the BlackBerry device. The BlackBerry device does not prompt the user for the old BlackBerry device password.
IT policy rule: Secure Wipe if Low Battery
Description: Set this IT policy rule to require that, if the BlackBerry device battery power is insufficient to receive IT policy updates or IT administration commands, the BlackBerry device permanently deletes its user and application data. The BlackBerry device wipe process is designed to delete all data in memory and overwrite memory with zeroes.
do not exist on the BlackBerry device (in other words, if there is no connection between the BlackBerry Enterprise Server and the BlackBerry device).
• The BlackBerry Enterprise Server administrator clicks Nuke Handheld in the BlackBerry Manager. This option overwrites all contents in BlackBerry device memory with zeroes.
Related resources
Resource: BlackBerry Enterprise Server Feature and Technical Overview
Information:
• BlackBerry Enterprise Server architecture
Resource: BlackBerry Enterprise Server Wi-Fi Implementation Supplement
Information:
• understanding configuration options for implementing a BlackBerry device on an enterprise Wi-Fi network
• administering and troubleshooting a BlackBerry device on an enterprise Wi-Fi network
• network environment settings
• messaging and collaboration envir
Resource: Garbage Collection in the BlackBerry Java Development Environment
Information:
• cleaning BlackBerry device memory
Resource: Policy Reference Guide
Information:
• list of BlackBerry Enterprise Server IT policy rules, application control policy rules, and MDS policy rules
• using IT policies, application control policies, and MDS policies
• PGP security and encryption
• using PGP Universal Server to store and manage PGP keys
• searching for and validating PGP keys
• send
Resource: Visit www.blackberry.com/security.
Information:
• www.blackberry.
Appendix A: RIM Crypto API Interface
The RIM Crypto API on the BlackBerry device and in the BlackBerry JDE provides developers with a toolkit of cryptographic algorithms and support tools that they can use to create secure applications for business connectivity. RIM uses code signing to authorize running secure applications on the BlackBerry device and to control third-party application access to the RIM Crypto API.
Key agreement scheme algorithms
Algorithm; Key length (bits); Type
DH; 512 to 4096; discrete logarithm
KEA; 1024; discrete logarithm
ECDH; 160 to 571; (EC) discrete logarithm
ECMQV; 160 to 571; (EC) discrete logarithm
Signature scheme algorithms
Algorithm; Key length (bits); Type
DSA; 512 to 1024; discrete logarithm
RSA using PKCS #1 (version 1.5 and 2.0); 512 to 4096; integer factorization
RSA using ANSI X9.31
Note: ANSI X9.
Code; Digest length (bits)
RIPEMD-128, 160; 128, 160
Appendix B: TLS and WTLS standards that the RIM Crypto API supports
The TLS and WTLS protocol cipher suite components that the RIM Crypto API supports apply only to WTLS and handheld (direct) mode TLS/SSL on the BlackBerry device.
Symmetric algorithms that the RIM Crypto API supports
Direct mode SSL: RC4 40, DES 40, DES, Triple DES, RC4 128
Direct mode TLS: RC4 40, RC4 56, RC4 128, DES 40, DES, Triple DES, AES 128, AES 256
WTLS: RC5 40, RC5 56, RC5 64, RC5, RC5 128, DES 40, DES, Triple DES, RC4 128
Hash algorithms that the RIM Crypto API supports
Direct mode SSL: MD5, SHA-1
Direct mode TLS: MD5, SHA-1
WTLS: SHA, SHA-40, SHA-80, MD5, MD5 40, MD5 80
Appendix C: Previous version of wired master encryption key generation
Each time a BlackBerry Enterprise Server or BlackBerry Desktop Software version earlier than 4.0 calls the master encryption key generation function, the C language srand function is seeded with the current time to generate a seed for the C language rand function.
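The following is an added example, not RIM's code, that models the pre-4.0 clock-seeded generator described above beside the OS CSPRNG alternative that replaces it; Python's Mersenne Twister, the function names, and the fixed timestamp are stand-ins I chose for the C srand/rand pair.

```python
"""Why seeding a key generator from the clock is unsafe: two generators
seeded in the same second produce the same key, and the whole seed space
is only as large as the clock window an observer can bound.
Added illustration; not the BlackBerry implementation."""
import math
import os
import random
import time


def clock_seeded_key(seed_seconds: int, key_bytes: int = 16) -> bytes:
    """Model of the legacy scheme: a non-cryptographic PRNG (Python's
    Mersenne Twister stands in for C rand()) seeded with a whole second
    from the clock, as srand(time) would be. Hypothetical stand-in."""
    prng = random.Random(seed_seconds)
    return bytes(prng.getrandbits(8) for _ in range(key_bytes))


def key_from_current_clock(key_bytes: int = 16) -> bytes:
    """Generate a key the weak way: seed from the current second."""
    return clock_seeded_key(int(time.time()), key_bytes)


def csprng_key(key_bytes: int = 16) -> bytes:
    """Hardened form: take key material straight from the OS CSPRNG,
    which is what a 128-bit Triple DES or 256-bit AES key needs."""
    return os.urandom(key_bytes)


def seed_entropy_bits(window_seconds: int) -> float:
    """Effective entropy of a clock seed when the generation time is known
    to lie within window_seconds: log2 of the number of candidate seeds,
    regardless of the nominal 128- or 256-bit key length."""
    return math.log2(window_seconds)


def demo() -> dict:
    """Run the comparison on a constructed, fixed timestamp."""
    t = 1_200_000_000  # constructed timestamp so the demo is reproducible
    first = clock_seeded_key(t)
    second = clock_seeded_key(t)  # another host generating in the same second
    return {
        "same_second_same_key": first == second,
        "urandom_keys_differ": csprng_key() != csprng_key(),
        "entropy_bits_one_day_window": seed_entropy_bits(86_400),
    }


if __name__ == "__main__":
    print(demo())
```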
Appendix D: BlackBerry device wipe process
A BlackBerry device wipe is designed to delete and overwrite the BlackBerry device memory using the following process:
1. The BlackBerry device sets a Device Under Attack flag in the NV store.
4. Clears all bytes to 0xFF (1111 1111₂).
5. Writes 0x55 to each byte (0101 0101₂).
6. Clears all bytes to 0xFF (1111 1111₂).
7. Writes 0xAA to each byte (1010 1010₂).
8. Clears all bytes to 0xFF (1111 1111₂).
Appendix E: Ephemeral AES encryption key derivation process
The BlackBerry device uses an ephemeral 256-bit AES encryption key to encrypt the content protection key and the ECC private key. The BlackBerry device derives the ephemeral 256-bit AES encryption key from the BlackBerry device password using the following process:
1. The BlackBerry device selects a 64-bit salt (random data to mix with the BlackBerry device password).
Appendix F: Power and electromagnetic side-channel attacks and countermeasures
The BlackBerry device implementation of AES is designed to protect user data and encryption keys from traditional and side-channel attacks.
How the AES algorithm creates S-Box tables
The BlackBerry device permutes each AES S-Box entry randomly and masks each entry with a random value.
How the AES algorithm calculation uses round keys
The BlackBerry device masks the round keys (subkeys that the key schedule calculates for each round of encryption) with random values and any S-Box masks that the AES algorithm requires to operate.
Appendix G: BlackBerry Router protocol
When the BlackBerry Enterprise Server and the BlackBerry device use the BlackBerry Router protocol to open a connection between them, the BlackBerry Router protocol is designed to use its unique authentication protocol to verify that the BlackBerry device has the correct master encryption key while preventing the BlackBerry Router from knowing the value of the master encryption key.
device. The attacker must send the master encryption key value $s$ to the BlackBerry Enterprise Server, which requires effectively solving the discrete logarithm problem to determine $s$ or the hash of $s$.
Impersonating a BlackBerry Enterprise Server
An impersonation of the BlackBerry Enterprise Server occurs when the attacker sends messages to the BlackBerry device so that the BlackBerry device believes it is communicating with the BlackBerry Enterprise Server.
If the BlackBerry device accepts y_B, the BlackBerry Enterprise Server and the BlackBerry device open an authenticated connection between them. If the BlackBerry device calculates that y_B P + e_B R_B ≠ hP, the BlackBerry device rejects the connection attempt. The BlackBerry Enterprise Server and the BlackBerry device do not open an authenticated connection between them.
Appendix H: Enterprise Wi-Fi security methods that the BlackBerry device supports

EAP authentication methods that the BlackBerry device supports

The BlackBerry device supports EAP authentication methods with protected WLAN networks only.

Authentication method | Description | BlackBerry device implementation
LEAP | Cisco® developed LEAP in response to the weaknesses identified in WEP. LEAP uses the IEEE 802.1x authentication framework. |
Authentication method | Description | BlackBerry device implementation
EAP-TTLS | EAP-TTLS is designed to extend EAP-TLS by enabling authentication from the authentication server to the supplicant. When the authentication server has used its certificate to authenticate to the supplicant successfully and established a secure connection to the BlackBerry device, the server can use an authentication protocol over the established secure connection to authenticate the supplicant. |
Protocol | Description | Wi-Fi enabled BlackBerry device implementation
TKIP | TKIP is part of the IEEE 802. | The Wi-Fi enabled BlackBerry device supports the use of TKIP with
VPN solution on the Wi-Fi enabled BlackBerry device

The Wi-Fi enabled BlackBerry device has a built-in VPN client that supports several VPN concentrators. Visit www.blackberry.com/products/wlan/sys_req.shtml for a list of currently supported VPN concentrators. If the Wi-Fi enabled BlackBerry device has a VPN profile, it logs into the VPN concentrator automatically after connecting to the enterprise Wi-Fi network.
• RSA_WITH_RC4_128_MD5
• RSA_WITH_3DES_EDE_CBC_SHA
• RSA_WITH_AES_128_CBC_SHA
• RSA_WITH_AES_256_CBC_SHA
• TLS
Appendix J: RSA SecurID software token tokencode generation process

1. An administrator uses the RSA Authentication Manager to import the seed in the form of a soft token file in .asc format into the software token database.
2. The administrator uses the RSA Authentication Manager to issue the software token file in .sdtid format.
3. The BlackBerry device receives B and verifies that B is a valid public key.
4. The BlackBerry device performs the following actions:
   • picks d randomly
   • calculates D = dP
   • stores D in flash memory
   • calculates K = dB
5. The BlackBerry device uses K to encrypt the current BlackBerry device password, and uses the encrypted password to encrypt the content protection key.
6. The BlackBerry device permanently deletes d and K.
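The acceptance check from Appendix G (y_B P + e_B R_B = hP) and the D = dP, K = dB agreement in steps 3 to 6 above, as one added Python example; it is not RIM's code and is shared between the two passages because both need the same elliptic-curve arithmetic. It uses a textbook toy curve (y^2 = x^3 + 2x + 2 over F_17, base point (5, 1) of prime order 19) so every value can be checked by hand; a real deployment uses a standard curve. For the Appendix G part, the commitment R_B = r_B P and the response y_B = h - e_B r_B (mod n) are my assumption about the form of the messages, chosen so that the page's verification equation holds; the BlackBerry Router protocol's actual message flow is not on this page. For the key agreement, the property shown is standard: only the holder of b can recompute K from the stored D after the device has deleted d and K.

```python
import hashlib
import secrets

# Toy curve for illustration (assumption): y^2 = x^3 + 2x + 2 over F_17.
# Base point P = (5, 1) has prime order 19, so every non-identity point generates the group.
FIELD = 17
A, B_COEF = 2, 2
P_BASE = (5, 1)
ORDER = 19
INF = None  # point at infinity


def on_curve(pt) -> bool:
    return pt is not INF and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B_COEF)) % FIELD == 0


def ec_add(p, q):
    """Affine point addition covering doubling and the identity."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    lam %= FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    y3 = (lam * (x1 - x3) - y1) % FIELD
    return (x3, y3)


def ec_mul(k: int, p):
    """Double-and-add scalar multiplication k*p."""
    result, addend = INF, p
    k %= ORDER
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def random_scalar() -> int:
    return secrets.randbelow(ORDER - 1) + 1  # 1 .. ORDER-1


# --- Appendix G: does y_B P + e_B R_B equal hP? ---

def key_hash_scalar(master_key: bytes) -> int:
    """h = hash of the master key s; reduced mod ORDER only because the toy group is tiny."""
    return int.from_bytes(hashlib.sha256(master_key).digest(), "big") % ORDER


def server_commit():
    """Assumed commitment: pick r_B, send R_B = r_B P."""
    r = random_scalar()
    return r, ec_mul(r, P_BASE)


def server_respond(h: int, r: int, e: int) -> int:
    """Assumed response y_B = h - e_B r_B (mod n); the router sees y_B but not h."""
    return (h - e * r) % ORDER


def device_accepts(h: int, R_B, e: int, y: int) -> bool:
    """The page's check: accept only if y_B P + e_B R_B == hP."""
    return ec_add(ec_mul(y, P_BASE), ec_mul(e, R_B)) == ec_mul(h, P_BASE)


# --- Steps 3 to 6: content protection key agreement ---

def server_keypair():
    b = random_scalar()
    return b, ec_mul(b, P_BASE)  # B = bP is what the device receives


def device_derive(B):
    """Step 3: validate B. Step 4: pick d, D = dP, K = dB. Returns (D, K); d is dropped."""
    if not on_curve(B):
        raise ValueError("B is not a valid public key")
    d = random_scalar()
    return ec_mul(d, P_BASE), ec_mul(d, B)


def server_recover(b: int, D):
    """With d and K deleted on the device, only b together with the stored D gives K = bD = dB."""
    return ec_mul(b, D)


if __name__ == "__main__":
    h = key_hash_scalar(b"constructed master encryption key")
    r, R = server_commit()
    e = random_scalar()                      # device's challenge
    print("accept:", device_accepts(h, R, e, server_respond(h, r, e)))
    b, B = server_keypair()
    D, K = device_derive(B)                  # device keeps D, deletes d and K
    print("server recovers K:", server_recover(b, D) == K)
```

Note the asymmetry the page relies on in both appendices: the values that cross the BlackBerry Router or sit in flash (R_B, y_B, D) are points or scalars from which recovering the secret (h, or d) is a discrete logarithm, while the legitimate peer only ever needs a scalar multiplication.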
Protocol process

When the BlackBerry Enterprise Server administrator sends the Set a Password and Lock Handheld IT administration command to a content-protected BlackBerry device, the following actions occur.

1. The BlackBerry Enterprise Server administrator types the new BlackBerry device password in the BlackBerry Manager.
2.
Part number: 17930884 Version 2 ©2008 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType® and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used as trademarks in the U.S., Canada, and countries around the world. Bluetooth is a trademark of Bluetooth SIG. Cisco is a trademark of Cisco Systems, Inc. Entrust is a trademark of Entrust, Inc.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights.