Blackberry Smart Card Reader
BlackBerry - SMART card reader - contact - Bluetooth - External
The BlackBerry Smart Card Reader is designed to allow mobile personnel to meet operational requirements for using multi-factor authentication with Bluetooth-enabled Microsoft Windows computers, BlackBerry smartphones, PKI applications and for highly secure web browsing - without negatively impacting the user experience. The BlackBerry Smart Card Reader is designed to solve a fundamental security concern for organizations, helping eliminate unauthorized access to unlocked computers and BlackBerry...
User reviews and opinions
gap82
2:55am on Saturday, September 11th, 2010
The BlackBerry 9000 Bold takes the best of everything that BlackBerry has previously produced, and adds in 3G. Smartphone operating system with Java based RIM OS 2.2.0, full QWERTY keyboard, Bluetooth, viewer files: Word, Excel, PowerPoint.

buy viagra online
1:11am on Monday, August 9th, 2010
Why would anyone pay that much for a phone...is it made out of gold. Especially with today's economy. This is the first BlackBerry I have had and I never want to get a new one. The internet is great and fast.

dbmethods
5:30pm on Tuesday, June 1st, 2010
The BlackBerry Bold 9000 is the best BlackBerry I have used to date. I switched from an iPhone 3G and I have no regrets.

tuxcl
2:22pm on Sunday, May 9th, 2010
This is my first BB. Had a few problems but after exchange, hope everything will remain good durable, games, good for texting battery life. I have been a loyal BB customer for 5 years now. In 5 years I have gone through at least 12 units. 3 this year alone. I also take care of my phones.

Garzo
7:57am on Thursday, April 29th, 2010
I like the phone as it was a replacement for an equal one that was stolen. The only issue that I had is that the unit that I got. According to the listing, this is a QWERTY phone. BUT IT IS NOT. It is a QWERTZ. The first thing I noticed is the QWERTZ keyboard instead of QWERTY.
Comments posted on www.ps2netdrivers.net are solely the views and opinions of the people posting them and do not necessarily reflect the views or opinions of us.
Documents

BlackBerry Smart Card Reader
A small, lightweight and wearable smart card reader that enables controlled access to BlackBerry smartphones and computers.
For More Information
To learn more about BlackBerry Smart Card Reader visit: www.blackberry.com/go/smartcardreader or contact your BlackBerry sales representative
To Purchase
Purchase BlackBerry Smart Card Reader: Online: www.blackberry.com/go/smartcardreader By telephone: 1-800-327-9085 Or email: sales@blackberry.net.
* Requires BlackBerry Enterprise Software v4.0.2 or higher. Available for BlackBerry Enterprise Server for Microsoft Exchange and BlackBerry Enterprise Server for IBM Lotus Domino only. Requires appropriate software drivers.
© 2008 Research In Motion Limited. All rights reserved. BlackBerry, RIM, Research In Motion, SureType and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Images are simulated. Printed in Canada. MKT-14142-0022
Making It Easier Than Ever to Comply with Operational Requirements for Two-factor Authentication
Communicate Without Compromise
Mobility That Doesn't Sacrifice Security
The BlackBerry Smart Card Reader builds on the security, flexibility and mobility of the trusted BlackBerry Enterprise Solution.
The BlackBerry Smart Card Reader allows mobile personnel to meet operational requirements for using two-factor authentication with Bluetooth-enabled Microsoft Windows computers, BlackBerry smartphones, PKI applications and for secure web browsing without negatively impacting the user experience. The BlackBerry Smart Card Reader can replace serial or USB based card readers, even if your organization has not deployed a BlackBerry solution. This enables you to benefit from un-tethered access to your smart card credentials from your desktop or laptop computer.
The BlackBerry Smart Card Reader is designed to minimize the impact of operational requirements on users, making it easier for them to comply with your security policies.
The BlackBerry Smart Card Reader can help your organization:

Increase Security Compliance
Increasing the convenience and comfort of using smart cards with BlackBerry smartphones and computers helps to ensure that users comply with organizational security directives. Using IT policy controls, BlackBerry smartphones and computers can be configured to lock if the BlackBerry Smart Card Reader goes out of range, rendering the smartphone or computer unusable and information inaccessible until proximity is restored and user authentication requirements have been met.

Meet Strict Government Security Requirements
The BlackBerry Smart Card Reader uses FIPS 140-2 validated encryption technology. Built on the proven BlackBerry Java Virtual Machine (JVM), the BlackBerry Smart Card Reader uses an AES-256 encryption overlay for Bluetooth. It allows organizations using smart cards to add additional security features to the industry leading BlackBerry Enterprise Solution security architecture.

Provide an Enhanced User Experience Compared With Competing Solutions
The slim, lightweight BlackBerry Smart Card Reader features long battery life and Bluetooth technology that allows users to comfortably wear the reader on a lanyard. No more heavy peripherals or bulky smartphone attachments are required for authenticating to BlackBerry smartphones or computers with smart cards.

Manage Key Lifetimes Wirelessly
System administrators gain additional control over the wireless environment with the ability to wirelessly manage security key lifetimes on the BlackBerry Smart Card Reader through the BlackBerry Enterprise Server.*
Prevent Unauthorized Access
The BlackBerry Smart Card Reader is designed to solve a fundamental security concern for organizations, helping eliminate unauthorized access to unlocked computers and BlackBerry smartphones. Instead of inserting the smart card into a stationary reader or bulky peripheral attachment which can easily be left behind, users insert a smart card into this lightweight reader and wear it on a lanyard, causing smartphones and computers to lock when the user is not in proximity.
Advanced Security Features
When used with the BlackBerry Enterprise Solution, the BlackBerry Smart Card Reader supports advanced security features to meet IT and public sector requirements, including:
- AES-256 encryption
- FIPS 140-2 validated encryption module
- S/MIME support
- Wireless IT policy enforcement on smartphones
S/MIME Support
The BlackBerry Smart Card Reader works with certificates on smart cards to leverage your organization's S/MIME infrastructure and is designed to enable your employees to digitally sign and encrypt messages on either their BlackBerry smartphones or computers to provide sender-to-recipient security.
Specifications
Size: 4.06 x 2.3 x 0.81 inches/10.32 x 5.85 x 2.056 cm (L x W x D)
Weight: Approximately 2.6 oz/73.6 g
User Input: Single button control
Bluetooth: Support for version 1.2 with AES-256 encryption security overlay
Card Standards: ISO 7816 and T=0 and T=1 protocols; Windows Hardware Quality Labs and PC/SC Compliant
Notification: LCD and multi-color LED on the reader with some notifications appearing on the paired BlackBerry smartphone
User Interface: Intuitive menus and dialogs appear on the BlackBerry smartphone
Battery: Removable and rechargeable Lithium cell that is compatible with existing BlackBerry chargers
Security:
- IT Policy to control lifetime of keys on reader and BlackBerry smartphone
- Certified AES-256 Bluetooth security overlay
- FIPS 140-2 validated encryption module
- Tightly integrated with the S/MIME Support Package for the BlackBerry Enterprise Solution
- Coverity Certified for Quality Code Level 2 and Secure Code Level 2
System Requirements and Compatibility
The BlackBerry Smart Card Reader works with:
- BlackBerry Enterprise Server Software v3.6 and higher
- All Bluetooth-enabled BlackBerry smartphones
- A Bluetooth-enabled computer with Windows XP Service Pack 2 or Windows Vista
- All ISO 7816 compliant smart cards
- Out of the box support for Common Access Cards (CACs) and Safenet 330 cards
- 3V and 5V smart cards

Third parties will be able to implement support for any card using the published BlackBerry Smart Card APIs.
The BlackBerry Smart Card Reader Desktop Application v1.5 is Coverity Certified for Quality Code Level 2 and Secure Code Level 2. For more information on the BlackBerry Smart Card Reader Desktop Application certification, please visit http://certified.coverity.com
BLACKBERRY SMART CARD READER

BlackBerry Smart Card Reader
Version 1.5 Service Pack 1 Security Technical Overview
2007 Research In Motion Limited. All rights reserved.
www.blackberry.com
Contents
BlackBerry Smart Card Reader
Authenticating a user using a smart card
Integrating a smart card with existing secure messaging technology
New in this release
System requirements
System architecture
BlackBerry Enterprise Solution security
Bluetooth enabled BlackBerry devices
Managing Bluetooth enabled BlackBerry devices
Restricting Bluetooth technology on the computer
Bluetooth security measures on the BlackBerry Smart Card Reader
BlackBerry Smart Card Reader security
Control Bluetooth connections from third-party applications
Managing BlackBerry Smart Card Reader technology
Establishing an encrypted and authenticated connection to the BlackBerry Smart Card Reader
Performing the Bluetooth pairing process and the secure pairing process on the BlackBerry device
Performing the Bluetooth pairing process and the secure pairing process on the computer
Reconnecting to the BlackBerry device or computer automatically
Initial key establishment protocol used in the secure pairing process
Connection key establishment protocol used in the secure pairing process
Encrypting and authenticating data on the application layer
Using two-factor authentication
Turning on two-factor authentication on the BlackBerry device
Setting two-factor authentication on the computer
Related resources
Appendix A: BlackBerry Smart Card Reader supported algorithms
Appendix B: Connection key establishment protocol errors
Appendix C: Application layer protocol encryption and authentication
Appendix D: BlackBerry Smart Card Reader shared cryptosystem parameters
Appendix E: Examples of attacks that the BlackBerry Smart Card Reader security protocols are designed to prevent
    Eavesdropping
    Impersonating a BlackBerry device or computer
    Man-in-the-middle attack
    Offline attack
    Offline dictionary attack
    Online dictionary attack
    Small subgroup attack
Appendix F: Smart card binding information
Appendix G: BlackBerry Smart Card Reader reset process
This document describes the security features that the BlackBerry Smart Card Reader Version 1.5 SP1 supports unless otherwise stated. See the documentation for earlier software versions of the BlackBerry Smart Card Reader to determine if an earlier version supports a specific feature. See the BlackBerry Enterprise Solution Security Acronym Glossary for the full terms substituted by the acronyms in this document.
The BlackBerry Smart Card Reader for BlackBerry devices is an accessory that, when used in proximity to certain Bluetooth enabled BlackBerry devices and computers, integrates smart card use with the BlackBerry Enterprise Solution, letting users authenticate with their smart cards to log in to Bluetooth enabled BlackBerry devices and computers. The BlackBerry Smart Card Reader is designed to perform the following actions:
- communicate over the wireless network with Bluetooth wireless technology version 1.1 or later enabled BlackBerry devices and computers using the AES 256 encryption method (by default) on the application layer
- create a reliable two-factor authentication environment for granting users access to BlackBerry and PKI applications
- enable the wireless digital signing and encryption of wireless email messages sent from the BlackBerry device using the S/MIME Support Package
- store all encryption keys in RAM only and never write the keys to flash memory
Authenticating a user using a smart card
The BlackBerry Smart Card Reader allows you to use two-factor authentication, using a smart card, to require users to prove their identities to the BlackBerry devices or computers by two factors:
- what they have (the smart card)
- what they know (their smart card password)
Integrating a smart card with existing secure messaging technology
In addition to standard BlackBerry encryption, you can turn on secure messaging technology to offer an additional layer of security between the sender and the recipient of an email or PIN message. The S/MIME Support Package is designed to let BlackBerry device users who are already sending and receiving S/MIME messages using the email applications on their computers to send and receive S/MIME protected messages using their BlackBerry devices. Users can sign, encrypt, and send S/MIME messages from their BlackBerry devices. BlackBerry devices can decrypt received messages that are encrypted using S/MIME so that users can read them on their BlackBerry devices. Users might require a smart card authenticator module and must have a smart card driver and the BlackBerry Smart Card Reader driver installed on their Bluetooth enabled BlackBerry devices to perform a Bluetooth pairing followed by a secure pairing with their BlackBerry Smart Card Readers. The S/MIME Support Package supports smart card use and includes tools for obtaining certificates and transferring them to the BlackBerry device for use with the S/MIME Support Package. After the BlackBerry device and the BlackBerry Smart Card Reader establish a secure pairing, you can set the S/MIME Force Smartcard Use IT policy rule to require the use of the smart card to sign, encrypt, or sign and encrypt S/MIME-protected messages on the BlackBerry device.
Managing Bluetooth enabled BlackBerry devices
Using BlackBerry Enterprise Server Software Version 4.0 or later, you can set BlackBerry Enterprise Server IT policy rules that are designed to control the behavior of Bluetooth enabled BlackBerry devices, including the following examples:
- prevent Bluetooth enabled BlackBerry devices from establishing a Bluetooth connection to another Bluetooth enabled BlackBerry device, another Bluetooth enabled device, or the BlackBerry Desktop Software
- prevent users from turning on discoverable mode on Bluetooth enabled BlackBerry devices
- require Bluetooth enabled BlackBerry devices to use Bluetooth encryption on all connections
- require Bluetooth enabled BlackBerry devices to prompt the user to type the BlackBerry device password to turn on Bluetooth support
- require Bluetooth enabled BlackBerry devices to prompt the user to type the BlackBerry device password to turn on discoverable mode
- prevent Bluetooth enabled BlackBerry devices from using the Bluetooth Headset Profile, the Bluetooth Handsfree Profile, or the Bluetooth Serial Port Profile
- prevent Bluetooth enabled BlackBerry devices from using wireless bypass over a Bluetooth connection
- prevent Bluetooth enabled BlackBerry devices from sending or receiving address book information over a Bluetooth connection
- prevent Bluetooth enabled BlackBerry devices from making phone calls
See the Policy Reference Guide for more information.
Restricting Bluetooth technology on the computer
On a Bluetooth enabled computer, when a Bluetooth wireless adaptor exists and is turned on, the computer also installs Bluetooth drivers (and a personal area networking device, optionally) for that wireless transceiver. To prevent users without administrator privileges, and external Bluetooth devices other than the BlackBerry Smart Card Reader from using the Bluetooth technology installed on the computer, you or BlackBerry Smart Card Reader users with administrator privileges can restrict the availability of the Bluetooth technology on the computer. See Restricting Bluetooth technology on Bluetooth enabled computers BlackBerry Smart Card Reader Technical Overview for more information about restricting Bluetooth technology on computers in your organization.
Bluetooth security measures on the BlackBerry Smart Card Reader
The following security methods on the BlackBerry Smart Card Reader enhance the existing protection of the Bluetooth wireless technology on Bluetooth enabled BlackBerry devices.

Security method: Limited use of discoverable mode
Description: When the user starts the Bluetooth connection process between the BlackBerry Smart Card Reader and the Bluetooth enabled BlackBerry device or computer, the BlackBerry Smart Card Reader enters into discoverable mode long enough for the BlackBerry device or computer to search for the BlackBerry Smart Card Reader and pair with it. The BlackBerry Smart Card Reader is designed to enter into discoverable mode whenever it displays the reader ID and its LED is solid green.

Security method: Limited use of serial port profiles
Description: The BlackBerry Smart Card Reader uses the Bluetooth Serial Port Profile only, allowing you to use application control to shut down all the other profiles and prevent third-party applications from using the BlackBerry Smart Card Reader.

Security method: Use of Bluetooth pairing process to help prevent passive attack
Description: During the Bluetooth pairing process, the BlackBerry Smart Card Reader uses a random key (unlike the hard-coded keys that headsets and other Bluetooth enabled devices use). Users always start the Bluetooth pairing process from their BlackBerry devices or computers. If a message prompts users to type a pairing password when they did not start a pairing process, they know that another device, which they might not want to connect to, started the pairing process. The Bluetooth pairing process is designed to help prevent a passive attack in which a user with malicious intent tries to search for the BlackBerry device PIN.

Security method: Control of the Bluetooth range
Description: You can use the Maximum Bluetooth Range IT policy rule to control the power level of the Bluetooth wireless transceiver on the BlackBerry Smart Card Reader. Setting the power level also controls the range of proximity between the BlackBerry Smart Card Reader and the BlackBerry device at which the two parties close the Bluetooth connection between them. The range value does not translate to a specific distance because the Bluetooth range is partially determined by the power level. The range value is also heavily influenced by environmental factors, including obstructions and electromagnetic radiation. As a general rule, the Bluetooth range at power setting n+1 is longer than the range at power setting n.

Security method: Protection of Bluetooth encryption key
Description: After the user resets the BlackBerry Smart Card Reader, a BlackBerry device can perform the Bluetooth pairing process and the secure pairing process to reconnect to the BlackBerry Smart Card Reader. If that BlackBerry device was the last BlackBerry device to connect to the BlackBerry Smart Card Reader before the user reset the BlackBerry Smart Card Reader, the BlackBerry Smart Card Reader restores the backed-up Bluetooth encryption key for that Bluetooth connection and opens the Bluetooth connection to the BlackBerry device automatically. You can use the Maximum Bluetooth Encryption Key Regeneration Period IT policy rule to set the period after which the BlackBerry device generates a new Bluetooth encryption key.
BlackBerry Smart Card Reader security
The BlackBerry Smart Card Reader is designed to provide strong authentication to prevent offline and online dictionary attacks using the following security methods by default.

Security method: Secure connections
Description: The BlackBerry Smart Card Reader uses processes designed to
- pair the BlackBerry Smart Card Reader with the Bluetooth enabled BlackBerry device or computer using a Bluetooth encryption key to establish a Bluetooth connection between them
- pair the smart card with the Bluetooth enabled BlackBerry device or computer using a secure pairing key to establish an authenticated connection between them
- establish session keys to protect data that the BlackBerry device or computer and the BlackBerry Smart Card Reader send between them on the application layer over the Bluetooth connection

Security method: Secure deletion of connection information
Description: BlackBerry devices connected to the BlackBerry Smart Card Reader can delete the secure pairing key when the BlackBerry device disconnects from the BlackBerry Smart Card Reader and the disconnection timeout period expires. Computers connected to the BlackBerry Smart Card Reader can delete the secure pairing key when the computers enter standby mode.

Security method: Shared master encryption key
Description: The BlackBerry Smart Card Reader creates a shared master encryption key from the secure pairing key and a secret private key that the BlackBerry Smart Card Reader creates.

Each time the BlackBerry device or computer and the BlackBerry Smart Card Reader negotiate keys during the initial key establishment protocol and the connection key establishment protocol, the BlackBerry device or computer sends a 64-byte seed to the BlackBerry Smart Card Reader. The BlackBerry Smart Card Reader adds this value to its random source. See the BlackBerry Enterprise Solution Security Technical Overview for more information about the BlackBerry device random number generation process.
Control Bluetooth connections from third-party applications
Application control is designed to limit the use of Bluetooth wireless technology (and the Bluetooth profiles) to specific, permitted third-party applications. Using the BlackBerry Enterprise Server Version 4.0 or later, you can set BlackBerry Enterprise Server IT policy rules and application policy rules to control how third-party applications use the BlackBerry Smart Card Reader to connect to Bluetooth enabled BlackBerry devices. Use application control policy rules to
- permit or prevent third-party applications from being downloaded onto BlackBerry devices
- define the features (for example, the email application, the phone application, and the BlackBerry device key store) that third-party applications can access on the BlackBerry device
- define the types of connections that a third-party application can establish (for example, opening network connections inside the firewall) on the BlackBerry device
- send third-party applications to BlackBerry devices over the wireless network
- prevent third-party applications that have obtained a digital signature from the RIM signing authority system from using the BlackBerry device controlled APIs to do anything other than access persistent storage of user data and communicate with other applications
You can set application control policy rules so that all Bluetooth profiles are unavailable for applications by default and then turn on the Bluetooth Serial Port Profile for the BlackBerry Smart Card Reader driver only. In this configuration, only the necessary applications are permitted to use the BlackBerry Smart Card Reader driver.
Managing BlackBerry Smart Card Reader technology
You can set BlackBerry Enterprise Server IT policy rules that are designed to control the behavior of the BlackBerry Smart Card Reader.
IT policy rule: Disable Auto Reconnect To BlackBerry Smart Card Reader
Recommended use: Prevent automatic reconnections to the BlackBerry Smart Card Reader from previously connected BlackBerry devices and computers. Turning off automatic reconnections from the BlackBerry device is designed to increase the life of the BlackBerry device.

IT policy rule: Force Erase All Keys on BlackBerry Disconnected Timeout
Recommended use: Specify whether the connected BlackBerry device deletes its secure pairing key and drops its connection to the BlackBerry Smart Card Reader. Specify whether the BlackBerry Smart Card Reader deletes all secure pairing keys and drops all connections to connected computers when the BlackBerry disconnection timeout period expires.

IT policy rule: Force Erase Key On PC Standby
Recommended use: Specify whether the computer deletes its secure pairing key and drops the connection to the BlackBerry Smart Card Reader when the computer enters standby mode.

IT policy rule: Force Smart Card Two Factor Authentication
Recommended use: Specify whether the user must type the BlackBerry device password and the smart card password to use the BlackBerry device.
Note: Use Microsoft Windows Local Security Policy settings to specify whether the user must connect to a supported smart card reader from the Microsoft Windows login screen to use the computer.

IT policy rule: Force Smart Card Two Factor Challenge Response
Recommended use: Specify whether the user must choose a smart card certificate for use with smart card two-factor authentication. If smart card two-factor authentication is turned on, when the user unlocks the BlackBerry device, the BlackBerry device sends a challenge to the smart card to verify that it is the same smart card that the BlackBerry device used to initialize the authenticator module.

IT policy rule: Lock on Smart Card Removal
Recommended use: Specify whether the BlackBerry device locks when the user removes the smart card from a supported smart card reader or disconnects a supported smart card reader from the BlackBerry device.
Warning: Not all smart card reader drivers support smart card removal detection.
Note: Use Microsoft Windows Local Security Policy settings to specify whether a computer locks when the user removes the smart card from a supported smart card reader or disconnects a supported smart card reader from the computer.

IT policy rule: Maximum Bluetooth Encryption Key Regeneration Period
Recommended use: Specify a period, in hours, after which the BlackBerry Smart Card Reader regenerates the Bluetooth encryption key if the BlackBerry device or computer is connected to the BlackBerry Smart Card Reader when the period expires. If the BlackBerry device or computer is not connected to the BlackBerry Smart Card Reader when the period expires, the BlackBerry Smart Card Reader regenerates the encryption key when the BlackBerry device or computer reconnects to the BlackBerry Smart Card Reader.

IT policy rule: Maximum Connection Heartbeat Period
Recommended use: Specify the maximum heartbeat period, in seconds. During each heartbeat period, the paired BlackBerry device or computer sends a heartbeat, which the BlackBerry Smart Card Reader acknowledges. If either side fails to send or acknowledge a heartbeat in the maximum heartbeat period, the BlackBerry device or computer closes the Bluetooth connection. When the Bluetooth connection closes, the disconnected timer starts if you or the user turned that feature on the BlackBerry device or computer. The BlackBerry device or computer deletes the secure pairing keys when the disconnected timer expires. Use this IT policy rule to prevent a user with malicious intent from using a low-level Bluetooth heartbeat to perform the following actions:
- keep the Bluetooth connection open between the BlackBerry device or computer and the BlackBerry Smart Card Reader
- keep the secure pairing keys present, for an extended period after the BlackBerry device and BlackBerry Smart Card Reader should close the Bluetooth connection

IT policy rule: Maximum BlackBerry Disconnected Timeout
Recommended use: Specify the maximum time, in seconds, after the BlackBerry device and the BlackBerry Smart Card Reader close the Bluetooth connection between them that the disconnection timeout period expires.
Note: You can use the Force Erase All Keys on BlackBerry Disconnected Timeout IT policy rule to specify whether the BlackBerry device and computer delete their secure pairing keys for their current connections to the BlackBerry Smart Card Reader when the disconnection timeout period expires.

IT policy rule: Maximum BlackBerry Long Term Timeout
Recommended use: Specify the maximum time, in hours, after the BlackBerry device and the BlackBerry Smart Card Reader establish the secure pairing information between them, that the BlackBerry device and the BlackBerry Smart Card Reader delete their secure pairing information.

IT policy rule: Maximum BlackBerry Bluetooth Traffic Inactivity Timeout
Recommended use: Specify the maximum time, in minutes, of inactivity over a Bluetooth connection between the BlackBerry Smart Card Reader and the BlackBerry device allowed before the BlackBerry device and the BlackBerry Smart Card Reader delete their secure pairing information.

IT policy rule: Maximum Smart Card Not Present Timeout
Recommended use: Specify the maximum time, in seconds, after the user removes the smart card from the BlackBerry Smart Card Reader that the secure pairing information is deleted from the BlackBerry device and the BlackBerry Smart Card Reader.

IT policy rule: Maximum Number of BlackBerry Transactions
Recommended use: Specify the maximum number of transactions (smart card-related operations) that the BlackBerry device and the BlackBerry Smart Card Reader can send and receive before the secure pairing information is deleted from the BlackBerry device.

IT policy rule: Maximum Bluetooth Range
Recommended use: Specify the maximum power range, as a value between 30% (the shortest range) and 100% (the longest range), that the BlackBerry Smart Card Reader uses to send Bluetooth data packets.

IT policy rule: Maximum PC Disconnected Timeout
Recommended use: Specify the maximum time, in seconds, after the computer and the BlackBerry Smart Card Reader close the Bluetooth connection between them that the secure pairing information for that dropped connection is deleted from the computer and the BlackBerry Smart Card Reader.

IT policy rule: Maximum PC Long Term Timeout
Recommended use: Specify the maximum time, in hours, after the computer and the BlackBerry Smart Card Reader establish the secure pairing information between them that the computer and the BlackBerry Smart Card Reader delete their secure pairing information.

IT policy rule: Maximum PC Bluetooth Traffic Inactivity Timeout
Recommended use: Specify the maximum time, in minutes, of inactivity over the Bluetooth connection between the BlackBerry Smart Card Reader and the computer allowed before the computer and the BlackBerry Smart Card Reader delete their secure pairing information.

IT policy rule: Maximum Number of PC Transactions
Recommended use: Specify the maximum number of transactions (smart card-related operations) that the computer and the BlackBerry Smart Card Reader can send and receive between them before the computer and the BlackBerry Smart Card Reader delete their secure pairing information.
Note: A transaction is any request and response set of data packets other than a connection heartbeat.

IT policy rule: Maximum Number of PC Pairings
Recommended use: Specify the maximum number of computers that can pair with the BlackBerry Smart Card Reader.

Note: The BlackBerry Smart Card Reader also recognizes the Disable Radio When Cradled IT policy rule, which controls whether the wireless transceiver is turned off when the BlackBerry device is connected to USB peripherals. If you set this IT policy rule to True, the Bluetooth wireless adaptor of the BlackBerry Smart Card Reader is turned off whenever the BlackBerry Smart Card Reader is connected to a computer using USB. See the Policy Reference Guide for more information.
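The following Python sketch is an added example, not code from RIM or the BlackBerry Smart Card Reader software. It models how the BlackBerry-side timeout rules listed above bound the lifetime of the secure pairing information after pairing at t=0. The policy values, the event names and the assumptions that heartbeats do not count as Bluetooth traffic and that the link does not reconnect are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class Policy:
    # Each field stands for one IT policy rule from the tables above.
    # The numbers are constructed for this example; they are not product defaults.
    heartbeat_period_s: int = 10           # Maximum Connection Heartbeat Period
    disconnected_timeout_s: int = 60       # Maximum BlackBerry Disconnected Timeout
    erase_on_disconnected_timeout: bool = True  # Force Erase All Keys on BlackBerry Disconnected Timeout
    long_term_timeout_h: int = 24          # Maximum BlackBerry Long Term Timeout
    inactivity_timeout_min: int = 30       # Maximum BlackBerry Bluetooth Traffic Inactivity Timeout
    card_not_present_timeout_s: int = 15   # Maximum Smart Card Not Present Timeout
    max_transactions: int = 100            # Maximum Number of BlackBerry Transactions


Deletion = Optional[Tuple[int, str]]


def _fire(policy: Policy, deadlines: Dict[str, int], limit: int, inclusive: bool) -> Deletion:
    """Return the earliest deletion due before `limit` (or at it, if inclusive)."""
    while deadlines:
        reason, when = min(deadlines.items(), key=lambda kv: kv[1])
        if when > limit or (when == limit and not inclusive):
            return None
        if reason == "heartbeat_missed":
            # A missed heartbeat only closes the Bluetooth connection. The key is
            # deleted later, and only if the disconnected timer is enforced.
            del deadlines[reason]
            if policy.erase_on_disconnected_timeout:
                deadlines["disconnected_timeout"] = when + policy.disconnected_timeout_s
            continue
        return when, reason
    return None


def first_key_deletion(policy: Policy, events: Iterable[Tuple[int, str]], horizon_s: int) -> Deletion:
    """Secure pairing happens at t=0. Return (time_s, reason) of the first
    deletion of the secure pairing information up to horizon_s, or None."""
    deadlines = {
        "long_term_timeout": policy.long_term_timeout_h * 3600,
        "heartbeat_missed": policy.heartbeat_period_s,
        "traffic_inactivity": policy.inactivity_timeout_min * 60,
    }
    transactions = 0
    for t, kind in sorted(events):
        if t > horizon_s:
            break
        hit = _fire(policy, deadlines, t, inclusive=False)
        if hit:
            return hit
        connected = "heartbeat_missed" in deadlines  # removed once the link closes
        if kind == "card_removed":
            deadlines["smart_card_not_present"] = t + policy.card_not_present_timeout_s
        elif kind == "card_inserted":
            deadlines.pop("smart_card_not_present", None)
        elif not connected:
            continue  # model assumption: no reconnect, so later traffic is ignored
        elif kind == "heartbeat":
            deadlines["heartbeat_missed"] = t + policy.heartbeat_period_s
        elif kind == "transaction":
            # Assumption: only transactions count as traffic; heartbeats do not.
            transactions += 1
            if transactions >= policy.max_transactions:
                return t, "transaction_limit"
            deadlines["traffic_inactivity"] = t + policy.inactivity_timeout_min * 60
    return _fire(policy, deadlines, horizon_s, inclusive=True)


if __name__ == "__main__":
    # Constructed timeline: heartbeats every 5 s, then the user walks out of range.
    walk_away = [(t, "heartbeat") for t in range(5, 25, 5)]
    print(first_key_deletion(Policy(), walk_away, 3600))
    print(first_key_deletion(Policy(erase_on_disconnected_timeout=False), walk_away, 3600))
```

In the walk-away timeline the key is deleted 90 seconds after pairing when the disconnected-timeout erase is enforced; with that rule off, the key survives until the 30-minute inactivity limit.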
Establishing an encrypted and authenticated connection to the BlackBerry Smart Card Reader
Before the smart card and the BlackBerry device can establish an encrypted and authenticated connection between them, the BlackBerry Smart Card Reader and the BlackBerry device or computer must perform a Bluetooth pairing process to establish a Bluetooth connection between the BlackBerry device or computer and the BlackBerry Smart Card Reader. The BlackBerry device or computer and the BlackBerry Smart Card Reader can then perform a secure pairing process to establish a connection between the smart card and the BlackBerry device or computer. The secure pairing is designed to allow the BlackBerry Smart Card Reader and the BlackBerry device or computer to encrypt and authenticate the data that they send between them over the application layer. During the secure pairing process:
• the initial key establishment protocol creates a shared master encryption key on the BlackBerry device or computer and the BlackBerry Smart Card Reader that the BlackBerry device or computer and the BlackBerry Smart Card Reader use to encrypt and decrypt the data that they send between them
• the connection key establishment protocol creates a shared connection key on the BlackBerry device or computer and the BlackBerry Smart Card Reader that the BlackBerry device or computer and the BlackBerry Smart Card Reader use to send data between them
The user must perform a Bluetooth pairing process once only but must perform a secure pairing each time that the BlackBerry device or computer deletes the secure pairing information. You can control when the BlackBerry device or computer deletes the secure pairing information using BlackBerry Enterprise Server IT policy rules for the BlackBerry Smart Card Reader.
Performing the Bluetooth pairing process and the secure pairing process on the BlackBerry device
The user can start the Bluetooth pairing process and the secure pairing process automatically by clicking Connect on the BlackBerry Smart Card Reader options screen on the BlackBerry device. If the user is running BlackBerry Device Software Version 4.0 or later on the BlackBerry device, the user can start the secure pairing process by trying an action on the BlackBerry device that requires the smart card (for example, importing certificates, signing or decrypting a message, or turning on two-factor authentication). If the user is running BlackBerry Device Software Version 4.0.2 or later on the BlackBerry device, trying an action on the BlackBerry device that requires the smart card can also start the Bluetooth pairing process. See the BlackBerry Smart Card Reader Getting Started Guide for more information.
Performing the Bluetooth pairing process and the secure pairing process on the computer
The user must manually connect to the BlackBerry Smart Card Reader from the BlackBerry Smart Card Reader Options dialog on the computer to start the Bluetooth pairing process. When the Bluetooth pairing is established, the computer automatically prompts the user to perform the secure pairing process. See the BlackBerry Smart Card Reader Getting Started Guide for more information.
Reconnecting to the BlackBerry device or computer automatically
The BlackBerry Smart Card Reader is designed to reconnect automatically to a BlackBerry device or computer with which it has previously connected and for which it has not deleted the Bluetooth encryption key or secure pairing key. You can set the Disable Auto Reconnect To BlackBerry Smart Card Reader IT policy rule to prevent the BlackBerry device or computer from reconnecting to the BlackBerry Smart Card Reader automatically. Turning off the automatic reconnection feature is designed to increase the battery life of the BlackBerry device.
Initial key establishment protocol used in the secure pairing process
The initial key establishment protocol uses the ECDH algorithm to negotiate numerous algorithms for use in subsequent secure pairing key and connection key exchanges, including the following algorithms:
• the elliptic curve used by future ECDH exchanges (The initial key establishment protocol is designed to negotiate to use 521-bit Random Curve.)
• the encryption algorithm and hash algorithms used by the encryption and authentication processes on the application layer (The initial key establishment protocol is designed to negotiate to use AES-256 and SHA-256 for application layer encryption and authentication, and SHA-512 for IT policy authentication.)
See Appendix A: BlackBerry Smart Card Reader supported algorithms on page 20 for more information.
Initial key establishment protocol process
1. The BlackBerry device or computer sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry Smart Card Reader to confirm that a Bluetooth connection to the BlackBerry Smart Card Reader exists and to verify that both sides understand the protocol.
2. The BlackBerry Smart Card Reader receives the initial echo and replies with an echo transmission of the same value.
3. The BlackBerry device or computer receives the echo and replies to the BlackBerry Smart Card Reader with a request for a list of supported algorithms.
4. The BlackBerry Smart Card Reader creates a list of all of the algorithms that it supports and sends the supported algorithms list to the BlackBerry device or computer.
5. The BlackBerry device or computer searches the list for a match with one of its own supported algorithms.
• If a match is not available, the BlackBerry device or computer sends an error to the BlackBerry Smart Card Reader and stops processing the list.
• If a match exists, the BlackBerry device or computer begins the key establishment process by sending a pairing request using the selected algorithms and a 64-byte seed to the BlackBerry Smart Card Reader.
6. The BlackBerry Smart Card Reader verifies the selected algorithms.
7. The BlackBerry Smart Card Reader performs the following calculation to select a short-term key (Y):
• selects random y, 1 < y < r - 1
• calculates Y = yS
8. The BlackBerry Smart Card Reader sends Y to the BlackBerry device or computer.
9. The BlackBerry device or computer performs the following calculations to select a short-term key (X):
• selects random x, 1 < x < r - 1
• calculates X = xS
• calculates the master encryption key (MK) using the following information:
| Parameter | Value |
| K | xY = xyS |
| H1 | SHA-512 (sent data packets) |
| H2 | SHA-512 (received data packets) |
• calculates H = H1 + H2
• calculates MK = SHA-256( H || K )
10. The BlackBerry device sends X to the BlackBerry Smart Card Reader.
11. The BlackBerry Smart Card Reader calculates MK using the following information:
| Parameter | Value |
| K | yX = yxS |
| H1 | SHA-512 (sent data packets) |
| H2 | SHA-512 (received data packets) |
| H | H1 + H2 |
| MK | SHA-256 ( H || K ) |
12. The initial key establishment protocol completes; the BlackBerry device or computer and the BlackBerry Smart Card Reader share a master encryption key.
See Appendix D: BlackBerry Smart Card Reader shared cryptosystem parameters on page 23 for more information about variables used in this process.
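The derivation in steps 7 to 11, run for both roles in one process, as an added example (not RIM's code and not part of the original guide). Assumptions: S is derived from the secure pairing key by try-and-increment hashing, "+" in H = H1 + H2 is integer addition modulo 2^512, K is encoded as its 66-byte x-coordinate, and the packet contents and the function names are constructed.

```python
import hashlib, secrets

# NIST P-521 (the "521-bit Random Curve"): y^2 = x^3 - 3x + b over GF(p), cofactor 1.
p, a = 2**521 - 1, -3
b = int("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E1"
        "56193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)
r = int("01" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D"
        "03BB5C9B8899C47AEBB6FB71E91386409", 16)  # group order
ECHO = bytes.fromhex("C1F34151520CC9C2")  # echo value from step 1

def add(P, Q):
    """Affine point addition; None stands for the point at infinity."""
    if P is None or Q is None:
        return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def validate(Q):
    """Reject the point at infinity and any point that is not on the curve."""
    if Q is None:
        raise ValueError("point at infinity")
    x, y = Q
    if not (0 <= x < p and 0 <= y < p) or (y * y - x**3 - a * x - b) % p:
        raise ValueError("point not on curve")
    return Q

def base_point(pairing_key):
    """ASSUMPTION: S is derived by try-and-increment; the page does not say how."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha512(pairing_key + bytes([ctr])).digest(), "big")
        rhs = (x**3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)  # square-root candidate, valid as p % 4 == 3
        if y * y % p == rhs:
            return x, y
    raise ValueError("no curve point found")

def derive_mk(k_point, sent, received):
    """MK = SHA-256(H || K) with H = H1 + H2, as in steps 9 and 11."""
    h1, h2 = (int.from_bytes(hashlib.sha512(b"".join(m)).digest(), "big")
              for m in (sent, received))
    # ASSUMPTION: "+" is integer addition mod 2^512. It is commutative, so both
    # sides get the same H although one side's "sent" is the other's "received".
    h = ((h1 + h2) % 2**512).to_bytes(64, "big")
    k = validate(k_point)[0].to_bytes(66, "big")  # ASSUMPTION: K is its x-coordinate
    return hashlib.sha256(h + k).digest()

def pair(device_key, reader_key):
    """Run steps 1-11 for both roles; returns (device MK, reader MK)."""
    dev_sent = [ECHO, b"GET-ALGS", b"PAIR:P521" + secrets.token_bytes(64)]  # constructed
    rdr_sent = [ECHO, b"ALGS:P521"]                                        # constructed
    S_dev, S_rdr = base_point(device_key), base_point(reader_key)
    y, x = (2 + secrets.randbelow(r - 3) for _ in range(2))  # 1 < x, y < r - 1
    Y, X = validate(mul(y, S_rdr)), validate(mul(x, S_dev))  # shares are checked on receipt
    return (derive_mk(mul(x, Y), dev_sent, rdr_sent),
            derive_mk(mul(y, X), rdr_sent, dev_sent))
```

When both sides hold the same secure pairing key the two MK values match; when they differ, each side multiplies a different base point and the keys diverge, which is how a wrong pairing key shows up as a failed pairing.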
Connection key establishment protocol used in the secure pairing process
After the initial key establishment protocol process completes successfully, the BlackBerry device or computer and the BlackBerry Smart Card Reader share a master encryption key. They must then establish a connection key to use to send data between them. The connection key establishment protocol starts from the secure pairing key s using SPEKE, letting a BlackBerry device or computer establish long-term public keys and a strong, cryptographically protected connection with a BlackBerry Smart Card Reader. The connection key establishment protocol uses the ECDH (elliptic curve) algorithm that the initial key establishment protocol negotiates. The ECDH algorithm provides perfect forward secrecy, which uses the key that protects data to prevent the protocol from deriving previous or subsequent encryption keys. Each run of the connection key establishment protocol uses a unique, random, ephemeral key pair to create the new connection key. The BlackBerry Smart Card Reader discards the ephemeral key pair after establishing the connection key.
Even if the ephemeral private keys from a particular protocol run using the ECDH algorithm are compromised, the connection keys from other runs of the same protocol remain uncompromised.
Connection key establishment protocol process
1. The BlackBerry device or computer sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry Smart Card Reader to confirm that a Bluetooth connection to the BlackBerry Smart Card Reader exists and to verify that both sides understand the protocol.
2. The BlackBerry Smart Card Reader receives the initial echo and replies with an echo transmission of the same value.
3. The BlackBerry device or computer receives the echo and uses the algorithm that the initial key establishment protocol negotiated to send the selected algorithms and a seed to the BlackBerry Smart Card Reader.
4. The BlackBerry Smart Card Reader performs the following calculation to select a short-term key (Y):
• selects random y, 1 < y < r - 1
• calculates Y = yP where P is defined on the curve negotiated by the initial key establishment protocol
5. The BlackBerry Smart Card Reader sends Y to the BlackBerry device or computer.
6. The BlackBerry device or computer performs the following calculation to select a short-term key (X):
• selects random x, 1 < x < r - 1
• calculates X = xP
• calculates the connection key (CK) using the following information:
| Parameter | Value |
| K | xY = xyP |
| H1 | SHA-512 (sent data packets) |
| H2 | SHA-512 (received data packets) |
| H | H1 + H2 |
| CK | SHA-256 ( MK || H || MK || K ) |
7. 8.
Unbinding the smart card from the BlackBerry device
When you or the user start the process that lets the BlackBerry device erase its stored user and application data, the BlackBerry device deletes the smart card binding information from its NV store. When the process completes, a user can authenticate with the BlackBerry device using a new smart card. You can delete the smart card binding information from the BlackBerry device manually in the following ways:
• Send the Erase Data and Disable Device IT Admin command to the BlackBerry device to delete the binding between a user's current smart card and the BlackBerry device.
• When the user turns off two-factor authentication, the BlackBerry device turns off two-factor authentication with the installed smart card and deletes the smart card binding information from the BlackBerry device.
Setting two-factor authentication on the computer
See the Microsoft Windows documentation for information about configuring a computer to require the user to connect to a supported smart card reader from the Microsoft Windows login screen to use the computer.
Related resources
Resource BlackBerry Enterprise Solution Security Technical Overview Information preventing the decryption of information at an intermediate point between the BlackBerry device and the BlackBerry Enterprise Server or organization LAN managing security settings for all BlackBerry devices protecting data in transit between the BlackBerry device and the BlackBerry Enterprise Server understanding the algorithms provided by the RIM cryptographic API (Crypto API) understanding the TLS and WTLS standards that the RIM Crypto API currently supports understanding the process that occurs to securely delete data on the BlackBerry device when content protection feature is turned on generating and changing master encryption keys turning on S/MIME protected messaging turning on encryption options setting IT policy rules setting message classifications setting up the BlackBerry Smart Card Reader installing or upgrading the BlackBerry Smart Card Reader pairing the BlackBerry device or the computer with the BlackBerry Smart Card Reader troubleshooting using BlackBerry Enterprise Server IT policies installing the S/MIME Support Package managing certificates on the BlackBerry device and computer setting S/MIME options for digitally signing and encrypting messages sending and receiving S/MIME protected messages understanding Bluetooth wireless technology understanding the risks of using Bluetooth wireless technology on mobile devices protecting Bluetooth enabled BlackBerry devices information about BlackBerry Enterprise Solution security
Impersonating a BlackBerry device or computer
An impersonation of the BlackBerry Smart Card Reader occurs when the user with malicious intent sends messages to the BlackBerry device or computer so that the BlackBerry device or computer believes it is communicating with the BlackBerry Smart Card Reader. The user with malicious intent must send X = xP, instead of xS, to the BlackBerry Smart Card Reader. A user with malicious intent might try this because the user with malicious intent does not know the secure pairing key. The initial key establishment protocol is designed so that the BlackBerry Smart Card Reader calculates K = yX = yxP. To calculate the same key, the user with malicious intent must determine y from Y. This problem is considered to be computationally infeasible. The connection key establishment protocol is designed so that
• the user with malicious intent can only guess the secure pairing key
• the user with malicious intent can only compute the master encryption key by solving the discrete log problem, which is computationally infeasible, to try to determine the secret private key on the BlackBerry device or computer
Man-in-the-middle attack
A man-in-the-middle attack occurs when the user with malicious intent intercepts and modifies messages in transit between the BlackBerry Smart Card Reader and the BlackBerry device or computer. A successful man-in-the-middle attack results in each party not knowing that the user with malicious intent is sitting between them, monitoring and changing data traffic. The user with malicious intent must remain in the middle (between the BlackBerry device or computer and the BlackBerry Smart Card Reader) forever, not just for the duration of the key establishment protocol, for a man-in-the-middle attack to occur. For a user with malicious intent to successfully start a man-in-the-middle attack, the user with malicious intent must know the secure pairing key.
The initial key establishment protocol is designed to use ECDH and the shared master encryption key to prevent a man-in-the-middle attack. If a user with malicious intent learns the secure pairing key after the initial key establishment protocol is complete, the mathematical hardness of the discrete log problem protects the master encryption key. To determine the master encryption key, a user with malicious intent must determine one of x or y. The user cannot gain knowledge of the master encryption key before the initial key establishment protocol begins as long as the secure pairing key remains secret until the initial key establishment protocol completes successfully.
The connection key establishment protocol is designed to use SPEKE to prevent a man-in-the-middle attack through the use of the secure pairing key.
Offline attack
An offline attack occurs when the user with malicious intent tries to send X = xP, instead of xS, to the BlackBerry Smart Card Reader. A user with malicious intent might try this because the user with malicious intent does not know the secure pairing key. The initial key establishment protocol is designed so that the BlackBerry Smart Card Reader replies with Y = yS and calculates K = yX = yxP. Meanwhile, the user with malicious intent must calculate K = xY = yxS = yxzP, for some z such that S = zP. To calculate yxP from yzxP without knowledge of z corresponds to solving the discrete logarithm problem, which is computationally infeasible, for S.
Offline dictionary attack
An offline dictionary attack occurs when the user with malicious intent tries all possible passwords and determines the correct password. The connection key establishment protocol is designed to use SPEKE to prevent a known offline dictionary attack through the use of a password (the secure pairing key) in case the user with malicious intent uses computational resources (where, in theory, nothing limits the speed at which the user with malicious intent can force the password) to determine the password.
Online dictionary attack
An online dictionary attack is similar to an offline dictionary attack, but the user with malicious intent must rely on the BlackBerry device, the computer, or the BlackBerry Smart Card Reader to determine if a key is the correct secure pairing key. The BlackBerry Smart Card Reader supports only one try to guess the secure pairing key. If the guess is incorrect, the BlackBerry Smart Card Reader changes the secure pairing key before the next try occurs.
Small subgroup attack
A small subgroup attack occurs when the user with malicious intent tries to limit the protocol to generate master encryption keys from only a small subset of keys. The BlackBerry Smart Card Reader security protocols are designed to use ECDH operations that use the cofactor in their calculations and verify that the result is not the point at infinity. For example, if the user with malicious intent chooses X as the point at infinity, then K is the point at infinity regardless of what the BlackBerry Smart Card Reader chose for Y. By checking that X is not at the point of infinity, 1, or -1, the BlackBerry Smart Card Reader security protocols avert this threat.
Appendix F: Smart card binding information
When you or a user turns on two-factor authentication on the BlackBerry device, the BlackBerry device binds to the installed smart card automatically by storing the following smart card binding information in a special BlackBerry device NV store location that is inaccessible to a user.
Technical specifications
Full description
The BlackBerry Smart Card Reader is designed to allow mobile personnel to meet operational requirements for using multi-factor authentication with Bluetooth-enabled Microsoft Windows computers, BlackBerry smartphones, PKI applications and for highly secure web browsing - without negatively impacting the user experience. The BlackBerry Smart Card Reader is designed to solve a fundamental security concern for organizations, helping eliminate unauthorized access to unlocked computers and BlackBerry smartphones. Instead of inserting the smart card into a stationary reader or bulky peripheral attachment which can easily be left behind, users insert a smart card into this lightweight reader and wear it on a lanyard, causing smartphones and computers to lock when the user is not in proximity. The BlackBerry Smart Card Reader works with certificates on smart cards to leverage your organization's S/MIME infrastructure and is designed to enable your employees to digitally sign and encrypt messages on either their BlackBerry smartphones or computers to provide sender-to-recipient security.
| General | |
| Device Type | SMART card reader - contact |
| Enclosure Type | External |
| Interface Type | Bluetooth |
| Expansion / Connectivity | |
| Expansion Slots Total (Free) | 1 x Smart Card |
| Miscellaneous | |
| Compliant Standards | ISO 7816, FIPS 140-2, AES-256 |
| Universal Product Identifiers | |
| Brand | Research In Motion |
| Part Number | PRD-16951-001 |
| GTIN | 00008880635619, 00070120143390, 00843163044791 |