PGP Support Package for BlackBerry
Extending PGP email security to enterprise smartphones

CMYK 0 12

ij/ Ooje
PGP email security extends to enterprise smartphones.

PGP Customer Spotlight

The PGP Encryption Platform was the best fit for our distributed organization and one of the few solutions that supported end-to-end encryption on BlackBerry devices.
Tom Goschtz Chief Technology Officer Corporate Center Bertelsmann AG

Data Sheet

PGP Encryption Unencrypted

Policy Keys Logs

JGKX hk766

Benefits

E asy, automatic operation Protects data without changing the handheld users experience. E nforced security policies Automatically enforces data protection with centrally managed policies. A ccelerated deployment Reduces setup time and speeds enterprise data protection using the BlackBerry devices native email client. R educed operation costs Result from fast deployment, and automation of email encryption policies.
BlackBerry Enterprise Server PGP Universal Server
Transparent protection of sensitive email messages
Mobile devices such as BlackBerry smartphones are popular tools for digital communications, in the office and on the road. As more employees and executives begin to carry these wireless devices, the amount of sensitive and confidential information they put at risk increases. Lacking the right protection, sensitive email that is stored or transmitted on mobile devices may be breached. The resulting damages can include lost revenue, regulatory penalties, and brand damage. In collaboration with Research In Motion (RIM) PGP Corporation offers the PGP Support Package for BlackBerry that enables enterprises to extend the market-leading PGP messaging security solutions for laptops and desktops to BlackBerry smartphones. This comprehensive email solution includes data encryption, digital signature, secured attachments, and automated key management. Always on, Always Connected, and Always Secure The PGP Support Package for BlackBerry is a logical addition to an enterprises BlackBerry solution. When used with the BlackBerry Enterprise Solution, it delivers the pervasive encryption functionality that is needed to protect an organizations mobile communications, in a single, easy-to-use and easy-to-manage solution. The organization can automatically and seamlessly secure mobile communications from a senders email client to the BlackBerry devices and at all points in between using centrally defined, policy-based encryption. PGP Encryption Platform-Enabled The PGP Support Package for BlackBerry is a PGP Encryption Platformenabled application. The PGP Encryption Platform provides a strategic enterprise encryption framework for shared user management, policy, and provisioning that is automated across multiple, integrated encryption appli-cations. The PGP Universal Server manages existing policies, users, keys, and configurations, which expedites deployment and policy enforcement.
Easy, Automatic Operation
The PGP Support Package for BlackBerry combines PGP email security with the mobility and flexibility of BlackBerry devices. It simplifies encryption technology for end users with: A utomated protection Automatically encrypts, digitally signs, decrypts, and verifies email and attachments on BlackBerry devices. I ntuitive interface Requires no special training for end users.

deTHYO

e j d Y Oo je i j / 9 s e j d g T h k J G K X d e H Y O o j e j d g T h sejdgThk8766JGKeij/789s k8766JG ojeij/789 2Ke
Thk876 ij/789sejd g T h k 6 J G K X d e T H Y O o j e i j / 9 s e j d g Th k J G K e i j / 9 s e j d Y O o j e i j / 9 s e j d g
Data Sheet | PGP Support Package for BlackBerry
PGP Support Package for BlackBerry is fully interoperable with other PGP Encryption Platform-enabled applications. Advantages of this platform-based integration include: PGP Support Package for BlackBerry reduces deployment tasks and time, eliminates end-user training costs, and precludes increases.
Enforced Security Policies
BlackBerry Handheld Software v4.1 or higher, PGP Universal Server for key management, PGP Desktop Email 9.x or greater, PGP Desktop Email 9.5 or later required for Lotus Notes environments. For complete technical specifications, please visit www.pgp.com.

Technical Specifications

C onsistent policy enforcement Consistently enforces messaging security policies, regardless of enterprise origination point (PC or BlackBerry) or message destination. R apid implementation Helps administrators quickly implement new policies to control mail flow and encryption. U nified management Lets administrators centrally define, manage, and enforce email encryption policy.

Accelerated Deployment

Enterprises can quickly and easily deploy the PGP Support Package for BlackBerry to new and existing BlackBerry devices because of its: S eamless integration Integrates with the BlackBerry devices native email client, and leverages its existing security features. R apid, simple deployment Enables BlackBerry devices to automatically enroll in PGP Universal Server. A utomated lookup of PGP keys Automatically searches for recipient encryption keys during message composition.
Reduced Operational Costs
PGP Support Package for BlackBerry reduces deployment tasks and time, eliminates end-user training costs, and precludes increases in help desk calls. Its integration with the PGP Encryption Platform also streamlines the ongoing operations of encryption management and security policy enforcement.
PGP Universal Server Management
PGP Support Package for BlackBerry is deployed and managed with the PGP Universal Server. Its advantages include: S ecure provisioning PGP Universal Server authenticates users based on administrator-defined policy. K ey management Encryption keys are automatically delivered to PGP BlackBerry users during provisioning. A dditional Decryption Key The PGP Universal Server-managed Additional Decryption Key (ADK) retains corporate access to data.

2010 PGP Corporation. PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners. BBDS100114

www.pgp.com

hTgd jejo

YHedX KGJ6

678khTg dj
O es987/jiejoO 7/jiejo Y d j e s 7 / j i e K G J k hT g d j e s 7 / j i e j o O Y H T e d X K G J 7 k h T g d j e s 9 8

PGP Support Package for BlackBerry Smartphones

Version: 5.0

Security Technical Overview
Published: 2010-03-10 SWD-995511-0310094129-001

Contents

1 BlackBerry Enterprise Solution security..... 2 New in this release...... 3 System requirements: PGP Support Package for BlackBerry smartphones... 4 Extending messaging security using PGP encryption.... Security features of the PGP Support Package for BlackBerry smartphones... Processing PGP protected messages on a BlackBerry Enterprise Server... What happens when a BlackBerry device protects a message using PGP encryption... Process flow: Sending an email message using PGP encryption... Process flow: Receiving a PGP encrypted message.... Encryption algorithms that the BlackBerry device supports for PGP encryption... Making PGP encryption mandatory..... 5 Configuring the BlackBerry Enterprise Solution to use a PGP Universal Server... Enrolling and authenticating a BlackBerry device with a PGP Universal Server... How a BlackBerry device uses the email policy of a PGP Universal Server.... PGP policy conditions on the PGP Universal Server that the PGP Support Package for BlackBerry smartphones supports...... 6 PGP public keys and PGP private keys.... Retrieving PGP keys from a PGP Universal Server or LDAP servers... Configuring the BlackBerry MDS Connection Service to connect to an LDAP server that stores PGP public keys...... Protecting connections to LDAP servers..... Where a BlackBerry device stores PGP keys..... How a BlackBerry device protects the PGP key store.... Protecting the PGP private key on a BlackBerry device.... Security levels that help protect the PGP private key on a BlackBerry device... Accessing PGP private keys on a BlackBerry device.... How a user can access the PGP private key on a BlackBerry device if the PGP Universal Server stores the PGP private key using server key mode..... How a user can access the PGP private key on a BlackBerry device if the PGP Universal Server stores the PGP private key using guarded key mode.....
How a user can access the PGP private key on a BlackBerry device if the PGP Universal Server stores the PGP private key using client key mode..... Changing the minimum key length that a BlackBerry device can use... Searching for PGP keys on a BlackBerry device.... Checking the revocation status of a PGP key on a BlackBerry device... 7 Extending messaging security to attachments.... Viewing PGP encrypted attachments on a BlackBerry device... Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message.. Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption...... 8 Permitting a BlackBerry device to use a password for PGP encryption... 9 Using an X.509 certificate to encrypt a message or validate a digital signature.. 10 Deleting decrypted PGP data from a BlackBerry device... 11 IT policy rules that apply to the PGP Support Package for BlackBerry smartphones.. 12 Related resources..... 13 Glossary....... 14 Legal notice......

BlackBerry Enterprise Solution security
The BlackBerry Enterprise Solution consists of various products and components that are designed to extend your organizations communication methods to BlackBerry devices. The BlackBerry Enterprise Solution is designed to help protect data that is in transit at all points between a BlackBerry device and the BlackBerry Enterprise Server. To help protect data that is in transit over the wireless network, the BlackBerry Enterprise Server and BlackBerry device use symmetric key cryptography to encrypt the data sent between them. The BlackBerry Enterprise Solution is designed to prevent third parties, including wireless service providers, from accessing your organization's potentially sensitive information in a decrypted format. The BlackBerry Enterprise Solution uses confidentiality, integrity, and authenticity, which are principles for information security, to help protect your organization from data loss or alteration. Principles confidentiality integrity Description The BlackBerry Enterprise Solution uses symmetric key cryptography to help make sure that only intended recipients can view the contents of email messages. The BlackBerry Enterprise Solution uses symmetric key cryptography to help protect every email message that the BlackBerry device sends and to help prevent third parties from decrypting or altering the message data. Only the BlackBerry Enterprise Server and BlackBerry device know the value of the keys that they use to encrypt messages and recognize the format of a decrypted and decompressed message. The BlackBerry Enterprise Server or BlackBerry device reject a message automatically if it is not encrypted with keys that they recognize as valid. Before the BlackBerry Enterprise Server sends data to the BlackBerry device, the BlackBerry device authenticates with the BlackBerry Enterprise Server to prove that the BlackBerry device knows the device transport key that is used to encrypt data.

authenticity

New in this release
This document describes the security of the PGP Support Package for BlackBerry smartphones and the features that the PGP Support Package 5.0 for BlackBerry smartphones and BlackBerry Enterprise Server 5.0 SP1 or later support, unless otherwise stated. Feature Description

Security features of the PGP Support Package for BlackBerry smartphones
Feature ability to retrieve a PGP key and check the revocation status of the PGP key over the wireless network ability to encrypt outgoing messages using PGP encryption ability to decrypt incoming PGP encrypted messages ability to sign outgoing messages using PGP private keys ability to verify PGP signatures Description The PGP Support Package for BlackBerry smartphones can retrieve the PGP key and check the revocation status of a PGP key from a PGP Universal Server or external LDAP server. A user can encrypt email messages and PIN messages using PGP encryption and send the messages from a BlackBerry device. A user can decrypt PGP encrypted email messages and PIN messages that a BlackBerry device receives. A user can sign email messages and PIN messages using the user's PGP private keys, and send the messages from a BlackBerry device. A user can verify the PGP signatures on email messages and PIN messages that a BlackBerry device receives.
Processing PGP protected messages on a BlackBerry Enterprise Server
Feature ability to view encrypted attachments in PGP encrypted messages support for PGP encryption using a password support for the email policy of a PGP Universal Server support for Unicode messages
Description The PGP Support Package for BlackBerry smartphones can retrieve information about PGP encrypted attachments from PGP encrypted email messages. A user can use a password for PGP encryption when the user sends PGP encrypted messages from a BlackBerry device. The PGP Support Package for BlackBerry smartphones is designed to use the email policy of a PGP Universal Server to determine whether a BlackBerry device must sign, encrypt, or sign and encrypt an email message. A user can view, forward, and reply to PGP encrypted messages that contain Unicode characters on a BlackBerry device. The BlackBerry device decodes the Unicode characters and displays the messages. The user can also view certificates that contain Unicode characters. The user can encrypt and send PGP encrypted messages that contain Unicode characters on the BlackBerry device. The BlackBerry device encodes the messages to include the information that an email application requires to view the Unicode characters.
A user can send a PGP protected message in PGP/MIME format or OpenPGP format to a BlackBerry device. If the BlackBerry Enterprise Server and the BlackBerry device support PGP technology, the BlackBerry Enterprise Server processes PGP/MIME messages, and the BlackBerry device can decrypt the PGP/MIME formatted messages that it receives. If the BlackBerry Enterprise Server, the BlackBerry device, or both do not support PGP technology, the BlackBerry Enterprise Server does not process PGP/MIME messages, and the BlackBerry device receives PGP/MIME formatted messages as unreadable attachments. OpenPGP formatted messages include ""BEGIN PGP MESSAGE"" headers and ""END PGP MESSAGE"" footers. When a BlackBerry device that supports PGP technology decrypts an OpenPGP formatted message, the BlackBerry device displays all message content in the headers and footers.

What happens when a BlackBerry device protects a message using PGP encryption
After you configure the BlackBerry Enterprise Solution to support PGP encryption, when a user composes an email message or a PIN message, the user can choose one of the following options on a BlackBerry device: attach PGP keys from the PGP key store on the BlackBerry device and send the keys as.asc file attachments
encrypt the PGP message with a password send the message as plain text sign, encrypt, or sign and encrypt the message using PGP encryption
When a user chooses to sign, encrypt, or sign and encrypt the message, the BlackBerry device searches for a valid PGP key for the recipient in the PGP key store, the PGP Universal Server, or any available LDAP servers. A valid PGP key is a key that is trusted, is not revoked or expired, and has a strong public key. If the BlackBerry device finds a valid PGP key, the BlackBerry device signs, encrypts, or signs and encrypts the message before it sends the message. If the BlackBerry device does not find a valid PGP key, the BlackBerry device provides the user with options to not send the message, download a valid PGP key manually, or send the message in unencrypted form. The user can send the message in unencrypted form only if the email policy of the PGP Universal Server permits and you changed the value of the PGP Force Encrypted Messages IT policy rule to No. If the user downloads a PGP key for the intended recipient manually, the BlackBerry device displays search criteria that the user can change. The BlackBerry device tries to retrieve the PGP key from an LDAP server. If the BlackBerry device finds the PGP key, the BlackBerry device signs, encrypts, or signs and encrypts the message before it sends the message.
Process flow: Sending an email message using PGP encryption
If a sender installs the PGP Support Package for BlackBerry smartphones on a BlackBerry device, the BlackBerry device encrypts outgoing email messages. 1. The BlackBerry device performs the following actions: a. uses the BlackBerry MDS Connection Service to retrieve the PGP public key of the recipient from the PGP Universal Server or LDAP server b. encrypts the email message using the PGP public key of the recipient c. uses BlackBerry transport layer encryption to encrypt the PGP encrypted message d. sends the message that is encrypted using BlackBerry transport layer encryption and PGP encryption to the BlackBerry Enterprise Server

A BlackBerry device is designed to use the email policy of a PGP Universal Server to determine whether to sign, encrypt, or sign and encrypt an email message that it sends. The BlackBerry device uses the minimum security requirements of the email policy and any additional security requirements that the user applies to the message when the user sends it. If the BlackBerry device cannot retrieve PGP keys for a message recipient and the user sends the message to the PGP Universal Server, the PGP Universal Server can further process the message, using the default email policy, to determine what action to take on the message. The BlackBerry device retrieves the data for the email policy of the PGP Universal Server at intervals that you can configure using the PGP Universal Policy Cache Timeout IT policy rule. By default, the BlackBerry device caches the email policy for a maximum of 24 hours. For more information about sending messages to the PGP Universal Server, see the documentation for the PGP Universal Server.
PGP policy conditions on the PGP Universal Server that the PGP Support Package for BlackBerry smartphones supports
The PGP Support Package for BlackBerry smartphones does not support message properties and operators that are designed to control dictionaries, mailing lists, and user groups. Message property message body Description Is Contains Begins with

Message property

Description Ends with Matches pattern Is Contains Begins with Ends with Matches pattern Is Contains Begins with Ends with Matches pattern Is Is greater than Is less than Is Contains Begins with Ends with Matches pattern Is Contains Begins with Ends with Matches pattern Is in subdomain of Is Contains Begins with Ends with Matches pattern
message has attachment with file name that message header <header> (where <header> is one of subject, importance, or sensitivity)

message size

recipient email address

recipient domain

sender domain
Message property sender email address
Description Is Contains Begins with Ends with Matches pattern
For more information about the policy conditions, see the documentation for the PGP Universal Server.
PGP public keys and PGP private keys
Key PGP public key Description
The PGP Support Package for BlackBerry smartphones uses public key cryptography with PGP public keys and PGP private keys.

The PGP Support Package for BlackBerry smartphones uses the PGP public key of the recipient to encrypt outgoing email messages and the PGP public key of the sender to verify digital signatures on incoming email messages. The PGP public key is designed so that recipients and senders can distribute and access the key without compromising it. The PGP public key is stored typically on the PGP Universal Server or an LDAP server. The PGP Support Package for BlackBerry smartphones uses the PGP private key of the sender to digitally sign outgoing email messages and the PGP private key of the recipient to decrypt incoming email messages. To make sure that security is not compromised, you must make sure that private key information remains private to the key owner. The BlackBerry device stores the PGP private key.

PGP private key

Retrieving PGP keys from a PGP Universal Server or LDAP servers
If your organizations environment includes a PGP Universal Server, the administrator of the PGP Universal Server can configure the email policy of the PGP Universal Server. After a user installs the PGP Support Package for BlackBerry smartphones, a BlackBerry device can retrieve and enforce the email policy of the PGP Universal Server for all email messages that the user sends. The BlackBerry device is designed to use the BlackBerry MDS Connection Service to connect to the PGP Universal Server or any LDAP server that a user specifies on the BlackBerry device or that you specify using the BlackBerry Administration Service. The BlackBerry MDS Connection Service uses standard protocols, such as HTTP and TCP/IP, to permit the BlackBerry device to retrieve PGP public keys, PGP key status, and X.509 certificate status from the PGP Universal Server or an LDAP server over the wireless network. The BlackBerry MDS Connection Service can connect to LDAP servers using LDAPS.
Configuring the BlackBerry MDS Connection Service to connect to an LDAP server that stores PGP public keys
To prevent a user from enrolling and authenticating with the PGP Universal Server, you or the user can configure the BlackBerry MDS Connection Service to retrieve PGP public keys on behalf of a BlackBerry device. The BlackBerry MDS Connection Service retrieves and verifies the authenticity and status of PGP public keys before it sends the PGP public keys to the BlackBerry device.

The PGP Universal Server can store PGP public keys and PGP private keys using key storage modes. The key storage mode that the PGP Universal Server uses to store PGP keys impacts how a user can access the PGP private keys from a BlackBerry device. For more information about the key storage modes, see the documentation for the PGP Universal Server.
How a user can access the PGP private key on a BlackBerry device if the PGP Universal Server stores the PGP private key using server key mode
If the PGP Universal Server stores the PGP private key using server key mode, the PGP Universal Server stores a user's PGP public key and PGP private key. The user can download the PGP private key to a BlackBerry device without a passphrase and can import the key into the PGP key store on the BlackBerry device automatically.
The BlackBerry device prompts the user for the key store password when it retrieves the PGP private key from the PGP key store so that the BlackBerry device can sign or decrypt messages.
How a user can access the PGP private key on a BlackBerry device if the PGP Universal Server stores the PGP private key using guarded key mode
If the PGP Universal Server stores the PGP private key using guarded key mode, the PGP Universal Server stores a user's PGP public key and a passphrase-protected copy of the user's PGP private key. The user creates the passphrase when the user generates the PGP private key. The user can download the PGP private key to a BlackBerry device. The BlackBerry device prompts the user for the passphrase before the BlackBerry device imports the PGP private key into the PGP key store on the BlackBerry device. The BlackBerry device prompts the user for the key store password when it retrieves the PGP private key from the PGP key store so that the BlackBerry device can sign or decrypt messages. An administrator of the PGP Universal Server can turn on guarded key mode for a user in the administrative console of the PGP Universal Server.
How a user can access the PGP private key on a BlackBerry device if the PGP Universal Server stores the PGP private key using client key mode

If the PGP Universal Server stores the PGP private key using client key mode, a PGP Desktop application stores and manages a user's PGP private keys. The PGP Universal Server stores the user's PGP public key. The user can create a passphrase when the user generates the PGP private key. The user must export the PGP private key from the PGP Desktop application and send the key to a BlackBerry device in an email message. After the BlackBerry device receives the email message with the attached PGP private key, the BlackBerry device prompts the user for the passphrase, if necessary, before it imports the PGP private key into the PGP key store on the BlackBerry device. The BlackBerry device prompts the user for the key store password when it retrieves the PGP private key from the PGP key store so that the BlackBerry device can sign or decrypt messages. An administrator of the PGP Universal Server can turn on client key mode for a user in the administrative console of the PGP Universal Server.
Changing the minimum key length that a BlackBerry device can use
The key length (also known as the key size) of a PGP public key or PGP private key determines the key strength. The larger the PGP public key and PGP private key, the stronger the PGP key pair. The key lengths of the PGP public key and PGP private key are the same. By default, a BlackBerry device uses a minimum key length of 1024 bits for the DH algorithm, DSA algorithm, and RSA algorithm. You can change the minimum key lengths to meet the security requirements of your organization using the following IT policy rules: PGP Minimum Strong DH Key Length PGP Minimum Strong DSA Key Length PGP Minimum Strong RSA Key Length The maximum key length that the BlackBerry device supports for the RSA algorithm and DH algorithm is 4096 bits. The maximum key length that the BlackBerry device supports for the DSA algorithm is 1024 bits. For more information about the IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.
Searching for PGP keys on a BlackBerry device
The PGP Support Package for BlackBerry smartphones permits a user to search for PGP keys. A user who is not enrolled with a PGP Universal Server can search LDAP servers that are external to your organization (for example, the PGP Global Directory) for PGP keys using the first name, last name, or email address of the PGP key subject. The user can download PGP keys from the search results. While the user composes an email message, the BlackBerry device searches for and retrieves PGP keys that are not on the BlackBerry device. The BlackBerry device uses the email addresses of the intended recipients to search for PGP keys. When the user searches for a PGP key, the user can specify whether the BlackBerry device must prompt the user to download the revocation status of the PGP key before the BlackBerry device can retrieve the PGP key and add it to the PGP key store. The user should validate PGP keys that the BlackBerry device retrieves from an LDAP server that is external to your organization using the fingerprints of the PGP keys. For more information about the PGP Global Directory, visit keyserver.pgp.com.

Checking the revocation status of a PGP key on a BlackBerry device
In the following situations, a user can check the revocation status of a PGP key to determine whether the PGP key is revoked: when receiving a signed message or signed and encrypted message on a BlackBerry device before sending a message to a recipient who has an email application that supports PGP encryption when searching for PGP keys
The user can also check the revocation status of a PGP key from the PGP key store. The BlackBerry device uses the BlackBerry MDS Connection Service to request and retrieve the revocation status of the PGP key from an LDAP server. If the BlackBerry device retrieves an updated PGP key, it updates the PGP key store on the BlackBerry device.
Extending messaging security to attachments
The BlackBerry Enterprise Server supports attachments in PGP encrypted messages and S/MIME-encrypted messages. It also permits a user to view encrypted attachments on a BlackBerry device. You can use the S/MIME Allowed Encrypted Attachment Mode IT policy rule and the PGP Allowed Encrypted Attachment Mode IT policy rule to specify the least restrictive mode that a BlackBerry device can use to retrieve attachment information that is PGP encrypted or S/MIME encrypted. The BlackBerry device supports OpenPGP format and PGP/MIME format for PGP encryption.
Viewing PGP encrypted attachments on a BlackBerry device
The PGP Support Package for BlackBerry smartphones supports OpenPGP messages that a user sends from Microsoft Outlook only. Microsoft Outlook preserves the file extension of the attachment. After the user installs the PGP Support Package for BlackBerry smartphones, a BlackBerry device can display encrypted attachments with the original file extension, or the original file extension with.asc added. The PGP Support Package for BlackBerry smartphones supports the formats <filename.xxx> or <filename.xxx>.asc, but not the format <filename>.asc. If a user receives an encrypted attachment that the BlackBerry device with the PGP Support Package for BlackBerry smartphones cannot open, the sender might have sent the message from an email application that does not support attachments in encrypted messages. The user cannot open an attachment in a PGP protected message on the BlackBerry device if the attachment was encrypted using IBM Lotus Notes and PGP Desktop Professional. A recipient also cannot open an attachment that a PGP Universal Server encrypted in OpenPGP format and renamed Attachment1.pgp.

Process flow: Viewing an attachment in a PGP encrypted message or S/ MIME-encrypted message
The S/MIME Allowed Encrypted Attachment Mode IT policy rule or PGP Allowed Encrypted Attachment Mode IT policy rule determines how a BlackBerry device responds when it receives a PGP/MIME encrypted message or S/MIME-encrypted message that contains an attachment. These rules determine whether the following actions occur automatically when the user opens the email message, or whether the user must request the actions manually. 1. 2. 3. A BlackBerry device sends the message key and a request for the data in the attachment header to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the data in the attachment header. The BlackBerry Enterprise Server sends the data in the attachment header to the BlackBerry device. The BlackBerry device processes the data in the attachment header with the email message and displays the associated attachment information so that the user can select the attachment for viewing.
Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
1. 2. The BlackBerry device sends the message key and a request for the attachment data to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the attachment data that corresponds to the data in the attachment header. The BlackBerry Enterprise Server decrypts the attachment and sends the rendered attachment data to the BlackBerry device. The BlackBerry device displays the attachment.
To help protect the decrypted attachment data that the BlackBerry device stores, you can turn on content protection.
Permitting a BlackBerry device to use a password for PGP encryption
A BlackBerry device that is running BlackBerry Device Software 4.6 or later and the PGP Support Package for BlackBerry smartphones can use a password, which both the sender and recipient know, to encrypt email messages or PIN messages using PGP encryption. To configure a BlackBerry device to use a password for PGP encryption, you can use the PGP Allowed Encryption Types IT policy rule to permit the sender and recipient to use a password, a PGP public key, or both. The sender and recipient share the password manually. When the sender or recipient types the password to encrypt or decrypt the PGP encrypted message, the BlackBerry device combines the password with random bytes to generate a new encryption key.
Using an X.509 certificate to encrypt a message or validate a digital signature

PGP/MIME PGP Multipurpose Internet Mail Extensions PIN personal identification number RFC Request for Comments S/MIME Secure Multipurpose Internet Mail Extensions SHA Secure Hash Algorithm SSL Secure Sockets Layer TCP/IP Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet. TLS Transport Layer Security Triple DES Triple Data Encryption Standard WTLS Wireless Transport Layer Security

Legal notice

2010 Research In Motion Limited. All rights reserved. BlackBerry, RIM, Research In Motion, SureType, SurePress and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. IBM, Domino, Lotus, and Lotus Notes are trademarks of International Business Machines Corporation. Java is a trademark of Sun Microsystems, Inc. Microsoft, Microsoft Exchange Server, and Outlook are trademarks of Microsoft Corporation. PGP is a trademark of PGP Corporation. RSA is a trademark of RSA Security. Wi-Fi is a trademark of the Wi-Fi Alliance. All other trademarks are the property of their respective owners. The BlackBerry smartphone and other devices and/or associated software are protected by copyright, international treaties, and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are registered or pending in the U.S. and in various countries around the world. Visit www.rim.com/patents for a list of RIM (as hereinafter defined) patents. This documentation including all documentation incorporated by reference herein such as documentation provided or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by Research In Motion Limited and its affiliated companies ("RIM") and RIM assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change information that is contained in this documentation; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all. This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party web sites (collectively the "Third Party Products and Services"). RIM does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by RIM of the Third Party Products and Services or the third party in any way. EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NONINFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY. THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM. Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software.

The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION. Research In Motion Limited 295 Phillip Street Waterloo, ON N2L 3W8 Canada Research In Motion UK Limited Centrum House 36 Station Road Egham, Surrey TW20 9LF United Kingdom Published in Canada