Blackberry S-mime Support Package Version 4 1
User reviews and opinions
Hunkah, 3:34pm on Saturday, August 14th, 2010:
You can get a Nano or Touch for around a third of the price and still get Music, Podcasts, Apps, Clip, FM Radio and Camera. Overpriced content consumption tablet. Very responsive touch screen, high res screen. Content consumption only. Not great value for money. No camera.
steve will, 2:02am on Monday, August 2nd, 2010:
My company uses Citrix, so I am able to run Windows applications, SAP, even Flash and all my go-to corporate applications on the device. The iPad is exactly what I expected, easy to use, very well executed so long as you understand that it is mainly a device to consume media.
yuanpeng, 1:57pm on Tuesday, June 22nd, 2010:
I replaced my first-gen iPod Touch, which I had since they first came out a few years ago, with this new beast of a device. First of all.
johnbergsing, 4:42am on Tuesday, June 1st, 2010:
Love both the silicone case and zebra sleeve pouch. This product is EXACTLY what I wanted. It fits perfectly and it got here very fast.
Comments posted on www.ps2netdrivers.net are solely the views and opinions of the people posting them and do not necessarily reflect the views or opinions of us.
Documents
PKI component support
The S/MIME Support Package for BlackBerry devices is designed to support the following PKI components:
- LDAP: The BlackBerry device and the certificate synchronization tool use LDAP or LDAPS to search for and retrieve certificates.
- OCSP: The BlackBerry device and the certificate synchronization tool use OCSP to check the revocation status of a certificate on demand.
- CRL: The BlackBerry device and the certificate synchronization tool obtain the most recent known revocation status of certificates from a CRL, which is published at a frequency set on the CA server.
Certificate servers
Server type: Description
CA: Stores certificates and certificate status; publishes certificates to LDAP servers; publishes certificate revocation lists to CRL servers.
CRL: Stores lists of revoked certificates that the CA publishes at a specified frequency.
LDAP: Stores certificates and certificate status; provides certificates to the BlackBerry device.
OCSP: Verifies certificate revocation status on demand.
Computer-based certificate management
The certificate synchronization tool on the BlackBerry Desktop Manager lets users search for certificates, download the certificates to their BlackBerry devices, and verify the authenticity and status of certificates. CA servers, PKI servers, and the certificate synchronization tool send certificates and information about the certificates between them.
Server connections for certificate management on computers
Certificate management over the wireless network
The following BlackBerry Enterprise Server versions support data transfer over the wireless network between the BlackBerry device and the PKI components:
- BlackBerry Enterprise Server Version 3.5 or later for Microsoft Exchange
- BlackBerry Enterprise Server Version 4.1 SP2 or later for IBM Lotus Domino
The BlackBerry MDS Connection Service uses standard Internet protocols to allow BlackBerry devices with the S/MIME Support Package for BlackBerry devices installed and turned on to retrieve S/MIME certificates and S/MIME certificate status from PKI servers over the wireless network. The BlackBerry devices can store the certificates and summary information about the certificates. The BlackBerry Enterprise Server also stores summary information about the certificates that each S/MIME-enabled BlackBerry device stores. When a BlackBerry device user adds a certificate to or removes a certificate from an S/MIME-enabled BlackBerry device, the BlackBerry Enterprise Server synchronizes with the BlackBerry device over the wireless network automatically to update the information about the certificates on the BlackBerry Enterprise Server.
Server connections for certificate management over the wireless network
Setting the default connections for PKI components
You can set the default LDAP, OCSP, and CRL connections on the BlackBerry Enterprise Server so that all BlackBerry devices on the BlackBerry Enterprise Server can connect to the PKI. Users can add and set LDAP, OCSP, and CRL servers from their BlackBerry devices. See the S/MIME Support Package User Guide Supplement for more information.
Types of LDAP server connections
When a BlackBerry device user searches for certificates, the BlackBerry device uses the connection type specified in the LDAP server properties on the BlackBerry device. By default, the BlackBerry device retrieves the certificate using an unprotected LDAP connection.
The BlackBerry device is designed to use an LDAP or LDAPS connection when the user searches for certificates using the BlackBerry device. The BlackBerry device user can specify the connection type for external LDAP certificate servers on the BlackBerry device.
Set an LDAP server for your organization
1. In the BlackBerry Manager, in the left pane, click a BlackBerry Enterprise Server.
2. Click the Connection Service tab.
3. Click Edit Properties.
4. Click LDAP.
5. Set the following fields:
Field: Description
Host Name: Type the name of the default LDAP server.
Port: Type the port number on which the default LDAP server listens. Note: If you typed a host name, you must type a port number.
LDAP User ID: Type a user ID if the LDAP server requires simple authentication.
LDAP Password: Type a password if the LDAP server requires simple authentication.
LDAP Password (confirm): Type the authentication password again.
Default Server Base Query: Type the default base query for the default LDAP server, using %20 for spaces. Note: Each LDAP server can host multiple domains but can only search in one domain at a time. You might need to set a default base query for some LDAP servers.
Query Limit: Type the maximum number of entries to return for each query.
Enable Data Compression: In the drop-down list, click True to compress LDAP lookup results.
Securing connections to external LDAP certificate servers
The user can set an SSL/TLS option on the BlackBerry device to require the BlackBerry device to use an LDAPS connection in proxy mode. The BlackBerry device does not support end-to-end LDAPS connections. The BlackBerry device automatically uses port 636 for LDAPS connections and port 389 for LDAP connections to external LDAP certificate servers.
Set an OCSP server
1. In the BlackBerry Manager, in the left pane, click a BlackBerry Enterprise Server.
2. Click the Connection Service tab.
3. Click Edit Properties.
4. Click OCSP.
5. Set the following fields:
Field: Description
Default Responder URL: Type the default URL for the OCSP responder.
Authenticity: S/MIME technology uses digital signatures to permit the message recipient to identify and trust the message sender.
Certificates
Certificates are digital documents that contain information about the certificate subject. Certificates use the hierarchical structure of the X.509 standard DN syntax to define the certificate subject attributes.
Common attributes of certificate subjects
Attribute: Description (Example)
C: Country name (C=United States)
CN: Common name (CN=Amy Krul)
E: Email address (E=akrul@rim.com)
L: Locality (L=San Francisco)
O: Organization name (O=Research In Motion)
OU: Organizational unit name (OU=Pixelvibe Division)
ST: State or province (ST=California)
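The attribute table above is the string form of an X.509 DN. The parser below is an added example, not code from the BlackBerry documentation: it splits a DN in the RFC 4514 string form into (attribute, value) pairs, resolving backslash escapes, hex escapes and quoted values, and maps the abbreviations in the table to their descriptions. The acceptance of EMAIL and EMAILADDRESS alongside the E abbreviation, and the sample DN strings, are constructed for the example.

```python
"""Parse an X.509 distinguished name (DN) string into its subject attributes.

Added example; this is not code from the BlackBerry documentation. It reads
the RFC 4514 string form of a DN ("C=US,CN=Amy Krul,...") and maps the
attribute abbreviations listed in the table above to their descriptions.
All DN strings used for illustration are constructed.
"""
import re

# Abbreviations from the table above. E is the legacy form for the email
# address; EMAIL and EMAILADDRESS are the names other tools emit (assumption:
# accepted here so that DNs from several sources parse alike).
ATTRIBUTE_NAMES = {
    "C": "Country name",
    "CN": "Common name",
    "E": "Email address",
    "EMAIL": "Email address",
    "EMAILADDRESS": "Email address",
    "L": "Locality",
    "O": "Organization name",
    "OU": "Organizational unit name",
    "ST": "State or province",
}

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_unescaped(text, separator):
    """Split on separator, ignoring separators that are escaped or quoted."""
    parts, current, i, quoted = [], [], 0, False
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair for unescape()
            i += 2
        elif ch == '"':
            quoted = not quoted
            current.append(ch)
            i += 1
        elif ch == separator and not quoted:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    parts.append("".join(current))
    return parts


def unescape(value):
    """Resolve RFC 4514 escapes: \\XX hex pairs (UTF-8 bytes) and \\<char>."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and HEX_PAIR.fullmatch(pair):
                out += bytes.fromhex(pair)
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", "replace")


def parse_dn(dn):
    """Return (attribute, value) pairs in the order they appear in the DN.

    RDNs are separated by ',' and one RDN may hold several attributes joined
    by '+'. Values in double quotes (the older LDAPv2 style) are accepted.
    Raises ValueError on a component with no '='.
    """
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for component in split_unescaped(rdn, "+"):
            if "=" not in component:
                raise ValueError("malformed RDN component: %r" % component)
            attr, value = component.split("=", 1)
            attr, value = attr.strip().upper(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            pairs.append((attr, unescape(value)))
    return pairs


def describe_subject(dn):
    """Map a DN to a dict keyed by the attribute descriptions from the table."""
    return {ATTRIBUTE_NAMES.get(attr, attr): value for attr, value in parse_dn(dn)}


# Constructed DN built from the example values in the table above.
SAMPLE_DN = ("C=United States,CN=Amy Krul,E=akrul@rim.com,L=San Francisco,"
             "O=Research In Motion,OU=Pixelvibe Division,ST=California")

if __name__ == "__main__":
    for name, value in describe_subject(SAMPLE_DN).items():
        print("%-25s %s" % (name, value))
```

The escape handling matters for certificate matching: a subject such as `CN=Krul\, Amy` contains a comma that is part of the name, and a naive split on commas would produce a different set of attributes from the one the CA signed.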
A certificate binds the association between the certificate subject identity and the public key of the certificate subject, providing a level of trust in the authenticity of the association.
Certificate authorities
A CA issues certificates. For the BlackBerry device to trust the certificate, the BlackBerry device must trust the CA that issued the certificate. This trust relationship is indicated by a certificate chain from the certificate of the user to the certificate of the CA and continuing back through the certificates of any other authorizing entities connected to the certificate of the user. The original certificate in a chain is called a root certificate.
When the user installs the S/MIME Support Package for BlackBerry devices on the BlackBerry device and adds the certificate synchronization tool to the BlackBerry Desktop Manager, the certificate synchronization tool prompts the BlackBerry device user to download the existing S/MIME private key from the computer to the BlackBerry device. When the BlackBerry device user downloads the private key, the BlackBerry device automatically retrieves the corresponding certificate and all certificates in the chain. By using this mechanism, your organization can distribute trusted root certificates to all BlackBerry device users so that they can use the PKI system of your organization. Users can choose to trust selected certificates only, or trust the root certificate to trust an entire certificate chain.
The S/MIME Support Package for BlackBerry devices supports cross-certification between CAs. A CA can issue a certificate that contains the name and public key of another CA, which allows users from one organization to chain to a root certificate in another organization.
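The chain-to-root, explicit-trust and cross-certification behaviour described above can be seen in a small model. The code below is an added example, not the BlackBerry implementation: certificates are records with a subject, an issuer and a thumbprint, and issuer names are matched to subject names in place of signature verification, which is enough to show how a chain is walked back to a trusted root and how a cross-certificate lets a chain from one organization end at the root of another. Every certificate, name and thumbprint is constructed for the example.

```python
"""Build a certificate chain from a user certificate to a trusted root.

Added example; not the BlackBerry implementation. Certificates are
modelled as small records (thumbprint, subject, issuer). Signature
verification is not performed: issuer names are matched to subject names,
which is enough to show how a chain is walked back to a root, how trusting
a root differs from explicitly trusting one certificate, and how a
cross-certificate lets a chain from one organization end at the root of
another. Every certificate below is constructed for the example.
"""
from collections import namedtuple

Cert = namedtuple("Cert", "thumbprint subject issuer")


class TrustStore:
    def __init__(self, certs, trusted_roots=(), explicitly_trusted=()):
        # Several certificates can share a subject (a CA's own root and a
        # cross-certificate issued to it by another CA), so index by subject
        # to a list rather than to a single certificate.
        self.by_subject = {}
        for cert in certs:
            self.by_subject.setdefault(cert.subject, []).append(cert)
        self.trusted_roots = set(trusted_roots)            # root thumbprints
        self.explicitly_trusted = set(explicitly_trusted)  # single certificates

    def build_chain(self, leaf, max_depth=8):
        """Return [leaf, ..., trusted root] or None if no such chain exists.

        Depth-first search over every certificate whose subject equals the
        current issuer; a certificate already on the path is skipped so that
        two CAs that cross-certify each other cannot produce a loop.
        """
        def walk(cert, path):
            if cert.thumbprint in self.trusted_roots:
                return path
            if len(path) >= max_depth or cert.subject == cert.issuer:
                return None  # untrusted self-signed root, or chain too long
            for issuer_cert in self.by_subject.get(cert.issuer, []):
                if issuer_cert in path:
                    continue
                found = walk(issuer_cert, path + [issuer_cert])
                if found:
                    return found
            return None

        return walk(leaf, [leaf])

    def is_trusted(self, leaf):
        """Trusted if the user trusted this certificate explicitly, or if it
        chains to a root the user (or the organization) trusts."""
        if leaf.thumbprint in self.explicitly_trusted:
            return True
        return self.build_chain(leaf) is not None


# Constructed sample PKI: our organization's root, an issuing CA and a user
# certificate, plus a partner organization whose root we do not trust
# directly but whose root our CA has cross-certified.
OUR_ROOT = Cert("T-root-ours", "Our Root CA", "Our Root CA")
OUR_ISSUING = Cert("T-issuing-ours", "Our Issuing CA", "Our Root CA")
AMY = Cert("T-amy", "CN=Amy Krul", "Our Issuing CA")

PARTNER_ROOT = Cert("T-root-partner", "Partner Root CA", "Partner Root CA")
PARTNER_CROSS = Cert("T-cross-partner", "Partner Root CA", "Our Root CA")
PARTNER_ISSUING = Cert("T-issuing-partner", "Partner Issuing CA", "Partner Root CA")
BOB = Cert("T-bob", "CN=Bob Partner", "Partner Issuing CA")
STRANGER = Cert("T-stranger", "CN=Unknown", "Some Other CA")

STORE = TrustStore(
    [OUR_ROOT, OUR_ISSUING, AMY, PARTNER_ROOT, PARTNER_CROSS,
     PARTNER_ISSUING, BOB, STRANGER],
    trusted_roots=["T-root-ours"],
    explicitly_trusted=["T-stranger"],
)

if __name__ == "__main__":
    for cert in (AMY, BOB, STRANGER):
        chain = STORE.build_chain(cert)
        print(cert.subject, "trusted" if STORE.is_trusted(cert) else "untrusted",
              [c.subject for c in chain] if chain else None)
```

Bob's chain passes through the cross-certificate rather than the partner's own self-signed root, which is exactly the path the text describes; the stranger's certificate has no chain at all and is trusted only because the user chose to trust that one certificate.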
The BlackBerry device is designed to perform the following actions by default to support using a strong S/MIME public key to protect messages:
- setting the S/MIME Minimum Strong ECC Key Length IT policy rule to 163
- setting the following IT policy rules to 1024:
  - S/MIME Minimum Strong DH Key Length
  - S/MIME Minimum Strong DSA Key Length
  - S/MIME Minimum Strong RSA Key Length
See BlackBerry Enterprise Server IT policy rules for the S/MIME Support Package for BlackBerry devices on page 23 for more information.
Turning on S/MIME messaging
S/MIME messaging is turned off by default on the BlackBerry Enterprise Server. You must set the Enable S/MIME Message Processing option in the BlackBerry Manager to turn on S/MIME messaging on the BlackBerry Enterprise Server. After you turn on S/MIME messaging on the BlackBerry Enterprise Server, when a user installs the S/MIME Support Package for BlackBerry devices on the BlackBerry device and selects the Certificate Synchronization option during the BlackBerry Desktop Software installation process, and then runs the certificate synchronization tool or completes the wireless activation process, the BlackBerry Manager automatically turns on S/MIME messaging for the user. If you use a software configuration to install the S/MIME Support Package for BlackBerry devices on BlackBerry devices over the wireless network, the BlackBerry Enterprise Server turns on user-level support for the S/MIME Support Package for BlackBerry devices on the BlackBerry devices only after the BlackBerry devices complete the wireless activation process. See the BlackBerry Enterprise Server System Administration Guide for more information.
Turning on additional options for S/MIME messaging
In BlackBerry Enterprise Server Version 4.0 or later, you can set additional S/MIME encryption types in the BlackBerry Manager.
Encryption option: turn on S/MIME encryption of signed and weakly encrypted messages
BlackBerry Enterprise Server version: BlackBerry Enterprise Server Version 4.0 or later for Microsoft Exchange; BlackBerry Enterprise Server Version 4.1.2 or later for IBM Lotus Domino
Description: Setting this option requires the BlackBerry Enterprise Server to encrypt messages with S/MIME encryption a second time when processing S/MIME messages that are weakly encrypted or are signed but unencrypted. This process is designed to make sure that S/MIME-protected messages are strongly encrypted with S/MIME when users receive the messages on their BlackBerry devices.
Encryption option: send S/MIME messages in clearsigned format
BlackBerry Enterprise Server version: BlackBerry Enterprise Server for Microsoft Exchange Version 4.1 or later; BlackBerry Enterprise Server for IBM Lotus Domino Version 4.1.2 or later
Description: When a user sends a signed S/MIME message from the BlackBerry device, the text of the message appears in the message body, followed by the digital signature. A message recipient whose email application does not support S/MIME can read the text of the message but cannot verify the digital signature.
Encryption option: delete attachment data from signed S/MIME messages
BlackBerry Enterprise Server version: BlackBerry Enterprise Server for Microsoft Exchange Version 4.1 or later; BlackBerry Enterprise Server for IBM Lotus Domino Version 4.1.2 or later
Description: The BlackBerry Enterprise Server deletes attachment data from any signed-only S/MIME messages it receives to conserve bandwidth so that users on the BlackBerry Enterprise Server can receive more message text on their BlackBerry devices. The BlackBerry device cannot verify the S/MIME digital signature of the message after the BlackBerry Enterprise Server deletes the attachment data from the message.
Encryption option: use the Pkcs7 MIME type
Description: The BlackBerry Enterprise Server sends encrypted S/MIME messages using a newer MIME content-type, in accordance with PKCS#7, instead of the default legacy MIME content-type. If a BlackBerry device user sends an S/MIME-encrypted message to a messaging server that does not support the MIME content-type used, the messaging server does not render the S/MIME-protected message correctly.
See the BlackBerry Enterprise Server System Administration Guide for more information.
Turning on message classification
The BlackBerry Enterprise Server requires the BlackBerry device to use specific S/MIME-protected messaging levels according to the classification level that the user selects when composing a message on the BlackBerry device. With BlackBerry Enterprise Server Version 4.1 SP2 or later for Microsoft Exchange and BlackBerry Enterprise Server Version 4.1 SP2 or later for IBM Lotus Domino, you can use the Message Classification IT policy rule to add a set of message classifications available to users to apply to email messages sent using the BlackBerry Enterprise Server. Message classifications can require users to sign, encrypt, or sign and encrypt messages.
Searching for and validating S/MIME certificates
S/MIME certificate search
The S/MIME Support Package for BlackBerry devices includes an S/MIME Certificate Search application on the BlackBerry device. BlackBerry device users can query set LDAP certificate servers, download S/MIME certificates from the search results, and add certificates to the key store of the BlackBerry device. The BlackBerry device automatically searches for and downloads certificates that are not on the BlackBerry device based on the email addresses of the specified recipients while the user is composing an email message. BlackBerry device users can perform manual searches based on the first name, last name, and email address of the S/MIME certificate subject.
Revocation status of S/MIME certificates
BlackBerry device users can perform revocation status checks for S/MIME certificates when they receive signed or signed and encrypted messages on their BlackBerry devices, and before they send messages to S/MIME certificate subjects. Users can also check the revocation status of an S/MIME certificate from the key stores on their BlackBerry devices and in the S/MIME Certificate Search screen. The BlackBerry device uses the BlackBerry MDS Connection Service to request and retrieve the revocation status of the S/MIME certificate from either an OCSP server or a CRL server. The user can request the status of a single certificate or an entire certificate chain. On the BlackBerry device, in the S/MIME Certificate Search Options screen, users can set whether they are prompted to download the revocation status of the S/MIME certificate when they download an S/MIME certificate and add it to the key store on the BlackBerry device.
Storing S/MIME certificates and private keys
BlackBerry device storage
The S/MIME key store, which is part of the BlackBerry device flash memory, stores:
- S/MIME certificate and private key pairs that the BlackBerry device receives from the certificate synchronization tool
- S/MIME certificates that the BlackBerry device receives from the certificate synchronization tool, retrieves from LDAP certificate servers, imports from a smart card, or imports from email messages
- root certificates that RIM provides with BlackBerry software
Key store security features
BlackBerry device users must supply the key store password to add and delete S/MIME certificates stored on the BlackBerry device. The BlackBerry device stores a SHA-256 hash of the key store password. The hash of the password is designed to protect the actual key store password by preventing the possibility of a user with malicious intent determining the password from the contents of the BlackBerry device memory. When the user types the key store password, the BlackBerry device performs a one-way hash function on the entered characters using SHA-256, and then compares the hashed input to the stored hashed password.
You can set BlackBerry Enterprise Server IT policy rules to set the key store password. See the Policy Reference Guide for more information.
IT policy rule: Possible use
Minimum Password Length: Set a key store password that is between 4 and 12 alphanumeric characters in length.
Forbidden Passwords: Specify weak passwords to prevent.
Key Store Password Maximum Timeout: Specify the maximum length of time (0, 1, 2, 5, 10, 20, 30 minutes, or 1 hour) that the key store remains unlocked after the user types the correct key store password.
Disable Key Store Backup: Set this IT policy rule to prevent the backup of S/MIME private keys in the key store.
Minimal Signing Key Store Security Level: Set to one of the following levels:
- High security: The BlackBerry device prompts users for their key store passwords each time an application tries to access private keys that indicate that they can be used for signing.
- Medium security: The BlackBerry device prompts users for their key store password when an application tries to access private keys that indicate that they can be used for signing for the first time, or when their private key password timeout expires.
Minimal Encryption Key Store Security Level: Set to one of the following levels:
- High security: The BlackBerry device prompts users for their key store passwords each time an application tries to access private keys that indicate that they can be used for encryption.
- Medium security: The BlackBerry device prompts users for their key store passwords when an application tries to access private keys that indicate that they can be used for encryption for the first time, or when their private key password timeout expires.
Users can set the following options for additional key store security on the BlackBerry device (in Security Options > Key Stores).
Setting: Description
Allow Key Store Backup/Restore: Specify whether to back up and restore S/MIME certificates, private keys, public keys, and symmetric keys in the key store. Note: The BlackBerry device does not permit the user to back up and restore S/MIME private keys if you have set the Disable Key Store Backup IT policy rule to True.
Private Key Password Timeout: Specify the maximum amount of time that the key store remains unlocked after the BlackBerry device user types the correct key store password. Note: The BlackBerry device user cannot select a value that exceeds the value that you specify using the Key Store Password Maximum Timeout IT policy rule.
Key Store Address Injector: Specify whether to add a new contact to the address book when the BlackBerry device user adds a certificate to the key store on the BlackBerry device.
Certificate Service: Define the BlackBerry MDS Connection Service that the BlackBerry device uses to retrieve S/MIME certificates and certificate status from the PKI.
Certificate Status Expires After: Specify the maximum amount of time (1, 2, 4, or 12 hours, 1 day, 1 week, 1 month, or 6 months) for which the revocation status of the S/MIME certificate remains valid. Specify Never to indicate that the revocation status of the S/MIME certificate remains valid forever.
Change Password: Type a new key store password.
Private key security
Users can specify additional settings for private key security for digitally signing keys and decryption keys using the certificate synchronization tool on the BlackBerry Desktop Manager. The BlackBerry device does not enforce the security level that the user specifies for this rule if it is lower than the value that you specify using the Minimal Signing Key Store Security Level and the Minimal Encryption Key Store Security Level IT policy rules.
Security level: Description
High: The BlackBerry device prompts the user for the key store password each time an application tries to access the private key, whether the private key password timeout period for the user is expired or valid.
Medium: The BlackBerry device prompts the user for the key store password when an application tries to access the private key for the first time or when the private key password timeout period for the user expires. The BlackBerry device does not prompt the user for the key store password if an application makes a subsequent attempt to access the private key while the private key password timeout is still valid.
Low: The BlackBerry device does not prompt the user when an application tries to access the private key of the user.
Allowing users to change the security level of private keys in the key store on their BlackBerry devices Users can set the security level at which the key store on the BlackBerry device stores a private key. The security level controls whether the BlackBerry device prompts users for their key store passwords each time an application tries to access a private key.
The user can choose a security level for a private key on the BlackBerry device that is higher than what the BlackBerry Enterprise Server administrator sets using the Minimal Encryption Key Store Security Level IT policy rule and the Minimal Signing Key Store Security Level IT policy rule. When the user changes the security level of the private key, the BlackBerry device re-encrypts the private key before adding it back to the key store.
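The key store rules above (the hashed password check, the user timeout bounded by the Key Store Password Maximum Timeout rule, and the High / Medium / Low prompting behaviour with the IT policy minimum as a floor) combine into a small state machine. The model below is an added example, not the BlackBerry implementation; passwords, key names, timestamps (in seconds) and the default policy minimum of Medium are constructed assumptions.

```python
"""Model of key store unlocking and private key access prompts.

Added example; not the BlackBerry implementation. It follows the behaviour
described above: the store keeps a SHA-256 hash of the key store password
and compares a hash of what the user types; the Private Key Password
Timeout a user picks cannot exceed the Key Store Password Maximum Timeout
IT policy rule; and the security level of a private key (High, Medium or
Low) decides whether the password is prompted for on every access, only on
the first access or after the timeout expires, or never. A user-chosen
level lower than the Minimal Signing / Minimal Encryption Key Store
Security Level IT policy rule is raised to the policy's level. Passwords,
key names and timestamps below are constructed; times are in seconds.
"""
import hashlib
import hmac

LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


def password_hash(password):
    """One-way SHA-256 hash of the key store password, as the text describes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class KeyStore:
    def __init__(self, password, policy_max_timeout, policy_min_level=None):
        if not 4 <= len(password) <= 12:  # Minimum Password Length rule range
            raise ValueError("key store password must be 4 to 12 characters")
        self._password_hash = password_hash(password)  # only the hash is kept
        self.policy_max_timeout = policy_max_timeout    # seconds, from IT policy
        self.timeout = policy_max_timeout               # user's current choice
        # Minimal level per key purpose; Medium for both is an assumption.
        self.policy_min_level = policy_min_level or {"signing": "Medium",
                                                     "encryption": "Medium"}
        self.unlocked_until = None       # time at which the unlock expires
        self.accessed_since_unlock = set()

    def set_timeout(self, seconds):
        """Private Key Password Timeout: bounded above by the IT policy rule."""
        if seconds > self.policy_max_timeout:
            raise ValueError("timeout exceeds Key Store Password Maximum Timeout")
        self.timeout = seconds

    def check_password(self, candidate):
        """Hash the typed password and compare it to the stored hash in constant time."""
        return hmac.compare_digest(password_hash(candidate), self._password_hash)

    def effective_level(self, user_level, purpose):
        """The user's level, raised to the policy minimum when it is lower."""
        policy = self.policy_min_level[purpose]
        return user_level if LEVEL_RANK[user_level] >= LEVEL_RANK[policy] else policy

    def is_unlocked(self, now):
        return self.unlocked_until is not None and now < self.unlocked_until

    def needs_prompt(self, key_id, user_level, purpose, now):
        level = self.effective_level(user_level, purpose)
        if level == "High":
            return True       # every access, whether or not the timeout is valid
        if level == "Low":
            return False      # never prompts
        # Medium: first access of this key, or the timeout has expired
        return not self.is_unlocked(now) or key_id not in self.accessed_since_unlock

    def access_private_key(self, key_id, user_level, purpose, now, password=None):
        """True if the application may use the key; False if a prompt was needed
        and no password (or a wrong one) was supplied."""
        if self.needs_prompt(key_id, user_level, purpose, now):
            if password is None or not self.check_password(password):
                return False
            self.unlocked_until = now + self.timeout
            self.accessed_since_unlock = set()
        self.accessed_since_unlock.add(key_id)
        return True


if __name__ == "__main__":
    store = KeyStore("hunter22", policy_max_timeout=600)  # policy allows 10 minutes
    store.set_timeout(300)                                 # user picks 5 minutes
    print(store.access_private_key("sign-key", "Medium", "signing", now=0))
    print(store.access_private_key("sign-key", "Medium", "signing", now=0, password="hunter22"))
    print(store.access_private_key("sign-key", "Medium", "signing", now=100))
    print(store.access_private_key("sign-key", "Medium", "signing", now=400))
```

Two details are worth noting from a defender's side: the comparison uses a constant-time digest compare rather than `==`, and the user's timeout is rejected rather than silently clamped when it exceeds the policy maximum, so a misconfiguration surfaces instead of being hidden.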
Certificate storage on a smart card
The BlackBerry Smart Card Reader for BlackBerry devices is an accessory that, when used in proximity to certain Bluetooth-enabled BlackBerry devices, integrates smart card use with the BlackBerry Enterprise Solution. The BlackBerry Smart Card Reader creates a reliable environment for two-factor authentication for granting a user access to BlackBerry and PKI applications. It also turns on the wireless digital signing and encryption of wireless email messages using the S/MIME Support Package for BlackBerry devices. See the BlackBerry Smart Card Reader Security Technical Overview for more information about BlackBerry Smart Card Reader features.
Importing an S/MIME certificate from a smart card
If a user has a smart card authenticator, driver for the smart card, and driver for the smart card reader installed on the Bluetooth-enabled BlackBerry device, the user can perform a Bluetooth pairing process followed by a secure pairing process with the BlackBerry Smart Card Reader. After the BlackBerry device and the BlackBerry Smart Card Reader establish a secure pairing, you can set the S/MIME Force Smartcard Use IT policy rule to require the use of the smart card to import certificates, sign, encrypt, or sign and encrypt S/MIME-protected messages on the BlackBerry device.
Clearing decrypted S/MIME content from the BlackBerry device
The BlackBerry device automatically turns on the feature for secure garbage collection when the S/MIME Support Package for BlackBerry devices is installed and the private key of the user is on the BlackBerry device. When the feature for secure garbage collection is turned on, the BlackBerry device performs the following actions:
- overwrites the memory reclaimed by the standard garbage collection process with zeroes
- periodically runs the memory cleaner application, which tells BlackBerry device applications to clear any caches and free memory associated with unused, sensitive application data
- automatically overwrites the memory that the memory cleaner application makes available when it runs
- Prevent BlackBerry device users from accepting unverified CRLs when checking the status of a certificate using the BlackBerry MDS Connection Service.
- Set a string of trusted certificate thumbprints to prevent users from adding certificates with thumbprints that are not included in the string to the trusted key store.
Set the Trusted Certificate Thumbprints IT policy rule to a semicolon-separated list of Hex-ASCII certificate thumbprints that are generated using either SHA-1 or MD5.
Users can set security options for S/MIME certificates on their BlackBerry devices (in Security Options > Certificates) by clicking a specific certificate and selecting an action.
Action: Description
Explicitly trust an S/MIME certificate: Click Trust.
Delete the trust associated with an explicitly trusted S/MIME certificate: Click Distrust.
Invalidate the status of an S/MIME certificate in the key store on the BlackBerry device: Click Revoke.
Delete an S/MIME certificate from the key store on the BlackBerry device: Click Delete.
Send an S/MIME certificate in an email message: Click Send via Email.
Send an S/MIME certificate in a PIN message: Click Send via PIN.
Download the status of the S/MIME certificate: Click Fetch Status.
Download the status of the entire S/MIME certificate chain: Click Fetch Chain Status.
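The Trusted Certificate Thumbprints rule above is a simple allow-list, and the points that bite in practice are parsing the administrator's string robustly and computing the thumbprint over the same bytes the device would hash. The code below is an added example, not the BlackBerry implementation: it parses the semicolon-separated Hex-ASCII list, computes the SHA-1 and MD5 thumbprints of a certificate's DER bytes, and reports whether the certificate may be added to the trusted store. The certificate bytes are constructed placeholders rather than real certificates, and treating an empty rule as "no restriction" is an assumption the text does not state.

```python
"""Enforce the Trusted Certificate Thumbprints IT policy rule.

Added example; not the BlackBerry implementation. It parses the rule value
as the text describes it (a semicolon-separated list of Hex-ASCII SHA-1 or
MD5 thumbprints), computes both thumbprints of a certificate's DER bytes
and reports whether the user may add that certificate to the trusted key
store. The certificate bytes below are constructed placeholders, not real
certificates; an unset (empty) rule is taken to mean no restriction, which
is an assumption, not something the text states.
"""
import hashlib
import re

THUMBPRINT_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}")  # MD5 or SHA-1, hex


def parse_thumbprint_policy(rule_value):
    """Return the set of thumbprints (lowercase hex) named in the rule.

    Colons, spaces and case differences inside an entry are tolerated, since
    tools print thumbprints in several styles; an entry that is not a 32- or
    40-digit hex string raises ValueError so that a typo cannot silently lock
    every certificate out (or let one in).
    """
    allowed = set()
    for entry in rule_value.split(";"):
        digest = re.sub(r"[\s:]", "", entry).lower()
        if not digest:
            continue
        if not THUMBPRINT_RE.fullmatch(digest):
            raise ValueError("not an MD5 or SHA-1 thumbprint: %r" % entry)
        allowed.add(digest)
    return allowed


def policy_is_well_formed(rule_value):
    """True if every entry in the rule parses as an MD5 or SHA-1 thumbprint."""
    try:
        parse_thumbprint_policy(rule_value)
        return True
    except ValueError:
        return False


def certificate_thumbprints(der_bytes):
    """SHA-1 and MD5 thumbprints of the DER-encoded certificate."""
    sha1 = hashlib.sha1(der_bytes).hexdigest()
    try:
        md5 = hashlib.md5(der_bytes, usedforsecurity=False).hexdigest()
    except TypeError:  # Python before 3.9 has no usedforsecurity flag
        md5 = hashlib.md5(der_bytes).hexdigest()
    return {sha1, md5}


def may_add_to_trusted_store(der_bytes, rule_value):
    """True if the rule is unset or names one of the certificate's thumbprints."""
    allowed = parse_thumbprint_policy(rule_value)
    if not allowed:
        return True
    return bool(certificate_thumbprints(der_bytes) & allowed)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
ALLOWED_CERT_DER = b"\x30\x82\x01\x00constructed-cert-allowed"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-cert-other"

# A policy string in the style an administrator might enter: one SHA-1
# thumbprint in upper case with colon separators, plus one MD5 thumbprint
# (the MD5 of the empty string, used here only as constructed filler).
SAMPLE_POLICY = ";".join([
    ":".join(re.findall("..", hashlib.sha1(ALLOWED_CERT_DER).hexdigest().upper())),
    "d41d8cd98f00b204e9800998ecf8427e",
])

if __name__ == "__main__":
    print(SAMPLE_POLICY)
    print(may_add_to_trusted_store(ALLOWED_CERT_DER, SAMPLE_POLICY))  # True
    print(may_add_to_trusted_store(OTHER_CERT_DER, SAMPLE_POLICY))    # False
```

Validating the rule string up front is the important part: a single malformed entry is a policy error an administrator should see, not something the device should quietly ignore.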
Sending and receiving S/MIME-protected messages
The S/MIME Support Package for BlackBerry devices includes options for digital signing and encryption that the user can define on the BlackBerry device, or that you can set and push to BlackBerry devices using the BlackBerry Enterprise Server IT policy. See BlackBerry Enterprise Server IT policy rules for the S/MIME Support Package for BlackBerry devices on page 23 for more information.
Options for message signing and encryption
When users select encoding options on their BlackBerry devices or are required by the message classification that they select on the BlackBerry devices to send an encrypted or signed and encrypted S/MIME message, one of the following conditions occurs:
- If a BlackBerry device user has an appropriate (in other words, trusted, not revoked, not expired, and with a strong public key) S/MIME certificate for the recipient, the BlackBerry device sends the message.
- If a BlackBerry device user does not have an appropriate S/MIME certificate for the recipient, the BlackBerry device tries to retrieve a certificate automatically. If it finds an appropriate certificate, the BlackBerry device sends the message. If it does not find an appropriate certificate, the BlackBerry device prompts the user to choose one of the following options:
  - not send the message
  - manually download an appropriate S/MIME certificate
  - send the message in unencrypted form
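The decision flow above, together with the default minimum strong key lengths the document gives earlier (ECC 163 bits; DH, DSA and RSA 1024 bits), can be written out as a small policy check. The code below is an added example, not the BlackBerry implementation: `certificate_problems` lists why a certificate is not appropriate, and `decide_send` tries the local store, then an automatic lookup, and otherwise returns the three options the text lists. The certificate records, the local store and the directory lookup are constructed for the example, as is the 2008 validity period.

```python
"""Decide whether a message to a recipient can be S/MIME-encrypted.

Added example; not the BlackBerry implementation. It follows the flow
described above: a certificate is "appropriate" when it is trusted, not
revoked, not expired and carries a strong public key, where "strong" uses
the default IT policy key lengths given earlier in the document (ECC 163
bits; DH, DSA and RSA 1024 bits). If no appropriate certificate is held,
an automatic lookup is tried; if that fails, the three options the text
lists are offered. The certificate records, the local store and the
lookup function are constructed for the example.
"""
from datetime import datetime, timezone

# Default minimum strong key lengths from the IT policy rules named earlier.
DEFAULT_MIN_KEY_BITS = {"ECC": 163, "DH": 1024, "DSA": 1024, "RSA": 1024}

PROMPT_OPTIONS = ("do not send the message",
                  "manually download an appropriate S/MIME certificate",
                  "send the message in unencrypted form")


def is_strong_key(algorithm, bits, policy=DEFAULT_MIN_KEY_BITS):
    """Strong if the key length meets the policy minimum for its algorithm."""
    minimum = policy.get(algorithm.upper())
    return minimum is not None and bits >= minimum


def certificate_problems(cert, now, policy=DEFAULT_MIN_KEY_BITS):
    """Return the reasons a certificate is not appropriate; empty means it is."""
    problems = []
    if not cert["trusted"]:
        problems.append("not trusted")
    if cert["revoked"]:
        problems.append("revoked")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("expired or not yet valid")
    if not is_strong_key(cert["key_algorithm"], cert["key_bits"], policy):
        problems.append("weak public key")
    return problems


def decide_send(recipient, local_store, lookup, now, policy=DEFAULT_MIN_KEY_BITS):
    """Return ("send", cert) or ("prompt", PROMPT_OPTIONS)."""
    for cert in local_store.get(recipient, []):
        if not certificate_problems(cert, now, policy):
            return ("send", cert)
    for cert in lookup(recipient):  # automatic retrieval, e.g. an LDAP search
        if not certificate_problems(cert, now, policy):
            return ("send", cert)
    return ("prompt", PROMPT_OPTIONS)


def make_cert(email, algorithm, bits, trusted=True, revoked=False, years_valid=2):
    """Constructed certificate record; validity starts 2008-01-01 (assumed)."""
    start = datetime(2008, 1, 1, tzinfo=timezone.utc)
    return {"email": email, "key_algorithm": algorithm, "key_bits": bits,
            "trusted": trusted, "revoked": revoked,
            "not_before": start,
            "not_after": start.replace(year=start.year + years_valid)}


NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)

# Constructed local key store: a strong RSA certificate, a weak RSA one,
# a revoked ECC one and an expired one.
LOCAL_STORE = {
    "akrul@rim.com": [make_cert("akrul@rim.com", "RSA", 2048)],
    "weak@example.test": [make_cert("weak@example.test", "RSA", 512)],
    "revoked@example.test": [make_cert("revoked@example.test", "ECC", 256, revoked=True)],
    "expired@example.test": [make_cert("expired@example.test", "RSA", 2048, years_valid=0)],
}

# Constructed directory standing in for the LDAP certificate server; it
# holds a newer, strong certificate for the recipient whose local one is weak.
DIRECTORY = {
    "weak@example.test": [make_cert("weak@example.test", "DSA", 1024)],
}


def directory_lookup(recipient):
    return DIRECTORY.get(recipient, [])


if __name__ == "__main__":
    for who in ("akrul@rim.com", "weak@example.test",
                "revoked@example.test", "nobody@example.test"):
        action, detail = decide_send(who, LOCAL_STORE, directory_lookup, NOW)
        print(who, action, detail if action == "prompt" else detail["key_algorithm"])
```

Returning the list of problems rather than a bare boolean is deliberate: when the device falls back to prompting, the user (or an administrator reading a log) can see whether the cause was a weak key, an expired certificate or a revocation, which are very different things to remediate.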
Manually downloading an S/MIME certificate
If the user responds to the BlackBerry device prompt by choosing to manually download an appropriate S/MIME certificate for the intended recipient, the BlackBerry device displays a Certificate Search application. The user can refine search parameters in the Certificate Search application before the BlackBerry device tries to retrieve an appropriate S/MIME certificate from a set LDAP certificate server. If it finds an appropriate S/MIME certificate, the BlackBerry device sends the message.
Sending a message in unencrypted form
When composing a message, users can select the following options:
- Attach S/MIME certificates from the key store on the BlackBerry device and send the keys as .cer file attachments.
- Attach certificate server configuration information.
- Send the message as plain text.
See the S/MIME Support Package User Guide Supplement for more information. By default, the S/MIME Support Package for BlackBerry devices permits users to send and receive plain text email and PIN messages on their BlackBerry devices. You can set BlackBerry Enterprise Server IT policy rules to prevent users from sending plain text messages from their S/MIME-enabled BlackBerry devices.
Scenario: Possible solution
Force users to send signed, encrypted, or signed and encrypted S/MIME email messages from their S/MIME-enabled BlackBerry devices: Set the Disable Message Normal Send IT policy rule to True.
Force users to send signed, encrypted, or signed and encrypted S/MIME PIN messages from their S/MIME-enabled BlackBerry devices: Set the Disable Peer-to-Peer Normal Send IT policy rule to True.
Viewing attachments in S/MIME-encrypted messages
The BlackBerry Enterprise Server administrator can use the S/MIME Allowed Encrypted Attachment Mode IT policy rule to specify the least restrictive mode that the BlackBerry device can use to retrieve S/MIME-encrypted attachment information. When a user receives an S/MIME-encrypted message that includes an attachment on their BlackBerry device, depending on the setting of the S/MIME Allowed Encrypted Attachment Mode IT policy rule, the following actions can occur automatically when the user opens the message, or when the user requests them manually.
1. The BlackBerry device sends the message key and a request for the attachment header data to the BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the message and access the attachment header data.
3. The BlackBerry Enterprise Server sends the attachment header data to the BlackBerry device.
4. The BlackBerry device processes the attachment header data with the message and displays the associated attachment information so that the user can select the attachment for viewing.
IT policy rule: Description
S/MIME Minimum Strong RSA Key Length: Specifies the minimum RSA key size, in bits, that you consider strong, for use with S/MIME.
Entrust Messaging Server (EMS) Email Address: Specifies the email address for an Entrust Entelligence Messaging Server.
The following IT policy rules apply only to users using a smart card certificate on BlackBerry devices running BlackBerry Device Software Version 3.6 or earlier with the S/MIME Support Package Version 4.0 or later for BlackBerry devices installed, or BlackBerry Device Software Version 4.0 or later (S/MIME Support Package for BlackBerry devices optional) on which the BlackBerry Smart Card Reader driver is installed.
IT policy rule: Description
Force Smart Card Two Factor Challenge Response: Specifies whether the BlackBerry device requires the user to choose a smart card certificate for use with two-factor authentication using smart cards.
S/MIME Force Smartcard Use: Specifies whether all certificate operations must be performed using a paired BlackBerry Smart Card Reader and smart card.
See the BlackBerry Smart Card Reader Security Technical Overview for information about BlackBerry Enterprise Server IT policy rules that apply only to BlackBerry devices on which the S/MIME Support Package for BlackBerry devices and the BlackBerry Smart Card Reader are installed.
Related resources
Resources:
- BlackBerry Enterprise Server System Administration Guide
- BlackBerry Enterprise Solution Security Technical Overview
- Policy Reference Guide
- S/MIME Support Package User Guide Supplement
- www.blackberry.com/security

Information:
- generating and changing master encryption keys
- turning on S/MIME
- turning on encryption options
- setting IT policy rules
- setting message classifications
- preventing the decryption of information at an intermediate point between the BlackBerry device and the BlackBerry Enterprise Server or organization's LAN
- managing security settings for all BlackBerry devices
- protecting data in transit between the BlackBerry device and BlackBerry Enterprise Server
- understanding the algorithms provided by the RIM cryptographic API (Crypto API)
- understanding the TLS and WTLS standards that the RIM Crypto API currently supports
- understanding the memory scrub process that occurs on the BlackBerry device when content protection is turned on
- using BlackBerry Enterprise Server IT policies
- installing the S/MIME Support Package for BlackBerry devices
- managing certificates on the BlackBerry device and computer
- setting S/MIME options for digitally signing and encrypting messages
- sending and receiving S/MIME-protected messages
- information about BlackBerry Enterprise Solution security (visit www.blackberry.com/security)
S/MIME Support Package for BlackBerry Devices Part number: 10975703 Version 1
2008 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, Always On, Always Connected, the envelope in motion symbol, and BlackBerry are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries. Bluetooth is a trademark of Bluetooth SIG. Entrust, Entrust Authority, and Entrust Entelligence are trademarks of Entrust, Inc. IBM, Lotus, Domino, and Lotus Notes are trademarks of International Business Machine Corporation. Java is a trademark of Sun Microsystems, Inc. Microsoft and Outlook are trademarks of Microsoft Corporation. Netscape is a trademark of Netscape Communication Corporation. Novell and GroupWise are trademarks of Novell, Inc. RSA is a trademark of RSA Security. All other brands, product names, company names, trademarks and service marks are the properties of their respective owners.
The BlackBerry device and/or associated software are protected by copyright, international treaties and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are registered or pending in various countries around the world. Visit www.rim.com/patents.shtml for a current list of RIM [as hereinafter defined] patents. This document is provided as is and Research In Motion Limited and its affiliated companies (RIM) assume no responsibility for any typographical, technical, or other inaccuracies in this document. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS. This document might contain references to third-party sources of information, hardware or software, products or services and, or third-party web sites (collectively the Third-Party Information). 
RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the Third-Party Information or the third-party in any way. Installation and use of Third-Party Information with RIM products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. Any dealings with Third-Party Information, including, without limitation, compliance with applicable licenses and terms and conditions, are solely between you and the third-party. You are solely responsible for determining whether such third-party licenses are required and are responsible for acquiring any such licenses relating to Third-Party Information. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use Third-Party Information until all such applicable licenses have been acquired by you or on your behalf. Your use of Third-Party Information shall be governed by and subject to you agreeing to the terms of the Third-Party Information licenses. Any Third-Party Information that is provided with RIM products and services is provided as is. RIM makes no representation, warranty, or guarantee whatsoever in relation to the Third-Party Information and RIM assumes no liability whatsoever in relation to the Third-Party Information even if RIM has been advised of the possibility of such damages or can anticipate such damages.

S/MIME Support Package for BlackBerry smartphones
Version: 5.0
Security Technical Overview
SWD-944401-0209112538-001
Contents
BlackBerry Enterprise Solution security
New in this release
System requirements: S/MIME Support Package for BlackBerry smartphones
Extending messaging security using S/MIME encryption
  Configuring the BlackBerry Enterprise Server to support S/MIME encryption
  S/MIME encryption algorithms
  Making S/MIME encryption mandatory
What happens when a BlackBerry device protects a message using S/MIME encryption
  Process flow: Sending an email message using S/MIME encryption
  Process flow: Receiving an S/MIME-encrypted email message
S/MIME certificates and S/MIME private keys
  Adding certificates or private keys to a BlackBerry device
  S/MIME certificates and S/MIME private keys that a BlackBerry device stores
  How a BlackBerry device protects the BlackBerry device key store
  How a BlackBerry device trusts an S/MIME certificate
  Checking the status of an S/MIME certificate on a BlackBerry device
  Managing certificates using the BlackBerry Desktop Manager
  Managing certificates over the wireless network
  Protecting connections to LDAP servers
  Searching for S/MIME certificates on a BlackBerry device
  Enrolling certificates on a BlackBerry device over the wireless network
  Protecting the S/MIME private key on a BlackBerry device
  Security levels that protect the S/MIME private key
  Changing the minimum key length that a BlackBerry device can use
Best practice: Configuring BlackBerry Enterprise Solution options for S/MIME encryption
Extending messaging security to attachments
  Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message
  Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
Enforcing secure messaging using classifications
Permitting a BlackBerry device to use a password for S/MIME encryption
Deleting decrypted S/MIME data from a BlackBerry device
Using a smart card with S/MIME encryption
  BlackBerry Smart Card Reader
  Advanced Security SD cards
IT policy rules that apply to the S/MIME Support Package for BlackBerry smartphones
Related resources
Glossary
Provide feedback
Legal notice
BlackBerry Enterprise Solution security
The BlackBerry Enterprise Solution consists of various products and components that are designed to extend your organization's communication methods to BlackBerry devices. The BlackBerry Enterprise Solution is designed to protect data that is in transit at all points between a BlackBerry device and BlackBerry Enterprise Server. To help protect data that is in transit over the wireless network, the BlackBerry Enterprise Server and BlackBerry device use symmetric key cryptography to encrypt the data. Only the BlackBerry Enterprise Server and BlackBerry device can decrypt the data that they send between each other. The BlackBerry Enterprise Server is designed to prevent third parties, including wireless service providers, from accessing your organization's potentially sensitive information in a decrypted format. The BlackBerry Enterprise Solution uses confidentiality, integrity, and authenticity, which are principles for information security, to help protect your organization from data loss or alteration.

Principle: confidentiality
Description: The BlackBerry Enterprise Solution uses symmetric key cryptography to help make sure that only intended recipients can view the contents of email messages.

Principle: integrity
Description: The BlackBerry Enterprise Solution uses symmetric key cryptography to help protect every email message that the BlackBerry device sends and to help prevent third parties from decrypting or altering the message data. Only the BlackBerry Enterprise Server and BlackBerry device know the value of the keys that they use to encrypt messages and recognize the format of a decrypted and decompressed message. The BlackBerry Enterprise Server or BlackBerry device rejects a message automatically if it is not encrypted with keys that they recognize as valid.

Principle: authenticity
Description: Before the BlackBerry Enterprise Server sends data to the BlackBerry device, the BlackBerry device authenticates with the BlackBerry Enterprise Server to prove that the BlackBerry device knows the device transport key that is used to encrypt data.
Configuring the BlackBerry Enterprise Server to support S/MIME encryption
By default, S/MIME encryption on the BlackBerry Enterprise Server is turned off and the BlackBerry Enterprise Server does not process S/MIME-encrypted messages. To turn on S/MIME encryption, you must select the Enable S/MIME Message Processing option in the BlackBerry Administration Service or a BlackBerry device user must transfer the S/MIME private key to the BlackBerry device. After you turn on S/MIME encryption on the BlackBerry Enterprise Server, a BlackBerry device user can install the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device, or you can configure a software configuration to install the S/MIME Support Package for BlackBerry smartphones on a BlackBerry device over the wireless network. After the S/MIME Support Package for BlackBerry smartphones is installed on the BlackBerry device, the user can add certificates to the BlackBerry device by enrolling them over the wireless network or using the certificate synchronization tool of the BlackBerry Desktop Manager. For more information, see the BlackBerry Enterprise Server Administration Guide.
S/MIME encryption algorithms
When you turn on S/MIME encryption, the default value of the S/MIME Allowed Content Ciphers IT policy rule specifies that a BlackBerry device can use any of the following encryption algorithms to encrypt messages: AES-256, AES-192, AES-128, CAST-128, RC2-128, or Triple DES. By default, the BlackBerry device cannot use the RC2-64 algorithm and RC2-40 algorithm to encrypt S/MIME messages. You can change the value of the S/MIME Allowed Content Ciphers IT policy rule to use a subset of the encryption algorithms if your organization's security policies require it. If a BlackBerry device user wants to send an email message to a recipient that the user previously received an email message from, the BlackBerry device is designed to store the encryption algorithms that the recipient's email application can support, and use one of those encryption algorithms. By default, if the BlackBerry device cannot determine the encryption algorithms that the recipient's email application can support, the BlackBerry device encrypts the email message using Triple DES. You can use the Weak Digest Algorithms IT policy rule to specify the algorithms that your organization considers to be weak. The BlackBerry device uses the list of weak algorithms in the Weak Digest Algorithms IT policy rule when the BlackBerry device verifies the following information:
- An S/MIME-enabled application did not use a weak algorithm to generate the digital signatures on the email messages that the BlackBerry device receives.
- The certificate chains for the certificates that an S/MIME-enabled application used to digitally sign email messages that the BlackBerry device receives do not contain hash values generated using a weak algorithm.
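The cipher-selection and weak-digest rules above, as an added example (not RIM's code): the policy rule names are the page's, but the strongest-first preference order, the data structures and the sample Weak Digest Algorithms value are assumptions for illustration.

```python
from typing import Iterable, List, Optional, Sequence

# Default value of the S/MIME Allowed Content Ciphers IT policy rule as the section
# lists it (RC2-64 and RC2-40 are excluded by default). The strongest-first ordering
# is an assumed local preference; the page does not state a preference order.
DEFAULT_ALLOWED_CONTENT_CIPHERS = (
    "AES-256", "AES-192", "AES-128", "CAST-128", "RC2-128", "Triple DES",
)
# The page's default when the recipient's capabilities are unknown.
FALLBACK_CIPHER = "Triple DES"


def select_content_cipher(allowed_ciphers: Sequence[str],
                          recipient_capabilities: Optional[Iterable[str]]) -> Optional[str]:
    """Choose the content cipher for an outgoing S/MIME message.

    allowed_ciphers: ciphers the IT policy rule permits, in preference order.
    recipient_capabilities: ciphers the recipient's mail client advertised in a
        message the device received earlier, or None if nothing is stored.
    Returns None when policy and the recipient's capabilities do not overlap,
    which is the case where the device cannot encrypt for that recipient.
    """
    if recipient_capabilities is None:
        # Unknown capabilities: Triple DES by default, but only if policy still permits it.
        return FALLBACK_CIPHER if FALLBACK_CIPHER in allowed_ciphers else None
    advertised = {c.upper() for c in recipient_capabilities}
    for cipher in allowed_ciphers:
        if cipher.upper() in advertised:
            return cipher
    return None


# Constructed sample value for the Weak Digest Algorithms IT policy rule.
WEAK_DIGEST_ALGORITHMS = frozenset({"MD5"})


def weak_digest_findings(signature_digest: str, chain_digests: Sequence[str],
                         weak=WEAK_DIGEST_ALGORITHMS) -> List[str]:
    """The two checks the section describes: the digest used for the message
    signature itself, and the digest used to sign each certificate in the signer's
    chain. An empty list means no weak digest was found."""
    findings = []
    if signature_digest.upper() in weak:
        findings.append(f"message signature uses weak digest {signature_digest}")
    for idx, digest in enumerate(chain_digests):
        if digest.upper() in weak:
            findings.append(f"chain certificate {idx} is signed with weak digest {digest}")
    return findings
```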
Making S/MIME encryption mandatory
By default, the S/MIME Support Package for BlackBerry smartphones permits a BlackBerry device user to send and receive plain-text email messages and PIN messages on a BlackBerry device. You can configure the Disable Message Normal Send IT policy rule and Disable Peer-to-Peer Normal Send IT policy rule to prevent the user from sending plain-text messages on the BlackBerry device. For more information about the IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.
What happens when a BlackBerry device protects a message using S/MIME encryption
When a BlackBerry device user composes an email message or a PIN message, the user can select one of the following options:
- attach S/MIME certificates from the BlackBerry device key store and send the S/MIME certificates as .cer file attachments
- attach information about the LDAP servers, OCSP servers, and CRL servers
- send the message as plain text
- sign, encrypt, or sign and encrypt the message using S/MIME encryption
When a user selects the option to encrypt or sign and encrypt the message, or when a message classification requires that the BlackBerry device encrypt or sign and encrypt the message, the BlackBerry device performs one of the following actions:
- If the BlackBerry device key store includes a valid S/MIME certificate for the recipient (for example, the certificate is trusted, is not revoked or expired, and has a strong public key), the BlackBerry device encrypts or signs and encrypts the message before it sends the message.
- If the BlackBerry device key store does not include a valid S/MIME certificate for the recipient, the BlackBerry device tries to retrieve an S/MIME certificate over the wireless network. If the BlackBerry device retrieves a valid certificate, the BlackBerry device encrypts or signs and encrypts the message before it sends the message. If the BlackBerry device does not retrieve a valid certificate, the BlackBerry device provides the user with options to cancel the message, download an S/MIME certificate manually, or send the message in unencrypted form.
If the user downloads an S/MIME certificate for an intended recipient manually, the BlackBerry device displays search parameters that the user can refine. The BlackBerry device tries to retrieve the S/MIME certificate from an LDAP server. If the BlackBerry device finds the S/MIME certificate, the BlackBerry device encrypts, or signs and encrypts the message before it sends the message.
Process flow: Sending an email message using S/MIME encryption
If a sender installs the S/MIME Support Package for BlackBerry smartphones on a BlackBerry device, the BlackBerry device encrypts outgoing email messages.
1. The BlackBerry device performs the following actions:
   a. checks the BlackBerry device key store for the S/MIME certificate of the recipient
   b. if the BlackBerry device key store does not include the S/MIME certificate of the recipient, uses the BlackBerry MDS Connection Service to retrieve the S/MIME certificate of the recipient from the LDAP server or DSML server and verify the certificate status
   c. encrypts the email message with the S/MIME certificate of the recipient or a password that the sender specifies
   d. if the sender specifies a password, combines the password with random bytes to generate an encryption key that is specific to S/MIME encryption
   e. uses BlackBerry transport layer encryption to encrypt the S/MIME-encrypted message
   f. sends the message that is encrypted using BlackBerry transport layer encryption and S/MIME encryption to the BlackBerry Enterprise Server
2. The BlackBerry Enterprise Server decrypts the BlackBerry transport layer encryption and sends the S/MIME-encrypted message to the recipient.
3. The recipient decrypts the S/MIME-encrypted message using the S/MIME private key or a password that the sender provides.
Process flow: Receiving an S/MIME-encrypted email message
If a recipient installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device decrypts incoming email messages.
1. The sender uses the S/MIME technology on the email application to encrypt the email message using the S/MIME certificate of the recipient.
2. The BlackBerry Enterprise Server performs the following actions:
   a. retrieves the S/MIME-encrypted message from the messaging server
   b. encrypts the email message a second time with S/MIME encryption if the email message is signed-only or weakly encrypted and if you turned on the Turn on S/MIME encryption on signed and weakly encrypted messages option in the BlackBerry Administration Service
   c. uses BlackBerry transport layer encryption to encrypt the S/MIME-encrypted message
   d. sends the email message that is encrypted using BlackBerry transport layer encryption and S/MIME encryption to the BlackBerry device
3. The BlackBerry device decrypts the BlackBerry transport layer encryption and stores the S/MIME-encrypted message in BlackBerry device memory.
4. When the recipient opens the email message on the BlackBerry device, the BlackBerry device decrypts the S/MIME-encrypted message using the S/MIME private key of the recipient and displays the message contents. If the email message is encrypted with a password, the recipient types the password to decrypt the S/MIME-encrypted message.
S/MIME certificates and S/MIME private keys
The S/MIME Support Package for BlackBerry smartphones uses public key cryptography with S/MIME certificates and S/MIME private keys to encrypt and decrypt email messages and PIN messages. The S/MIME Support Package for BlackBerry smartphones uses PKI protocols to search for and retrieve S/MIME certificates and certificate status over the wireless network.

Item: S/MIME certificate
Description: When a user sends an email message or PIN message from a BlackBerry device, the BlackBerry device uses the S/MIME certificate of the recipient to encrypt the message. When a user receives a signed email message or signed PIN message on a BlackBerry device, the BlackBerry device uses the S/MIME certificate of the sender to verify the message signature.

Item: S/MIME private key
Description: When a user sends a signed email message or signed PIN message from a BlackBerry device, the BlackBerry device hashes the message using SHA-1, SHA-256, SHA-384, SHA-512, or MD5. The BlackBerry device then uses the S/MIME private key of the user to digitally sign the message hash. When a user receives an encrypted email message or encrypted PIN message on a BlackBerry device, the BlackBerry device uses the private key of the user to decrypt the message. The BlackBerry device stores the private key.
Adding certificates or private keys to a BlackBerry device
A BlackBerry device user can add a certificate to a BlackBerry device using any of the following methods:
- import a certificate from an email message
- download a certificate from the BlackBerry Desktop Manager using the certificate synchronization tool
- retrieve a certificate from LDAP servers or DSML servers over the wireless network
- enroll a certificate from a certification authority over the wireless network
- import a certificate from an Advanced Security SD card
- download a certificate from a link to a web page
Protecting connections to LDAP servers
By default, a BlackBerry device retrieves certificates using an LDAP connection that is not protected. You or a BlackBerry device user can configure a BlackBerry device to retrieve certificates from an LDAP server using a protected (LDAPS) connection. For example, if the BlackBerry device can retrieve certificates from an LDAP server that is external to your organization's network, you or the user can use an LDAPS connection. The user can select the SSL/TLS option on the BlackBerry device to require that the BlackBerry device use an LDAPS connection in proxy mode. The BlackBerry device does not support end-to-end LDAPS connections. By default, the BlackBerry device uses port 389 for LDAP connections and port 636 for LDAPS connections.
Searching for S/MIME certificates on a BlackBerry device
After a BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones on a BlackBerry device, the user can search for S/MIME certificates. The S/MIME Support Package for BlackBerry smartphones can query LDAP servers and DSML servers, search for and retrieve S/MIME certificates, and add certificates to the BlackBerry device key store. While the user composes an email message, the BlackBerry device searches for certificates in the BlackBerry device key store and retrieves certificates that are not on the BlackBerry device. The BlackBerry device uses the email addresses of the intended recipients to search for certificates. The user can also search for certificates using the first name, last name, and email address of a recipient who has an email application that supports S/MIME encryption.
Enrolling certificates on a BlackBerry device over the wireless network
You can configure the BlackBerry Enterprise Server to permit a BlackBerry device to enroll certificates over the wireless network. You can permit the BlackBerry device to enroll certificates over the wireless network so that you do not have to instruct the user to send the certificates in an email message or to use the certificate synchronization tool in the BlackBerry Desktop Manager. You can enroll certificates from one of the following certification authorities:
- RSA certification authority
- Microsoft standalone certification authority
- Microsoft enterprise certification authority
For more information about configuring the BlackBerry Enterprise Server to permit the BlackBerry device to enroll certificates over the wireless network, see the BlackBerry Enterprise Server Administration Guide.
Protecting the S/MIME private key on a BlackBerry device
You or a BlackBerry device user can specify a security level to help protect the S/MIME private key in the BlackBerry device key store. The security level determines whether the BlackBerry device prompts the user for the key store password each time an application tries to access the private key. You can change the security level using the Minimal Encryption Key Store Security Level IT policy rule and Minimal Signing Key Store Security Level IT policy rule. A user can change the security level on a BlackBerry device or using the certificate synchronization tool of the BlackBerry Desktop Manager. The user can configure a security level for a private key on the BlackBerry device that is higher than what you configure using the Minimal Encryption Key Store Security Level IT policy rule and Minimal Signing Key Store Security Level IT policy rule. When the user changes the security level of the private key, the BlackBerry device encrypts the private key again before it returns the private key to the BlackBerry device key store.
Security levels that protect the S/MIME private key
Security level: high
Description: A BlackBerry device prompts a BlackBerry device user for the key store password each time an application tries to access the S/MIME private key.

Security level: medium
Description: A BlackBerry device prompts the user for the key store password when an application tries to access the S/MIME private key for the first time or when the timeout period for the key store password expires. The BlackBerry device prompts the user when it accesses the S/MIME private key, but the BlackBerry device does not require the user to provide the key store password if the timeout period is still valid. The user can choose the Don't tell me again option, and the BlackBerry device does not prompt the user for the key store password until after the timeout period expires.

Security level: low
Description: A BlackBerry device does not prompt the user when an application tries to access the S/MIME private key.
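The three security levels as a small state machine, added here as an example (not RIM's code): the timeout value and the method names are assumptions, since the page describes the behaviour but not the implementation.

```python
from dataclasses import dataclass, field
from typing import Optional

HIGH, MEDIUM, LOW = "high", "medium", "low"


@dataclass
class KeyStoreAccessPolicy:
    """Models what the device does when an application asks for the S/MIME private key."""
    level: str
    timeout_seconds: int = 300  # assumed key store password timeout; the page gives no value
    _unlocked_at: Optional[float] = field(default=None, init=False)
    _suppress_notice: bool = field(default=False, init=False)

    def on_private_key_access(self, now: float) -> str:
        """Return what the device does for an access at time `now`:
        'password' (ask for the key store password), 'notice' (tell the user the
        key is being accessed, no password needed) or 'silent' (no prompt)."""
        if self.level == HIGH:
            return "password"          # every access asks for the password
        if self.level == LOW:
            return "silent"            # never prompts
        if self.level != MEDIUM:
            raise ValueError(f"unknown security level {self.level!r}")
        # medium: password on first access, or once the timeout period has expired
        if self._unlocked_at is None or now - self._unlocked_at >= self.timeout_seconds:
            return "password"
        # timeout still valid: a notice, unless the user chose Don't tell me again
        return "silent" if self._suppress_notice else "notice"

    def on_password_accepted(self, now: float) -> None:
        """A correct key store password starts a new timeout period."""
        self._unlocked_at = now
        self._suppress_notice = False  # the suppression only lasts one timeout period

    def on_dont_tell_me_again(self) -> None:
        """The user chose Don't tell me again on a notice: no more prompts until expiry."""
        self._suppress_notice = True
```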
Changing the minimum key length that a BlackBerry device can use
The key length (also known as the key size) of an S/MIME public key or S/MIME private key determines the key strength. The larger the S/MIME public key and S/MIME private key, the stronger the S/MIME key pair.
By default, a BlackBerry device uses a minimum key length of 1024 bits for the DH algorithm, DSA algorithm, and RSA algorithm and a minimum key length of 163 bits for the ECC algorithm. You can change the minimum key lengths to meet the security requirements of your organization by using the following IT policy rules:
- S/MIME Minimum Strong DH Key Length
- S/MIME Minimum Strong DSA Key Length
- S/MIME Minimum Strong ECC Key Length
- S/MIME Minimum Strong RSA Key Length
The maximum key length that the BlackBerry device supports for the RSA algorithm and DH algorithm is 4096 bits. The maximum key length that the BlackBerry device supports for the DSA algorithm is 1024 bits. The maximum key length that the BlackBerry device supports for the ECC algorithm is 571 bits. For more information about the IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.
Best practice: Configuring BlackBerry Enterprise Solution options for S/MIME encryption
Best practice: Encrypt messages with S/MIME encryption for a second time.
Description: You can configure the BlackBerry Enterprise Server to encrypt messages with S/MIME encryption for a second time when the BlackBerry Enterprise Server processes S/MIME-encrypted messages that are weakly encrypted or when S/MIME messages are signed but not encrypted. This option is designed to make sure that S/MIME-encrypted messages are strongly encrypted with S/MIME when a recipient receives the messages on a BlackBerry device. To apply this best practice, you can use the Turn on S/MIME encryption on signed and weakly encrypted messages option in the BlackBerry Administration Service.

Description: You can configure the BlackBerry Enterprise Server to process S/MIME-signed messages that a BlackBerry device sends so that a recipient with an email application that does not support S/MIME encryption can read the text of S/MIME-signed messages. The recipient can read the text of the messages but cannot verify the digital signature. To apply this best practice, you can use the Send S/MIME Messages in Clear-Signed Format option in the BlackBerry Administration Service.

Description: To conserve bandwidth, you can configure the BlackBerry Enterprise Server to delete attachments from any S/MIME-signed messages that the BlackBerry Enterprise Server receives. The BlackBerry device cannot verify the S/MIME digital signature of a message after the BlackBerry Enterprise Server deletes the attachments from the message. To apply this best practice, you can use the Remove Attachment Data from Signed S/MIME Messages option in the BlackBerry Administration Service.

Description: By default, the BlackBerry Enterprise Server sends S/MIME-encrypted messages using the legacy MIME content-type. You can configure the BlackBerry Enterprise Server to send S/MIME-encrypted messages using an updated MIME content-type that meets the requirements of the PKCS #7 specification instead. If the sender

Description: To apply this best practice, you can use the Certificate Status Maximum Expiry Time IT policy rule.

Best practice: Prevent a recipient from accepting certificate revocation lists that are not verified.
Description: Consider preventing a recipient from accepting certificate revocation lists that are not verified when the BlackBerry device checks the status of a certificate using the BlackBerry MDS Connection Service. To apply this best practice, you can use the Disable Unverified CRLs IT policy rule.

Best practice: Specify a list of trusted certificate thumbprints to prevent a user from adding certificates with thumbprints that are not included in the list to the BlackBerry device key store.
Description: Consider configuring a semicolon-separated list of Hex-ASCII certificate thumbprints that are generated using either SHA-1 or MD5. To apply this best practice, you can use the Trusted Certificate Thumbprints IT policy rule.
For more information about applying these best practices, see the BlackBerry Enterprise Server Administration Guide and BlackBerry Enterprise Server Policy Reference Guide.
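An added example (not RIM's code) that ties together the recipient-certificate checks the document describes: the validity conditions listed under "What happens when a BlackBerry device protects a message" (trusted, not revoked or expired, strong public key), the minimum and maximum key lengths from "Changing the minimum key length", and the Trusted Certificate Thumbprints list above. The certificate record is a constructed dict standing in for a parsed certificate; the function and field names are assumptions.

```python
from datetime import datetime, timezone
import hashlib
import re
from typing import Dict, List, Optional, Set

# Default minimum strong key lengths, in bits, per the "Changing the minimum key
# length" section (the four S/MIME Minimum Strong ... Key Length IT policy rules).
MIN_STRONG_KEY_LENGTH = {"RSA": 1024, "DSA": 1024, "DH": 1024, "ECC": 163}
# Maximum key lengths the device supports, from the same section.
MAX_SUPPORTED_KEY_LENGTH = {"RSA": 4096, "DH": 4096, "DSA": 1024, "ECC": 571}

# Hex-ASCII thumbprints: 32 hex digits for MD5, 40 for SHA-1, the two digests the rule accepts.
_THUMBPRINT_RE = re.compile(r"^(?:[0-9A-F]{32}|[0-9A-F]{40})$")


def parse_trusted_thumbprints(policy_value: str) -> Set[str]:
    """Parse the semicolon-separated value of the Trusted Certificate Thumbprints
    IT policy rule. Entries are normalised to upper-case hex with any ':' separators
    removed; a malformed entry raises rather than silently shrinking the allowlist."""
    thumbprints = set()
    for entry in policy_value.split(";"):
        entry = entry.strip().replace(":", "").upper()
        if not entry:
            continue
        if not _THUMBPRINT_RE.match(entry):
            raise ValueError(f"not an MD5 or SHA-1 hex thumbprint: {entry!r}")
        thumbprints.add(entry)
    return thumbprints


def certificate_thumbprints(der_bytes: bytes) -> Set[str]:
    """Both thumbprints of a DER-encoded certificate, since the rule accepts either digest."""
    return {
        hashlib.sha1(der_bytes).hexdigest().upper(),
        hashlib.md5(der_bytes).hexdigest().upper(),
    }


def evaluate_certificate(cert: Dict, now: datetime,
                         min_lengths: Dict[str, int] = MIN_STRONG_KEY_LENGTH,
                         trusted_thumbprints: Optional[Set[str]] = None) -> List[str]:
    """Return the reasons the device should not use `cert` to encrypt for a recipient.
    An empty list means the certificate passes these checks. `cert` carries the
    fields a parsed certificate would provide: algorithm, key_bits, not_after
    (timezone-aware datetime), revoked (bool) and der (bytes)."""
    problems = []
    alg = cert["algorithm"].upper()
    bits = cert["key_bits"]
    if alg not in min_lengths:
        problems.append(f"unsupported key algorithm {alg}")
    else:
        if bits < min_lengths[alg]:
            problems.append(f"{alg} key of {bits} bits is below the {min_lengths[alg]}-bit minimum")
        max_bits = MAX_SUPPORTED_KEY_LENGTH.get(alg)
        if max_bits is not None and bits > max_bits:
            problems.append(f"{alg} key of {bits} bits exceeds the {max_bits}-bit device maximum")
    if cert["not_after"] <= now:
        problems.append("certificate has expired")
    if cert.get("revoked"):
        problems.append("certificate is revoked")
    # With a thumbprint allowlist configured, a certificate not on it cannot enter the key store.
    if trusted_thumbprints is not None and not (certificate_thumbprints(cert["der"]) & trusted_thumbprints):
        problems.append("thumbprint is not in the Trusted Certificate Thumbprints list")
    return problems


# Constructed sample (not a real certificate): a 2048-bit RSA certificate valid through 2010.
SAMPLE_DER = b"constructed sample bytes standing in for a DER-encoded certificate"
SAMPLE_NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERT = {
    "algorithm": "RSA",
    "key_bits": 2048,
    "not_after": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "revoked": False,
    "der": SAMPLE_DER,
}

if __name__ == "__main__":
    print(evaluate_certificate(SAMPLE_CERT, SAMPLE_NOW))
    print(evaluate_certificate(dict(SAMPLE_CERT, key_bits=512), SAMPLE_NOW))
```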
Extending messaging security to attachments
The BlackBerry Enterprise Server supports attachments in PGP encrypted messages and S/MIME-encrypted messages. It also permits a user to view encrypted attachments on a BlackBerry device. You can use the S/MIME Allowed Encrypted Attachment Mode IT policy rule and the PGP Allowed Encrypted Attachment Mode IT policy rule to specify the least restrictive mode that a BlackBerry device can use to retrieve attachment information that is PGP encrypted or S/MIME encrypted. The BlackBerry device supports OpenPGP format and PGP/MIME format for PGP encryption.
Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message
The S/MIME Allowed Encrypted Attachment Mode IT policy rule or PGP Allowed Encrypted Attachment Mode IT policy rule determines how a BlackBerry device responds when it receives a PGP/MIME encrypted message or S/MIME-encrypted message that contains an attachment. These rules determine whether the following actions occur automatically when the user opens the email message, or whether the user must request the actions manually.
1. A BlackBerry device sends the message key and a request for the data in the attachment header to the BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the data in the attachment header.
3. The BlackBerry Enterprise Server sends the data in the attachment header to the BlackBerry device.
4. The BlackBerry device processes the data in the attachment header with the email message and displays the associated attachment information so that the user can select the attachment for viewing.
Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
1. The BlackBerry device sends the message key and a request for the attachment data to the BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the attachment data that corresponds to the data in the attachment header.
3. The BlackBerry Enterprise Server decrypts the attachment and sends the rendered attachment data to the BlackBerry device.
4. The BlackBerry device displays the attachment.
To help protect the decrypted attachment data that the BlackBerry device stores, you can turn on content protection.
Enforcing secure messaging using classifications
You can use message classifications to require S/MIME-enabled users or PGP-enabled users to sign, encrypt, or sign and encrypt email messages that they send from their BlackBerry devices. You use the Message Classification IT policy rule to configure one or more message classifications that users can apply to email messages. The message classification that a user selects when composing an email message determines the type of S/MIME message protection or PGP message protection that applies to the email message. If a user does not select a message classification, by default, the BlackBerry device applies the first classification in the message classification list on the BlackBerry device. You can change the order in which the BlackBerry device lists the classifications. The message protection options on the BlackBerry device are limited to the types of encryption and digital signing that the highly secure messaging packages on the BlackBerry device permit. When a user applies a message classification to an email message on a BlackBerry device, the user must select one type of message protection that the message classification permits, or accept the default type of message protection. If a user selects a message classification that requires signing, encryption, or signing and encryption of the email message, and the user did not install a highly secure messaging package on the BlackBerry device, the user cannot send the email message.
Permitting a BlackBerry device to use a password for S/MIME encryption
A BlackBerry device that is running BlackBerry Device Software 4.6 or later and the S/MIME Support Package for BlackBerry smartphones can use a password, which both sender and recipient know, to encrypt email messages or PIN messages using S/MIME encryption. To configure a BlackBerry device to use a password for S/MIME encryption, you can use the S/MIME Allowed Encryption Types IT policy rule to permit the sender and recipient to use a password or use a password and certificate. The sender and recipient share the password manually. When the sender or recipient types the password to encrypt or decrypt the S/MIME-encrypted message, the BlackBerry device combines the password with random bytes to generate a new encryption key.
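The following Python program is an added example that models the password-based protection described above; it is not code from the S/MIME Support Package or from RIM. The documentation states only that the device combines the shared password with random bytes to produce a new encryption key. The example assumes PBKDF2-HMAC-SHA256 as the combining function, carries the random bytes with the message as a salt so that the recipient can re-derive the same key, and stands in for the real content encryption with a toy HMAC-based stream cipher plus an encrypt-then-MAC tag (a production implementation would use the CMS password-recipient mechanism with a standard block cipher). It shows why the random bytes matter: the same password and the same text produce different key material on every send, a wrong password or an altered message fails the tag check instead of yielding garbage, and nothing in the blob reveals the password.

```python
"""Password-based message protection, modelled as an added example.

Assumptions not taken from the BlackBerry documentation: PBKDF2-HMAC-SHA256
as the password/random-bytes combiner, the random bytes transmitted as a
salt in front of the ciphertext, and a toy HMAC counter-mode keystream with
an encrypt-then-MAC tag instead of real CMS content encryption.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumed work factor for this example
SALT_LEN = 16                 # the "random bytes" combined with the password
KEY_LEN = 32
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Combine the shared password with random bytes to get a fresh message key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    """Split the derived key into independent encryption and MAC keys."""
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (stand-in for AES)."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_with_password(password: str, plaintext: bytes,
                          salt: Optional[bytes] = None) -> bytes:
    """Return salt || ciphertext || tag.

    The salt is the only extra thing the recipient needs, besides the
    password shared out of band, to re-derive the same key.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)   # fresh random bytes per message
    enc_key, mac_key = _subkeys(derive_key(password, salt))
    stream = _keystream(enc_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def decrypt_with_password(password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the password is wrong or the blob
    was altered (both cases fail the constant-time tag comparison)."""
    if len(blob) < SALT_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    ciphertext = blob[SALT_LEN:len(blob) - TAG_LEN]
    tag = blob[len(blob) - TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_key(password, salt))
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    shared = "correct horse battery staple"   # constructed sample, shared manually
    msg = b"PIN message: board meeting moved to 10:00"   # constructed sample
    first = encrypt_with_password(shared, msg)
    second = encrypt_with_password(shared, msg)
    print("same password and text, different key material:", first != second)
    print("recipient with the password:", decrypt_with_password(shared, first))
    print("recipient with a wrong password:", decrypt_with_password("guess", first))
```

The salt travels in the clear and that is fine: it is not a secret, it only ensures that two messages protected with the same password never share a key. The password itself is the only secret, so its strength and the out-of-band way it is shared are what bound the protection, which is why the IT policy rule lets you restrict devices to "password and certificate" rather than password alone.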
Advanced Security SD cards
Similar to the BlackBerry Smart Card Reader, an Advanced Security SD card permits a user to prove the user's identity to the BlackBerry device using what the user has (smart card) and what the user knows (smart card password). The BlackBerry Enterprise Solution supports Advanced Security SD cards that use the security system for the MCEX smart card. You can configure a BlackBerry device to require that a user uses an Advanced Security SD card to perform the following actions:
- unlock the BlackBerry device and access BlackBerry services and PKI applications using two-factor authentication
- digitally sign and encrypt email messages and PIN messages using S/MIME encryption when the user installs the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device
- decrypt S/MIME-encrypted email messages and PIN messages
- import certificates that are stored on the Advanced Security SD card into the NV store of the BlackBerry device flash memory
- open SSL connections
To configure the BlackBerry device to support an Advanced Security SD card, a user must insert the Advanced Security SD card into the BlackBerry device and install the smart card driver of the Advanced Security SD card on the BlackBerry device using the BlackBerry Desktop Manager. After the user installs the smart card driver on the BlackBerry device, the user can configure the driver settings in the security options, on the Smart Card screen. To control how a BlackBerry device can use an Advanced Security SD card, you can use the Force Smart Card Two-Factor Authentication IT policy rule, Force Smart Card Two Factor Challenge Response IT policy rule, or Disable Certificate or Key Import From External Memory IT policy rule. To permit third-party applications on the BlackBerry device to access the Advanced Security SD card, a developer can use the SmartCard API in the BlackBerry Java Development Environment. BlackBerry Device Software versions 5.0 and later support Advanced Security SD cards. For more information about configuring the BlackBerry device to support an Advanced Security SD card, see the user guide for the BlackBerry device. For more information about using IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.
IT policy rules that apply to the S/MIME Support Package for BlackBerry smartphones
Entrust Messaging Server (EMS) Email Address
S/MIME Allowed Content Ciphers
S/MIME Allowed Encrypted Attachment Mode
S/MIME Allowed Encryption Types
S/MIME Blind Copy Address
S/MIME Force Digital Signature
S/MIME Force Encrypted Messages
S/MIME Force Smartcard Use
S/MIME Minimum Strong DH Key Length
S/MIME Minimum Strong DSA Key Length
S/MIME Minimum Strong ECC Key Length
S/MIME Minimum Strong RSA Key Length
S/MIME More All and Send Mode
PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY. 
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. 
Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM.