
Blackberry S Mime Support Package For Smartphones



User reviews and opinions


Comments to date: 6. Page 1 of 1.
gen 2:20am on Thursday, September 23rd, 2010 
I love my BlackBerry storm and everything about it. It's way better than the iphone or the g1 by t-mobile. I received the package in a timely manner after I made order online. The merchant was very efficient in shipping orders out. The phone looks nice.
bmicheli 3:34pm on Friday, August 13th, 2010 
Pretty in pink Very nice, easy to use, I can get my blberry in and out quickly, everyone who sees it loves it and wants to know where I got it from.
evershade 1:49pm on Friday, June 25th, 2010 
I recently bought the BB Storm, and I absolutely hated it. I was looking for another phone carrier this December to switch from crummy T-Mobile. I was looking to go to Verizon. I am an IT professional buying and setting the Storm up for a company executive...The Storm looks great, feels great.
alpha 9:04am on Monday, April 26th, 2010 
The BlackBerry Storm 9500 work excellent with emails, sms, memo, word, and other great features it has. I love the corporate and sophisticated design.
yugotpinky 9:31pm on Thursday, April 8th, 2010 
Blackberry Battery Charger This is a great product if you have purchased an extra battery, uses the same plug as your phone. Very useful product A very practical tool for travelling.
dlan 12:17am on Tuesday, April 6th, 2010 
It definitely brightened me when I heard the news that Blackberry will release its response to the so popular iPhone 3G. The BlackBerry Storm 9500 is one powerful smartphone. It looks corporate and stylish in one. A bit bulky but love the solid feel.

Comments posted on www.ps2netdrivers.net are solely the views and opinions of the people posting them and do not necessarily reflect the views or opinions of us.

 


New in this release
This document describes the security features and functionality of the S/MIME Support Package for BlackBerry smartphones and the features that the S/MIME Support Package for BlackBerry smartphones 5.0 or later and BlackBerry Enterprise Server 5.0 SP1 or later support, unless otherwise stated.

Feature: support for Advanced Security SD cards
Description: An Advanced Security SD card permits a user to prove the user's identity to the BlackBerry device by using what the user has (smart card) and what the user knows (smart card password). The BlackBerry Enterprise Solution supports Advanced Security SD cards that use the MCEX smart card security system.

Feature: complete text of an encrypted or signed email message is included when a user replies to or forwards the email message
Description: A BlackBerry device can retrieve the complete text of an original encrypted or signed email message when a user replies to or forwards the email message. To configure this feature, you can use the S/MIME More All and Send Mode IT policy rule or the Message truncation mode option on the BlackBerry device.

Feature: support for certificates with private keys (.pfx files)
Description: A user can import a certificate that includes private keys from an Advanced Security SD card or email message into the NV store of the BlackBerry device flash memory.
System requirements: S/MIME Support Package for BlackBerry smartphones
• BlackBerry Enterprise Server 4.1 SP3 or later for Microsoft Exchange or BlackBerry Enterprise Server 4.1 SP3 or later for IBM Lotus Domino
• Any Microsoft Exchange Server or IBM Lotus Domino server that the latest version of the BlackBerry Enterprise Server in your organization's environment supports
• Java based BlackBerry devices that run BlackBerry Device Software 4.5 or later
Extending messaging security using S/MIME encryption
You can extend messaging security for the BlackBerry Enterprise Solution and permit a BlackBerry device user to send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device. To extend messaging security, you or the BlackBerry device user must install the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device and transfer the S/MIME private key of the BlackBerry device user to the BlackBerry device.

The S/MIME Support Package for BlackBerry smartphones is designed to work with email applications such as Microsoft Outlook, Microsoft Outlook Express, and IBM Lotus Notes, and with PKIs such as Netscape, Entrust Authority Security Manager version 5 and later, and Microsoft certification authorities. The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device.

If the BlackBerry Enterprise Server receives an S/MIME-encrypted message but the BlackBerry device user did not install the S/MIME Support Package for BlackBerry smartphones, the BlackBerry Enterprise Server sends a message to the BlackBerry device to indicate that the BlackBerry device does not support S/MIME-encrypted messages. After the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device user can synchronize and manage S/MIME certificates and S/MIME private keys using the certificate synchronization tool of the BlackBerry Desktop Manager.

The BlackBerry Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the BlackBerry device user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.
To require the BlackBerry device user to use S/MIME encryption when forwarding or replying to messages, you can configure the S/MIME Force Digital Signature IT policy rule and the S/MIME Force Encrypted Messages IT policy rule.

The S/MIME Support Package for BlackBerry smartphones is also designed to support the following features:
• encoding and decoding of Unicode messages
• ability to use a password, which the sender and recipient each know, to encrypt S/MIME-protected email messages or PIN messages
• ability to read S/MIME certificates that are stored on a smart card

Configuring the BlackBerry Enterprise Server to support S/MIME encryption
By default, S/MIME encryption on the BlackBerry Enterprise Server is turned off and the BlackBerry Enterprise Server does not process S/MIME-encrypted messages. To turn on S/MIME encryption, you must select the Enable S/MIME Message Processing option in the BlackBerry Administration Service or a BlackBerry device user must transfer the S/MIME private key to the BlackBerry device. After you turn on S/MIME encryption on the BlackBerry Enterprise Server, a BlackBerry device user can install the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device or you can configure a software configuration to install the S/MIME Support Package for BlackBerry smartphones on a BlackBerry device over the wireless network. After the S/MIME Support Package for BlackBerry smartphones is installed on the BlackBerry device, the user can add certificates to the BlackBerry Enterprise Server device by enrolling them over the wireless network or using the certificate synchronization tool of the BlackBerry Desktop Manager. For more information, see the BlackBerry Enterprise Server Administration Guide.
S/MIME encryption algorithms
When you turn on S/MIME encryption, the default value of the S/MIME Allowed Content Ciphers IT policy rule specifies that a BlackBerry device can use any of the following encryption algorithms to encrypt messages: AES-256, AES-192, AES-128, CAST-128, RC2-128, or Triple DES. By default, the BlackBerry device cannot use the RC2-64 algorithm and RC2-40 algorithm to encrypt S/MIME messages. You can change the value of the S/MIME Allowed Content Ciphers IT policy rule to use a subset of the encryption algorithms if your organization's security policies require it.

If a BlackBerry device user wants to send an email message to a recipient that the user previously received an email message from, the BlackBerry device is designed to store the encryption algorithms that the recipient's email application can support, and use one of those encryption algorithms. By default, if the BlackBerry device cannot determine the encryption algorithms that the recipient's email application can support, the BlackBerry device encrypts the email message using Triple DES.

You can use the Weak Digest Algorithms IT policy rule to specify the algorithms that your organization considers to be weak. The BlackBerry device uses the list of weak algorithms in the Weak Digest Algorithms IT policy rule when the BlackBerry device verifies the following information:
• An S/MIME-enabled application did not use a weak algorithm to generate the digital signatures on the email messages that the BlackBerry device receives.
• The certificate chains for the certificates that an S/MIME-enabled application used to digitally sign email messages that the BlackBerry device receives do not contain hash values generated using a weak algorithm.
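
The two checks that the Weak Digest Algorithms IT policy rule drives, shown on the CMS SignedData structure that carries an S/MIME signature. This is an added example, not code from this guide or from BlackBerry; the weak list (MD5 and SHA-1), the function names and the sample message are assumptions constructed for the illustration.

```python
# Added example, not BlackBerry code. Assumed policy value: the Weak Digest
# Algorithms list is MD5 and SHA-1. OIDs below are public registry values.
WEAK_DIGESTS = {"MD5", "SHA-1"}
OID_TO_DIGEST = {
    "1.2.840.113549.2.5": "MD5",
    "1.3.14.3.2.26": "SHA-1",
    "2.16.840.1.101.3.4.2.1": "SHA-256",
    "2.16.840.1.101.3.4.2.2": "SHA-384",
    "2.16.840.1.101.3.4.2.3": "SHA-512",
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
}
SIGNED_DATA = "1.2.840.113549.1.7.2"     # id-signedData

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """Decode DER OID content bytes to dotted notation."""
    subs, cur = [], 0
    for byte in value:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subs.append(cur)
            cur = 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)
    return ".".join(str(a) for a in [first, subs[0] - 40 * first] + subs[1:])

def digest_of(alg_id_body):
    """Name the digest in an AlgorithmIdentifier; unknown OIDs come back dotted."""
    tag, oid, _ = read_tlv(alg_id_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return OID_TO_DIGEST.get(dotted, dotted)

def weak_digest_findings(der, weak=WEAK_DIGESTS):
    """Return sorted (where, digest) pairs for weak digests in a CMS SignedData."""
    tag, content_info, _ = read_tlv(der, 0)
    parts = children(content_info) if tag == 0x30 else []
    if (len(parts) < 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0
            or decode_oid(parts[0][1]) != SIGNED_DATA):
        raise ValueError("not a CMS SignedData ContentInfo")
    fields = children(read_tlv(parts[1][1], 0)[1])
    if len(fields) < 3 or fields[1][0] != 0x31:
        raise ValueError("SignedData has no digestAlgorithms SET")
    # Check 1: digests used to generate the message signatures.
    found = {("signature", digest_of(alg)) for _, alg in children(fields[1][1])}
    # Check 2: digests used to sign each certificate in the attached chain.
    for tag, val in fields[3:]:
        if tag != 0xA0:  # only certificates [0] IMPLICIT is inspected
            continue
        for ctag, cert in children(val):
            cert_fields = children(cert) if ctag == 0x30 else []
            if len(cert_fields) >= 2:  # tbsCertificate, signatureAlgorithm, ...
                found.add(("certificate chain", digest_of(cert_fields[1][1])))
    return sorted(f for f in found if f[1] in weak)

# Constructed sample: SignedData skeleton, placeholder certificates, no signerInfos.
def tlv(tag, value):
    """Encode one short DER element (sample values stay under 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def alg_id(oid_hex):
    """AlgorithmIdentifier with the given OID content (hex) and NULL parameters."""
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")

def build_sample(digest_oid_hex, cert_sig_oid_hexes):
    """Build the constructed ContentInfo/SignedData used by the demonstration."""
    certs = b"".join(tlv(0x30, b"\x30\x00" + alg_id(h) + b"\x03\x01\x00")
                     for h in cert_sig_oid_hexes)
    body = (b"\x02\x01\x01" + tlv(0x31, alg_id(digest_oid_hex))
            + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
            + tlv(0xA0, certs) + b"\x31\x00")
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702"))
               + tlv(0xA0, tlv(0x30, body)))
```

Calling weak_digest_findings(build_sample("2b0e03021a", ["2a864886f70d01010b", "2a864886f70d010104"])) reports a SHA-1 message signature and an MD5-signed certificate in the chain; a real message would be passed in as the DER bytes of its signature part.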
Making S/MIME encryption mandatory
By default, the S/MIME Support Package for BlackBerry smartphones permits a BlackBerry device user to send and receive plain-text email messages and PIN messages on a BlackBerry device. You can configure the Disable Message Normal Send IT policy rule and Disable Peer-to-Peer Normal Send IT policy rule to prevent the user from sending plain-text messages on the BlackBerry device. For more information about the IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.

What happens when a BlackBerry device protects a message using S/MIME encryption
When a BlackBerry device user composes an email message or a PIN message, the user can select one of the following options:
• attach S/MIME certificates from the BlackBerry device key store and send the S/MIME certificates as .cer file attachments
• attach information about the LDAP servers, OCSP servers, and CRL servers
• send the message as plain text
• sign, encrypt, or sign and encrypt the message using S/MIME encryption

When a user selects the option to encrypt or sign and encrypt the message, or when a message classification requires that the BlackBerry device encrypt or sign and encrypt the message, the BlackBerry device performs one of the following actions:
• If the BlackBerry device key store includes a valid S/MIME certificate for the recipient (for example, the certificate is trusted, is not revoked or expired, and has a strong public key), the BlackBerry device encrypts or signs and encrypts the message before it sends the message.
• If the BlackBerry device key store does not include a valid S/MIME certificate for the recipient, the BlackBerry device tries to retrieve an S/MIME certificate over the wireless network. If the BlackBerry device retrieves a valid certificate, the BlackBerry device encrypts or signs and encrypts the message before it sends the message. If the BlackBerry device does not retrieve a valid certificate, the BlackBerry device provides the user with options to cancel the message, download an S/MIME certificate manually, or send the message in unencrypted form.
If the user downloads an S/MIME certificate for an intended recipient manually, the BlackBerry device displays search parameters that the user can refine. The BlackBerry device tries to retrieve the S/MIME certificate from an LDAP server. If the BlackBerry device finds the S/MIME certificate, the BlackBerry device encrypts, or signs and encrypts the message before it sends the message.
Process flow: Sending an email message using S/MIME encryption
If a sender installs the S/MIME Support Package for BlackBerry smartphones on a BlackBerry device, the BlackBerry device encrypts outgoing email messages.
1. The BlackBerry device performs the following actions:
   a. checks the BlackBerry device key store for the S/MIME certificate of the recipient
   b. if the BlackBerry device key store does not include the S/MIME certificate of the recipient, uses the BlackBerry MDS Connection Service to retrieve the S/MIME certificate of the recipient from the LDAP server or DSML server and verify the certificate status
   c. encrypts the email message with the S/MIME certificate of the recipient or a password that the sender specifies
   d. if the sender specifies a password, combines the password with random bytes to generate an encryption key that is specific to S/MIME encryption
   e. uses BlackBerry transport layer encryption to encrypt the S/MIME-encrypted message
   f. sends the message that is encrypted using BlackBerry transport layer encryption and S/MIME encryption to the BlackBerry Enterprise Server
2. The BlackBerry Enterprise Server decrypts the BlackBerry transport layer encryption and sends the S/MIME-encrypted message to the recipient.
3. The recipient decrypts the S/MIME-encrypted message using the S/MIME private key or a password that the sender provides.

Process flow: Receiving an S/MIME-encrypted email message
If a recipient installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device decrypts incoming email messages.
1. The sender uses the S/MIME technology on the email application to encrypt the email message using the S/MIME certificate of the recipient.
2. The BlackBerry Enterprise Server performs the following actions:
   a. retrieves the S/MIME-encrypted message from the messaging server
   b. encrypts the email message a second time with S/MIME encryption if the email message is signed-only or weakly encrypted and if you turned on the Turn on S/MIME encryption on signed and weakly encrypted messages option in the BlackBerry Administration Service
   c. uses BlackBerry transport layer encryption to encrypt the S/MIME-encrypted message
   d. sends the email message that is encrypted using BlackBerry transport layer encryption and S/MIME encryption to the BlackBerry device
3. The BlackBerry device decrypts the BlackBerry transport layer encryption and stores the S/MIME-encrypted message in BlackBerry device memory.
4. When the recipient opens the email message on the BlackBerry device, the BlackBerry device decrypts the S/MIME-encrypted message using the S/MIME private key of the recipient and displays the message contents. If the email message is encrypted with a password, the recipient types the password to decrypt the S/MIME-encrypted message.
S/MIME certificates and S/MIME private keys
The S/MIME Support Package for BlackBerry smartphones uses public key cryptography with S/MIME certificates and S/MIME private keys to encrypt and decrypt email messages and PIN messages. The S/MIME Support Package for BlackBerry smartphones uses PKI protocols to search for and retrieve S/MIME certificates and certificate status over the wireless network.

Item: S/MIME certificate
Description: When a user sends an email message or PIN message from a BlackBerry device, the BlackBerry device uses the S/MIME certificate of the recipient to encrypt the message. When a user receives a signed email message or signed PIN message on a BlackBerry device, the BlackBerry device uses the S/MIME certificate of the sender to verify the message signature.

Item: S/MIME private key
Description: When a user sends a signed email message or signed PIN message from a BlackBerry device, the BlackBerry device hashes the message using SHA-1, SHA-256, SHA-384, SHA-512, or MD5. The BlackBerry device then uses the S/MIME private key of the user to digitally sign the message hash. When a user receives an encrypted email message or encrypted PIN message on a BlackBerry device, the BlackBerry device uses the private key of the user to decrypt the message. The BlackBerry device stores the private key.

Adding certificates or private keys to a BlackBerry device
A BlackBerry device user can add a certificate to a BlackBerry device using any of the following methods:
• import a certificate from an email message
• download a certificate from the BlackBerry Desktop Manager using the certificate synchronization tool
• retrieve a certificate from LDAP servers or DSML servers over the wireless network
• enroll a certificate from a certification authority over the wireless network
• import a certificate from an Advanced Security SD card
• download a certificate from a link to a web page
If the certificate includes private keys, the user can import the certificate from an Advanced Security SD card or email message.
S/MIME certificates and S/MIME private keys that a BlackBerry device stores
The user can use the certificate on a BlackBerry device for S/MIME encryption, two-factor authentication with the BlackBerry Smart Card Reader, two-factor content protection with the BlackBerry Smart Card Reader or Advanced Security SD card, or SSL connections. If the BlackBerry device is a Wi-Fi enabled BlackBerry device, the user can also use the certificate on the BlackBerry device for EAP authentication.
A BlackBerry device stores the following S/MIME certificates and S/MIME private keys in the BlackBerry device key store:
• S/MIME certificates that the BlackBerry device receives from the certificate synchronization tool or over the wireless network, retrieves from LDAP servers, imports from a smart card, or imports from email messages
• S/MIME private keys that a BlackBerry device receives from the certificate synchronization tool of the BlackBerry Desktop Manager or over the wireless network
• root certificates that the BlackBerry Device Software includes
How a BlackBerry device protects the BlackBerry device key store
A BlackBerry device helps protect the BlackBerry device key store using a key store password. The BlackBerry device stores a SHA-256 hash of the key store password. The hash of the key store password is designed to prevent a potentially malicious user from determining the key store password using the contents of the BlackBerry device memory. When a user types the key store password, the BlackBerry device performs a one-way hash function on the typed characters using SHA-256, and it compares the hashed input to the hashed password that is stored. The user must type the key store password before the BlackBerry device adds an S/MIME certificate to the BlackBerry device key store or deletes an S/MIME certificate from the BlackBerry device key store.

Changing the characteristics of the key store and the key store password
You can configure the following IT policy rules to change the characteristics of the password for the BlackBerry device key store:
• Disable Key Store Backup
• Forbidden Passwords
• Key Store Password Maximum Timeout
• Minimal Encryption Key Store Security Level
• Minimal Signing Key Store Security Level
• Minimum Password Length

A BlackBerry device user can configure the following security options on a BlackBerry device to change the characteristics of the BlackBerry device key store:
• Allow Key Store Backup/Restore
• Certificate Service
• Certificate Status Expires After
• Change Password
• Key Store Address Injector
• Private Key Password Timeout

For more information about configuring the IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide. For more information about configuring the security options on the BlackBerry device, see the user guide for the BlackBerry device.

How a BlackBerry device trusts an S/MIME certificate
When a BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device and installs the certificate synchronization tool of the BlackBerry Desktop Manager on a computer, the certificate synchronization tool prompts the user to download the user's S/MIME private key and any root certificates from the computer to the BlackBerry device. When the user downloads the S/MIME private key, the BlackBerry device retrieves the corresponding S/MIME certificate and all certificates in the certificate chain. After the BlackBerry device retrieves the certificates, the user can choose to trust selected certificates only, or trust the root certificate. If a user receives a root certificate from a source that the BlackBerry device does not trust, the user should verify the root certificate manually (for example, by verifying the certificate thumbprint) before trusting it. The BlackBerry Device Software includes some root certificates so that a user is not required to verify all root certificates manually. The S/MIME Support Package for BlackBerry smartphones also supports cross-certification between certification authorities.
Checking the status of an S/MIME certificate on a BlackBerry device
In the following situations, a BlackBerry device user can check the status of an S/MIME certificate to determine whether the S/MIME certificate is valid:
• when the user receives a signed message or a signed and encrypted message on a BlackBerry device
• before the user sends a message from a BlackBerry device to a recipient who has an email application that supports S/MIME encryption
• when the user searches for S/MIME certificates on a BlackBerry device
The user can also check the status of an S/MIME certificate from the BlackBerry device key store. The BlackBerry device uses the BlackBerry MDS Connection Service to request and retrieve the status of the S/MIME certificate from an OCSP server or a CRL server. The user can request the status of a single certificate or an entire certificate chain.

When the user searches for an S/MIME certificate, the user can specify whether the BlackBerry device must prompt the user to download the status of the S/MIME certificate when the user downloads the S/MIME certificate and adds it to the BlackBerry device key store.

Managing certificates using the BlackBerry Desktop Manager
A BlackBerry device user can use the certificate synchronization tool of the BlackBerry Desktop Manager to search for certificates, download certificates to a BlackBerry device, and verify the authenticity and status of certificates. The certification authority and the certificate synchronization tool send certificates and the status of certificates between them. The certificate synchronization tool can connect to LDAP servers to search for and retrieve certificates. It can connect to CRL servers and OCSP servers to retrieve the status of certificates.
To configure the certificate synchronization tool to connect to the servers, the user must provide the FQDN of the servers. For more information, see the help for the BlackBerry Desktop Manager.
Managing certificates over the wireless network
The BlackBerry MDS Connection Service uses standard Internet protocols to permit a BlackBerry device with the S/MIME Support Package for BlackBerry smartphones to retrieve S/MIME certificates from LDAP servers and DSML servers over the wireless network. The BlackBerry MDS Connection Service can retrieve the status of S/MIME certificates for a BlackBerry device from OCSP servers and CRL servers over the wireless network. The BlackBerry device stores the certificates and summary information about the certificates in the BlackBerry device key store. The BlackBerry Enterprise Server stores the summary information about the certificates in the BlackBerry Configuration Database. When a BlackBerry device user adds a certificate to a BlackBerry device or deletes a certificate from a BlackBerry device, the BlackBerry Enterprise Server synchronizes with the BlackBerry device over the wireless network automatically. You can configure the BlackBerry MDS Connection Service to connect to LDAP servers, DSML servers, OCSP servers, and CRL servers so that all BlackBerry devices that are connected to the BlackBerry MDS Connection Service can retrieve certificates and the status of certificates. A user can configure connections to LDAP servers, OCSP servers, and CRL servers on the BlackBerry device. A user cannot configure connections to DSML servers on the BlackBerry device.

Best practice: Configuring BlackBerry Enterprise Solution options for S/MIME encryption
Best practice: Encrypt messages with S/MIME encryption for a second time.
Description: You can configure the BlackBerry Enterprise Server to encrypt messages with S/MIME encryption for a second time when the BlackBerry Enterprise Server processes S/MIME-encrypted messages that are weakly encrypted or when S/MIME messages are signed but not encrypted. This option is designed to make sure that S/MIME-encrypted messages are strongly encrypted with S/MIME when a recipient receives the messages on a BlackBerry device. To apply this best practice, you can use the Turn on S/MIME encryption on signed and weakly encrypted messages option in the BlackBerry Administration Service.

Best practice: Permit a recipient who has an email application that does not have S/MIME encryption to read S/MIME-signed messages.
Description: You can configure the BlackBerry Enterprise Server to process S/MIME-signed messages that a BlackBerry device sends so that a recipient with an email application that does not support S/MIME encryption can read the text of S/MIME-signed messages. The recipient can read the text of the messages but cannot verify the digital signature. To apply this best practice, you can use the Send S/MIME Messages in Clear-Signed Format option in the BlackBerry Administration Service.

Best practice: Conserve bandwidth over the wireless network.
Description: To conserve bandwidth, you can configure the BlackBerry Enterprise Server to delete attachments from any S/MIME-signed messages that the BlackBerry Enterprise Server receives. The BlackBerry device cannot verify the S/MIME digital signature of a message after the BlackBerry Enterprise Server deletes the attachments from the message. To apply this best practice, you can use the Remove Attachment Data from Signed S/MIME Messages option in the BlackBerry Administration Service.

Best practice: Send S/MIME-encrypted messages using PKCS #7.
Description: By default, the BlackBerry Enterprise Server sends S/MIME-encrypted messages using the legacy MIME content-type. You can configure the BlackBerry Enterprise Server to send S/MIME-encrypted messages using an updated MIME content-type that meets the requirements of the PKCS #7 specification instead. If the sender sends an S/MIME-encrypted message to a messaging server that does not support the MIME content-type used, the messaging server does not render the S/MIME-encrypted message correctly. To apply this best practice, you can use the Use PKCS #7 MIME Type option in the BlackBerry Administration Service.

Consider preventing a sender from sending an S/MIME-encrypted message using a certificate if any of the following situations exist:
• BlackBerry device cannot verify the certificate
• corresponding public key is weak
• BlackBerry device does not trust the certificate
• certificate is expired or revoked on the BlackBerry device
• certificate status is expired

For more information about applying these best practices, see the BlackBerry Enterprise Server Administration Guide and BlackBerry Enterprise Server Policy Reference Guide.
Extending messaging security to attachments
The BlackBerry Enterprise Server supports attachments in PGP encrypted messages and S/MIME-encrypted messages. It also permits a user to view encrypted attachments on a BlackBerry device. You can use the S/MIME Allowed Encrypted Attachment Mode IT policy rule and the PGP Allowed Encrypted Attachment Mode IT policy rule to specify the least restrictive mode that a BlackBerry device can use to retrieve attachment information that is PGP encrypted or S/MIME encrypted. The BlackBerry device supports OpenPGP format and PGP/MIME format for PGP encryption.
Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message
The S/MIME Allowed Encrypted Attachment Mode IT policy rule or PGP Allowed Encrypted Attachment Mode IT policy rule determines how a BlackBerry device responds when it receives a PGP/MIME encrypted message or S/MIME-encrypted message that contains an attachment. These rules determine whether the following actions occur automatically when the user opens the email message, or whether the user must request the actions manually.
1. A BlackBerry device sends the message key and a request for the data in the attachment header to the BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the data in the attachment header.
3. The BlackBerry Enterprise Server sends the data in the attachment header to the BlackBerry device.
4. The BlackBerry device processes the data in the attachment header with the email message and displays the associated attachment information so that the user can select the attachment for viewing.
Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
1. The BlackBerry device sends the message key and a request for the attachment data to the BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the attachment data that corresponds to the data in the attachment header.
3. The BlackBerry Enterprise Server decrypts the attachment and sends the rendered attachment data to the BlackBerry device.
4. The BlackBerry device displays the attachment.
To help protect the decrypted attachment data that the BlackBerry device stores, you can turn on content protection.

Enforcing secure messaging using classifications
You can use message classifications to require S/MIME-enabled users or PGP enabled users to sign, encrypt, or sign and encrypt email messages that they send from the BlackBerry devices. You use the Message Classification IT policy rule to configure one or more message classifications that users can apply to email messages. The message classification that the users select when they compose email messages determines the type of S/MIME message protection or PGP message protection that applies to the email messages. If a user does not select a message classification, by default, the BlackBerry device applies the first classification in the message classification list on the BlackBerry device. You can change the order that the BlackBerry device lists the classifications in.

The message protection options on the BlackBerry device are limited to the types of encryption and digital signing that the highly secure messaging packages on the BlackBerry device permit. When a user applies a message classification to an email message on a BlackBerry device, the user must select one type of message protection that the message classification permits, or accept the default type of message protection. If a user selects a message classification that requires signing, encryption, or signing and encryption of the email message, and the user did not install a highly secure messaging package on the BlackBerry device, the user cannot send the email message.
Permitting a BlackBerry device to use a password for S/MIME encryption
A BlackBerry device that is running BlackBerry Device Software 4.6 or later and the S/MIME Support Package for BlackBerry smartphones can use a password, which both sender and recipient know, to encrypt email messages or PIN messages using S/MIME encryption. To configure a BlackBerry device to use a password for S/MIME encryption, you can use the S/MIME Allowed Encryption Types IT policy rule to permit the sender and recipient to use a password or use a password and certificate. The sender and recipient share the password manually. When the sender or recipient types the password to encrypt or decrypt the S/MIME-encrypted message, the BlackBerry device combines the password with random bytes to generate a new encryption key.
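The following sketch illustrates the general idea of combining a shared password with random bytes to obtain a fresh key for each message. It is an added example, not code from the BlackBerry documentation or device software: the use of PBKDF2-HMAC-SHA256, the iteration count, the salt and key lengths, the key-check tag, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for illustration; the page does not state the
# derivation function, iteration count, or sizes the device uses.
KDF_ITERATIONS = 200_000
SALT_LEN = 16   # random bytes generated per message
KEY_LEN = 32    # 256-bit derived key


def normalize_password(password: str) -> bytes:
    """Normalize before encoding so that the same password typed on two
    different keyboards or input methods yields identical bytes."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def derive_key(password: str, salt: bytes) -> bytes:
    """Combine the shared password with the per-message random bytes."""
    if len(salt) < SALT_LEN:
        raise ValueError("salt too short")
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_password(password), salt,
        KDF_ITERATIONS, dklen=KEY_LEN,
    )


def key_check_tag(key: bytes, salt: bytes) -> bytes:
    """Short tag sent with the message so the recipient can detect a
    mistyped password before attempting to decrypt anything."""
    return hmac.new(key, b"key-check" + salt, hashlib.sha256).digest()[:8]


def sender_new_key(password: str):
    """Sender side: fresh random bytes, hence a new key, for every message.
    The salt and tag travel with the message; the password never does."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    return salt, key, key_check_tag(key, salt)


def recipient_key(password: str, salt: bytes, expected_tag: bytes):
    """Recipient side: re-derive from the typed password and the received
    salt. Returns None when the password does not match."""
    key = derive_key(password, salt)
    if not hmac.compare_digest(key_check_tag(key, salt), expected_tag):
        return None
    return key
```

Because the random bytes change per message, a key recovered for one message does not decrypt another; the protection still depends entirely on the strength of the manually shared password.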

Deleting decrypted S/MIME data from a BlackBerry device
A BlackBerry device turns on the Java garbage collection process automatically when the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones and the S/MIME private key on the BlackBerry device. When the BlackBerry device turns on the garbage collection process, the BlackBerry device also runs the memory cleaner application. The memory cleaner application is designed to delete unreferenced or cached decrypted data from the BlackBerry device, including data from the S/MIME application, BlackBerry device key store, content protection cache, contact list cache, S/MIME certificate search, and BlackBerry device clipboard. You or a user can configure the memory cleaner application to permanently delete decrypted data from the BlackBerry device memory when the BlackBerry device is holstered or inactive, or after a specified period of time. For more information, see the BlackBerry Enterprise Solution Security Technical Overview.
Using a smart card with S/MIME encryption
The S/MIME Support Package for BlackBerry smartphones supports certificates that are stored on a smart card and includes tools that a BlackBerry device user can use to download certificates and transfer them from the smart card to the BlackBerry device. You can configure the S/MIME Force Smartcard Use IT policy rule to require the BlackBerry device to use the certificates that are stored on the smart card to sign, encrypt, or sign and encrypt messages.
BlackBerry Smart Card Reader
The BlackBerry Smart Card Reader is an accessory that, when used in proximity to a Bluetooth enabled BlackBerry device or a Bluetooth enabled computer, permits a user to authenticate with a smart card and log in to the BlackBerry device or computer. The BlackBerry Smart Card Reader is designed to perform the following actions:
- communicate with BlackBerry devices and computers using Bluetooth technology version 1.1 or later and, by default, use AES-256 encryption on the application layer
- permit a user to use two-factor authentication to access BlackBerry services and PKI applications
- permit a user to digitally sign and encrypt email messages and receive encrypted messages on the BlackBerry device when the user installs the S/MIME Support Package for BlackBerry smartphones
- store all encryption keys in RAM only and never write the keys to flash memory

The BlackBerry Smart Card Reader permits a user to prove the user's identity to the BlackBerry device or a computer using what the user has (smart card) and what the user knows (smart card password). For more information, see the BlackBerry Smart Card Reader Security Technical Overview.
Advanced Security SD cards
Similar to the BlackBerry Smart Card Reader, an Advanced Security SD card permits a user to prove the user's identity to the BlackBerry device using what the user has (smart card) and what the user knows (smart card password). The BlackBerry Enterprise Solution supports Advanced Security SD cards that use the security system for the MCEX smart card. You can configure a BlackBerry device to require that a user uses an Advanced Security SD card to perform the following actions:
- unlock the BlackBerry device and access BlackBerry services and PKI applications using two-factor authentication
- digitally sign and encrypt email messages and PIN messages using S/MIME encryption when the user installs the S/MIME Support Package for BlackBerry smartphones on the BlackBerry device
- decrypt S/MIME-encrypted email messages and PIN messages
- import certificates that are stored on the Advanced Security SD card into the NV store of the BlackBerry device flash memory
- open SSL connections

user guide for the BlackBerry device
www.blackberry.com/security

Glossary

Advanced Security SD card: An Advanced Security SD card is a media card that complies with the Advanced Security SD Extension Specification that the SD Association developed. BlackBerry devices support only microSD cards that use the MCEX security system.
AES: Advanced Encryption Standard
API: application programming interface
ASCII: American Standard Code for Information Interchange
BlackBerry device key store: The BlackBerry device key store stores certificates, key pairs, and PGP keys that a BlackBerry device can use to help protect messages, access web sites, and connect to an enterprise Wi-Fi network. To access the items in the key store, the user must type a key store password.
BlackBerry device memory: The BlackBerry device memory consists of the NV store, flash memory, RAM, on-board device memory, and BlackBerry device key store.
BlackBerry MDS: BlackBerry Mobile Data System
BlackBerry transport layer encryption: BlackBerry transport layer encryption (formerly known as standard BlackBerry encryption) uses a symmetric key encryption algorithm to help protect data that is in transit between a BlackBerry device and the BlackBerry Enterprise Server when the data is outside an organization's firewall.
content protection: Content protection helps protect user data on a locked BlackBerry device by encrypting the user data using the content protection key and ECC private key.
content protection key: The device transport key (formerly known as the master encryption key) is unique to a BlackBerry device. The BlackBerry device and BlackBerry Enterprise Server use the device transport key to encrypt the message keys.
CRL: certificate revocation list
device transport key: The device transport key (formerly known as the master encryption key) is unique to a BlackBerry device. The BlackBerry device and BlackBerry Enterprise Server use the device transport key to encrypt the message keys.
DH: Diffie-Hellman
DSA: Digital Signature Algorithm
DSML: Directory Service Markup Language
EAP: Extensible Authentication Protocol
ECC: Elliptic Curve Cryptography
ECC private key: The ECC private key decrypts the data that a BlackBerry device received when the BlackBerry device was locked.
flash memory: The flash memory is an internal file system on a BlackBerry device that stores application data and user data.
FQDN: fully qualified domain name
IT policy: An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry devices, BlackBerry enabled devices, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager.
IT policy rule: An IT policy rule permits you to customize and control the actions that BlackBerry devices, BlackBerry enabled devices, the BlackBerry Desktop Software, and the BlackBerry Web Desktop Manager can perform.
LAN: local area network
LDAP: Lightweight Directory Access Protocol
LDAPS: Lightweight Directory Access Protocol over SSL



User Guide Supplement

S/MIME Support Package for BlackBerry Smartphones BlackBerry 8700 Series
SWD-327206-0324102627-001

Contents

Certificates
  Certificate basics
  Certificate status
  Certificate options
  Certificate shortcuts
  Certificate troubleshooting
Certificate servers
  Add a certificate server
  Change connection information for a certificate server
  Connection options for LDAP certificate servers
  Connection options for OCSP and CRL servers
  Send connection information for a certificate server
  Delete a certificate server
Key stores
  About the key store
  Change the key store password
  Change when your device deletes the key store password
  Add contacts to your address book automatically when you add items to the key store
  Change the service that your device uses to download certificates
  Turn off automatic backup of key store data
  Change the refresh rate for certificate revocation lists
  Reject certificate revocation lists from unverified CRL servers
S/MIME-protected messages
  S/MIME-protected message basics
  S/MIME-protected message status
  S/MIME-protected message options
  S/MIME-protected message troubleshooting
Smart cards
  About using a smart card with your device
  Import a certificate from a smart card

Certificates

Certificate basics
Download a certificate from an LDAP certificate server
1. In the device options, click Security Options.
2. Click Certificates.
3. Click the trackwheel.
4. Click Fetch Certificates.
5. Specify the search criteria.
6. Click the trackwheel.
7. Click Search.
8. Click a certificate.
9. Click Add Certificate to Key Store.
View properties for a certificate
1. In the device options, click Security Options.
2. Click Certificates.
3. Click a certificate.
4. Click Details.

Certificate properties

Revocation Status: This field displays the revocation status of the certificate at a specified date and time.
Trust Status: This field displays the trust status of the certificate chain. A certificate can be explicitly trusted (the certificate itself is trusted), implicitly trusted (the root certificate in the certificate chain is trusted on your BlackBerry device), or not trusted (the certificate is not explicitly trusted and the root certificate in the certificate chain is not trusted or does not exist on your device).
Expiration Date: This field displays the date that the certificate issuer specified as the expiration date of the certificate.
Certificate Type: This field displays the certificate format. Your device supports X.509 and WTLS certificate formats.
Public Key Type: This field displays the standard to which the public key complies. Your device supports RSA, DSA, Diffie-Hellman, and ECC keys.
Subject: This field displays information about the certificate subject.
Issuer: This field displays information about the certificate issuer.
Serial Number: This field displays the certificate serial number in hexadecimal format.
Key Usage: This field displays approved uses of the public key.
Subject Alt Name: This field displays an alternate email address for the certificate subject, if an alternate email address is available.
SHA1 Thumbprint: This field displays the SHA-1 digital thumbprint of the certificate.
MD5 Thumbprint: This field displays the MD5 digital thumbprint of the certificate.
View one type of certificate in the certificate list
1. In the device options, click Security Options.
2. Click Certificates.
3. Click the trackwheel.
4. Click one of the following menu items:
   - Show My Certs
   - Show Others Certs
   - Show CA Certs
   - Show Root Certs
To view all the certificates on your BlackBerry device, click the trackwheel. Click Show All Certs.

Send a certificate

When you send a certificate, your BlackBerry device sends the public key, but does not send the corresponding private key.
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Send via Email or Send via PIN.

Delete a certificate

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Delete.
View the certificate chain for a certificate
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Show Chain.

Certificate status

Certificate status indicators
[icon]: The certificate has a corresponding private key that is stored on your BlackBerry device or a smart card.
[icon]: The certificate chain is trusted and valid, and the revocation status of the certificate chain is good.
[icon]: The revocation status of the certificate chain is unknown, or a public key for a certificate in the certificate chain is weak.
[icon]: The certificate is untrusted or revoked, or a certificate in the certificate chain is untrusted, revoked, expired, not valid, or cannot be verified.
Check the revocation status of a certificate or certificate chain
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Fetch Status or Fetch Chain Status.
Change the trust status of a certificate
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Trust or Distrust.
6. If necessary, perform one of the following actions:
   - To trust the highlighted certificate, click Selected Certificate.
   - To trust the highlighted certificate and all the other certificates in the chain, click Entire Chain.

Revoke a certificate

If you revoke a certificate, the certificate is revoked only in the key store on your BlackBerry device. Your device does not update the revocation status on the certificate authority or CRL servers.
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Revoke.
6. Click Yes.
7. Change the Reason field.
8. Click OK.
To cancel a certificate hold, highlight the certificate. Click the trackwheel. Click Cancel Hold.
Certificate revocation reasons
Unknown: The revocation reason does not match any of the predefined reasons.
Key Compromise: A person who is not the key subject might have discovered the private key value.
CA Compromise: Someone might have revealed the private key of the certificate issuer.
Change in Affiliation: The certificate subject no longer works for the organization.
Superseded: A new certificate is replacing an existing certificate.
Cessation of Operation: The certificate subject no longer requires the certificate.
Certificate Hold: You want to revoke the certificate temporarily.

Certificate options

Change the display name for a certificate
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Change Label.
6. Type a display name for the certificate.
7. Click OK.

Add an email address to a certificate
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Associate Addresses.
6. Click the trackwheel.
7. Click Add Address.
8. Perform one of the following actions:
   - Click a contact.
   - Click Use Once. Click Email. Type an email address. Click the trackwheel. Click Continue.
9. Click the trackwheel.
10. Click Save.
Turn off the display name prompt that appears when you add a certificate to the key store
1. In the device options, click Security Options.
2. Click Certificates.
3. Click the trackwheel.
4. Click Fetch Certificates.
5. Click the trackwheel.
6. Click Options.
7. Change the Prompt for Label field to No.
8. Click the trackwheel.
9. Click Save.
When you add a certificate, your BlackBerry device uses the certificate subject as the name for the certificate.
Turn off the fetch status prompt that appears when you add a certificate to the key store
1. In the device options, click Security Options.
2. Click Certificates.
3. Click the trackwheel.
4. Click Fetch Certificates.
5. Click the trackwheel.
6. Click Options.
7. Perform one of the following actions:
   - To download the revocation status of a certificate when you add it to the key store, change the Fetch Status field to Yes.
   - To add a certificate to the key store without downloading the revocation status, change the Fetch Status field to No.
8. Click the trackwheel.
9. Click Save.

Certificate shortcuts

- To view the certificate issuer, press the Space key.
- To view the properties of a certificate, press the Enter key.
- To view the security level of a certificate, press the Alt key and L.
- To view the serial number of a certificate, press the Alt key and S.
- To view certificates for certificate authorities, press the Alt key and C.
- To view personal certificates and certificates for other people, press the Alt key and E.
- To view personal certificates, press the Alt key and P.
- To view certificates for other people, press the Alt key and O.
- To view root certificates, press the Alt key and R.
- To view all certificates, press the Alt key and A.
Certificate troubleshooting
I cannot download a certificate
If you changed the connection type that your BlackBerry device uses to connect to the LDAP certificate server, try switching to the default connection type.

Certificate servers

Add a certificate server
1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Click the trackwheel.
4. Click New Server.
5. Specify information for the certificate server.
6. Click the trackwheel.
7. Click Save.
Change connection information for a certificate server
1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Highlight a certificate server.
4. Click the trackwheel.
5. Click Edit.
6. Change connection information for the certificate server.
7. Click the trackwheel.
8. Click Save.
Connection options for LDAP certificate servers
Friendly Name: Type a display name for the certificate server.
Server Name: Type the network address of the certificate server.
Base Query: Type the base query information for the certificate server using X.509 certificate syntax (for example, o=test.rim.net).
Port: Type the port number for your organization's network. The default port number is 389.
Authentication Type: Specify whether you must log in to the certificate server.
Connection Type: Specify whether your BlackBerry device uses an SSL connection or a TLS connection to connect to the certificate server.
Connection options for OCSP and CRL servers
Friendly Name: Type a display name for the certificate server.
Server URL: Type the web address of the certificate server.
Send connection information for a certificate server
1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Highlight a certificate server.
4. Click the trackwheel.
5. Click Email Server or PIN Server.
Delete a certificate server
1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Highlight a certificate server.
4. Click the trackwheel.
5. Click Delete.

Key stores

About the key store
The key store on your BlackBerry device might store the following items. To access these items in the key store, you must type a key store password.
- personal certificates (certificate and private key pairs)
- certificates that you download using the certificate synchronization tool of the BlackBerry Desktop Manager
- certificates that you download from an LDAP certificate server
- certificates that you add from a message
- personal PGP keys (public and private key pairs)
- PGP public keys that you download from an LDAP certificate server
- PGP public keys that you add from a message
- root certificates that are included in the BlackBerry Desktop Software
Change the key store password
1. In the device options, click Security Options.
2. Click Key Stores.
3. Click the trackwheel.
4. Click Change Password.
Change when your device deletes the key store password
1. In the device options, click Security Options.
2. Click Key Stores.
3. Change the Private Key Password Timeout field.
4. Click the trackwheel.
5. Click Save.

To access private keys after your BlackBerry device deletes the key store password, you must type your key store password.
Add contacts to your address book automatically when you add items to the key store
1. In the device options, click Security Options.
2. Click Key Stores.
3. Change the Key Store Address Injector field to Enabled.
4. Click the trackwheel.
5. Click Save.
Change the service that your device uses to download certificates
Depending on your organization, you might not be able to change the service that you use to download certificates. For more information, contact your administrator.
1. In the device options, click Security Options.
2. Click Key Stores.
3. Change the Certificate Service field.
4. Click the trackwheel.
5. Click Save.
Turn off automatic backup of key store data
By default, items in the key store on your BlackBerry device are backed up or restored when you back up or restore your device data. If you do not want to back up your private key to or restore your private key from your computer for security reasons, you can turn off automatic backup and restore of key store data.
1. In the device options, click Security Options.
2. Click Key Stores.
3. Change the Allow Key Store Backup/Restore field to No.
4. Click the trackwheel.
5. Click Save.
To turn on automatic backup of key store data, change the Allow Key Store Backup/Restore field to Yes.
Change the refresh rate for certificate revocation lists
1. In the device options, click Security Options.
2. Click Key Stores.
3. Change the Certificate Status Expires After field.
4. Click the trackwheel.
5. Click Save.
Your BlackBerry device downloads a new revocation status automatically when your device uses a key store item with a status that is older than the time limit that you set.
Reject certificate revocation lists from unverified CRL servers
1. In the device options, click Security Options.
2. Click Key Stores.
3. Change the Accept Unverified CRLs field to No.
4. Click the trackwheel.
5. Click Save.
Your BlackBerry device rejects certificate revocation lists from CRL servers that the BlackBerry MDS Connection Service cannot verify.
S/MIME-protected messages
S/MIME-protected message basics
About signing and encrypting messages
You can digitally sign or encrypt messages to add another level of security to email messages and PIN messages that you send from your BlackBerry device.

Digital signatures are designed to help recipients verify the authenticity and integrity of messages that you send. When you digitally sign a message using your private key, recipients use your public key to verify that the message is from you and that the message has not been changed.

Encryption is designed to keep messages confidential. When you encrypt a message, your device uses the recipient's public key to encrypt the message. Recipients use their private key to decrypt the message.

To send an encrypted PIN message, you must have a PIN and an email address for the contact in your address book. Your device uses the email address in your address book to locate a PGP key or certificate for the contact.

Sign or encrypt a message
You can sign or encrypt email messages and PIN messages.
1. When composing a message, change the Encoding field.
2. If necessary, change the Classification field.
Attach a certificate to a message
You can attach a certificate to email messages and PIN messages.
1. When composing a message, click the trackwheel.
2. Click Attach Certificates.
3. Highlight a certificate.
4. Click the trackwheel.
5. Click Continue.
Download the certificate used to sign or encrypt a message
If a certificate is not included in a received message or is not already stored in the key store on your BlackBerry device, you can download the certificate.
1. In a message, highlight the encryption indicator or a digital signature indicator.
2. Click the trackwheel.
3. Click Fetch Sender's Certificate.
Add a certificate from a message
1. In a message, highlight a digital signature indicator.
2. Click the trackwheel.
3. Click Import Sender's certificate.
Add a certificate from an attachment
1. In a message, click the certificate attachment.
2. Click Retrieve Certificate Attachment.
3. Click the certificate.
4. Click Import Certificate.
Add connection information for a certificate server from a message
1. In a message, highlight the certificate server indicator.
2. Click the trackwheel.
3. Click Import Server.
View the certificate used to sign or encrypt a message
1. In a message, highlight the encryption status indicator or a digital signature indicator.
2. Click the trackwheel.
3. Click Display Sender's Certificate or Display Encryption Certificate.
View encryption information for a weakly encrypted message
1. In a weakly encrypted message, highlight the encryption status indicator.
2. Click the trackwheel.
3. Click Encryption Details.
S/MIME-protected message status
Digital signature indicators
[icon]: Your BlackBerry device verified the digital signature.
[icon]: Your device cannot verify the digital signature.
[icon]: Your device requires more data to verify the digital signature.
[icon]: Your device trusts the certificate chain.
[icon]: The sender's email address does not match the email address of the certificate subject, or the sender's certificate is revoked, is not trusted, cannot be verified, or is not on your device.
[icon]: The certificate is weak, the certificate status is not current, or your device requires more data to verify the trust status of the certificate.
[icon]: The sender's certificate is expired.
Encryption status indicators
Your administrator sets whether messages that you receive are considered to be strong or weak.
[icon]: The message is strongly encrypted.
[icon]: The message is weakly encrypted.
Check the status of a certificate or certificate chain
If a certificate is included in a received message, or is already stored in the key store on your BlackBerry device, you can check the status of the sender's certificate, or you can check the status of the sender's certificate and all other certificates in the certificate chain.
1. In a message, highlight a digital signature indicator.
2. Click the trackwheel.
3. Click Check Sender's Certificate or Check Sender's Cert Chain.

S/MIME-protected message options
Change your signing or encryption certificate
Your BlackBerry device uses your encryption certificate to encrypt messages in the sent items folder and includes your encryption certificate in messages that you send so that recipients can encrypt their reply messages.

1. In the device options, click Security Options.
2. Click S/MIME.
3. In the Signing Options section or the Encryption Options section, change the Certificate field.
4. Click the trackwheel.
5. Click Save.
Change the default signing and encryption option
Your BlackBerry device is designed to use the default signing and encryption option when you send a message to a contact that you have not sent a message to or received a message from previously. If you have sent a message to or received a message from the contact previously, your device tries to use the signing and encryption option that was used for the last message.
1. In the device options, click Advanced Options.
2. Click Default Services.
3. Change the Default Encoding field.
4. Click the trackwheel.
5. Click Save.
About message classifications
If your BlackBerry device is associated with an email account that uses a BlackBerry Enterprise Server that supports this feature and your administrator turns on message classifications, the BlackBerry Enterprise Server applies a minimum set of security actions to each message that you compose, forward, or reply to, based on the classification that you assign to the message. Your administrator specifies the message classifications that you can use. If you receive a message that uses message classifications, you can view the abbreviation for the classification in the subject line of the message and the full description for the classification in the body of the message. You can also view the abbreviation and full description for the classification for a sent message in the sent items folder.
Change the default message classification
Verify that your administrator has turned on message classifications. Your BlackBerry device is designed to use the default message classification when you send a message to a contact that you have not sent a message to or received a message from previously. If you have sent a message to or received a message from the contact previously, your device tries to use the message classification that was used for the last message.
1. In the device options, click Advanced Options.
2. Click Default Services.
3. Change the Default Classification field.
4. Click the trackwheel.
5. Click Save.

Change the size of S/MIME indicators in messages
1. In the device options, click Security Options.
2. Click S/MIME.
3. Change the Message Viewer Icons field.
4. Click the trackwheel.
5. Click Save.
Change the encryption algorithms for S/MIME-protected messages
If a message has multiple recipients, your BlackBerry device uses the first selected encryption algorithm in the list that all recipients are known to support.
1. In the device options, click Security Options.
2. Click S/MIME.
3. Select the check box beside one or more encryption algorithms.
4. Click the trackwheel.
5. Click Save.
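The selection rule above, as an added Python sketch (not BlackBerry code and not part of the original manual). It shows how a single recipient with limited capabilities moves the whole message down the list. The algorithm names, addresses and capability sets are constructed sample data, and the function names are hypothetical.

```python
# Added illustration; not BlackBerry code. Algorithm names, addresses and
# capability sets below are constructed sample data.

def choose_algorithm(selected, recipient_caps):
    """Return the first algorithm in `selected` (list order) that every
    recipient is known to support, or None when no such algorithm exists.

    selected: ordered list of algorithms whose check box is selected.
    recipient_caps: dict of recipient -> set of algorithms known to be
    supported; a recipient with unknown capabilities has an empty set.
    """
    for alg in selected:
        if all(alg in caps for caps in recipient_caps.values()):
            return alg
    return None  # the manual does not say what the device does in this case


def limiting_recipients(selected, recipient_caps):
    """Recipients not known to support the first selected algorithm, i.e.
    the ones that force the choice further down the list."""
    if not selected:
        return []
    top = selected[0]
    return sorted(r for r, caps in recipient_caps.items() if top not in caps)


# Constructed example: the order of SELECTED is the order of the list.
SELECTED = ["AES-256", "AES-128", "3DES", "RC2-40"]
CAPS = {
    "alice@example.com": {"AES-256", "AES-128", "3DES"},
    "bob@example.com": {"AES-256", "AES-128", "3DES", "RC2-40"},
    "carol@example.com": {"3DES", "RC2-40"},
}

if __name__ == "__main__":
    print("chosen:", choose_algorithm(SELECTED, CAPS))
    print("limited by:", limiting_recipients(SELECTED, CAPS))
    # Clearing the weakest check box removes it as a possible outcome.
    print("without RC2-40:", choose_algorithm(SELECTED[:-1], CAPS))
```

Clearing the check box beside an algorithm removes it from the list of possible outcomes, so the selected set is also the floor for what any message can be encrypted with.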
Request delivery notification for signed S/MIME-protected messages
1. In the device options, click Security Options.
2. Click S/MIME.
3. Change the Request S/MIME Receipts field to Yes.
4. Click the trackwheel.
5. Click Save.
Turn off the prompt that appears before an S/MIME-protected message is truncated
1. In the device options, click Security Options.
2. Click S/MIME.
3. Change the Warn about truncated messages field to No.
4. Click the trackwheel.
5. Click Save.
To turn on the prompt again, change the Warn about truncated messages field to Yes.
Turn off the prompt that appears when you use an S/MIME certificate that is not recommended for use
1. In the device options, click Security Options.
2. Click S/MIME.
3. Change the Warn about problems with my certificates field to No.
4. Click the trackwheel.
5. Click Save.
To turn on the prompt again, change the Warn about problems with my certificates field to Yes.
S/MIME-protected message troubleshooting
Some signing and encryption options are not available on my device
Try performing the following actions:
- Verify that the email account that you are using supports all signing and encryption options.
- If you use message classifications, verify that the message classification supports the signing or encryption options that you want. Try using a different message classification.
I cannot open an attachment in an encrypted message
The attachment information might not be available on the BlackBerry Enterprise Server, your administrator might have set options to prevent you from opening attachments in encrypted messages, or you might have received the message from an email account that does not support attachments in encrypted messages. You cannot open an attachment in a PGP protected message that was encrypted using the OpenPGP format by an IBM Lotus Notes client working with PGP Desktop Professional or that was encrypted by the PGP Universal Server.

Smart cards

About using a smart card with your device
Smart cards store certificates and private keys. You can use a smart card reader to import certificates from a smart card to the key store on your BlackBerry device, but you cannot import private keys. As a result, private key operations such as signing and decryption use the smart card, and public key operations such as verification and encryption use the public certificates on your device. If you use a smart card certificate to authenticate to your device, after you connect your smart card reader to your device, your device requests authentication from the smart card each time that you unlock your device. If the S/MIME Support Package for BlackBerry devices is installed on your device, you can use smart card certificates to send S/MIME-protected messages.

Import a certificate from a smart card
1. In the device options, click Security Options.
2. Click Certificates.
3. Click the trackwheel.
4. Click Import Smart Card Certs.
5. Type your smart card password.
6. Select the check box beside a certificate.
7. Click OK.
8. Type your key store password.
9. Click OK.

 
