Blackberry Enterprise Solution Security


User reviews and opinions

piro 3:04am on Wednesday, November 3rd, 2010 
Awesome accessory! I always find myself wearing down my battery in the middle of the day. Pretty in pink. Very nice, easy to use, I can get my BlackBerry in and out quickly, everyone who sees it loves it and wants to know where I got it from.
mjkuras 3:27pm on Sunday, October 31st, 2010 
It definitely brightened me when I heard the news that BlackBerry would release its response to the so popular iPhone 3G. The BlackBerry Storm 9500 works excellently with email, SMS, memos, Word, and the other great features it has. I love the corporate and sophisticated design.
infernet 3:54pm on Saturday, October 2nd, 2010 
My Storm is the first RIM device I have owned. I never cared for the keyboard on the other devices or for their size. I received the package in a timely manner after I made my order online. The merchant was very efficient in shipping orders out. The phone looks nice.
pharmaman1976 10:52pm on Friday, July 23rd, 2010 
Great value if I can use it! Great phone. Easy to use software. I bought this DVD Burner OEM for under $19 shipped. Great deal.
oldtraveler 8:34pm on Friday, June 11th, 2010 
BlackBerry has been quite a "boom" in my country, so I am really interested in writing a review about it. 3G, GPS, touchscreen.
JoaoLopes 11:21pm on Sunday, May 9th, 2010 
BlackBerry Battery Charger: This is a great product if you have purchased an extra battery; it uses the same plug as your phone. Very useful product. A very practical tool for travelling.
keyur 9:21am on Monday, May 3rd, 2010 
I am an IT professional buying and setting the Storm up for a company executive...The Storm looks great, feels great. I just purchased the BB Storm two days ago and I just returned it...now I am writing a review. This phone is terrible!!
khanom 12:00pm on Tuesday, March 16th, 2010 
The BlackBerry Storm 9500 is one powerful smartphone. It looks corporate and stylish in one. A bit bulky but love the solid feel.


BlackBerry Enterprise Solution Security

This document describes the security features of the BlackBerry Enterprise Solution and provides an overview of the BlackBerry security architecture. It describes the security features that BlackBerry Enterprise Server version 4.1, BlackBerry Desktop Software version 4.1, and BlackBerry Device Software version 4.1 support, unless otherwise stated. See the documentation for earlier versions of the BlackBerry Enterprise Server, BlackBerry Desktop Software, and BlackBerry Device Software to determine whether a feature is supported in that earlier software version.
See the BlackBerry Enterprise Solution Security Acronym Glossary for the full terms substituted by the acronyms in this document.

Wireless security

Many companies are realizing significant return on investments and productivity gains by extending their enterprise information to mobile employees. With an increased demand for mobile content and the threat of information theft, companies have concerns about addressing security needs and requirements when evaluating wireless solutions. Without an effective security model, your company might expose sensitive corporate data, with financial and legal implications. With the advent of powerful new personal devices such as mobile phones and personal digital assistants that can access and store sensitive corporate data, controlling access to these devices is an important issue. Leaving devices with remote access to sensitive data accessible to potentially malicious users could be dangerous.

The BlackBerry Enterprise Solution (consisting of a BlackBerry device, BlackBerry Device Software, BlackBerry Desktop Software, and the BlackBerry Enterprise Server software) is designed to protect your corporation from data loss or alteration in the event of
- malicious interception of data on the corporate network while a user is sending and receiving messages and accessing corporate data wirelessly using the BlackBerry device
- an attack intended to steal corporate data using malicious application code (for example, a virus)
- theft of the BlackBerry device
- identity theft
BlackBerry Enterprise Solution security
The BlackBerry Enterprise Solution implementation of symmetric key cryptography is designed to provide confidentiality, integrity, and authenticity implicitly.

confidentiality
  Description: permits only the intended message recipient to view the contents of a message
  BlackBerry Enterprise Solution implementation: Use encryption, which is data scrambling based on a secret key, to make sure that only the intended recipient can view the contents of the message.
integrity
  Description: enables a message recipient to detect if a third party altered the message data in transit between the message sender and the message recipient
  BlackBerry Enterprise Solution implementation: Protect each message that the BlackBerry device sends with one or more message keys comprised of random information, which is designed to prevent third-party decryption or alteration of the message data.
authenticity
  BlackBerry Enterprise Solution implementation: Enable only the BlackBerry Enterprise Server and the BlackBerry device to know the value of the master encryption key, recognize the format of the decrypted and decompressed message, and automatically reject a message that either one receives that is encrypted with the wrong master encryption key and therefore does not produce the required message format upon decryption.


Master encryption key generation
Both you and a user can generate and regenerate master encryption keys.

Key generation method: desktop-based (wired)
  Initial key generation: When a user connects the BlackBerry device to the desktop computer for the first time, the BlackBerry Desktop Software creates the master encryption key and sends it to the BlackBerry device and the messaging server.
  Key regeneration: When the user subsequently connects the BlackBerry device to the desktop computer, the user can initiate regeneration of the master encryption key. The BlackBerry Desktop Software creates the master encryption key and sends it to the BlackBerry device and the messaging server.

Key generation method: wireless
  Initial key generation: Wireless enterprise activation permits a user to remotely activate a BlackBerry device on the BlackBerry Enterprise Server without a physical network connection. During the wireless enterprise activation, the BlackBerry Enterprise Server and the BlackBerry device negotiate to select the strongest algorithm that they both support and use that algorithm to generate the master encryption key. Note: See Wireless enterprise activation authentication on page 30 for more information.
  Key regeneration: On the BlackBerry device, a user can request a new master encryption key. The BlackBerry device sends the key regeneration request to the BlackBerry Enterprise Server wirelessly. In the BlackBerry Manager, you can initiate regeneration of a master encryption key for a BlackBerry device.
Desktop-based master encryption key generation process
In BlackBerry Desktop Software version 4.0 or later, the master encryption key generation function uses the current time as the seed for the C language srand function. The master encryption key generation function then gathers entropy (randomness) using the following process:
1. When prompted by the BlackBerry Desktop Software, the user moves the mouse.
2. The ARC4 encryption algorithm examines the lowest 12 bits of the x and y axes of the new mouse location. If the bits are different from the previous sample, the BlackBerry Desktop Software stores them, generating 3 bytes of randomness. If the bits are the same as the previous sample, no sample is taken.
3. The ARC4 encryption algorithm sleeps for a random interval between 50 and 150 milliseconds, and then samples again.
4. The ARC4 encryption algorithm loops until it gathers 384 bytes.
5. The BlackBerry Desktop Software retrieves 384 bytes of randomness from the MSCAPI, for a total of 768 bytes.
6. The BlackBerry Desktop Software hashes the 384 bytes of randomness from the ARC4 encryption algorithm and the 384 bytes of randomness from the MSCAPI with SHA-512 to produce 512 bits of data.
7. The BlackBerry Desktop Software frees the memory associated with the unused bits.
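The entropy-gathering loop above is simple enough to model end to end. The following Python is an added illustration, not code from the BlackBerry Desktop Software: it packs the lowest 12 bits of x and y into 3 bytes, skips a sample that equals the previous one, stops at 384 bytes, mixes in 384 bytes from the operating system CSPRNG (os.urandom stands in for the MSCAPI) and hashes both pools with SHA-512. The simulated_mouse_walk generator is a constructed, deterministic stand-in for real pointer motion; the 50-150 ms sleep between samples is omitted because it spaces samples in time without changing the bytes produced.

```python
import hashlib
import os
from typing import Iterable, Iterator, Optional, Tuple

POOL_BYTES = 384       # bytes each source must contribute (from the document)
LOW_BITS = 0xFFF       # lowest 12 bits of each mouse axis
BYTES_PER_SAMPLE = 3   # 12 bits of x + 12 bits of y = 24 bits


def sample_mouse(x: int, y: int, previous: Optional[int]) -> Optional[int]:
    """Pack the lowest 12 bits of x and y into one 24-bit sample.
    Returns None when the sample equals the previous one (no sample taken)."""
    sample = ((x & LOW_BITS) << 12) | (y & LOW_BITS)
    if previous is not None and sample == previous:
        return None
    return sample


def gather_mouse_entropy(positions: Iterable[Tuple[int, int]],
                         needed: int = POOL_BYTES) -> bytes:
    """Consume mouse positions until `needed` bytes have been gathered."""
    pool = bytearray()
    previous = None
    for x, y in positions:
        if len(pool) >= needed:
            break
        sample = sample_mouse(x, y, previous)
        if sample is None:
            continue                      # low 12 bits unchanged: skip this sample
        previous = sample
        pool += sample.to_bytes(BYTES_PER_SAMPLE, "big")
    if len(pool) < needed:
        raise ValueError("mouse stream ended before %d bytes were gathered" % needed)
    return bytes(pool[:needed])


def mix_pools(mouse_pool: bytes, os_pool: bytes) -> bytes:
    """Hash the 384 mouse bytes and the 384 OS bytes with SHA-512 -> 64 bytes (512 bits)."""
    if len(mouse_pool) != POOL_BYTES or len(os_pool) != POOL_BYTES:
        raise ValueError("each pool must be exactly %d bytes" % POOL_BYTES)
    return hashlib.sha512(mouse_pool + os_pool).digest()


def simulated_mouse_walk(count: int, seed: int = 12345) -> Iterator[Tuple[int, int]]:
    """Constructed, deterministic stand-in for real mouse motion: a small LCG
    walk that occasionally repeats a position so the duplicate check fires."""
    state = seed
    x, y = 500, 300
    for _ in range(count):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        if state % 7 == 0:                # every so often the pointer stays put
            yield x, y
            continue
        x = (x + (state >> 16) % 41 - 20) & 0xFFFF
        y = (y + (state >> 8) % 41 - 20) & 0xFFFF
        yield x, y


def generate_seed_material() -> bytes:
    """Whole process: mouse pool + OS CSPRNG pool (stand-in for MSCAPI) -> SHA-512."""
    mouse_pool = gather_mouse_entropy(simulated_mouse_walk(2000))
    os_pool = os.urandom(POOL_BYTES)
    return mix_pools(mouse_pool, os_pool)


if __name__ == "__main__":
    print(generate_seed_material().hex())
```

The duplicate check matters more than it looks: a stationary pointer would otherwise fill the pool with repeated samples that add no entropy, and because only the low 12 bits are examined, two positions 4096 pixels apart on an axis are treated as the same sample.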

The BlackBerry Enterprise Server stores a copy of the seed in a file. When the BlackBerry Enterprise Server restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.
7. The DSA PRNG function generates 128 pseudo-random bits for use with Triple DES and 256 pseudo-random bits for use with AES.
8. The BlackBerry Enterprise Server uses the pseudo-random bits with the appropriate algorithm to generate the message key.

Content protection key

When you turn on or the user turns on content protection on the BlackBerry device, the BlackBerry device generates encryption keys, including the content protection key, that are designed to encrypt the user data on the BlackBerry device in the following scenarios:

Scenario: BlackBerry device is locked
  Encryption process: The BlackBerry device frees the memory that it associates with the content protection key and the ECC private key that it stores in RAM. The BlackBerry device then uses the ECC public key, an asymmetric key, to encrypt new user data that it receives.
Scenario: BlackBerry device is unlocked
  Encryption process: The BlackBerry device decrypts the content protection key and the ECC private key in flash memory. The BlackBerry device then uses the ECC private key and the content protection key to decrypt user data on the BlackBerry device.

See Protected storage of user data on a locked BlackBerry device on page 22 for more information.

Content protection key generation process
When you turn on or the user turns on content protection of data for the first time, the following process occurs:
1. The BlackBerry device uses the NIST-approved DSA PRNG to randomly generate the content protection key, a semi-permanent 256-bit AES encryption key.
2. The BlackBerry device generates an ECC key pair.
3. The BlackBerry device prompts the user to type their BlackBerry device password.
4. The BlackBerry device derives an ephemeral 256-bit AES encryption key from the BlackBerry device password, in accordance with PKCS #5 (the password-based cryptography standard). See Appendix E: Ephemeral AES encryption key derivation process on page 51 for more information.
5. The BlackBerry device uses the ephemeral key to encrypt the content protection key and the ECC private key.
6. The BlackBerry device stores the encrypted content protection key, the encrypted ECC private key, and the ECC public key in flash memory.
Note: If the user changes their BlackBerry device password, the BlackBerry device uses the new password to derive a new ephemeral key and uses the new ephemeral key to re-encrypt the encrypted versions of the content protection key and the ECC private key in flash memory.

User data encryption process on a locked BlackBerry device
1. The BlackBerry device locks.
2. When the BlackBerry device locks for the first time after you turn on or the user turns on content protection, it uses the content protection key to automatically encrypt the bulk of its stored user and application data.
3. The BlackBerry device frees the memory associated with the decrypted content protection key and the decrypted ECC private key stored in RAM.
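The key hierarchy described above (a password-derived ephemeral key that wraps a long-lived content protection key, with the unwrapped keys living only in RAM and cleared on lock) can be modelled in a few dozen lines. The Python below is an added example, not RIM's implementation: the PBKDF2 parameters (SHA-256, 100,000 iterations, a random 16-byte salt) are assumptions because the document defers the real derivation to its Appendix E; the wrap function is an encrypt-then-MAC stream construction built from SHA-256 and HMAC, standing in for AES because the Python standard library has no AES; and the ECC key pair is represented by placeholder bytes, since only its lifecycle (not its mathematics) is being illustrated.

```python
import hashlib
import hmac
import os

KEY_BYTES = 32                # 256-bit keys, as in the document
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000   # assumption: the document gives no iteration count


def derive_ephemeral_key(password: str, salt: bytes) -> bytes:
    """PKCS #5 (PBKDF2-HMAC-SHA256) derivation of the ephemeral 256-bit key
    from the device password. Parameters are assumed, not taken from Appendix E."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, KEY_BYTES)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a stand-in because the standard library has no AES
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC a key under the ephemeral key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, nonce, len(secret))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted key blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class ContentProtection:
    """Models the two storage areas: `flash` persists, `ram` is cleared on lock."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(SALT_BYTES)
        cpk = os.urandom(KEY_BYTES)           # step 1: semi-permanent content protection key
        ecc_private = os.urandom(KEY_BYTES)   # step 2: placeholder bytes, not a real ECC key
        ecc_public = hashlib.sha256(ecc_private).digest()  # placeholder public half
        kek = derive_ephemeral_key(password, self.salt)    # steps 3-4
        self.flash = {                                     # steps 5-6
            "cpk": wrap_key(kek, cpk),
            "ecc_private": wrap_key(kek, ecc_private),
            "ecc_public": ecc_public,
        }
        self.ram = {"cpk": cpk, "ecc_private": ecc_private}

    def is_locked(self) -> bool:
        return not self.ram

    def lock(self) -> None:
        # Locked: free the decrypted keys; only the ECC public key remains usable
        self.ram = {}

    def unlock(self, password: str) -> None:
        kek = derive_ephemeral_key(password, self.salt)
        cpk = unwrap_key(kek, self.flash["cpk"])            # raises on a wrong password
        ecc_private = unwrap_key(kek, self.flash["ecc_private"])
        self.ram = {"cpk": cpk, "ecc_private": ecc_private}

    def change_password(self, new_password: str) -> None:
        """Re-encrypt the stored keys under a key derived from the new password
        (the Note in the document). The device must be unlocked to do this."""
        if self.is_locked():
            raise RuntimeError("unlock the device before changing the password")
        self.salt = os.urandom(SALT_BYTES)
        kek = derive_ephemeral_key(new_password, self.salt)
        self.flash["cpk"] = wrap_key(kek, self.ram["cpk"])
        self.flash["ecc_private"] = wrap_key(kek, self.ram["ecc_private"])
```

Note that a password change rewraps the existing content protection key rather than generating a new one, which is what lets the bulk user data stay encrypted under the same key without being re-encrypted.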


SMS and MMS messaging

SMS and MMS messaging are available on some BlackBerry devices. Supported BlackBerry devices can send SMS and MMS messages over the wireless TCP/IP connection between them.

Controlling unsecured messaging
You can control PIN, SMS, and MMS messaging in your organization using the following IT policy rules:

Allow External Connections
  This rule controls whether applications can initiate external connections (for example, to WAP, SMS, MMS, or other public gateways) on the BlackBerry device.
Confirm on Send
  This rule requires a user to confirm that they wish to send the message before sending an email message, PIN message, SMS message, or MMS message.
Disable Forwarding Between Services
  This rule prevents a user from forwarding or replying to a message using a different BlackBerry Enterprise Server from the one that delivered the original message. This rule also prevents using an email account to forward or reply to a PIN message or reply to an email message with a PIN message.
Disable Peer-to-Peer Normal Send
  This rule prevents a user from sending plain text PIN messages when using a secure messaging package, such as the S/MIME Support Package or the PGP Support Package.

Turning off unsecured messaging
You can turn off unsecured messaging (PIN, SMS, and MMS communication) to make sure that all communication originating at the BlackBerry devices in your organization travels through the enterprise messaging environment.

turn off PIN messaging
  Set the Allow Peer-to-Peer Messages IT policy rule to False. Note: When you turn off PIN messaging, users cannot send PIN messages from the BlackBerry device; however, they can still receive PIN messages on their BlackBerry devices.
turn off SMS messaging
  Set the Allow SMS IT policy rule to False.
turn off MMS messaging
  Set the Disable MMS IT policy rule to True.
Extending BlackBerry device messaging security
In addition to BlackBerry standard encryption, you can enable S/MIME technology or PGP technology to offer an additional layer of security between the sender and recipient of an email or PIN message. Using either one of these technologies enables sender-to-recipient authentication and confidentiality, and helps maintain data integrity and privacy from the time that a user sends a message from the BlackBerry device until the message recipient decodes and reads the message.

PGP Support Package

The PGP Support Package is designed to provide an OpenPGP (RFC 2440) implementation on the BlackBerry device. The implementation enables a user who is already sending and receiving PGP protected messages using their desktop email program to send and receive PGP protected messages using their BlackBerry device. The PGP Support Package includes tools for obtaining PGP keys and transferring them to the BlackBerry device. This means that users can sign, encrypt, and send PGP protected messages using their BlackBerry devices, and

If a user with this feature configured on the BlackBerry device forwards or replies to an encrypted message that the BlackBerry device has received, decrypted, and decompressed, the BlackBerry Enterprise Server for IBM Lotus Domino decrypts the message before the BlackBerry device sends the message to the recipient as plain text. Lotus Notes API 7.0 requires the user's Notes.id file and password to decrypt the received secure message. The user must manually click Import Notes ID and attach a copy of the Notes.id file that they used to log in.

IBM Lotus Notes and S/MIME message decryption process
If a user configures support for reading IBM Lotus Notes and S/MIME encrypted messages on their BlackBerry device, when the user receives an IBM Lotus Notes and S/MIME encrypted message, the BlackBerry Enterprise Server for IBM Lotus Domino decrypts the message using the following process:
1. A user receives an IBM Lotus Notes and S/MIME encrypted message.
2. The BlackBerry Enterprise Server for IBM Lotus Domino messaging agent uses the user's cached Notes.id password to decrypt the message. If the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent does not have the Notes.id password, the user must select More, More All, or Open Attachment to pull the decrypted message to the BlackBerry device.
3. The BlackBerry Enterprise Server pushes the decrypted message to the BlackBerry device, where the user can read the message.

Notes.id password protection
After a user imports the Notes.id file and password (stored in the Notes.id file), the password is
- encrypted in BlackBerry device memory using AES
- encrypted in the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory using AES
- decrypted before being used to call the required Lotus Notes API security functions

The BlackBerry Enterprise Server for IBM Lotus Domino messaging agent deletes the Notes.id files and plain text passwords it stores when
- a message decryption failure occurs on the BlackBerry Enterprise Server
- the BlackBerry Enterprise Server restarts
- the password times out (the default expiration timeout is 24 hours)

The encrypted Notes.id password remains stored in the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory cache. The BlackBerry device deletes the Notes.id files and plain text passwords from BlackBerry device memory when
- a message decryption failure occurs on the BlackBerry device
- the BlackBerry device resets
- the password times out (the default expiration timeout period is 24 hours)

If a user types more than ten consecutive incorrect passwords within one hour, the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent makes secure messaging unavailable to that user for one hour. The temporary disabling period increases by ten-minute increments to a limit of 24 hours. It increments each time a user exceeds the maximum number of failed password attempts and then defaults back to one hour. When secure messaging is temporarily unavailable, a user can manually re-enable secure messaging by importing the Notes.id file, or changing their Notes.id password using the BlackBerry Desktop Software or the Domino Web Access client.
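The escalating lockout in the paragraph above is a small state machine, and writing it out makes the edge cases explicit: failures only count while they fall inside a one-hour window, a lockout triggers on the eleventh failure, and each further lockout lasts ten minutes longer up to 24 hours. The Python below is an added example, not the messaging agent's code. One reading of "then defaults back to one hour" is assumed here: the escalation resets when the user manually re-enables secure messaging by re-importing the Notes.id file or changing the password. Times are plain Unix seconds passed in by the caller so the logic can be exercised without waiting.

```python
MAX_CONSECUTIVE_FAILURES = 10   # "more than ten" incorrect passwords triggers the lockout
FAILURE_WINDOW = 3600           # ...within one hour
BASE_LOCKOUT = 3600             # first lockout lasts one hour
LOCKOUT_STEP = 600              # each further lockout adds ten minutes
MAX_LOCKOUT = 24 * 3600         # ceiling of 24 hours


class NotesPasswordThrottle:
    """Per-user lockout state for the Notes.id password (added illustration)."""

    def __init__(self) -> None:
        self.failures = []        # timestamps of the current run of consecutive failures
        self.locked_until = 0.0
        self.lockouts = 0         # lockouts triggered since the last manual re-enable

    def is_available(self, now: float) -> bool:
        return now >= self.locked_until

    def seconds_remaining(self, now: float) -> float:
        return max(0.0, self.locked_until - now)

    def record_failure(self, now: float) -> bool:
        """Register a wrong password. Returns True if secure messaging is still available."""
        if not self.is_available(now):
            return False
        # only failures inside the last hour count toward the run
        self.failures = [t for t in self.failures if now - t < FAILURE_WINDOW]
        self.failures.append(now)
        if len(self.failures) > MAX_CONSECUTIVE_FAILURES:
            duration = min(BASE_LOCKOUT + LOCKOUT_STEP * self.lockouts, MAX_LOCKOUT)
            self.lockouts += 1
            self.locked_until = now + duration
            self.failures = []
            return False
        return True

    def record_success(self, now: float) -> None:
        # a correct password breaks the run of consecutive failures
        self.failures = []

    def manual_reenable(self, now: float) -> None:
        """User re-imports the Notes.id file or changes the Notes.id password.
        Assumption: this is where the escalating period defaults back to one hour."""
        self.locked_until = 0.0
        self.failures = []
        self.lockouts = 0
```

Because the window is evaluated at each failure rather than with a fixed timer, a slow guess every ten minutes never accumulates more than a handful of failures in the list, while a burst of eleven wrong passwords locks the user out immediately.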

Protected storage of master encryption keys on a locked BlackBerry device
If you turn on content protection of master encryption keys, the BlackBerry device uses the grand master key to encrypt the master encryption keys stored in flash memory and stores the decrypted grand master key in RAM. When you, the user, or a configured password timeout locks the BlackBerry device, the wireless radio remains on and the BlackBerry device does not free the memory associated with the grand master key. When the BlackBerry device receives data encrypted with a master encryption key while it is locked, it uses the decrypted grand master key to decrypt the required master encryption key in flash memory and receive the data. See Grand master key generation process on page 11 for more information.

Enabling protected storage of master encryption keys on a locked BlackBerry device
You enable protected storage of master encryption keys on the BlackBerry device by setting the Force Content Protection of Master Keys IT policy rule. When you turn on content protection of master encryption keys, the BlackBerry device uses the same ECC key strength that it uses to encrypt user and application data when encrypting the master encryption keys. See Enabling protected storage of BlackBerry device data on page 22 for more information.

Protected storage of master encryption keys on a BlackBerry device during a reset
If you turn on content protection of master encryption keys, during a BlackBerry device reset the BlackBerry device
- turns off the wireless radio
- turns off serial bypass
- frees the memory associated with all data and encryption keys stored in RAM, including the decrypted grand master key
- locks

The wireless radio and serial bypass are designed to be turned off while the content protection key is not available to decrypt the grand master key in flash memory. Until a user unlocks the BlackBerry device using the correct BlackBerry device password, the BlackBerry device cannot receive and decrypt data. When the user unlocks the BlackBerry device after a reset, the BlackBerry device
- uses the content protection key to decrypt the grand master key in flash memory
- stores the decrypted grand master key in RAM again
- re-establishes the wireless connection to the BlackBerry Infrastructure
- resumes serial bypass
- receives data from the BlackBerry Enterprise Server

Cleaning the BlackBerry device memory
The BlackBerry device runs a standard garbage collection process to clean the BlackBerry device memory. The garbage collection process, also called the memory cleaning function, is designed to remove referenced, decrypted content from the BlackBerry device flash memory and RAM, ask BlackBerry device applications to free memory associated with unused, sensitive application data, and overwrite the freed, associated memory with zeroes. Users can configure the memory cleaning function to run when their BlackBerry devices are holstered or when their BlackBerry devices remain idle for a configured period of time (2, 5, 10, 20, 30 minutes, or 1 hour). You can configure the memory cleaning function to run automatically when the

password-protect the service account
  Assign a strong password to your sa account, even on servers that require Windows Authentication. Note: A strong password is designed to prevent exposure of a blank or weak sa password if the server is ever reconfigured for Mixed Mode Authentication.
limit the privilege level of Microsoft SQL Server Windows services
  Associate each service with a Windows account from which the service derives its security context. Note: Microsoft SQL Server allows a user of the sa login and in some cases other users to access operating system features derived from the security context of the account that owns the server process. If the server is not secured, a malicious user might use these operating system calls to extend an attack to any other resource to which the Microsoft SQL Server service account has access. If you must change the account associated with a Microsoft SQL Server service, use the SQL Server Enterprise Manager. The SQL Server Enterprise Manager sets the appropriate permissions on the files and registry keys that the Microsoft SQL Server uses.
use the Microsoft SQL Server Enterprise Manager
  Do not use the Microsoft Management Console Services applet to change the account associated with a Microsoft SQL Server service. Using this Services applet requires you to manually adjust many registry and NTFS file system permissions and Microsoft Windows user rights. Note: See the Microsoft Knowledge Base article How to change the SQL Server or SQL Server Agent service account without using SQL Enterprise Manager in SQL Server 2000 or SQL Server Management Studio in SQL Server 2005.
make the Microsoft SQL Server ports that are monitored by default on your firewall unavailable
  Configure your firewall to filter out packets that are addressed to TCP port 1433, addressed to UDP port 1434, or associated with named instances.
use a secure file system
  Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and enables security options such as file and directory ACLs and EFS. Do not change the permissions that the Microsoft SQL Server sets during installation. The Microsoft SQL Server sets appropriate ACLs on registry keys and files if it detects NTFS. If you must change the account that runs the Microsoft SQL Server, decrypt the files under the old account and re-encrypt them under the new account.

See the BlackBerry Enterprise Server Installation Guide for more information.
Protecting the BlackBerry Infrastructure connections
The BlackBerry Enterprise Server is designed to communicate with the BlackBerry Infrastructure using SRP authentication. The BlackBerry Enterprise Server contacts the BlackBerry Infrastructure to establish an initial connection using SRP. The BlackBerry Enterprise Server and the BlackBerry Infrastructure perform an authentication handshake when they attempt to establish a connection. If the authentication fails, they do not establish a connection. After the BlackBerry Enterprise Server and the BlackBerry Infrastructure establish an initial connection over the Internet, the BlackBerry Enterprise Server uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure. The BlackBerry Infrastructure uses standard protocols to send data to the BlackBerry device. A BlackBerry device can bypass SRP connectivity and authentication by using the BlackBerry Router to connect directly to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server can communicate with the BlackBerry Router using a combination of the SRP and BlackBerry Router authentication protocols.

SRP authentication

SRP is designed to perform the following actions when the BlackBerry Enterprise Server and BlackBerry Infrastructure establish an authenticated connection and subsequently transfer data between them.

SRP action: authenticate the BlackBerry Infrastructure to the BlackBerry Enterprise Server and the BlackBerry Enterprise Server to the BlackBerry Infrastructure
  Description: The BlackBerry Infrastructure and the BlackBerry Enterprise Server authenticate with each other before they can transfer data. The authentication handshake sequence depends on a shared secret encryption key (the SRP authentication key) on both the BlackBerry Enterprise Server and the BlackBerry Infrastructure. If at any point in the authentication handshake sequence the authentication fails, SRP terminates the connection.
SRP action: exchange configuration information between the BlackBerry Enterprise Server and the BlackBerry Infrastructure
  Description: The BlackBerry Enterprise Server is designed to send a basic information packet to the BlackBerry Infrastructure immediately following the initial SRP authentication process. The packet format is designed to be recognizable to both the BlackBerry Enterprise Server and the BlackBerry Infrastructure, enabling both sides to configure the parameters of the SRP implementation dynamically. To support backward compatibility with older versions of the BlackBerry Enterprise Server software, which terminate the SRP connection if they receive unrecognized packets, the BlackBerry Infrastructure does not send basic information packets to the BlackBerry Enterprise Server until the BlackBerry Enterprise Server has sent a packet of the same format to the BlackBerry Infrastructure.
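The document states only two properties of the SRP handshake: both sides prove possession of a shared SRP authentication key, and any failure terminates the connection. The following Python is an added, constructed illustration of a mutual challenge-response handshake with those two properties; it is not RIM's SRP wire protocol, and the message layout, nonce sizes and role strings are all assumptions. Each side issues a fresh nonce, and each proof is an HMAC over the prover's role and both nonces, so a proof captured in one direction cannot be replayed or reflected in the other.

```python
import hashlib
import hmac
import os


class Peer:
    """One endpoint holding the shared SRP authentication key (constructed model)."""

    def __init__(self, role: str, srp_auth_key: bytes) -> None:
        self.role = role                  # "BES" or "Infrastructure"
        self.key = srp_auth_key
        self.nonce = b""
        self.state = "idle"               # idle -> handshaking -> connected / terminated

    def challenge(self) -> bytes:
        """Issue a fresh nonce for this connection attempt."""
        self.nonce = os.urandom(16)
        self.state = "handshaking"
        return self.nonce

    def prove(self, peer_nonce: bytes) -> bytes:
        # Bind the proof to both nonces and to this side's role so it cannot be
        # reflected back to the side that produced it.
        msg = self.role.encode() + self.nonce + peer_nonce
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, peer_role: str, peer_nonce: bytes, proof: bytes) -> bool:
        msg = peer_role.encode() + peer_nonce + self.nonce
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(proof, expected):
            return True
        self.state = "terminated"         # any failure ends the connection
        return False


def handshake(bes: Peer, infra: Peer) -> bool:
    """Run both directions of authentication. Returns True only if each side
    verified the other; otherwise both sides are left 'terminated'."""
    n_bes = bes.challenge()
    n_infra = infra.challenge()

    # BlackBerry Enterprise Server proves itself to the BlackBerry Infrastructure
    if not infra.verify(bes.role, n_bes, bes.prove(n_infra)):
        bes.state = "terminated"
        return False
    # BlackBerry Infrastructure proves itself to the BlackBerry Enterprise Server
    if not bes.verify(infra.role, n_infra, infra.prove(n_bes)):
        infra.state = "terminated"
        return False
    bes.state = infra.state = "connected"
    return True
```

The basic information packet described in the second row would only be exchanged once handshake returns True; a verifier that accepted data before both proofs were checked would lose the property the document relies on.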

Authenticating a user to a BlackBerry device using a password
When you add a BlackBerry device to a BlackBerry Enterprise Server, you can require a user to authenticate to the BlackBerry device using a security password. You can use IT policy rules to configure features such as password duration, length, and strength, to require password patterns, and to forbid specific passwords. See the Policy Reference Guide for more information.

If the user intends to activate their BlackBerry device wirelessly, they must contact you for a temporary activation password that the BlackBerry device uses to establish the master encryption key. You can set the BlackBerry device activation password and communicate it to the user. The activation password
- applies to that user's email account only
- is not valid after five unsuccessful activation attempts
- expires if a user does not activate the BlackBerry device within the default period of 48 hours, or a period of up to 720 hours that you configure, after you create their activation password
- is removed from the BlackBerry Enterprise Server when the BlackBerry device activates successfully
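The four rules in the list above define the whole lifecycle of an activation password, and the Python below is an added example that enforces them: a password is bound to one email account, becomes invalid after five failed attempts, expires after 48 hours by default (configurable up to 720 hours), and is deleted the moment activation succeeds. It is not BlackBerry Enterprise Server code; the eight-character lowercase-and-digit password format and the result strings are constructed for the example, and `now` is Unix seconds supplied by the caller.

```python
import secrets
import string

DEFAULT_EXPIRY_HOURS = 48
MAX_EXPIRY_HOURS = 720
MAX_ATTEMPTS = 5
HOUR = 3600


class ActivationPasswordStore:
    """Server-side record of per-user activation passwords (added illustration)."""

    def __init__(self) -> None:
        self._records = {}   # email -> {"password", "expires_at", "failures"}

    def create(self, email: str, now: float,
               expiry_hours: int = DEFAULT_EXPIRY_HOURS) -> str:
        """Create (or replace) the activation password for one email account."""
        if not 1 <= expiry_hours <= MAX_EXPIRY_HOURS:
            raise ValueError("expiry must be between 1 and %d hours" % MAX_EXPIRY_HOURS)
        alphabet = string.ascii_lowercase + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(8))  # constructed format
        self._records[email] = {
            "password": password,
            "expires_at": now + expiry_hours * HOUR,
            "failures": 0,
        }
        return password

    def activate(self, email: str, password: str, now: float) -> str:
        """Attempt activation. Returns 'ok', 'no-password', 'expired',
        'locked' or 'bad-password'. After 'ok', 'expired' or 'locked' the
        record is gone, so later attempts report 'no-password'."""
        rec = self._records.get(email)
        if rec is None:
            return "no-password"          # other account, consumed, or never created
        if now >= rec["expires_at"]:
            del self._records[email]      # rule 3: expired
            return "expired"
        if not secrets.compare_digest(rec["password"].encode(), password.encode()):
            rec["failures"] += 1
            if rec["failures"] >= MAX_ATTEMPTS:
                del self._records[email]  # rule 2: invalid after five failures
                return "locked"
            return "bad-password"
        del self._records[email]          # rule 4: removed on successful activation
        return "ok"

    def has_pending(self, email: str) -> bool:
        return email in self._records
```

Deleting the record on the fifth failure, rather than merely flagging it, is what makes the "not valid" rule hold even if the server is restarted: there is nothing left to guess against until the administrator issues a new password.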
Authenticating a user using a smart card
Use two-factor authentication, using a smart card, to require users to prove their identity to the BlackBerry device by two factors:
what they have (the smart card) what they know (their smart card password).
The BlackBerry Smart Card Reader integrates smart card use with the BlackBerry Enterprise Solution, enabling a user to authenticate with their smart card to login to certain Bluetooth-enabled BlackBerry devices. The BlackBerry Smart Card Reader
creates a reliable two-factor authentication environment for granting users access to BlackBerry and PKI applications is designed to enable the wireless digital signing and encryption of wireless email messages using the S/MIME Support Package stores all encryption keys in RAM only and never writes the keys to flash memory
See the BlackBerry Smart Card Reader Security White Paper for more information.

Binding the smart card to the BlackBerry device

If a user has a smart card authenticator, smart card driver, and smart card reader driver installed on their BlackBerry device, either you or that user can initiate two-factor authentication on the BlackBerry device to bind the BlackBerry device to the installed smart card. After the BlackBerry device binds to the smart card, it requires that smart card to authenticate the user.

You can set the Force Smart Card Two-Factor Authentication IT policy rule in the BlackBerry Manager to require that a user authenticates with the BlackBerry device using a smart card. If you do not force the user to authenticate with the BlackBerry device using a smart card, the user can turn two-factor authentication on and off with their smart card by setting the User Authenticator field in the BlackBerry device Security Options.

When you or the user enables two-factor authentication, the following events occur:

1. The BlackBerry device locks.
2. When a user tries to unlock the BlackBerry device, the BlackBerry device prompts the user to type the BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device forces them to set one.
3. The BlackBerry device prompts the user to type the user authenticator (smart card) password to turn on two-factor authentication with the installed smart card.
4. The BlackBerry device binds to the installed smart card automatically by storing the following smart card binding information in a special BlackBerry device NV store location that is inaccessible to a user:
   - format of the binding information (currently, a version byte with a value of 0)
   - type of smart card (for the Common Access Card, this string is GSA CAC)
   - name of a Java class required by the smart card code
   - name of a Java class required by the BlackBerry Smart Card Reader
   - unique 64-bit identifier that the smart card provides
   - smart card label that the smart card provides (for example, GRAHAM.JOHN.1234567890)
5. The BlackBerry device pushes the current IT policy to the BlackBerry Smart Card Reader.
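The binding record and the check that follows from it, as an added example in Go; this is not RIM's code or the device's actual storage format. The field list is the one the overview gives, but the byte layout (version byte, length-prefixed strings, 64-bit identifier), the Java class names and the card values are assumptions made up for the example. What it demonstrates is the rule stated above: once bound, the device accepts only the card whose type, 64-bit identifier and label match the stored record, and the unlock prompt names that card.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// SmartCardBinding carries the fields the overview says the device writes to
// its protected NV store when it binds to a card. The overview lists the fields
// but not their encoding; the layout used by Marshal/UnmarshalBinding is an
// assumption made for this example.
type SmartCardBinding struct {
	Version     byte   // format version; currently 0
	CardType    string // for the Common Access Card, "GSA CAC"
	CardClass   string // Java class required by the smart card code (assumed name)
	ReaderClass string // Java class required by the BlackBerry Smart Card Reader (assumed name)
	CardID      uint64 // unique 64-bit identifier the card provides
	Label       string // label the card provides, e.g. GRAHAM.JOHN.1234567890
}

// InsertedCard is what the reader reports about whatever card is present now.
type InsertedCard struct {
	CardType string
	CardID   uint64
	Label    string
}

func putString(buf *bytes.Buffer, s string) {
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(s)))
	buf.Write(n[:])
	buf.WriteString(s)
}

func getString(r *bytes.Reader) (string, error) {
	var n [2]byte
	if _, err := io.ReadFull(r, n[:]); err != nil {
		return "", err
	}
	b := make([]byte, binary.BigEndian.Uint16(n[:]))
	if _, err := io.ReadFull(r, b); err != nil {
		return "", err
	}
	return string(b), nil
}

// Marshal serialises the record: version byte, three length-prefixed class and
// type strings, the 64-bit identifier, then the length-prefixed label.
func (b SmartCardBinding) Marshal() []byte {
	var buf bytes.Buffer
	buf.WriteByte(b.Version)
	putString(&buf, b.CardType)
	putString(&buf, b.CardClass)
	putString(&buf, b.ReaderClass)
	var id [8]byte
	binary.BigEndian.PutUint64(id[:], b.CardID)
	buf.Write(id[:])
	putString(&buf, b.Label)
	return buf.Bytes()
}

// UnmarshalBinding parses a stored record, rejecting any version other than 0
// and any record that is truncated or carries trailing bytes.
func UnmarshalBinding(data []byte) (SmartCardBinding, error) {
	var b SmartCardBinding
	r := bytes.NewReader(data)
	v, err := r.ReadByte()
	if err != nil {
		return b, err
	}
	if v != 0 {
		return b, fmt.Errorf("unsupported binding format version %d", v)
	}
	b.Version = v
	for _, dst := range []*string{&b.CardType, &b.CardClass, &b.ReaderClass} {
		if *dst, err = getString(r); err != nil {
			return b, err
		}
	}
	var id [8]byte
	if _, err := io.ReadFull(r, id[:]); err != nil {
		return b, err
	}
	b.CardID = binary.BigEndian.Uint64(id[:])
	if b.Label, err = getString(r); err != nil {
		return b, err
	}
	if r.Len() != 0 {
		return b, errors.New("trailing bytes after binding record")
	}
	return b, nil
}

// CheckBoundCard is the rule that matters after binding: the device accepts only
// the bound card, so card type, 64-bit identifier and label must all match.
func CheckBoundCard(b SmartCardBinding, c InsertedCard) error {
	switch {
	case c.CardType != b.CardType:
		return fmt.Errorf("card type %q does not match bound type %q", c.CardType, b.CardType)
	case c.CardID != b.CardID:
		return fmt.Errorf("card identifier %016x does not match the bound card", c.CardID)
	case c.Label != b.Label:
		return fmt.Errorf("card label %q does not match bound label %q", c.Label, b.Label)
	}
	return nil
}

// PromptText is the content of the unlock prompt: label and type of the bound card.
func PromptText(b SmartCardBinding) string {
	return fmt.Sprintf("Insert smart card %s (%s)", b.Label, b.CardType)
}

func main() {
	b := SmartCardBinding{CardType: "GSA CAC", CardClass: "com.example.cac.Driver",
		ReaderClass: "com.example.reader.Driver", CardID: 0x0123456789abcdef,
		Label: "GRAHAM.JOHN.1234567890"} // constructed values
	got, _ := UnmarshalBinding(b.Marshal())
	fmt.Println(PromptText(got))
	fmt.Println(CheckBoundCard(got, InsertedCard{"GSA CAC", 0x0123456789abcdef, "SMITH.JANE.0000000001"}))
}
```

The parser is strict on purpose: a record with an unknown version byte or a missing field is rejected rather than partially trusted, because a half-parsed binding would let the wrong card pass the comparison.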
Confirming that the BlackBerry device is bound to the correct smart card

After a user turns on two-factor authentication, whenever the BlackBerry device prompts the user to insert the smart card into the BlackBerry Smart Card Reader, the BlackBerry device prompt indicates the label and the card type of the correct (bound) smart card.

If the BlackBerry device is running BlackBerry Device Software version 3.6 or earlier with either the S/MIME Support Package version 1.5 installed or no S/MIME Support Package installed, the information in the prompt is the only indication that a smart card is bound to the BlackBerry device. If the BlackBerry device is running either BlackBerry Device Software version 3.6 or earlier with the S/MIME Support Package version 4.0 or later installed or BlackBerry Device Software version 4.0 or later (S/MIME Support Package optional), the user can also view smart card information in the BlackBerry device Security Options:

Field         Description
Name          indicates the type of the installed smart card
Initialized   indicates whether the BlackBerry device is authenticated with and bound to the smart card; a value of Yes indicates that the BlackBerry device is bound to the smart card, and a value of No indicates that the BlackBerry device is not bound to the smart card
Controlling BlackBerry devices
With the BlackBerry Enterprise Solution, you can monitor and control all BlackBerry devices wirelessly from the BlackBerry Manager.
Controlling BlackBerry device behaviour using IT policy rules
Use one or more IT policies to control the behavior of BlackBerry devices and the BlackBerry Desktop Software in your organization. The Default IT policy includes all standard IT policy rules on the BlackBerry Enterprise Server. When new users in a BlackBerry Domain complete activation of their BlackBerry devices on the BlackBerry Enterprise Server, the BlackBerry Enterprise Server automatically pushes the Default IT policy to their BlackBerry devices. The standard IT policy rules do not enforce the default BlackBerry device or BlackBerry Desktop Software behavior. You can use either of the following methods to change the default behavior of BlackBerry devices and BlackBerry Desktop Software in your organization:


Related resources

BlackBerry Enterprise Server Feature and Technical Overview
    - BlackBerry Enterprise Server architecture
BlackBerry Enterprise Server Installation Guide
    - network environment settings
    - messaging and collaboration environment settings
    - database environment settings
BlackBerry Enterprise Server System Administration Guide
    - generating and changing master encryption keys
    - enabling encryption
    - managing security
BlackBerry Enterprise Solution Security Acronym Glossary
    - full terms substituted by acronyms in this and other security documents
BlackBerry Signing Authority Tool Administrator Guide
    - the BlackBerry Signing Authority Tool implementation of public key cryptography
    - installing, setting up, and managing the BlackBerry Signing Authority Tool
    - restricting access to APIs
BlackBerry Java Development Environment BlackBerry Application Developer Guide Volume 1
    - using BlackBerry APIs
    - APIs, classes, and methods with limited access
    - retrieving custom IT policy rules from the IT policy API
    - deploying applications using the BlackBerry Desktop Software
    - deploying applications wirelessly
BlackBerry Java Development Environment BlackBerry Application Developer Guide Volume 2
    - using controlled APIs
    - code signatures
BlackBerry Smart Card Reader Security White Paper
    - secure pairing between the BlackBerry device and the BlackBerry Smart Card Reader
    - initial key establishment protocol
    - connection key establishment protocol
Garbage Collection in the BlackBerry Java Development Environment
    - cleaning BlackBerry device memory
Policy Reference Guide
    - using BlackBerry Enterprise Server IT policies
PGP Support Package White Paper
    - PGP security and encryption
    - using PGP Universal Server to store and manage PGP keys
    - searching for and validating PGP keys
    - sending and receiving PGP messages
PGP Support Package User Guide Supplement
    - installing the PGP Support Package
    - managing PGP keys on the BlackBerry device
    - setting PGP options for digitally signing and encrypting messages
S/MIME Support Package White Paper
    - S/MIME security and encryption
    - managing S/MIME certificates on the BlackBerry device and desktop computer
S/MIME Support Package User Guide Supplement
    - installing the S/MIME Support Package
    - managing certificates on the BlackBerry device and desktop computer
    - setting S/MIME options for digitally signing and encrypting messages
    - sending and receiving S/MIME messages
Security for BlackBerry Devices with Bluetooth Wireless Technology
    - Bluetooth wireless technology overview
    - using and protecting Bluetooth-enabled BlackBerry devices
    - risks of using Bluetooth wireless technology on mobile devices
BlackBerry Wireless Enterprise Activation Technical Overview
    - wireless enterprise activation process
    - wireless master encryption key generation
    - initial key establishment protocol
    - key rollover protocol
Wireless LAN Security
    - security options for implementing a supported BlackBerry device on a WLAN

Key generation

Algorithm   Key length (bits)                       Type
RSA         512 to [upper bound not legible]        integer factorization
DH          [range not legible]                     discrete logarithm
DSA         [range not legible]                     discrete logarithm
EC          [lower bound not legible] to 571        (EC) discrete logarithm

Message authentication codes

Code       Key length (bits)
CBC MAC    variable (block cipher key length)
HMAC       variable

Message digest codes

Code          Digest length (bits)
SHA-1         160
SHA-224       224
SHA-256       256
SHA-384       384
SHA-512       512
MD2           128
MD4           128
MD5           128
RIPEMD-128    128
RIPEMD-160    160
Appendix B: TLS and WTLS standards that the RIM Crypto API supports
The TLS and WTLS protocol cipher suite components that the RIM Crypto API supports apply only to WTLS and handheld (direct) mode TLS/SSL on the BlackBerry device. The RIM Crypto API implementation of the TLS and WTLS protocols supports the use of RSA and DSA public key algorithms and the DH key exchange algorithm, with the following limitations:

Cipher suite type   Typical component limitation (in bits)
export              RSA and DH: 1024 bits or less; EC: 163 bits or less
non-export          non-elliptic curve operations: 4096 bits; elliptic curve operations: 571 bits

Note: These limitations are due to computational constraints on the BlackBerry device.
Key establishment algorithm cipher suites that the RIM Crypto API supports

Direct mode SSL     Direct mode TLS     WTLS
RSA_EXPORT          RSA_EXPORT          RSA_anon
DH_anon_EXPORT      DH_anon_EXPORT      RSA_anon_512
DHE_DSS_EXPORT      DHE_DSS_EXPORT      RSA_anon_768
RSA                 RSA                 RSA
DHE_DSS             DHE_DSS             RSA_512
DH_anon             DH_anon             RSA_768
                                        DH_anon
                                        DH_anon_512
                                        DH_anon_768

Note that the _anon suites perform no server authentication, and the _EXPORT, _512 and _768 suites are limited to short public keys. Support on the device does not make them safe to use: servers that BlackBerry devices connect to in direct mode should be configured to offer only the authenticated, non-export suites (RSA and DHE_DSS).
Symmetric algorithms that the RIM Crypto API supports

Direct mode SSL     Direct mode TLS     WTLS
RC[?]               RC[?]               RC[?]
DES 40              RC[?]               RC[?]
DES                 RC[?]               RC[?]
Triple DES          DES 40              RC5
RC[?]               DES                 RC[?]
                    Triple DES          DES 40
                    AES 128             DES
                    AES 256             Triple DES
                    RC[?]

[The variant and key-length figures of the RC-family entries, other than the WTLS RC5 entry, are not legible in the source.]
Hash algorithms that the RIM Crypto API supports

This document is provided as is and Research In Motion Limited and its affiliated companies (RIM) assume no responsibility for any typographical, technical, or other inaccuracies in this document. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS.
This document might contain references to third-party sources of information, hardware or software, products or services and, or third-party web sites (collectively the Third-Party Information). RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the Third-Party Information or the third-party in any way. Installation and use of Third-Party Information with RIM products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. Any dealings with Third-Party Information, including, without limitation, compliance with applicable licenses and terms and conditions, are solely between you and the third-party. You are solely responsible for determining whether such third-party licenses are required and are responsible for acquiring any such licenses relating to Third-Party Information. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use Third-Party Information until all such applicable licenses have been acquired by you or on your behalf. Your use of Third-Party Information shall be governed by and subject to you agreeing to the terms of the Third-Party Information licenses. Any Third-Party Information that is provided with RIM products and services is provided as is. RIM makes no representation, warranty, or guarantee whatsoever in relation to the Third-Party Information and RIM assumes no liability whatsoever in relation to the Third-Party Information even if RIM has been advised of the possibility of such damages or can anticipate such damages.


Wireless enterprise activation permits a BlackBerry device user to remotely activate a BlackBerry device on the BlackBerry Enterprise Server without a physical network connection. During the wireless enterprise activation, the BlackBerry Enterprise Server and the BlackBerry device negotiate to select the strongest algorithm that they both support and use that algorithm to generate the master encryption key. Note: For more information, see Authentication during wireless enterprise activation on page 39.
Computer-based process for generating master encryption keys

In BlackBerry Desktop Software Version 4.0 or later, the master encryption key generation function uses the current time as the seed for the C language srand function. The master encryption key generation function then gathers entropy (randomness) using the following process:

1. When prompted by the BlackBerry Desktop Software, the BlackBerry device user moves the mouse. The BlackBerry Desktop Software master encryption key generation function examines the lowest 12 bits of the x and y coordinates of the new mouse location. If the bits are different from the previous sample, the BlackBerry Desktop Software stores them, generating 3 bytes of randomness. If the bits are the same as the previous sample, no sample is taken.
2. The BlackBerry Desktop Software master encryption key generation function waits for a random interval between 50 and 150 milliseconds, and then continues to sample in the same way until it gathers 384 bytes.
3. The BlackBerry Desktop Software retrieves 384 bytes of randomness from the MSCAPI, for a total of 768 bytes.
4. The BlackBerry Desktop Software hashes the 384 bytes of randomness from the BlackBerry device user's mouse coordinates and the 384 bytes of randomness from the MSCAPI with SHA-512 to produce 512 bits of data. The BlackBerry Desktop Software frees the memory associated with the unused bits.
5. The BlackBerry Desktop Software uses the first 256 bits if it is generating the master encryption key using AES encryption or the first 128 bits if it is generating the master encryption key using Triple DES encryption. The BlackBerry Desktop Software discards any unused bits.

A time-seeded srand is predictable and should be counted as contributing no entropy of its own; the unpredictability of the master key rests on the mouse samples and on the MSCAPI output, and both pools are mixed through the SHA-512 step before any bits are used.
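The sampling and derivation steps above, as an added example in Go; this is not RIM's code. The 12-bit masking, the "store only on change" rule, the 384-byte pools, the SHA-512 hash and the 256/128-bit truncation follow the overview. Assumptions for the example: the mouse bytes are hashed before the CSPRNG bytes (the overview does not state the order), the 50 to 150 ms wait between samples is not modelled, and Go's crypto/rand stands in for MSCAPI. The pointer path in main is constructed, not real user input.

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

const (
	mouseBytes = 384 // randomness taken from mouse movement
	osBytes    = 384 // randomness taken from the platform CSPRNG (MSCAPI in the original)
)

// MousePoint is one sampled pointer position.
type MousePoint struct{ X, Y int }

// packSample keeps the lowest 12 bits of x and of y: 24 bits, i.e. 3 bytes.
func packSample(p MousePoint) [3]byte {
	v := uint32(p.X&0xFFF)<<12 | uint32(p.Y&0xFFF)
	return [3]byte{byte(v >> 16), byte(v >> 8), byte(v)}
}

// GatherMouseEntropy replays the sampling rule: a sample is stored only when its
// 24 bits differ from the previously stored sample, until 384 bytes exist.
func GatherMouseEntropy(samples []MousePoint) ([]byte, error) {
	out := make([]byte, 0, mouseBytes)
	var prev [3]byte
	have := false
	for _, p := range samples {
		cur := packSample(p)
		if have && cur == prev {
			continue // pointer did not move: no bits taken
		}
		out = append(out, cur[:]...)
		prev, have = cur, true
		if len(out) >= mouseBytes {
			return out[:mouseBytes], nil
		}
	}
	return nil, fmt.Errorf("only %d of %d mouse bytes gathered", len(out), mouseBytes)
}

// OSEntropy stands in for the 384 bytes the desktop software pulls from MSCAPI.
func OSEntropy() ([]byte, error) {
	b := make([]byte, osBytes)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// DeriveMasterKey hashes both pools with SHA-512 and keeps the leading bits:
// 256 for AES, 128 for Triple DES. Mouse bytes first is an assumption.
func DeriveMasterKey(mouse, osRandom []byte, cipher string) ([]byte, error) {
	if len(mouse) != mouseBytes || len(osRandom) != osBytes {
		return nil, errors.New("both entropy pools must be exactly 384 bytes")
	}
	h := sha512.New()
	h.Write(mouse)
	h.Write(osRandom)
	digest := h.Sum(nil) // 512 bits
	switch cipher {
	case "AES":
		return digest[:32], nil
	case "TripleDES":
		return digest[:16], nil
	}
	return nil, fmt.Errorf("unsupported cipher %q", cipher)
}

func main() {
	var path []MousePoint // constructed pointer path, not real user input
	for i := 0; i < 200; i++ {
		path = append(path, MousePoint{X: i * 37 % 4096, Y: i * 91 % 4096})
	}
	mouse, err := GatherMouseEntropy(path)
	if err != nil {
		panic(err)
	}
	osr, err := OSEntropy()
	if err != nil {
		panic(err)
	}
	key, err := DeriveMasterKey(mouse, osr, "AES")
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES master key: %x\n", key)
}
```

The error path in GatherMouseEntropy is the one worth keeping: a pointer that does not move produces a single 3-byte sample and then nothing, so the function refuses to derive a key from a short pool instead of padding it.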

BlackBerry wireless messaging security
The BlackBerry Enterprise Solution is designed with advanced security features to work seamlessly with existing networks while enabling BlackBerry device users to securely send and receive messages while away from their computers. Email messages remain encrypted at all points between the BlackBerry devices and the BlackBerry Enterprise Server.
Receiving an email message on the BlackBerry device

[Figure: Sending a message from a computer to the BlackBerry device]

1. Alice sends a message to Bob from her computer. Alice and Bob work at the same organization.
2. The messaging server receives the email message and notifies the BlackBerry Enterprise Server that the message has arrived.
3. The messaging server delivers the message to Bob's computer.
4. The BlackBerry Enterprise Server retrieves the message from the messaging server.
5. The BlackBerry Enterprise Server queries the messaging server for BlackBerry device user preferences to determine whether or not to forward the message to Bob's BlackBerry device. The BlackBerry Enterprise Server places the message in the outgoing queue.
6. The BlackBerry Enterprise Server compresses and encrypts the message.
7. The BlackBerry Enterprise Server is designed to maintain a constant, direct outbound TCP/IP connection to the wireless network over the Internet through the firewall on port 3101 (or 4101 in the case of a BlackBerry device that supports implementation alongside an enterprise Wi-Fi network). This constant connection enables the efficient, continuous delivery of data to and from the BlackBerry device.
8. The wireless network routes and then delivers the encrypted message to Bob's BlackBerry device.
9. Bob's BlackBerry device receives the encrypted message. The BlackBerry device then decrypts and displays the message for Bob to read.
Sending an email message from the BlackBerry device

[Figure: Sending a message from a BlackBerry device to the computer]

Bob responds to Alice's message by composing an email on the BlackBerry device. When Bob sends the message, the BlackBerry device compresses, encrypts, and then sends the message over the wireless network. All messages that users create on their BlackBerry devices contain the necessary BlackBerry Enterprise Server routing information for the wireless network to make sure that the wireless network delivers the message to the appropriate BlackBerry Enterprise Server.

When the user tries to view an attachment that is encrypted using S/MIME, PGP/MIME, or OpenPGP on the BlackBerry device, the following actions occur:

1. The BlackBerry device sends the message key and a request for the attachment data to the BlackBerry Enterprise Server.
2. The BlackBerry Enterprise Server uses the message key to decrypt the message and access the attachment data that corresponds to the attachment header data.
3. The BlackBerry Enterprise Server decrypts the attachment and sends the rendered attachment data to the BlackBerry device.
4. The BlackBerry device displays the attachment.

Because the message key leaves the device in step 1, the sender-to-recipient protection of S/MIME and PGP does not extend to attachment viewing: the BlackBerry Enterprise Server handles the message key and the attachment plaintext, so the server must be trusted with that content.

Note: To protect the decrypted attachment data that the BlackBerry device stores, turn on content protection.

PIN-to-PIN messaging

A PIN uniquely identifies each BlackBerry device and BlackBerry enabled device on the wireless network. If a BlackBerry device user knows the PIN of another BlackBerry device, the user can send a PIN message to that BlackBerry device. Unlike an email message that the BlackBerry device user sends to an email address, a PIN message bypasses the BlackBerry Enterprise Server and your organization's network.

PIN message scrambling

During the manufacturing process, Research In Motion (RIM) loads a common peer-to-peer, or PIN-to-PIN, encryption key onto BlackBerry devices. Although the BlackBerry device uses the peer-to-peer encryption key with Triple DES to encrypt PIN messages, every BlackBerry device can decrypt every PIN message that it receives because every BlackBerry device stores the same global peer-to-peer encryption key. This means that if a BlackBerry device or BlackBerry enabled device user other than the intended PIN message recipient intercepts a PIN message, that user can decrypt and read the PIN message using the global peer-to-peer encryption key. Therefore, consider PIN messages as scrambled, not encrypted, messages.

The BlackBerry Enterprise Server administrator can limit the number of BlackBerry devices that can receive and decrypt your organization's PIN messages by generating a new peer-to-peer encryption key known only to BlackBerry devices in your organization. A BlackBerry device with an organization-specific peer-to-peer encryption key can send and receive PIN messages only with other BlackBerry devices on your organization's network that have the same peer-to-peer encryption key. These PIN messages use organization-specific scrambling instead of the default global scrambling.

The BlackBerry Enterprise Server administrator can also set the Firewall Block Incoming Messages IT policy rule to limit the number of BlackBerry devices in your organization that can receive either or both of PIN messages that use organization-specific scrambling and PIN messages that use the default global scrambling. The BlackBerry Enterprise Server administrator should generate a new organization-specific peer-to-peer encryption key if the administrator knows the current key is compromised. The BlackBerry Enterprise Server administrator can update and resend the peer-to-peer encryption key for BlackBerry device users in the BlackBerry Manager.

- turn off SMS messaging
- turn off MMS messaging
Extending BlackBerry device messaging security
In addition to standard BlackBerry encryption, the BlackBerry Enterprise Server administrator can enable S/MIME technology or PGP technology to offer an additional layer of security between the sender and recipient of an email or PIN message. Using either one of these technologies enables sender-to-recipient authentication and confidentiality, and helps maintain data integrity and privacy from the time that a BlackBerry device user sends a message from the BlackBerry device until the message recipient decodes and reads the message.
PGP Support Package for BlackBerry devices
The PGP Support Package for BlackBerry devices is designed to provide support for using OpenPGP (RFC 2440) and PGP/MIME (RFC 3156) message formatting on the BlackBerry device to enable BlackBerry device users who already send and receive PGP protected messages in OpenPGP and PGP/MIME formats using their computer email applications to send and receive PGP protected messages in these formats using their BlackBerry devices. The PGP Support Package for BlackBerry devices includes tools for obtaining PGP keys and transferring them to the BlackBerry device so that BlackBerry devices with the PGP Support Package for BlackBerry devices installed can decrypt PGP protected messages and BlackBerry device users can read the decrypted messages on their BlackBerry devices. Users can digitally sign, encrypt, and send PGP protected messages from their BlackBerry devices. Without the PGP Support Package for BlackBerry devices, the BlackBerry device receives PGP protected messages as unreadable cipher text. Within the PGP Universal environment, the PGP Universal Server operates as a network appliance. The PGP Universal Server specifies secure email policies that the PGP Universal Server administrator designs. The BlackBerry device with the PGP Support Package for BlackBerry devices installed enforces compliance with the PGP Universal secure email policies for all email messages. The PGP Support Package for BlackBerry devices is designed to include support for the following features:
- using the PGP Universal Server to retrieve and enforce a secure email policy
- searching for and retrieving PGP keys, PGP key status, and X.509 certificate status over the wireless network using either a PGP Universal Server or an external LDAP key server
- setting the BlackBerry device to connect to external LDAP PGP key servers using SSL/TLS (LDAPS) connections
- encrypting and decrypting PGP protected email and PIN messages
- allowing BlackBerry devices to use PGP key-only encryption when sending PGP protected messages from BlackBerry devices
- verifying digital signatures on received email and PIN messages, and digitally signing outgoing email and PIN messages
- encoding and decoding Unicode messages
The BlackBerry device is designed to use the BlackBerry MDS Connection Service, which resides on the BlackBerry Enterprise Server, to connect to the PGP Universal Server and to the external LDAP PGP key server(s) that the BlackBerry device user sets on the BlackBerry device. The Connection Service uses standard protocols, such as HTTP and TCP/IP, to enable the BlackBerry device to retrieve PGP keys and PGP key status from the PGP Universal Server or an external LDAP PGP key server over the wireless network.

PGP security

PGP technology is designed to enable sender-to-recipient authentication and confidentiality and help maintain data integrity and privacy from the time that the BlackBerry device user sends a message over the wireless network until the message recipient decodes and reads the message. PGP technology relies on public key cryptography (using private and public key pairs) to provide confidentiality, integrity and authenticity.

PGP key types

The PGP Support Package for BlackBerry devices uses public key cryptography with the following keys:

Key type          Description
PGP public key    The BlackBerry device uses the recipient's PGP public key to encrypt outgoing email messages, and uses the sender's PGP public key to verify digital signatures on received email messages. The PGP public key is designed to be distributed and accessed by message recipients and senders without compromising security conditions.
PGP private key   The BlackBerry device uses the PGP private key to digitally sign outgoing email messages and decrypt received email messages. Private key information should remain private to the key owner.
PGP encryption

If the PGP Support Package for BlackBerry devices exists on a BlackBerry device, when a user sends a message from that BlackBerry device, the BlackBerry device encrypts the message using the following process:

1. The BlackBerry device encrypts the message using the message recipient's PGP public key.
2. The BlackBerry device uses standard BlackBerry encryption to encrypt the PGP encrypted message.
3. The BlackBerry device sends the encrypted message to the BlackBerry Enterprise Server.
4. The BlackBerry Enterprise Server removes the standard BlackBerry encryption and sends the PGP encrypted message to the recipient.

Decrypting and reading messages on the BlackBerry device using Lotus Notes API 7.0

In BlackBerry Enterprise Server Version 4.1 or later for IBM Lotus Domino with IBM Lotus Notes API Version 7.0, by default, BlackBerry devices can decrypt IBM Lotus Notes encrypted messages and S/MIME-encrypted messages. In BlackBerry Enterprise Server Version 4.1 or later for IBM Lotus Domino in an IBM Lotus Domino environment, the BlackBerry Enterprise Server supports using the AES algorithm with the master encryption key of the BlackBerry device to encrypt the Notes ID file and password and store them in the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory.

When BlackBerry device users forward or reply to IBM Lotus Notes encrypted messages or S/MIME-encrypted messages that the BlackBerry devices decrypted, the BlackBerry devices send the messages to the recipients as plain text. The BlackBerry Enterprise Server administrator can configure the default BlackBerry device behaviour in the following ways:

- use the Disable Notes Native Encryption Forward And Reply IT policy rule to prevent BlackBerry device users from forwarding and replying to IBM Lotus Notes encrypted messages on their BlackBerry devices
- use the Notes Native Encryption Password Timeout IT policy rule to specify the maximum length of time (in minutes) that the BlackBerry device stores the IBM Lotus Notes.id password that the user types

Process for decrypting IBM Lotus Notes and S/MIME messages

If a BlackBerry device user sets support for reading IBM Lotus Notes and S/MIME-encrypted messages on the BlackBerry device, when the BlackBerry device user receives an IBM Lotus Notes or S/MIME-encrypted message, the BlackBerry Enterprise Server for IBM Lotus Domino decrypts the message using the following process:

1. A BlackBerry device user receives an IBM Lotus Notes or S/MIME-encrypted message.
2. The BlackBerry Enterprise Server for IBM Lotus Domino messaging agent decrypts the BlackBerry device user's cached Notes.id password and uses the decrypted password to decrypt the message. If the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent does not have the Notes.id password, the BlackBerry device user must select More, More All, or Open Attachment to pull the decrypted message to the BlackBerry device.
3. The BlackBerry Enterprise Server deletes the decrypted Notes.id password from memory. The encrypted Notes.id password remains cached.
4. The BlackBerry Enterprise Server pushes the decrypted message to the BlackBerry device, where the user can read the message.

Application password encryption and storage on the BlackBerry device
A BlackBerry device user can use the Password Keeper tool to create and store all of the passwords that they might use to gain access to applications and web sites on the BlackBerry device. This means that a BlackBerry device user is required to remember only the Password Keeper master password to retrieve all of their stored passwords. The first time that a BlackBerry device user opens the Password Keeper on the BlackBerry device, the user must create the Password Keeper master password.

The Password Keeper encrypts the information (for example, application and web site passwords and data) that it stores using 256-bit AES, and uses the master password to decrypt the information when a BlackBerry device user types the master password to gain access to the Password Keeper tool. The BlackBerry device automatically deletes all of its data if a user types the Password Keeper master password incorrectly ten times.

In the Password Keeper, a BlackBerry device user can:

- type a password and its identifying information (for example, which application the BlackBerry device user can access using the password) and save the information
- generate random passwords designed to improve password strength
- copy passwords to the clipboard to be pasted into an application or web site password prompt
Protected storage of external memory on the BlackBerry device
The BlackBerry device is designed to encrypt multimedia data that it stores on an external memory device according to the External File System Encryption Level IT policy rule or the corresponding BlackBerry device setting. The BlackBerry device is designed to support the following features:

- external file encryption by encrypting specific files on the external memory device using AES. The external file system encryption does not apply to files that the BlackBerry device user manually transfers to external memory (for example, from a USB mass storage device).
- access control to objects on the external memory device using code signing with 1024-bit RSA

The external memory device stores encrypted copies of the file keys that the BlackBerry device is designed to use to decrypt and encrypt files on the external memory device. The BlackBerry device is designed to use a device key stored in the NV store in BlackBerry device RAM, a user-provided password, or both to encrypt the external memory file keys.

The BlackBerry device is designed to permit code signing keys in the header information of the encrypted file on the external memory device. The BlackBerry device is designed to check the code signing keys when the BlackBerry device opens the input or output streams of the encrypted file.

The BlackBerry device, any computer platform, and other devices that use the external memory device can modify encrypted files (for example, truncate files) on the external memory device. The BlackBerry device is not designed to perform integrity checks on the encrypted file data. In practice this means that anything with write access to the card can alter or truncate an encrypted file without the BlackBerry device detecting the change; the code signing check on the file header governs which code may open the file, not whether its contents are intact.

Process for generating external memory file encryption keys

When the BlackBerry Enterprise Server administrator turns on or the BlackBerry device user turns on encryption of external memory for the first time, the following process occurs:

1. The BlackBerry device generates a 256-bit AES encryption key.
2. The BlackBerry device stores the encryption key in the NV store in RAM on the BlackBerry device.
3. The BlackBerry device XORs the AES key with another 256-bit AES encryption key that is encrypted using a password to generate the external memory file encryption key (a session key).
4. The BlackBerry device encrypts the external memory file encryption key using the AES encryption key.
5. The BlackBerry device stores the encrypted external memory file encryption key on the external memory device.
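The key-generation steps above and the missing integrity check, as an added example in Go; this is not RIM's code and does not reproduce the device's file format. The example follows the five steps (device key kept off the card, file key formed by XOR with a password-protected key, file key wrapped under the device key and only the wrapped form stored on the card) and then shows what "no integrity checks on the encrypted file data" permits: a flipped byte or a truncated ciphertext decrypts without any error. Assumptions: AES-256 in CTR mode (the overview names only AES), a SHA-256 of a constructed password standing in for the password-protected key, and the Tag/VerifyTag functions, which are an addition to show what an HMAC check would catch, not part of the scheme on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CardState is what ends up on the external memory device: the wrapped file key
// and the IV used to wrap it. The plaintext file key never leaves the device.
type CardState struct {
	WrappedFileKey []byte
	WrapIV         []byte
}

// NewKey returns a fresh 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// XorKeys combines two 256-bit keys, as step 3 describes.
func XorKeys(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// aesCTR runs AES-256-CTR (an assumption; the overview only names AES).
func aesCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// SetupExternalMemory follows steps 1 to 5: generate the device key (kept in the
// NV store), derive the file key by XOR with the password-protected key, wrap the
// file key under the device key, and store only the wrapped form on the card.
func SetupExternalMemory(passwordKey []byte) (deviceKey []byte, card CardState, err error) {
	if len(passwordKey) != 32 {
		return nil, card, errors.New("password-protected key must be 256 bits")
	}
	if deviceKey, err = NewKey(); err != nil {
		return nil, card, err
	}
	card.WrapIV = make([]byte, aes.BlockSize)
	if _, err = rand.Read(card.WrapIV); err != nil {
		return nil, card, err
	}
	card.WrappedFileKey, err = aesCTR(deviceKey, card.WrapIV, XorKeys(deviceKey, passwordKey))
	return deviceKey, card, err
}

// UnwrapFileKey recovers the file key on a device that holds the device key.
func UnwrapFileKey(deviceKey []byte, card CardState) ([]byte, error) {
	return aesCTR(deviceKey, card.WrapIV, card.WrappedFileKey)
}

// EncryptFile and DecryptFile protect one file under the file key. Nothing here
// authenticates the ciphertext, matching the overview's "no integrity checks".
func EncryptFile(fileKey, plaintext []byte) (iv, ct []byte, err error) {
	iv = make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	ct, err = aesCTR(fileKey, iv, plaintext)
	return iv, ct, err
}

func DecryptFile(fileKey, iv, ct []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("bad IV length")
	}
	return aesCTR(fileKey, iv, ct)
}

// Tag and VerifyTag are an addition, not part of the page's scheme: HMAC-SHA-256
// over IV and ciphertext under a key derived from the file key.
func Tag(fileKey, iv, ct []byte) []byte {
	macKey := sha256.Sum256(append([]byte("external-memory-mac:"), fileKey...))
	m := hmac.New(sha256.New, macKey[:])
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

func VerifyTag(fileKey, iv, ct, tag []byte) bool {
	return hmac.Equal(Tag(fileKey, iv, ct), tag)
}

func main() {
	pw := sha256.Sum256([]byte("constructed password")) // stand-in for the password-protected key
	dev, card, err := SetupExternalMemory(pw[:])
	if err != nil {
		panic(err)
	}
	fk, _ := UnwrapFileKey(dev, card)
	iv, ct, _ := EncryptFile(fk, []byte("IMG_0001.JPG contents"))
	ct[0] ^= 0x01 // a computer with write access to the card flips one bit
	pt, _ := DecryptFile(fk, iv, ct)
	fmt.Printf("decrypted without error: %q\n", pt)
}
```

Two things to take from running it: a device key alone does not let a second device unwrap the file key of the first (the wrapped key on the card is useless without the device key from the NV store), and without a tag the decrypt path cannot tell a tampered or truncated file from an intact one.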

IEEE 802.1X environment components

An IEEE 802.1X environment includes the following components:

- IEEE 802.1X/EAP client software, also called a supplicant, running on the enterprise Wi-Fi network client device. The Wi-Fi enabled BlackBerry device has a built-in IEEE 802.1X supplicant.
- IEEE 802.1X software running on the access point, also called an authenticator
- an authentication server that authenticates the enterprise Wi-Fi network client device on behalf of the authenticator and allows the Wi-Fi network client to authenticate the Wi-Fi network. In most cases, the authentication server uses the RADIUS protocol (RFC 2865 and RFC 3579) to communicate with the authenticator on the access point.

How the IEEE 802.1X environment controls access to the enterprise Wi-Fi network

When a wireless client first associates itself with an access point that is enabled for IEEE 802.1X security, the only communication that the access point permits is IEEE 802.1X authentication. Using a negotiated EAP method, the supplicant on the supported Wi-Fi enabled BlackBerry device sends its credentials (typically, a BlackBerry device user name and password) to the access point, which forwards the information to the authentication server. The authentication server authenticates the supported Wi-Fi enabled BlackBerry device on behalf of the access point and instructs the access point to permit or prevent access to the enterprise Wi-Fi network. The authentication server sends Wi-Fi network credentials to the supported Wi-Fi enabled BlackBerry device to allow it to authenticate the access point.

After an authentication server permits the supported Wi-Fi enabled BlackBerry device to access the enterprise Wi-Fi network, the access point and the BlackBerry device use IEEE 802.1X EAPOL-Key messages to establish the WEP, TKIP, or AES-CCMP encryption keys, depending on the EAP method that is set on the BlackBerry device. After the access point and the supported Wi-Fi enabled BlackBerry device establish encryption keys, the BlackBerry device has encrypted access to the enterprise Wi-Fi network.

If your enterprise Wi-Fi solution is using one of the supported EAP authentication methods, all of which are designed to provide mutual authentication between supported Wi-Fi enabled BlackBerry devices and the enterprise Wi-Fi network, the BlackBerry Enterprise Server administrator can grant and revoke supported Wi-Fi enabled BlackBerry devices' access to the enterprise Wi-Fi network by updating the central authentication server only. The system administrator does not need to update the configuration of each access point.

- creates a reliable two-factor authentication environment for granting BlackBerry device users access to BlackBerry and PKI applications
- is designed to enable the wireless digital signing and encryption of wireless email messages using the S/MIME Support Package for BlackBerry devices
- stores all encryption keys in RAM only and never writes the keys to flash memory
For more information, see the BlackBerry Smart Card Reader Security Technical Overview.
Binding the smart card to the BlackBerry device
If a user has a smart card authenticator, smart card driver, and smart card reader driver installed on their BlackBerry device, either the BlackBerry Enterprise Server administrator or that user can initiate two-factor authentication on the BlackBerry device to bind the BlackBerry device to the installed smart card. After the BlackBerry device binds to the smart card, it requires that smart card to authenticate the user.
The BlackBerry Enterprise Server administrator can set the Force Smart Card Two-Factor Authentication IT policy rule in the BlackBerry Manager to require that a user authenticates with the BlackBerry device using a smart card. If the BlackBerry Enterprise Server administrator does not force the user to authenticate with the BlackBerry device using a smart card, the user can turn two-factor authentication on and off with their smart card by setting the User Authenticator field in the BlackBerry device Security Options.
When the BlackBerry Enterprise Server administrator or the user enables two-factor authentication, the following events occur:
1. The BlackBerry device locks.
2. When a user tries to unlock the BlackBerry device, the BlackBerry device prompts the user to type the BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device forces them to set one.
3. The BlackBerry device prompts the user to type the user authenticator (smart card) password to turn on two-factor authentication with the installed smart card.
4. The BlackBerry device binds to the installed smart card automatically by storing the following smart card binding information in a special BlackBerry device NV store location that is inaccessible to a user:
   - the name of a Java class that the BlackBerry Smart Card Reader requires
   - the binding information format
   - the smart card type
   - the name of a Java class that the smart card code requires
   - a unique 64-bit identifier that the smart card provides
   - a smart card label that the smart card provides (for example, GRAHAM.JOHN.1234567890)
   Note: For the Common Access Card, this string is GSA CAC.
5. The BlackBerry device pushes the current IT policy to the BlackBerry Smart Card Reader.
Confirming that the BlackBerry device is bound to the correct smart card
After a user turns on two-factor authentication, whenever the BlackBerry device prompts the user to insert the smart card into the BlackBerry Smart Card Reader, the BlackBerry device prompt indicates the label and the card type of the correct (bound) smart card. If the BlackBerry device is running BlackBerry Device Software Version 3.6 with either the S/MIME Support Package Version 1.5 for BlackBerry devices installed or no S/MIME Support Package for BlackBerry devices installed, the information in the prompt is the only indication that a smart card is bound to the BlackBerry device. If the BlackBerry device is running BlackBerry Device Software Version 4.0 or later (S/MIME Support Package for BlackBerry devices optional), the user can also view smart card information in the BlackBerry device Security Options.
The smart card fields in the Security Options and their descriptions:
- Name: indicates the type of the installed smart card
- Initialized: indicates whether the BlackBerry device is authenticated with and bound to the smart card
  - a value of Yes indicates that the BlackBerry device is bound to the smart card
  - a value of No indicates that the BlackBerry device is not bound to the smart card
Controlling BlackBerry devices
With the BlackBerry Enterprise Solution, the BlackBerry Enterprise Server administrator can monitor and control all BlackBerry devices over the wireless network from the BlackBerry Manager.
Controlling BlackBerry device behavior using IT policy rules
Use one or more IT policies to control the behavior of BlackBerry devices and the BlackBerry Desktop Software in your organization. The Default IT policy includes all standard IT policy rules on the BlackBerry Enterprise Server. When new users in a BlackBerry Domain complete activation of their BlackBerry devices on the BlackBerry Enterprise Server, the BlackBerry Enterprise Server automatically pushes the Default IT policy to their BlackBerry devices. The BlackBerry Enterprise Server administrator can use either of the following methods to change the default behavior of BlackBerry devices and BlackBerry Desktop Software in your organization:
- set the values of IT policy rules in the Default IT policy
- create a new IT policy, set its IT policy rule values, and assign one or more users or user groups to the new IT policy
Changing the default behavior
An IT policy rule enables the BlackBerry Enterprise Server administrator to customize and control BlackBerry device and BlackBerry Desktop Software functionality using the following methods:
- setting an IT policy rule to a True or False value
- typing a string, which simultaneously turns on an IT policy rule and provides the parameters for its use
- selecting a predefined permitted value to assign to an IT policy rule
The BlackBerry Enterprise Server administrator cannot use all IT policy rules to set the behavior of all BlackBerry device types. For more information, see the Policy Reference Guide. The BlackBerry Manager groups the IT policy rules by common properties or by application. Most IT policy rules are intended to be assigned to more than one BlackBerry device. Some IT policy rules set a unique value and are intended to be assigned to one BlackBerry device and one user only. For more information on those IT policy rules, see the BlackBerry Enterprise Server Implementation Guide for Wireless LAN.
Reverting to the default behavior
To revert to the default behavior that an IT policy rule customizes or controls, the BlackBerry Enterprise Server administrator can set that IT policy rule to Default, if that setting is available, or delete the previously set value.

- security wipe of data (standard security wipe)
- security wipe of data and third-party applications (standard security wipe with the Include third party applications option selected on the device)
- security wipe of data on a content-protected device (standard security wipe on a content-protected device)
For more information, see Erasing File Systems on BlackBerry Devices Technical Overview. The BlackBerry device performs the following actions, depending on the method used to wipe the internal device memory:
- deletes user data: The BlackBerry device permanently deletes all user data in memory.
- deletes corporate PIN-to-PIN encryption key: The BlackBerry device permanently deletes its references to the corporate peer-to-peer, or PIN-to-PIN, encryption key in memory.
- deletes the master encryption key: The BlackBerry device permanently deletes its references to the master encryption key in memory.
- unbinds the smart card (if applicable): The BlackBerry device permanently deletes the smart card binding information from the NV store so that a user can authenticate with the BlackBerry device using a new smart card.
- unbinds the IT policy: The BlackBerry device permanently deletes the IT policy public key from its NV store so that it can receive a new IT policy and IT policy public key from a BlackBerry Enterprise Server.
- deletes password history: The BlackBerry device permanently deletes its references to past BlackBerry device password hashes in memory.
- deletes stored BlackBerry MDS device policy: The BlackBerry device permanently deletes its BlackBerry Mobile Data System device policy from its NV store.
- deletes stored IT policy: The BlackBerry device permanently deletes its stored IT policy.
- deletes third-party applications: The BlackBerry device permanently deletes all third-party applications stored on the BlackBerry device.
- overwrites BlackBerry device memory if content protection is turned on: The BlackBerry device uses a memory scrub process to overwrite the BlackBerry device flash memory file system.
For more information, see Appendix D: BlackBerry device wipe process on page 75.
Remotely erasing data from BlackBerry device memory and making the BlackBerry device unavailable
A BlackBerry device that is not physically connected to a computer is designed to permanently delete its user and application data when any of the following events occur:

6. The BlackBerry Enterprise Server checks that when $R_D$ approaches the point at infinity, $R_D$ is random.
- checks that when the value $R_B$ approaches the point at infinity or $R_D$ equals $R_B$, the value $R_B$ is random
- checks that when the value $e_D$ equals 0, the value $e_D$ is random
11. The BlackBerry Router forwards $R_B$, $e_D$, and KeyID to the BlackBerry device.
12. The BlackBerry device performs the following calculations:
   - checks that when the value $R_B$ approaches the point at infinity or $R_D$ equals $R_B$, the value $R_B$ is random
   - checks that when the value $e_D$ equals 0, the value $e_D$ is random
   - computes $y_D = h - e_D r_D \pmod p$
13. The BlackBerry device picks a random value $e_B$, where $1 < e_B < p - 1$.
14. The BlackBerry device sends $y_D$ and $e_B$ to the BlackBerry Enterprise Server.
15. The BlackBerry Router observes the data that the BlackBerry device sends and confirms that if $e_B$ equals 0 or $e_B$ equals $e_D$, the value $e_B$ is random.
16. The BlackBerry Router forwards $y_D$ and $e_B$ to the BlackBerry Enterprise Server.
17. The BlackBerry Enterprise Server performs the following calculations:
   - checks that when the value $e_D$ equals $e_B$, the value $e_B$ is random
   - checks that when the value $e_D$ equals 0, the value $e_D$ is random
   - computes $y_B = h - e_B r_B \pmod p$
18. The BlackBerry Enterprise Server sends $y_B$ to the BlackBerry device.
19. The BlackBerry device receives $y_B$. If the BlackBerry device accepts $y_B$, the BlackBerry Enterprise Server and the BlackBerry device open an authenticated connection between them.
   - If the BlackBerry device calculates that $y_B P + e_B R_B \neq hP$, the BlackBerry device rejects the connection attempt. The BlackBerry Enterprise Server and the BlackBerry device do not open an authenticated connection between them.
   - If the BlackBerry Router calculates that $y_B P + e_B R_B \neq y_D P + e_D R_D$, the BlackBerry Router rejects the connection attempt.
   - If the BlackBerry Enterprise Server calculates that $y_D P + e_D R_D \neq hP$, the BlackBerry Enterprise Server rejects the connection attempt.
20. The BlackBerry Router stores $R_D$, $R_B$, $y_D P + e_D R_D$, $e_D$, and $e_B$.
21. The BlackBerry Enterprise Server stores $R_D$, $R_B$, $e_D$, $e_B$, and $h$.
22. The BlackBerry Router overwrites $y_B$ and $y_D$ in memory with zeroes.
23. The BlackBerry Enterprise Server overwrites $y_B$, $y_D$, and $r_B$ in memory with zeroes.
24. The BlackBerry device overwrites $y_B$, $y_D$, and $r_D$ in memory with zeroes.
Process flow: Using the BlackBerry Router protocol to close an authenticated connection
1. The BlackBerry Enterprise Server picks a random value $r_C$, where $1 < r_C < p - 1$.
2. The BlackBerry Enterprise Server calculates $R_C = r_C P$.
3. If $R_C$ equals $R_B$, or $R_C$ equals $R_D$, the BlackBerry Enterprise Server calculates another $R_C$ value.
4. The BlackBerry Enterprise Server sends the value $R_C$ to the BlackBerry Router to initiate connection closure.
5. The BlackBerry Router performs the following calculations:
   - checks that when the value $R_C$ approaches the point at infinity, the value $R_C$ is random
   - checks that when the value $R_C$ equals $R_B$, or $R_C$ equals $R_D$, the value $R_C$ is random
   The BlackBerry Router then picks a random value $e_C$, where $1 < e_C < p - 1$. If $e_C$ equals $e_D$, or $e_C$ equals $e_B$, the BlackBerry Router calculates another $e_C$ value.
6. The BlackBerry Router sends the value $e_C$ to the BlackBerry Enterprise Server.
7. The BlackBerry Enterprise Server performs the following calculations:
   - checks that when the value $e_C$ equals 0, the value $e_C$ is random
   - checks that when the value $e_C$ equals $e_B$, or $e_C$ equals $e_D$, the value $e_C$ is random
8. The BlackBerry Enterprise Server calculates $y_C = h - e_C r_C \pmod p$.
9. The BlackBerry Enterprise Server sends the value $y_C$ to the BlackBerry Router.
10. If the BlackBerry Router accepts $y_C$, the BlackBerry Router closes the authenticated connection to the BlackBerry device on behalf of the BlackBerry Enterprise Server. If the BlackBerry Router calculates that $y_C P + e_C R_C \neq y_D P + e_D R_D$, the BlackBerry Router rejects the connection close attempt. The BlackBerry Router does not close the authenticated connection to the BlackBerry device.
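The acceptance checks in steps 12, 17 and 19 of the open flow and step 10 of the close flow all rest on one identity: if $y = h - e r$ and $R = rP$, then $yP + eR = hP$, so a peer holding $h$ can check the responder against $hP$ while the Router, which never holds $h$, can only check that both sides' sums land on the same point. The following is an added Python example, not code from the BlackBerry documentation; it uses a textbook toy curve of order 19 and reduces mod the order of $P$ (the page writes mod $p$ and does not give the production curve), with the random values passed in explicitly so the runs are reproducible.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with base point P of prime order 19: a textbook
# curve, far too small for real use; the page does not give the production parameters
FIELD, A = 17, 2
P = (5, 1)    # base point behind the page's R = rP
ORDER = 19    # the page reduces mod p; this example reduces mod the order of P
INF = None    # the point at infinity

def ec_add(p1, p2):
    # Affine addition with INF as identity; doubling is the tangent-slope branch
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def ec_mul(k, pt):
    # Double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def response(h, e, r):
    # Steps 12 and 17: y = h - e*r answers challenge e for the commitment R = rP
    return (h - e * r) % ORDER

def combine(y, e, R):
    # yP + eR, which equals hP exactly when y was built from the shared h and the r behind R
    return ec_add(ec_mul(y, P), ec_mul(e, R))

def peer_accepts(y, e, R, h):
    # Step 19 on the device, and the server's mirror check: yP + eR must equal hP
    return combine(y, e, R) == ec_mul(h, P)

def router_accepts(yB, eB, RB, yD, eD, RD):
    # The Router never holds h, so it only checks both sides resolve to the same point;
    # at close it runs the same comparison between y_C P + e_C R_C and the stored y_D P + e_D R_D
    return combine(yB, eB, RB) == combine(yD, eD, RD)

def run_handshake(h, rD, rB, eD, eB, h_device=None):
    # Returns (server accepts y_D, device accepts y_B, Router accepts); h_device simulates
    # a device that answers with a different h than the server holds
    RD, RB = ec_mul(rD, P), ec_mul(rB, P)
    yD = response(h if h_device is None else h_device, eD, rD)
    yB = response(h, eB, rB)
    return (peer_accepts(yD, eD, RD, h), peer_accepts(yB, eB, RB, h),
            router_accepts(yB, eB, RB, yD, eD, RD))
```

With a device that holds a different $h$, the device still accepts the server's $y_B$ but both the server and the Router reject, which is the Router's whole contribution here: it can refuse a mismatched pair without ever seeing $h$.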
Appendix H: Enterprise Wi-Fi security methods that the BlackBerry device supports
EAP authentication methods that the BlackBerry device supports
The BlackBerry device supports EAP authentication methods with protected WLAN networks only.
LEAP
Description: Cisco developed LEAP in response to the weaknesses identified in WEP. LEAP uses the IEEE 802.1x authentication framework. LEAP is designed to significantly improve on basic WEP security by providing authentication between the enterprise Wi-Fi network device and the enterprise Wi-Fi network, per-client dynamic generation of WEP keys, and automatic WEP key updates throughout the course of a session on the enterprise Wi-Fi network device.
BlackBerry device implementation: The BlackBerry device supports LEAP authentication based on a user name and password. The BlackBerry device uses a one-way function to encrypt passwords before sending them to the authentication server. LEAP does not provide mutual authentication between the BlackBerry device and the enterprise Wi-Fi network. Set strong password policies on networks that use LEAP.
PEAP
Description: PEAP is an open standard jointly developed by Microsoft Corporation, RSA Security, and Cisco Systems, Inc. PEAP allows for supplicant authentication with an authentication server by
- creating an encrypted tunnel between the supplicant and the authentication server using TLS
- using the TLS tunnel to send the supplicant authentication credentials to the authentication server