manualshive.com logo in svg

Blackberry Enterprise Server 4.1, Overview, Page: 62 / 92

Share
Download
Blackberry Enterprise Server 4.1 Overview Download Page 62

BlackBerry Enterprise Solution 

62

 

 

The BlackBerry Enterprise Server administrator should send the Set a Password and Lock Handheld IT 
administration command to a content-protected BlackBerry device that is in the possession of the BlackBerry 
device user only. Sending this command to a BlackBerry device in the possession of an attacker allows an 
attacker that uses a hardware-based attack to recover the key pair that the BlackBerry device creates when it 
receives the IT policy from flash memory, and thereby decrypt all the data on the BlackBerry device. 

For more information about the protocol, see “Appendix L: Protocol for resetting the password on a content-
protected BlackBerry device remotely” on page 89.  

Types of remote BlackBerry device wipes 

The BlackBerry device wipe process is designed to delete all data in internal memory and overwrite that memory 
with zeroes.  

Type 

Description 

factory default device wipe 

This method of removing BlackBerry device data is initiated by the 
BlackBerry Enterprise Server administrator remotely using the Remote 
Wipe Reset to Factory Defaults IT policy rule. See “Removing third-party 
applications during a user-initiated security wipe” on page 65 for more 
information. 

security wipe of data (standard 
security wipe) 

 

This method of removing BlackBerry device data is initiated by the 
BlackBerry Enterprise Server administrator remotely, or by the BlackBerry 
device user locally on the BlackBerry device. See “Remotely erasing data 
from BlackBerry device memory and making the BlackBerry device 
unavailable” on page 63 for more information. 

security wipe of data and third-
party applications (standard 
security wipe with Include third 
party applications option 
selected on device) 

This method of removing BlackBerry device data is initiated by the 
BlackBerry device user locally on the BlackBerry device. The BlackBerry 
Enterprise Server administrator can achieve the same result by performing 
a factory default device wipe. See “Removing third-party applications 
during a user-initiated security wipe” on page 65 for more information. 

security wipe of data on a 
content-protected device 
(standard security wipe on a 
content-protected device) 

If content protection is turned on, during a security wipe the BlackBerry 
device uses a memory scrub process to overwrite the BlackBerry device 
flash memory file system. The BlackBerry memory scrub process complies 
with United States government requirements for clearing sensitive user 
data, including 

Department of Defense directive 5220.22-M

 and 

National 

Institute of Standards and Technology Special Publication 800-88

For more information, see 

Erasing File Systems on BlackBerry Devices Technical Overview

The BlackBerry device performs the following actions, depending on the method used to wipe the internal device 
memory: 

BlackBerry device action 

Description 

deletes user data 

The BlackBerry device permanently deletes all user data in memory. 

deletes corporate PIN-to-PIN 
encryption key 

The BlackBerry device permanently deletes its references to the corporate 
peer-to-peer, or PIN-to-PIN, encryption key in memory. 

deletes the master encryption 
key 

The BlackBerry device permanently deletes its references to the master 
encryption key in memory.

 

unbinds the smart card (if 
applicable) 

The BlackBerry device permanently deletes the smart card binding 
information from the NV store so that a user can authenticate with the 
BlackBerry device using a new smart card. 

www.blackberry.com 

 

Summary of Contents for Enterprise Server 4.1

Page 1: ...prise Solution Security Technical Overview for BlackBerry Enterprise Server Version 4 1 Service Pack 6 and BlackBerry Device Software Version 4 6 2009 Research In Motion Limited All rights reserved ww...

Page 2: ...ing unsecured messaging 21 Extending BlackBerry device messaging security 22 PGP Support Package for BlackBerry devices 22 PGP encryption 23 S MIME Support Package for BlackBerry devices 24 S MIME enc...

Page 3: ...segmented network architecture to prevent the spread of malware on your organization s network 46 Protecting Wi Fi connections to the BlackBerry Enterprise Solution 46 Enterprise Wi Fi network solutio...

Page 4: ...S and WTLS standards that the RIM Crypto API supports 72 Key establishment algorithm cipher suites that the RIM Crypto API supports 72 Symmetric algorithms that the RIM Crypto API supports 73 Hash alg...

Page 5: ...ods and encryption algorithms with which the BlackBerry device supports the use of CCKM 85 VPN solution on the Wi Fi enabled BlackBerry device 86 Appendix I Algorithm suites that the BlackBerry device...

Page 6: ...y device BlackBerry Device Software BlackBerry Desktop Software and the BlackBerry Enterprise Server is designed to protect your organization from data loss or alteration in the event of malicious int...

Page 7: ...nd the message to the BlackBerry device If message failure occurs the BlackBerry device prompts the BlackBerry device user to generate a new master encryption key BlackBerry Enterprise Solution securi...

Page 8: ...rotected email or PIN message BlackBerry Enterprise Server Version 4 1 SP6 or later BlackBerry Device Software Version 4 6 or later On supported BlackBerry devices that have the PGP Support Package fo...

Page 9: ...t match the BlackBerry device and the BlackBerry Enterprise Server cannot decrypt and must therefore discard messages that they receive Where master encryption keys are stored The BlackBerry Configura...

Page 10: ...ry device when the BlackBerry device user connects the BlackBerry device to the computer The current key then becomes the new previous key and the pending key becomes the new current key How the messa...

Page 11: ...aster encryption key generation function uses the current time as the seed for the C language srand function The master encryption key generation function then gathers entropy randomness using the fol...

Page 12: ...public keys and the ECMQV algorithm to negotiate a common key in such a way that an unauthorized party cannot calculate the same key This protocol achieves perfect forward secrecy The new master encr...

Page 13: ...signed to seed a DSA PRNG function to generate a message key using the following process 1 The BlackBerry device obtains random data from multiple sources for the seed using a technique derived from t...

Page 14: ...cryptography standard For more information see Appendix E Process for deriving encryption keys that protect the keys used with content protection on page 77 5 The BlackBerry device uses the ephemeral...

Page 15: ...en the BlackBerry device receives data encrypted with a master encryption key while it is locked it uses the grand master key to decrypt the required master encryption key in flash memory and receive...

Page 16: ...electromagnetic analysis countermeasure protection that is designed to address the potential of side channel attacks against the BlackBerry device The AES implementation uses masking countermeasures...

Page 17: ...age 2 The BlackBerry device encrypts the message using the message key 3 The BlackBerry device encrypts the message key using the master encryption key which is unique to that BlackBerry device 4 The...

Page 18: ...cations if not functioning correctly might impact the security usability and performance of the BlackBerry Enterprise Solution and might cause loss of BlackBerry device data To use the third party enc...

Page 19: ...connection from the BlackBerry Enterprise Server to the BlackBerry Infrastructure is a two way TCP connection on port 3101 The BlackBerry Infrastructure directs messages from the BlackBerry device to...

Page 20: ...actions can occur automatically when the user opens the message or when the user requests the actions manually 1 The BlackBerry device sends the message key and a request for the attachment header dat...

Page 21: ...d resend the peer to peer encryption key for BlackBerry device users in the BlackBerry Manager Text messaging Text messaging using SMS and MMS are available on some BlackBerry devices Supported BlackB...

Page 22: ...receive PGP protected messages in OpenPGP and PGP MIME formats using their computer email applications to send and receive PGP protected messages in these formats using their BlackBerry devices The PG...

Page 23: ...is designed to be distributed and accessed by message recipients and senders without compromising security conditions PGP private key The BlackBerry device uses the PGP private key to digitally sign...

Page 24: ...ckBerry devices with the S MIME Support Package for BlackBerry devices installed can decrypt messages that are encrypted using S MIME encryption and BlackBerry device users can read the decrypted mess...

Page 25: ...n the BlackBerry device the BlackBerry device decrypts the S MIME encrypted message and renders the message contents If the message is encrypted with a shared password the BlackBerry device user types...

Page 26: ...Notes encrypted messages or S MIME encrypted messages that the BlackBerry devices decrypted the BlackBerry devices send the messages to the recipients as plain text The BlackBerry Enterprise Server ad...

Page 27: ...very Lotus Notes encrypted message the user receives on the BlackBerry device Visit www blackberry com knowledgecenterpublic to view the article KB 12420 How to Change the length of time for which the...

Page 28: ...on the BlackBerry device An IT policy is a collection of one or more IT policy rules An IT administration command is a function that the BlackBerry Enterprise Server administrator can send over the w...

Page 29: ...memory for example from a USB mass storage device access control to objects on the external memory device using code signing with 1024 bit RSA The external memory device stores encrypted copies of the...

Page 30: ...a BlackBerry device user turns on content protection on the BlackBerry device the BlackBerry device uses content protection to encrypt user data items including the following Item Description AutoText...

Page 31: ...age 14 Protected storage of master encryption keys on a locked BlackBerry device If the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys the BlackBerry...

Page 32: ...Berry device applications to empty any caches and free memory associated with unused sensitive application data automatically overwrites the memory freed by the memory cleaner application when it runs...

Page 33: ...hitecture For more information on the BlackBerry Enterprise Server architecture see the BlackBerry Enterprise Server Feature and Technical Overview To improve the security and performance of the Black...

Page 34: ...atabase the BlackBerry Configuration Database stores BlackBerry services that might otherwise require access to the messaging server can access encryption keys and passwords through the BlackBerry Con...

Page 35: ...your organization must change the account associated with a Microsoft SQL Server service the system administrator should use the SQL Server Enterprise Manager to do so The SQL Server Enterprise Manag...

Page 36: ...d the Default IT policy and the IT policy public key to the BlackBerry device before the BlackBerry device can communicate with the new BlackBerry Enterprise Server The new BlackBerry Configuration Da...

Page 37: ...which terminate the SRP connection if they receive unrecognized packets the BlackBerry Infrastructure does not send basic information packets to the BlackBerry Enterprise Server until the BlackBerry...

Page 38: ...ication from the BlackBerry Infrastructure of when the BlackBerry device changes state When the BlackBerry device state indicates that it can send and receive messages over the wireless network the Bl...

Page 39: ...ise Server and the BlackBerry device use the same authentication information to validate each other that the SRP authentication handshake sequence uses to determine whether or not the BlackBerry Enter...

Page 40: ...erprise Server and the BlackBerry device use the initial key establishment protocol to establish a master encryption key The BlackBerry Enterprise Server and the BlackBerry device verify the master en...

Page 41: ...r encryption key Only the BlackBerry device and BlackBerry Enterprise Server have the correct valid master encryption key The BlackBerry Enterprise Server encrypts data traffic between specific compon...

Page 42: ...ame and key The GroupWise server verifies the trusted application name and key and permits the BlackBerry Enterprise Server to establish a connection to the BlackBerry device user s GroupWise database...

Page 43: ...rotocol are strong enough Using a secure connection to push BlackBerry MDS Studio Applications to BlackBerry devices After the system administrator configures authentication between the BlackBerry MDS...

Page 44: ...rypted and is not decrypted at the Connection Service Use handheld mode TLS SSL when only the endpoints of the transaction are trusted for example with banking services Note BlackBerry devices with Bl...

Page 45: ...over a 521 bit curve 2 Signs the ECDSA key using a stored root certificate 3 Signs the wireless software upgrade communication that it sends to the BlackBerry device using the digitally signed ECDSA k...

Page 46: ...computer in its own network segment Placing the BlackBerry Enterprise Solution components in segmented network architecture is an option designed to prevent the spread of potential attacks from one Bl...

Page 47: ...ically to access the mobile network provider s voice and data services The Wi Fi enabled BlackBerry device and the BlackBerry Infrastructure send all data between them over the established SSL connect...

Page 48: ...CMP encryption for WPA Personal WPA2 Personal WPA Enterprise and WPA2 Enterprise Layer 3 security Use VPNs the only layer 3 security method that the BlackBerry device currently supports at the IP laye...

Page 49: ...ckBerry devices from the BlackBerry Manager using wireless IT commands and IT policy rules The enterprise Wi Fi network solution includes specific IT policy rules for the security of the enterprise Wi...

Page 50: ...Wi Fi network communications but it relies on a single shared passphrase of up to 256 bits in length for access control All access points and wireless clients must know the passphrase The supported Wi...

Page 51: ...cess point can cache a PMK which is derived from keying material that the EAP exchange generates PMK caching reuses previously established keying material to skip IEEE 802 1x authentication and mutual...

Page 52: ...BlackBerry device user must have a valid email address for the BlackBerry device to activate successfully and register with the wireless network Authenticating a user to a BlackBerry device using a p...

Page 53: ...smart card by setting the User Authenticator field in the BlackBerry device Security Options When the BlackBerry Enterprise Server administrator or the user enables two factor authentication the follo...

Page 54: ...ckBerry Enterprise Server administrator can use either of the following methods to change the default behavior of BlackBerry devices and BlackBerry Desktop Software in your organization set the values...

Page 55: ...and the BlackBerry Desktop Software behavior over the wireless network By default the BlackBerry Enterprise Server is designed to resend the IT policy to BlackBerry devices of users that are assigned...

Page 56: ...e packages The wireless service provider cannot select available BlackBerry Device Software upgrade packages and send them to BlackBerry devices unless you set the BES Upgrade Exclusivity flag in the...

Page 57: ...ption Description Turn off the GPS feature on BlackBerry devices The following measures prevent third party applications and preloaded BlackBerry applications from accessing the global position of the...

Page 58: ...server If a tool that is running on a potentially untrusted computer tries to open a USB connection to a BlackBerry device the BlackBerry device sends a random challenge to the computer The RIM tool a...

Page 59: ...rules that are designed to enable the BlackBerry Enterprise Server administrator to prevent BlackBerry devices from downloading third party applications over the wireless network specify whether or no...

Page 60: ...opers who create controlled access third party APIs can act as a signing authority for those APIs The application developer can download and install the BlackBerry Signing Authority Tool to allow othe...

Page 61: ...r to allow the user to terminate the process of erasing data from and making the BlackBerry device unavailable during the delay period The BlackBerry Enterprise Server administrator can use this comma...

Page 62: ...standard security wipe with Include third party applications option selected on device This method of removing BlackBerry device data is initiated by the BlackBerry device user locally on the BlackBer...

Page 63: ...e BlackBerry device The user types the password incorrectly more times than the Set Maximum Password Attempts IT policy rule allows on the BlackBerry device The default is ten attempts The BlackBerry...

Page 64: ...tored IT policy third party applications and application data When the BlackBerry device reverts to its factory default settings it overwrites BlackBerry device internal memory and if content protecti...

Page 65: ...Berry device has not successfully received IT policy updates or IT administration commands the BlackBerry device permanently deletes its user and application data Secure Wipe Delay After Lock Set this...

Page 66: ...ool Administrator Guide the BlackBerry Signing Authority Tool implementation of public key cryptography installing setting up and managing the BlackBerry Signing Authority Tool restricting access to A...

Page 67: ...ecurity Technical Overview PGP security and encryption using PGP Universal Server to store and manage PGP keys searching for and validating PGP keys sending and receiving PGP messages PGP Support Pack...

Page 68: ...g S MIME options for digitally signing and encrypting messages sending and receiving S MIME messages Security for BlackBerry Devices with Bluetooth Wireless Technology Bluetooth wireless technology ov...

Page 69: ...or directly access the encryption code because all calls to the native C encryption code are routed through the JDE Java code Cryptographic functionality that the RIM Crypto API provides Symmetric blo...

Page 70: ...equired message digest code SHA 1 SHA 256 SHA 384 or SHA 512 or RIPEMD 160 512 to 4096 integer factorization RSA using PSS 512 to 4096 integer factorization ECDSA 160 to 571 EC discrete logarithm ECNR...

Page 71: ...BlackBerry Enterprise Solution 71 Code Digest length bits RIPEMD 128 160 128 160 www blackberry com...

Page 72: ...imitations Cipher suite type Typical component limitation in bits export RSA and DH 1024 bits or less EC 163 bits or less non export non elliptic curve operations 4096 bits elliptic curve operations 5...

Page 73: ...40 RC4 56 RC5 56 DES RC4 128 RC5 64 Triple DES DES 40 RC5 DES RC5 128 Triple DES DES 40 AES 128 DES AES 256 RC4 128 RC4 128 Triple DES Hash algorithms that the RIM Crypto API supports Direct mode SSL...

Page 74: ...his way until accumulating at least 8 bits 2 The rand function generates a random integer 3 The BlackBerry Enterprise Server or BlackBerry Desktop Software examines the integer s least significant bit...

Page 75: ...aster encryption key 7 The BlackBerry device overwrites flash memory with zeroes 8 The BlackBerry device memory scrub process overwrites the BlackBerry device heap in RAM changing the state of each bi...

Page 76: ...d later If content protection is turned on to overwrite the BlackBerry device NAND flash memory during a BlackBerry device wipe by writing a single character before clearing the data the BlackBerry de...

Page 77: ...s is intended to keep two identical passwords from turning into the same key 2 The BlackBerry device concatenates the salt the password and the salt again into a byte array Salt Password Salt 3 The Bl...

Page 78: ...when content protection is turned on During the initial AES algorithm calculation the following actions occur 1 The BlackBerry device performs the masking operation by creating a mask table M where ea...

Page 79: ...hat the key schedule calculates for each round of encryption with random values and any S Box masks that the AES algorithm requires to operate How the AES algorithm calculation uses masks The BlackBer...

Page 80: ...elliptic curve scalar multiplication where x is the scalar and R is a point on E Fq s the master encryption key value h the SHA 512 hash of s How the BlackBerry Router protocol uses the Schnorr ident...

Page 81: ...ise Server picks a random value eD where 1 eD p 1 9 The BlackBerry Enterprise Server sends RB eD and KeyID to the BlackBerry device 10 The BlackBerry Router observes the data that the BlackBerry Enter...

Page 82: ...ckBerry Enterprise Server sends the value RC to the BlackBerry Router to initiate connection closure 4 The BlackBerry Router performs the following calculations checks that when the value RC approache...

Page 83: ...for supplicant authentication with an authentication server by creating an encrypted tunnel between the supplicant and the authentication server using TLS using the TLS tunnel to send the supplicant a...

Page 84: ...ion The BlackBerry device supports EAP MS CHAPv2 and EAP GTC as second phase protocols that the BlackBerry device can use with EAP FAST for the authentication credential exchange EAP SIM EAP SIM is de...

Page 85: ...distribution to a wireless client The Wi Fi enabled BlackBerry device supports the use of TKIP with EAP TLS EAP TTLS EAP FAST PEAP PSK AES CCMP AES CCMP is part of the IEEE 802 11i enterprise Wi Fi ne...

Page 86: ...s to the enterprise Wi Fi network The Wi Fi enabled BlackBerry device is also compatible with VPN environments that use two factor authentication using hard tokens or software tokens for user credenti...

Page 87: ...BlackBerry Enterprise Solution 87 RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA TLS 2009 Research In Motion Limited All rights reserved www blackberry com...

Page 88: ...ry protocols that are designed to be secure to perform all communication necessary to obtain the seed on behalf of the RSA SecurID Library 6 The BlackBerry device imports the sdtid file seed If the ad...

Page 89: ...rived encryption key The protocol also uses blinding to prevent the BlackBerry Enterprise Server from reconstructing the derived key itself Cryptosystem parameters The BlackBerry Enterprise Server and...

Page 90: ...etermine which B the BlackBerry device used and hence which b to use verifies that D is a valid public key calculates K bD brdP rdB rK The BlackBerry Enterprise Server knows only rK and cannot calcula...

Page 91: ...rvices or the third party in any way EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION ALL CONDITIONS ENDORSEMENTS GUARANTEES REPRESENTATIONS OR WARRANTIES OF ANY KIN...

Page 92: ...r agreements applicable thereto with third parties except to the extent expressly covered by a license or other agreement with RIM Certain features outlined in this documentation require a minimum ver...

Reviews:

No comments