manualshive.com logo in svg

Blackberry Enterprise Server 4.1, Обзор, Страница: 53 / 92

Поделиться
Скачать
Blackberry Enterprise Server 4.1 Скачать руководство пользователя страница 53

BlackBerry Enterprise Solution 

53

 

 

The BlackBerry Smart Card Reader integrates smart card use with the BlackBerry Enterprise Solution, enabling 
BlackBerry device users to authenticate with their smart cards to login to certain Bluetooth enabled BlackBerry 
devices. 

The BlackBerry Smart Card Reader  

 

creates a reliable two-factor authentication environment for granting BlackBerry device users access to 
BlackBerry and PKI applications 

 

is designed to enable the wireless digital signing and encryption of wireless email messages using the 
S/MIME Support Package for BlackBerry devices  

 

stores all encryption keys in RAM only and never writes the keys to flash memory 

For more information, see the 

BlackBerry Smart Card Reader Security Technical Overview

Binding the smart card to the BlackBerry device 

If a user has a smart card authenticator, smart card driver, and smart card reader driver installed on their 
BlackBerry device, either the BlackBerry Enterprise Server administrator or that user can initiate two-factor 
authentication on the BlackBerry device to bind the BlackBerry device to the installed smart card. After the 
BlackBerry device binds to the smart card, it requires that smart card to authenticate the user.  

The BlackBerry Enterprise Server administrator can set the Force Smart Card Two-Factor Authentication IT policy 
rule in the BlackBerry Manager to require that a user authenticates with the BlackBerry device using a smart 
card. If the BlackBerry Enterprise Server administrator does not force the user to authenticate with the 
BlackBerry device using a smart card, the user can turn two-factor authentication on and off with their smart 
card by setting the User Authenticator field in the BlackBerry device Security Options.  

When the BlackBerry Enterprise Server administrator or the user enables two-factor authentication, the following 
events occur: 

1.

 

The BlackBerry device locks. 

2.

 

When a user tries to unlock the BlackBerry device, the BlackBerry device prompts the user to type the 
BlackBerry device password. If the user has not yet set a BlackBerry device password, the BlackBerry device 
forces them to set one. 

3.

 

The BlackBerry device prompts the user to type the user authenticator (smart card) password to turn on 
two-factor authentication with the installed smart card. 

4.

 

The BlackBerry device binds to the installed smart card automatically by storing the following smart card 
binding information in a special BlackBerry device NV store location that is inaccessible to a user: 

 

the name of a Java class that the BlackBerry Smart Card Reader requires 

 

the binding information format 

 

the smart card type 

Note

: For the Common Access Card, this string is “GSA CAC”. 

 

the name of a Java class that the smart card code requires 

 

a unique 64-bit identifier that the smart card provides  

 

a smart card label that the smart card provides (for example, “GRAHAM.JOHN.1234567890”) 

5.

 

The BlackBerry device pushes the current IT policy to the BlackBerry Smart Card Reader. 

Confirming that the BlackBerry device is bound to the correct smart card 

After a user turns on two-factor authentication, whenever the BlackBerry device prompts the user to insert the 
smart card into the BlackBerry Smart Card Reader, the BlackBerry device prompt indicates the label and the card 
type of the correct (bound) smart card. If the BlackBerry device is running BlackBerry Device Software Version 
3.6 with either the S/MIME Support Package Version 1.5 for BlackBerry devices installed or no S/MIME Support 

www.blackberry.com 

 

Содержание Enterprise Server 4.1

Страница 1: ...prise Solution Security Technical Overview for BlackBerry Enterprise Server Version 4 1 Service Pack 6 and BlackBerry Device Software Version 4 6 2009 Research In Motion Limited All rights reserved ww...

Страница 2: ...ing unsecured messaging 21 Extending BlackBerry device messaging security 22 PGP Support Package for BlackBerry devices 22 PGP encryption 23 S MIME Support Package for BlackBerry devices 24 S MIME enc...

Страница 3: ...segmented network architecture to prevent the spread of malware on your organization s network 46 Protecting Wi Fi connections to the BlackBerry Enterprise Solution 46 Enterprise Wi Fi network solutio...

Страница 4: ...S and WTLS standards that the RIM Crypto API supports 72 Key establishment algorithm cipher suites that the RIM Crypto API supports 72 Symmetric algorithms that the RIM Crypto API supports 73 Hash alg...

Страница 5: ...ods and encryption algorithms with which the BlackBerry device supports the use of CCKM 85 VPN solution on the Wi Fi enabled BlackBerry device 86 Appendix I Algorithm suites that the BlackBerry device...

Страница 6: ...y device BlackBerry Device Software BlackBerry Desktop Software and the BlackBerry Enterprise Server is designed to protect your organization from data loss or alteration in the event of malicious int...

Страница 7: ...nd the message to the BlackBerry device If message failure occurs the BlackBerry device prompts the BlackBerry device user to generate a new master encryption key BlackBerry Enterprise Solution securi...

Страница 8: ...rotected email or PIN message BlackBerry Enterprise Server Version 4 1 SP6 or later BlackBerry Device Software Version 4 6 or later On supported BlackBerry devices that have the PGP Support Package fo...

Страница 9: ...t match the BlackBerry device and the BlackBerry Enterprise Server cannot decrypt and must therefore discard messages that they receive Where master encryption keys are stored The BlackBerry Configura...

Страница 10: ...ry device when the BlackBerry device user connects the BlackBerry device to the computer The current key then becomes the new previous key and the pending key becomes the new current key How the messa...

Страница 11: ...aster encryption key generation function uses the current time as the seed for the C language srand function The master encryption key generation function then gathers entropy randomness using the fol...

Страница 12: ...public keys and the ECMQV algorithm to negotiate a common key in such a way that an unauthorized party cannot calculate the same key This protocol achieves perfect forward secrecy The new master encr...

Страница 13: ...signed to seed a DSA PRNG function to generate a message key using the following process 1 The BlackBerry device obtains random data from multiple sources for the seed using a technique derived from t...

Страница 14: ...cryptography standard For more information see Appendix E Process for deriving encryption keys that protect the keys used with content protection on page 77 5 The BlackBerry device uses the ephemeral...

Страница 15: ...en the BlackBerry device receives data encrypted with a master encryption key while it is locked it uses the grand master key to decrypt the required master encryption key in flash memory and receive...

Страница 16: ...electromagnetic analysis countermeasure protection that is designed to address the potential of side channel attacks against the BlackBerry device The AES implementation uses masking countermeasures...

Страница 17: ...age 2 The BlackBerry device encrypts the message using the message key 3 The BlackBerry device encrypts the message key using the master encryption key which is unique to that BlackBerry device 4 The...

Страница 18: ...cations if not functioning correctly might impact the security usability and performance of the BlackBerry Enterprise Solution and might cause loss of BlackBerry device data To use the third party enc...

Страница 19: ...connection from the BlackBerry Enterprise Server to the BlackBerry Infrastructure is a two way TCP connection on port 3101 The BlackBerry Infrastructure directs messages from the BlackBerry device to...

Страница 20: ...actions can occur automatically when the user opens the message or when the user requests the actions manually 1 The BlackBerry device sends the message key and a request for the attachment header dat...

Страница 21: ...d resend the peer to peer encryption key for BlackBerry device users in the BlackBerry Manager Text messaging Text messaging using SMS and MMS are available on some BlackBerry devices Supported BlackB...

Страница 22: ...receive PGP protected messages in OpenPGP and PGP MIME formats using their computer email applications to send and receive PGP protected messages in these formats using their BlackBerry devices The PG...

Страница 23: ...is designed to be distributed and accessed by message recipients and senders without compromising security conditions PGP private key The BlackBerry device uses the PGP private key to digitally sign...

Страница 24: ...ckBerry devices with the S MIME Support Package for BlackBerry devices installed can decrypt messages that are encrypted using S MIME encryption and BlackBerry device users can read the decrypted mess...

Страница 25: ...n the BlackBerry device the BlackBerry device decrypts the S MIME encrypted message and renders the message contents If the message is encrypted with a shared password the BlackBerry device user types...

Страница 26: ...Notes encrypted messages or S MIME encrypted messages that the BlackBerry devices decrypted the BlackBerry devices send the messages to the recipients as plain text The BlackBerry Enterprise Server ad...

Страница 27: ...very Lotus Notes encrypted message the user receives on the BlackBerry device Visit www blackberry com knowledgecenterpublic to view the article KB 12420 How to Change the length of time for which the...

Страница 28: ...on the BlackBerry device An IT policy is a collection of one or more IT policy rules An IT administration command is a function that the BlackBerry Enterprise Server administrator can send over the w...

Страница 29: ...memory for example from a USB mass storage device access control to objects on the external memory device using code signing with 1024 bit RSA The external memory device stores encrypted copies of the...

Страница 30: ...a BlackBerry device user turns on content protection on the BlackBerry device the BlackBerry device uses content protection to encrypt user data items including the following Item Description AutoText...

Страница 31: ...age 14 Protected storage of master encryption keys on a locked BlackBerry device If the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys the BlackBerry...

Страница 32: ...Berry device applications to empty any caches and free memory associated with unused sensitive application data automatically overwrites the memory freed by the memory cleaner application when it runs...

Страница 33: ...hitecture For more information on the BlackBerry Enterprise Server architecture see the BlackBerry Enterprise Server Feature and Technical Overview To improve the security and performance of the Black...

Страница 34: ...atabase the BlackBerry Configuration Database stores BlackBerry services that might otherwise require access to the messaging server can access encryption keys and passwords through the BlackBerry Con...

Страница 35: ...your organization must change the account associated with a Microsoft SQL Server service the system administrator should use the SQL Server Enterprise Manager to do so The SQL Server Enterprise Manag...

Страница 36: ...d the Default IT policy and the IT policy public key to the BlackBerry device before the BlackBerry device can communicate with the new BlackBerry Enterprise Server The new BlackBerry Configuration Da...

Страница 37: ...which terminate the SRP connection if they receive unrecognized packets the BlackBerry Infrastructure does not send basic information packets to the BlackBerry Enterprise Server until the BlackBerry...

Страница 38: ...ication from the BlackBerry Infrastructure of when the BlackBerry device changes state When the BlackBerry device state indicates that it can send and receive messages over the wireless network the Bl...

Страница 39: ...ise Server and the BlackBerry device use the same authentication information to validate each other that the SRP authentication handshake sequence uses to determine whether or not the BlackBerry Enter...

Страница 40: ...erprise Server and the BlackBerry device use the initial key establishment protocol to establish a master encryption key The BlackBerry Enterprise Server and the BlackBerry device verify the master en...

Страница 41: ...r encryption key Only the BlackBerry device and BlackBerry Enterprise Server have the correct valid master encryption key The BlackBerry Enterprise Server encrypts data traffic between specific compon...

Страница 42: ...ame and key The GroupWise server verifies the trusted application name and key and permits the BlackBerry Enterprise Server to establish a connection to the BlackBerry device user s GroupWise database...

Страница 43: ...rotocol are strong enough Using a secure connection to push BlackBerry MDS Studio Applications to BlackBerry devices After the system administrator configures authentication between the BlackBerry MDS...

Страница 44: ...rypted and is not decrypted at the Connection Service Use handheld mode TLS SSL when only the endpoints of the transaction are trusted for example with banking services Note BlackBerry devices with Bl...

Страница 45: ...over a 521 bit curve 2 Signs the ECDSA key using a stored root certificate 3 Signs the wireless software upgrade communication that it sends to the BlackBerry device using the digitally signed ECDSA k...

Страница 46: ...computer in its own network segment Placing the BlackBerry Enterprise Solution components in segmented network architecture is an option designed to prevent the spread of potential attacks from one Bl...

Страница 47: ...ically to access the mobile network provider s voice and data services The Wi Fi enabled BlackBerry device and the BlackBerry Infrastructure send all data between them over the established SSL connect...

Страница 48: ...CMP encryption for WPA Personal WPA2 Personal WPA Enterprise and WPA2 Enterprise Layer 3 security Use VPNs the only layer 3 security method that the BlackBerry device currently supports at the IP laye...

Страница 49: ...ckBerry devices from the BlackBerry Manager using wireless IT commands and IT policy rules The enterprise Wi Fi network solution includes specific IT policy rules for the security of the enterprise Wi...

Страница 50: ...Wi Fi network communications but it relies on a single shared passphrase of up to 256 bits in length for access control All access points and wireless clients must know the passphrase The supported Wi...

Страница 51: ...cess point can cache a PMK which is derived from keying material that the EAP exchange generates PMK caching reuses previously established keying material to skip IEEE 802 1x authentication and mutual...

Страница 52: ...BlackBerry device user must have a valid email address for the BlackBerry device to activate successfully and register with the wireless network Authenticating a user to a BlackBerry device using a p...

Страница 53: ...smart card by setting the User Authenticator field in the BlackBerry device Security Options When the BlackBerry Enterprise Server administrator or the user enables two factor authentication the follo...

Страница 54: ...ckBerry Enterprise Server administrator can use either of the following methods to change the default behavior of BlackBerry devices and BlackBerry Desktop Software in your organization set the values...

Страница 55: ...and the BlackBerry Desktop Software behavior over the wireless network By default the BlackBerry Enterprise Server is designed to resend the IT policy to BlackBerry devices of users that are assigned...

Страница 56: ...e packages The wireless service provider cannot select available BlackBerry Device Software upgrade packages and send them to BlackBerry devices unless you set the BES Upgrade Exclusivity flag in the...

Страница 57: ...ption Description Turn off the GPS feature on BlackBerry devices The following measures prevent third party applications and preloaded BlackBerry applications from accessing the global position of the...

Страница 58: ...server If a tool that is running on a potentially untrusted computer tries to open a USB connection to a BlackBerry device the BlackBerry device sends a random challenge to the computer The RIM tool a...

Страница 59: ...rules that are designed to enable the BlackBerry Enterprise Server administrator to prevent BlackBerry devices from downloading third party applications over the wireless network specify whether or no...

Страница 60: ...opers who create controlled access third party APIs can act as a signing authority for those APIs The application developer can download and install the BlackBerry Signing Authority Tool to allow othe...

Страница 61: ...r to allow the user to terminate the process of erasing data from and making the BlackBerry device unavailable during the delay period The BlackBerry Enterprise Server administrator can use this comma...

Страница 62: ...standard security wipe with Include third party applications option selected on device This method of removing BlackBerry device data is initiated by the BlackBerry device user locally on the BlackBer...

Страница 63: ...e BlackBerry device The user types the password incorrectly more times than the Set Maximum Password Attempts IT policy rule allows on the BlackBerry device The default is ten attempts The BlackBerry...

Страница 64: ...tored IT policy third party applications and application data When the BlackBerry device reverts to its factory default settings it overwrites BlackBerry device internal memory and if content protecti...

Страница 65: ...Berry device has not successfully received IT policy updates or IT administration commands the BlackBerry device permanently deletes its user and application data Secure Wipe Delay After Lock Set this...

Страница 66: ...ool Administrator Guide the BlackBerry Signing Authority Tool implementation of public key cryptography installing setting up and managing the BlackBerry Signing Authority Tool restricting access to A...

Страница 67: ...ecurity Technical Overview PGP security and encryption using PGP Universal Server to store and manage PGP keys searching for and validating PGP keys sending and receiving PGP messages PGP Support Pack...

Страница 68: ...g S MIME options for digitally signing and encrypting messages sending and receiving S MIME messages Security for BlackBerry Devices with Bluetooth Wireless Technology Bluetooth wireless technology ov...

Страница 69: ...or directly access the encryption code because all calls to the native C encryption code are routed through the JDE Java code Cryptographic functionality that the RIM Crypto API provides Symmetric blo...

Страница 70: ...equired message digest code SHA 1 SHA 256 SHA 384 or SHA 512 or RIPEMD 160 512 to 4096 integer factorization RSA using PSS 512 to 4096 integer factorization ECDSA 160 to 571 EC discrete logarithm ECNR...

Страница 71: ...BlackBerry Enterprise Solution 71 Code Digest length bits RIPEMD 128 160 128 160 www blackberry com...

Страница 72: ...imitations Cipher suite type Typical component limitation in bits export RSA and DH 1024 bits or less EC 163 bits or less non export non elliptic curve operations 4096 bits elliptic curve operations 5...

Страница 73: ...40 RC4 56 RC5 56 DES RC4 128 RC5 64 Triple DES DES 40 RC5 DES RC5 128 Triple DES DES 40 AES 128 DES AES 256 RC4 128 RC4 128 Triple DES Hash algorithms that the RIM Crypto API supports Direct mode SSL...

Страница 74: ...his way until accumulating at least 8 bits 2 The rand function generates a random integer 3 The BlackBerry Enterprise Server or BlackBerry Desktop Software examines the integer s least significant bit...

Страница 75: ...aster encryption key 7 The BlackBerry device overwrites flash memory with zeroes 8 The BlackBerry device memory scrub process overwrites the BlackBerry device heap in RAM changing the state of each bi...

Страница 76: ...d later If content protection is turned on to overwrite the BlackBerry device NAND flash memory during a BlackBerry device wipe by writing a single character before clearing the data the BlackBerry de...

Страница 77: ...s is intended to keep two identical passwords from turning into the same key 2 The BlackBerry device concatenates the salt the password and the salt again into a byte array Salt Password Salt 3 The Bl...

Страница 78: ...when content protection is turned on During the initial AES algorithm calculation the following actions occur 1 The BlackBerry device performs the masking operation by creating a mask table M where ea...

Страница 79: ...hat the key schedule calculates for each round of encryption with random values and any S Box masks that the AES algorithm requires to operate How the AES algorithm calculation uses masks The BlackBer...

Страница 80: ...elliptic curve scalar multiplication where x is the scalar and R is a point on E Fq s the master encryption key value h the SHA 512 hash of s How the BlackBerry Router protocol uses the Schnorr ident...

Страница 81: ...ise Server picks a random value eD where 1 eD p 1 9 The BlackBerry Enterprise Server sends RB eD and KeyID to the BlackBerry device 10 The BlackBerry Router observes the data that the BlackBerry Enter...

Страница 82: ...ckBerry Enterprise Server sends the value RC to the BlackBerry Router to initiate connection closure 4 The BlackBerry Router performs the following calculations checks that when the value RC approache...

Страница 83: ...for supplicant authentication with an authentication server by creating an encrypted tunnel between the supplicant and the authentication server using TLS using the TLS tunnel to send the supplicant a...

Страница 84: ...ion The BlackBerry device supports EAP MS CHAPv2 and EAP GTC as second phase protocols that the BlackBerry device can use with EAP FAST for the authentication credential exchange EAP SIM EAP SIM is de...

Страница 85: ...distribution to a wireless client The Wi Fi enabled BlackBerry device supports the use of TKIP with EAP TLS EAP TTLS EAP FAST PEAP PSK AES CCMP AES CCMP is part of the IEEE 802 11i enterprise Wi Fi ne...

Страница 86: ...s to the enterprise Wi Fi network The Wi Fi enabled BlackBerry device is also compatible with VPN environments that use two factor authentication using hard tokens or software tokens for user credenti...

Страница 87: ...BlackBerry Enterprise Solution 87 RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA TLS 2009 Research In Motion Limited All rights reserved www blackberry com...

Страница 88: ...ry protocols that are designed to be secure to perform all communication necessary to obtain the seed on behalf of the RSA SecurID Library 6 The BlackBerry device imports the sdtid file seed If the ad...

Страница 89: ...rived encryption key The protocol also uses blinding to prevent the BlackBerry Enterprise Server from reconstructing the derived key itself Cryptosystem parameters The BlackBerry Enterprise Server and...

Страница 90: ...etermine which B the BlackBerry device used and hence which b to use verifies that D is a valid public key calculates K bD brdP rdB rK The BlackBerry Enterprise Server knows only rK and cannot calcula...

Страница 91: ...rvices or the third party in any way EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION ALL CONDITIONS ENDORSEMENTS GUARANTEES REPRESENTATIONS OR WARRANTIES OF ANY KIN...

Страница 92: ...r agreements applicable thereto with third parties except to the extent expressly covered by a license or other agreement with RIM Certain features outlined in this documentation require a minimum ver...

Отзывы:

Нет отзывов