Authenticating data that a BlackBerry device sends to the BlackBerry MDS Integration Service

When a BlackBerry® device sends data to the BlackBerry MDS Integration Service, the BlackBerry MDS security protocol uses HMAC to authenticate part of each message header and the message content, and it encrypts the MAC of each BlackBerry MDS message header. If necessary, the BlackBerry MDS security protocol also encrypts the content of each message.

The BlackBerry MDS security protocol uses a session key to authenticate data that the BlackBerry device sends to the BlackBerry MDS Integration Service. The BlackBerry device and the BlackBerry MDS Integration Service share the same session key, which is stored in the BlackBerry Configuration Database. The BlackBerry MDS security protocol uses AES-128 in CBC mode with PKCS #5 padding to encrypt the stored session key using the database access key of the database server. The BlackBerry MDS security protocol also uses AES-128 in CBC mode with PKCS #5 padding, keyed with the session key, to encrypt and decrypt the data that the BlackBerry device and the BlackBerry MDS Integration Service send to each other.

Using SSL to connect to web services

The BlackBerry® MDS Integration Service uses a certificate to permit client authentication between the BlackBerry MDS Integration Service and web services. By default, the BlackBerry MDS Integration Service generates a self-signed certificate when it starts after the BlackBerry MDS Integration Service installation process completes or when it cannot locate a certificate in the BlackBerry MDS Integration Service key store. You can replace the self-signed certificate with a signed certificate if the security policies in your organization require it.

If the BlackBerry MDS Integration Service must use SSL to connect to web services, you must export the certificate to the web services so that they can authenticate communication with the BlackBerry MDS Integration Service. If a BlackBerry® MDS Runtime Application must use SSL to connect to web services, you can configure the BlackBerry® Enterprise Server to verify that the certificate chain for the certificate is strong enough. You can use the Weak Digest Algorithms IT policy rule to identify the algorithms that the BlackBerry device and the BlackBerry Enterprise Server should consider weak. After you configure authentication between the BlackBerry MDS Integration Service and web services, you can configure the BlackBerry device to install only BlackBerry MDS Runtime Applications that use SSL.

For more information, see the BlackBerry Enterprise Server Administration Guide.

Process flow: Registering a BlackBerry device with a BlackBerry MDS Integration Service

  1. A BlackBerry® device performs the following actions:
    • generates an AES-128 session key
    • uses RSA-1024 with PKCS #1 padding to encrypt the AES session key
    • sends the encrypted AES-128 session key to the BlackBerry MDS Integration Service
    • stores the AES-128 session key in flash memory
  2. The BlackBerry MDS security protocol on the BlackBerry MDS Integration Service uses AES-128 in CBC mode with PKCS #5 padding to encrypt the AES-128 session key using an AES-128 database access key.
  3. The BlackBerry MDS Integration Service stores the encrypted AES-128 session key in the BlackBerry MDS Integration Service database and stores the AES-128 database access key in the database key store.
  4. The BlackBerry MDS security protocol on the BlackBerry MDS Integration Service and BlackBerry device uses HMAC with a SHA-1 hash function and the 128-bit shared secret key to authenticate data that the BlackBerry device and BlackBerry MDS Integration Service send between each other.

The BlackBerry MDS security protocol uses AES-128 in CBC mode with PKCS #5 padding to encrypt and decrypt data that a BlackBerry device and BlackBerry MDS Integration Service send between each other.
