Extending messaging security using PGP encryption

You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to send and receive PGP® protected email messages and PGP protected PIN messages on a BlackBerry device. The BlackBerry Enterprise Solution supports the OpenPGP format and PGP/MIME format on the BlackBerry device.

To extend messaging security, you must instruct the BlackBerry device user to install the PGP® Support Package for BlackBerry® smartphones on the BlackBerry device and to transfer the PGP private key of the BlackBerry device user to the BlackBerry device. The BlackBerry device user can use the PGP private key to digitally sign, encrypt, and send PGP protected messages from the BlackBerry device. If a BlackBerry device user does not install the PGP Support Package for BlackBerry smartphones, the BlackBerry device displays an error message when the BlackBerry device user tries to open PGP protected messages.

To require the BlackBerry device user to use PGP encryption when forwarding or replying to messages, you can configure the PGP Force Digital Signature IT policy rule and the PGP Force Encrypted Messages IT policy rule.

The PGP Support Package for BlackBerry smartphones is designed to support encoding and decoding Unicode messages and permits PGP encryption using keys or passwords. The PGP Support Package for BlackBerry smartphones permits the BlackBerry device to encrypt PGP protected email messages or PGP protected PIN messages using a password that the sender and recipient both know.

For more information about the OpenPGP format, see RFC 2440. For more information about the PGP/MIME format, see RFC 3156.
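The PGP/MIME container that RFC 3156 defines, as an added example that is not BlackBerry code: it builds the multipart/encrypted layout with Python's standard email module and checks an incoming message against the required structure. The armored ciphertext is a constructed placeholder, not a real OpenPGP message.

```python
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed placeholder standing in for ASCII-armored OpenPGP ciphertext;
# it is not a real PGP message and cannot be decrypted.
FAKE_ARMORED = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEMA3BsYWNlaG9sZGVyLW5vdC1yZWFsLWNpcGhlcnRleHQ=\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime(armored, sender, recipient, subject):
    """Wrap already-encrypted OpenPGP data in the RFC 3156 multipart/encrypted layout."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = subject
    # Part 1 is the control part; RFC 3156 requires its body to be "Version: 1".
    control = MIMEApplication("Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    # Part 2 carries the armored OpenPGP message as application/octet-stream.
    body = MIMEApplication(armored, "octet-stream", _encoder=encoders.encode_7or8bit)
    outer.attach(control)
    outer.attach(body)
    return outer.as_bytes()


def validate_pgp_mime(raw):
    """Return RFC 3156 structural problems found in raw; an empty list means well-formed."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/encrypted":
        return ["outer part is not multipart/encrypted"]
    problems = []
    if msg.get_param("protocol") != "application/pgp-encrypted":
        problems.append("protocol parameter is not application/pgp-encrypted")
    parts = msg.get_payload()
    if len(parts) != 2:
        problems.append("expected exactly 2 body parts, found %d" % len(parts))
        return problems
    control, body = parts
    if control.get_content_type() != "application/pgp-encrypted":
        problems.append("first part is not application/pgp-encrypted")
    elif b"Version: 1" not in control.get_payload(decode=True):
        problems.append("control part lacks 'Version: 1'")
    if body.get_content_type() != "application/octet-stream":
        problems.append("second part is not application/octet-stream")
    elif b"-----BEGIN PGP MESSAGE-----" not in body.get_payload(decode=True):
        problems.append("second part does not carry an armored PGP MESSAGE")
    return problems
```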

PGP public keys and PGP private keys

The PGP® Support Package for BlackBerry® smartphones uses public key cryptography with PGP public keys and PGP private keys.

Key: PGP public key

Description: The PGP Support Package for BlackBerry smartphones uses the PGP public key of the recipient to encrypt outgoing email messages and the PGP public key of the sender to verify digital signatures on incoming email messages. The PGP public key is designed so that recipients and senders can distribute and access the key without compromising it. The PGP public key is typically stored on the PGP® Universal Server or an LDAP server.

Key: PGP private key

Description: The PGP Support Package for BlackBerry smartphones uses the PGP private key of the sender to digitally sign outgoing email messages and the PGP private key of the recipient to decrypt incoming email messages. To maintain security, you must make sure that the private key remains private to the key owner. The BlackBerry device stores the PGP private key.

Retrieving PGP keys from a PGP Universal Server or LDAP servers

If your organization’s environment includes a PGP® Universal Server, the administrator of the PGP Universal Server can configure the email policy of the PGP Universal Server. After a user installs the PGP® Support Package for BlackBerry® smartphones, a BlackBerry device can retrieve and enforce the email policy of the PGP Universal Server for all email messages that the user sends.

The BlackBerry device is designed to use the BlackBerry MDS Connection Service to connect to the PGP Universal Server or any LDAP server that a user specifies on the BlackBerry device or that you specify using the BlackBerry Administration Service. The BlackBerry MDS Connection Service uses standard protocols, such as HTTP and TCP/IP, to permit the BlackBerry device to retrieve PGP public keys, PGP key status, and X.509 certificate status from the PGP Universal Server or an LDAP server over the wireless network. The BlackBerry MDS Connection Service can connect to LDAP servers using LDAPS.

Encryption algorithms that the BlackBerry device supports for PGP encryption

When you turn on PGP® encryption, the default value of the PGP Allowed Content Ciphers IT policy rule specifies that a BlackBerry® device can use any of the following encryption algorithms to encrypt email messages and PIN messages: AES-256, AES-192, AES-128, CAST-128, or Triple DES-168. You can change the value to use a subset of the encryption algorithms if your organization’s security policies require it.

The PGP public key of the recipient indicates which encryption algorithm the recipient’s email application supports, and the BlackBerry device is designed to use that encryption algorithm. By default, if the PGP public key of the recipient does not include a list of encryption algorithms, the BlackBerry device encrypts the email message or PIN message using Triple DES.
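The cipher-selection rule in the two paragraphs above, as an added example that is not BlackBerry code: the recipient key's preference list decides, within the set that the PGP Allowed Content Ciphers IT policy rule permits, and Triple DES is the fallback when the key lists nothing. Representing the policy value as a list of the page's cipher names, and returning no cipher when policy and key preferences do not overlap, are both assumptions of this example; the numbers are the OpenPGP symmetric-key algorithm IDs.

```python
from typing import Optional, Sequence

# OpenPGP symmetric-key algorithm IDs for the ciphers named by the
# PGP Allowed Content Ciphers IT policy rule.
CIPHER_IDS = {
    "AES-256": 9,
    "AES-192": 8,
    "AES-128": 7,
    "CAST-128": 3,
    "Triple DES-168": 2,
}
ID_TO_NAME = {v: k for k, v in CIPHER_IDS.items()}

# Default policy value as the page states it, and the documented fallback.
DEFAULT_ALLOWED = ("AES-256", "AES-192", "AES-128", "CAST-128", "Triple DES-168")
FALLBACK = "Triple DES-168"


def select_content_cipher(recipient_prefs: Sequence[int],
                          allowed: Sequence[str] = DEFAULT_ALLOWED) -> Optional[str]:
    """Choose the content cipher for one recipient.

    recipient_prefs: algorithm IDs from the recipient key's preferred
    symmetric algorithms, most preferred first (empty if the key has none).
    allowed: cipher names the IT policy rule permits (assumed representation).
    Returns the cipher name, or None when nothing the policy permits is
    acceptable to the recipient (assumed behaviour for this example).
    """
    unknown = [name for name in allowed if name not in CIPHER_IDS]
    if unknown:
        raise ValueError("unsupported cipher in policy: %s" % ", ".join(unknown))
    allowed_ids = {CIPHER_IDS[name] for name in allowed}
    if not recipient_prefs:
        # Key lists no algorithms: the page says Triple DES is used by default.
        return FALLBACK if CIPHER_IDS[FALLBACK] in allowed_ids else None
    # Honour the recipient's order; skip anything the policy excludes
    # (including IDs such as 10 = Twofish that the device does not offer).
    for alg in recipient_prefs:
        if alg in allowed_ids:
            return ID_TO_NAME[alg]
    return None
```

Restricting the policy to a subset (for example AES-256 only) can leave a recipient whose key lists no preferences without any usable cipher, which is the case the None return surfaces.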

Process flow: Sending an email message using PGP encryption

This diagram shows the elements that are described in the following process flow.

If a sender installs the PGP® Support Package for BlackBerry® smartphones on a BlackBerry device, the BlackBerry device encrypts outgoing email messages.

  1. The BlackBerry device performs the following actions:
    1. uses the BlackBerry MDS Connection Service to retrieve the PGP public key of the recipient from the PGP® Universal Server or LDAP server
    2. encrypts the email message using the PGP public key of the recipient
    3. uses BlackBerry transport layer encryption to encrypt the PGP encrypted message
    4. sends the message that is encrypted using BlackBerry transport layer encryption and PGP encryption to the BlackBerry® Enterprise Server
  2. The BlackBerry Enterprise Server removes the BlackBerry transport layer encryption and sends the PGP encrypted message to the recipient.

Process flow: Receiving a PGP encrypted message

This diagram shows the elements that are described in the following process flow.

If a recipient installs the PGP® Support Package for BlackBerry® smartphones on a BlackBerry device, the BlackBerry device decrypts incoming PGP encrypted messages.

  1. A sender uses the PGP technology on the email application to encrypt an email message using the PGP public key of the recipient.
  2. The BlackBerry® Enterprise Server performs the following actions:
    1. retrieves the email message from the messaging server
    2. uses BlackBerry transport layer encryption to encrypt the PGP encrypted message
    3. sends the email message encrypted using BlackBerry transport layer encryption and PGP encryption to the BlackBerry device
  3. The BlackBerry device performs the following actions:
    1. decrypts the BlackBerry transport layer encryption and stores the PGP encrypted message in the flash memory of the BlackBerry device
    2. decrypts the PGP encrypted message using the PGP private key of the recipient and displays the contents of the email message when the recipient opens the email message on the BlackBerry device
