Extending messaging security using S/MIME encryption

You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device.

To extend messaging security, you or the BlackBerry device user must install the S/MIME Support Package for BlackBerry® smartphones on the BlackBerry device and transfer the S/MIME private key of the BlackBerry device user to the BlackBerry device. The S/MIME Support Package for BlackBerry smartphones is designed to work with email applications such as Microsoft® Outlook®, Microsoft Outlook Express, and IBM® Lotus Notes®, and with PKIs such as Netscape®, Entrust Authority™ Security Manager version 5 and later, and Microsoft certification authorities.

The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device. If the BlackBerry® Enterprise Server receives an S/MIME-encrypted message but the BlackBerry device user did not install the S/MIME Support Package for BlackBerry smartphones, the BlackBerry Enterprise Server sends a message to the BlackBerry device to indicate that the BlackBerry device does not support S/MIME-encrypted messages.

After the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device user can synchronize and manage S/MIME certificates and S/MIME private keys using the certificate synchronization tool of the BlackBerry® Desktop Manager. The BlackBerry Enterprise Server does not apply an appended disclaimer to S/MIME-protected messages that the BlackBerry device user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.

To require the BlackBerry device user to use S/MIME encryption when forwarding or replying to messages, you can configure the S/MIME Force Digital Signature IT policy rule and the S/MIME Force Encrypted Messages IT policy rule.

The S/MIME Support Package for BlackBerry smartphones is also designed to support the following features:
  • encoding and decoding of Unicode messages
  • ability to use a password, which the sender and recipient each know, to encrypt S/MIME-protected email messages or PIN messages
  • ability to read S/MIME certificates that are stored on a smart card

S/MIME certificates and S/MIME private keys

The S/MIME Support Package for BlackBerry® smartphones uses public key cryptography with S/MIME certificates and S/MIME private keys to encrypt and decrypt email messages and PIN messages. The S/MIME Support Package for BlackBerry smartphones uses PKI protocols to search for and retrieve S/MIME certificates and certificate status over the wireless network.

S/MIME certificate
  • When a user sends an email message or PIN message from a BlackBerry device, the BlackBerry device uses the S/MIME certificate of the recipient to encrypt the message.
  • When a user receives a signed email message or signed PIN message on a BlackBerry device, the BlackBerry device uses the S/MIME certificate of the sender to verify the message signature.

S/MIME private key
  • When a user sends a signed email message or signed PIN message from a BlackBerry device, the BlackBerry device hashes the message using SHA-1, SHA-2, or MD5. The BlackBerry device then uses the S/MIME private key of the user to digitally sign the message hash.
  • When a user receives an encrypted email message or encrypted PIN message on a BlackBerry device, the BlackBerry device uses the private key of the user to decrypt the message. The BlackBerry device stores the private key.

Retrieving S/MIME certificates and checking certificate status

The S/MIME Support Package for BlackBerry® smartphones is designed so that the BlackBerry device and the certificate synchronization tool of the BlackBerry® Desktop Manager can perform the following actions:
  • use LDAP, LDAPS, or DSML to search for and retrieve S/MIME certificates of recipients from LDAP servers or DSML certificate servers
  • use OCSP to check the revocation status of S/MIME certificates
  • retrieve the revocation status of S/MIME certificates from a certificate revocation list

S/MIME encryption algorithms

When you turn on S/MIME encryption, the default value of the S/MIME Allowed Content Ciphers IT policy rule specifies that a BlackBerry® device can use any of the following encryption algorithms to encrypt messages: AES-256, AES-192, AES-128, CAST-128, RC2-128, or Triple DES. By default, the BlackBerry device cannot use the RC2-64 algorithm and RC2-40 algorithm to encrypt S/MIME messages. You can change the value of the S/MIME Allowed Content Ciphers IT policy rule to use a subset of the encryption algorithms if your organization’s security policies require it.

If a BlackBerry device user wants to send an email message to a recipient that the user previously received an email message from, the BlackBerry device is designed to store the encryption algorithms that the recipient’s email application can support, and use one of those encryption algorithms. By default, if the BlackBerry device cannot determine the encryption algorithms that the recipient’s email application can support, the BlackBerry device encrypts the email message using Triple DES.

You can use the Weak Digest Algorithms IT policy rule to specify the algorithms that your organization considers to be weak. The BlackBerry device uses the list of weak algorithms in the Weak Digest Algorithms IT policy rule when the BlackBerry device verifies the following information:

  • An S/MIME-enabled application did not use a weak algorithm to generate the digital signatures on the email messages that the BlackBerry device receives.
  • The certificate chains for the certificates that an S/MIME-enabled application used to digitally sign email messages that the BlackBerry device receives do not contain hash values generated using a weak algorithm.
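The following is an added example, not BlackBerry code, that models the two IT policy rules described in this section: choosing a content cipher from the S/MIME Allowed Content Ciphers list (with the Triple DES fallback when the recipient's capabilities are unknown) and applying the Weak Digest Algorithms list to a received signature and its certificate chain. The rule names and default cipher list come from the page; the strongest-first ordering, the cached-capabilities format and the finding texts are assumptions.

```python
# Added example (not BlackBerry's code). Default list of the S/MIME Allowed
# Content Ciphers IT policy rule, taken from the page; ordering strongest
# first is an assumption (the page does not state a preference order).
DEFAULT_ALLOWED_CIPHERS = ["AES-256", "AES-192", "AES-128",
                           "CAST-128", "RC2-128", "Triple DES"]
FALLBACK_CIPHER = "Triple DES"  # used when recipient capabilities are unknown


def select_content_cipher(recipient_caps, allowed=DEFAULT_ALLOWED_CIPHERS):
    """Pick the content-encryption cipher for one recipient.

    recipient_caps: ciphers remembered from a message the recipient sent
    earlier (assumed to be a list of names), or None if nothing is cached.
    Returns the first policy-allowed cipher the recipient supports; falls
    back to Triple DES when the capabilities are unknown, as the page says.
    """
    if recipient_caps is None:
        if FALLBACK_CIPHER not in allowed:
            raise ValueError("fallback cipher is excluded by policy")
        return FALLBACK_CIPHER
    for cipher in allowed:  # walk the policy list in preference order
        if cipher in recipient_caps:
            return cipher
    # RC2-64 / RC2-40-only recipients end up here under the default policy.
    raise ValueError("recipient supports no policy-allowed cipher")


def check_weak_digests(signature_digest, chain_digests, weak_algorithms):
    """Apply the Weak Digest Algorithms IT policy rule to a signed message.

    signature_digest: digest the sender used to generate the signature.
    chain_digests: digest used to sign each certificate in the signer's
    chain, leaf first (constructed list of names for this example).
    Returns a list of findings; an empty list means the checks pass.
    """
    weak = {a.upper() for a in weak_algorithms}
    findings = []
    if signature_digest.upper() in weak:
        findings.append(f"message signature uses weak digest {signature_digest}")
    for depth, digest in enumerate(chain_digests):
        if digest.upper() in weak:
            findings.append(
                f"certificate at chain depth {depth} signed with weak digest {digest}")
    return findings
```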

Process flow: Sending an email message using S/MIME encryption

This diagram shows the elements that are described in the following process flow.

If a sender installs the S/MIME Support Package for BlackBerry® smartphones on a BlackBerry device, the BlackBerry device encrypts outgoing email messages.

  1. The BlackBerry device performs the following actions:
    1. checks the BlackBerry device key store for the S/MIME certificate of the recipient
    2. if the BlackBerry device key store does not include the S/MIME certificate of the recipient, uses the BlackBerry MDS Connection Service to retrieve the S/MIME certificate of the recipient from the LDAP server or DSML server and verify the certificate status
    3. encrypts the email message with the S/MIME certificate of the recipient or a password that the sender specifies
    4. if the sender specifies a password, combines the password with random bytes to generate an encryption key that is specific to S/MIME encryption
    5. uses BlackBerry transport layer encryption to encrypt the S/MIME-encrypted message
    6. sends the message that is encrypted using BlackBerry transport layer encryption and S/MIME encryption to the BlackBerry® Enterprise Server
  2. The BlackBerry Enterprise Server decrypts the BlackBerry transport layer encryption and sends the S/MIME-encrypted message to the recipient.
  3. The recipient decrypts the S/MIME-encrypted message using the S/MIME private key or a password that the sender provides.
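Step 4 of the sending flow says the device combines the sender's password with random bytes to produce a message-specific key. The following added example, not BlackBerry code, shows why that matters: the random salt is generated fresh per message and travels with the message, the key itself never does, and the recipient re-derives the key from the typed password. PBKDF2-HMAC-SHA256, the iteration count, the salt length and the key-confirmation tag are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not BlackBerry's code). PBKDF2-HMAC-SHA256 with a random
# 16-byte salt is an assumed way to "combine the password with random bytes";
# the page does not name the derivation function.
SALT_LEN = 16
ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit content-encryption key
CONFIRM_LABEL = b"smime-password-key-confirm"  # constructed label for the tag


def derive_message_key(password: str, salt: bytes) -> bytes:
    """Derive the content-encryption key from the shared password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS, KEY_LEN)


def sender_protect(password: str):
    """Sender side. Returns (salt, tag, key).

    salt and tag accompany the S/MIME-encrypted message; key is used locally
    to encrypt the content and is never transmitted. A fresh salt per message
    means two messages sent with the same password never share a key.
    """
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_message_key(password, salt)
    tag = hmac.new(key, CONFIRM_LABEL, "sha256").digest()
    return salt, tag, key


def recipient_recover_key(password: str, salt: bytes, tag: bytes):
    """Recipient side. Re-derives the key from the typed password.

    Returns the key when the password matches, or None when it does not,
    so a wrong password is detected before any decryption is attempted.
    """
    key = derive_message_key(password, salt)
    expected = hmac.new(key, CONFIRM_LABEL, "sha256").digest()
    return key if hmac.compare_digest(tag, expected) else None
```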

Process flow: Receiving an S/MIME-encrypted email message

This diagram shows the elements that are described in the following process flow.

If a recipient installs the S/MIME Support Package for BlackBerry® smartphones, the BlackBerry device decrypts incoming email messages.

  1. The sender uses the S/MIME technology on the email application to encrypt the email message using the S/MIME certificate of the recipient.
  2. The BlackBerry® Enterprise Server performs the following actions:
    1. retrieves the S/MIME-encrypted message from the messaging server
    2. encrypts the email message a second time with S/MIME encryption if the email message is signed-only or weakly encrypted and if you turned on the Turn on S/MIME encryption on signed and weakly encrypted messages option in the BlackBerry Administration Service
    3. uses BlackBerry transport layer encryption to encrypt the S/MIME-encrypted message
    4. sends the email message that is encrypted using BlackBerry transport layer encryption and S/MIME encryption to the BlackBerry device
  3. The BlackBerry device decrypts the BlackBerry transport layer encryption and stores the S/MIME-encrypted message in BlackBerry device memory.
  4. When the recipient opens the email message on the BlackBerry device, the BlackBerry device decrypts the S/MIME-encrypted message using the S/MIME private key of the recipient and displays the message contents. If the email message is encrypted with a password, the recipient types the password to decrypt the S/MIME-encrypted message.
