Message keys

A BlackBerry® Enterprise Server and BlackBerry device generate one or more message keys that are designed to protect the integrity of the data (for example, short keys or large messages) that the BlackBerry Enterprise Server and BlackBerry device send to each other. If a message exceeds 2 KB and consists of several data packets, the BlackBerry Enterprise Server and BlackBerry device generate a unique message key for each data packet.

Each message key consists of random data that is designed to make it difficult for a third party to decrypt, re-create, or duplicate the message key.

The BlackBerry Enterprise Server and BlackBerry device do not store the message keys; they free the memory that is associated with a message key after the BlackBerry Enterprise Server or BlackBerry device uses that message key to decrypt the message.

Process flow: Generating a message key on a BlackBerry Enterprise Server

A BlackBerry® Enterprise Server is designed to use the DSA PRNG function to generate a message key.

To generate a message key, the BlackBerry Enterprise Server performs the following actions:

  1. retrieves random data from multiple sources for the seed, using a technique that the BlackBerry Enterprise Server derives from the initialization function of the ARC4 encryption algorithm
  2. uses the random data to reorder the contents of a 256-byte state array (also known as a 2048-bit state array)

    If the Microsoft® Cryptographic API exists on the computer that hosts the BlackBerry Enterprise Server, the BlackBerry Enterprise Server requests 512 bits of randomness from the Microsoft Cryptographic API to increase the randomness of the data.

  3. adds the 256-byte state array into the ARC4 algorithm to further randomize the 256-byte state array
  4. draws 521 bytes from the 256-byte state array

    The BlackBerry Enterprise Server draws an additional 9 bytes from the 256-byte state array, for a total of 521 bytes (512 + 9 = 521), to make sure that the pointers before and after the generation process are not in the same place, and in case the first few bytes of the 256-byte state array are not random.

  5. uses SHA-512 to hash the 521-byte value to 64 bytes
  6. uses the 64-byte value to seed the DSA PRNG function

    The BlackBerry Enterprise Server stores a copy of the seed in a file. When the BlackBerry Enterprise Server restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.

  7. uses the DSA PRNG function to generate 256 pseudorandom bits for use with AES encryption and 128 pseudorandom bits for use with Triple DES encryption
  8. uses the pseudorandom bits with AES encryption or Triple DES encryption to generate the message key

For more information about the DSA PRNG function, see Federal Information Processing Standard - FIPS PUB 186-2.

Process flow: Generating a message key on a BlackBerry device

A BlackBerry® device is designed to use the DSA PRNG function to generate a message key.

To generate a message key, the BlackBerry device performs the following actions:

  1. retrieves random data from multiple sources to generate the seed using a technique that the BlackBerry device derives from the initialization function of the ARC4 encryption algorithm
  2. uses the random data to reorder the contents of a 256-byte state array (also known as a 2048-bit state array)
  3. adds the 256-byte state array into the ARC4 encryption algorithm to further randomize the 256-byte state array
  4. draws 521 bytes from the ARC4 state array

    The BlackBerry device draws an additional 9 bytes from the 256-byte state array, for a total of 521 bytes (512 + 9 = 521), to make sure that the pointers before and after the call are not in the same place, and in case the first few bytes of the ARC4 state array are not random.

  5. uses SHA-512 to hash the 521-byte value to 64 bytes
  6. uses the 64-byte value to seed the DSA PRNG function

    The BlackBerry device stores a copy of the seed in a file. When the BlackBerry device restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.

  7. uses the DSA PRNG function to generate 128 pseudorandom bits for use with Triple DES encryption and 256 pseudorandom bits for use with AES encryption
  8. uses the pseudorandom bits with Triple DES encryption or AES encryption to generate the message key

For more information about the DSA PRNG function, see Federal Information Processing Standard - FIPS PUB 186-2.
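The seed-conditioning stages that the server and device process flows share (steps 1 to 6 in both lists), as an added Python example written for this page; it is illustrative code, not BlackBerry's implementation. It assumes os.urandom as a stand-in for the multiple entropy sources and the optional Microsoft Cryptographic API request, and it stops at the 64-byte seed, leaving the FIPS 186-2 DSA PRNG of step 7 out.

```python
import hashlib
import os

STATE_SIZE = 256        # the 256-byte (2048-bit) ARC4 state array
DRAW_SIZE = 512 + 9     # the 521-byte draw described in step 4


def arc4_schedule(entropy: bytes) -> list:
    """Step 2: reorder the state array with the entropy (ARC4 key scheduling)."""
    if not entropy:
        raise ValueError("no entropy supplied")
    s = list(range(STATE_SIZE))
    j = 0
    for i in range(STATE_SIZE):
        j = (j + s[i] + entropy[i % len(entropy)]) % STATE_SIZE
        s[i], s[j] = s[j], s[i]
    return s


def arc4_draw(s: list, n: int) -> tuple:
    """Steps 3-4: run the ARC4 generator n times over the state array.
    Returns the drawn bytes and the final i pointer, which shows why 521
    (not 512) is drawn: 521 mod 256 = 9, so the pointer does not land back at 0."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % STATE_SIZE
        j = (j + s[i]) % STATE_SIZE
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % STATE_SIZE])
    return bytes(out), i


def condition_seed(entropy: bytes) -> bytes:
    """Steps 2-5: mix entropy into the state, draw 521 bytes, hash to 64 bytes."""
    s = arc4_schedule(entropy)
    drawn, _ = arc4_draw(s, DRAW_SIZE)
    return hashlib.sha512(drawn).digest()


def merge_with_stored_seed(new_seed: bytes, stored_seed: bytes) -> bytes:
    """Step 6 note: XOR the fresh seed with the copy persisted before the restart."""
    if len(new_seed) != len(stored_seed):
        raise ValueError("seed lengths differ")
    return bytes(a ^ b for a, b in zip(new_seed, stored_seed))


def gather_entropy() -> bytes:
    """Step 1 stand-in (assumption): os.urandom replaces the page's multiple
    sources; the extra 64 bytes mirror the optional 512-bit CryptoAPI request."""
    return os.urandom(32) + os.urandom(64)


if __name__ == "__main__":
    print(condition_seed(gather_entropy()).hex())
```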