PIN encryption keys

The PIN encryption key is a Triple DES 168-bit key that a BlackBerry® device uses to encrypt BlackBerry® Messenger messages that it sends to other devices and to authenticate and decrypt BlackBerry Messenger messages that it receives from other devices. If a BlackBerry device user knows the PIN of another device, the user can send a BlackBerry Messenger message to the device. Before a user can send a BlackBerry Messenger message, the user must invite the recipient to add the user to the recipient's contact list.

By default, each device uses the same global PIN encryption key, which Research In Motion adds to the device during the manufacturing process. The global PIN encryption key permits every device to authenticate and decrypt every BlackBerry Messenger message that the device receives. Because all devices share the same global PIN encryption key, this encryption provides only limited confidentiality for BlackBerry Messenger messages. BlackBerry Messenger messages are not considered as confidential as email messages that are sent from the BlackBerry® Enterprise Server, which use BlackBerry transport layer encryption. Encryption using the global PIN encryption key is sometimes referred to as "scrambling".

If the security policies of your organization require additional confidentiality for BlackBerry Messenger messages, you can generate a PIN encryption key that is specific to your organization. A device that has a PIN encryption key that is specific to your organization:
  • can only encrypt BlackBerry Messenger messages sent to other devices on your organization's network that use the same PIN encryption key
  • can only decrypt BlackBerry Messenger messages that are sent from devices that use the global PIN encryption key or BlackBerry Messenger messages from other devices on your organization's network that use the same PIN encryption key
  • cannot decrypt BlackBerry Messenger messages sent from devices that use a PIN encryption key from another organization

You can generate a PIN encryption key for your organization and send it to devices using the BlackBerry Administration Service.

Optionally, you can configure the Firewall Block Incoming Messages IT policy rule to block BlackBerry Messenger messages that are sent from devices that have the global PIN encryption key. For more information, see the BlackBerry Enterprise Server Policy Reference Guide.

