The BlackBerry® Enterprise Solution uses AES or Triple DES as the symmetric key cryptographic algorithm for encrypting data. By default, the BlackBerry® Enterprise Server uses the strongest algorithm that both the BlackBerry Enterprise Server and the BlackBerry device support for BlackBerry transport layer encryption.
If you configure the BlackBerry Enterprise Server to support AES and Triple DES, by default, the BlackBerry Enterprise Solution generates device transport keys using AES encryption. If a device uses BlackBerry® Device Software version 3.7 or earlier or BlackBerry® Desktop Software version 3.7 or earlier, the BlackBerry Enterprise Solution generates the device transport keys of the device using Triple DES.
By default, when a BlackBerry® device supports AES, the BlackBerry® Enterprise Solution uses AES for BlackBerry transport layer encryption. The BlackBerry Enterprise Solution uses AES in CBC mode, and the message keys and device transport keys that it generates are each 256 bits long.
For more information about how the BlackBerry Enterprise Server uses AES for BlackBerry transport layer encryption to communicate with devices, visit www.blackberry.com/support to read article KB05429.
How a device uses the AES algorithm to help protect user data and keys
The BlackBerry® device implementation of the AES algorithm is designed to help protect user data and keys (such as the device transport key and ephemeral key) from traditional attacks and side-channel attacks.
A traditional attack tries to exploit data that a cryptographic system stores or transmits. The potentially malicious user tries to determine the key or the plain-text data by exploiting a weakness in the design of the cryptographic algorithm or protocol.
A potentially malicious user uses a side-channel attack to exploit the physical properties of the device's AES implementation, typically with power analysis (for example, SPA and DPA) or electromagnetic analysis (for example, SEMA and DEMA): the attacker measures the power that the device consumes, or the electromagnetic radiation that it emits, during cryptographic operations and analyzes those measurements to recover the keys. To help protect the keys and plain-text data against side-channel attacks at every point in the encryption and decryption operations, the device uses a masking operation, table splitting, and a random mask application.
Process flow: Running a masking operation during the first AES calculation when content protection is turned on
- runs a masking operation by performing the following actions:
- runs the result of step 1 as the input through both M and S'
- combines the output of step 2 from M and S'
- deletes the mask and produces the AES output
Process flow: Running a masking operation during subsequent AES calculations when content protection is turned on
Process flow: Running a masking operation when a device does not use content protection
How the AES algorithm creates S-Box tables and uses round keys and masks
The BlackBerry device masks the round keys with random values and any S-Box masks that the AES algorithm requires to work. Round keys are subkeys that the key schedule calculates for each round of encryption.
The BlackBerry device changes the random masks periodically and uses extra S-Box data to make identification of the S-Box table difficult, whether the BlackBerry device uses the S-Box table in the encryption process, decryption process, or key schedule process.
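To make the masking, table-splitting and round-key-masking description concrete, the following is an added example written for this page; it is not BlackBerry's implementation. It builds the FIPS 197 S-box, derives a masked table S' with S'[x ^ m_in] = S[x] ^ m_out, splits S' into two random XOR shares (one way to read the "extra S-Box data" above; the two-share layout is an assumption), holds round keys as XOR shares, and re-masks on demand. All class and function names are illustrative.

```python
import os

# Added example (not BlackBerry's implementation): first-order Boolean masking
# of the AES S-box lookup and of the round keys. Names, the two-share table
# layout and the remasking policy are assumptions made for illustration.

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254; AES maps 0 to 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        exp >>= 1
    return result if a else 0

def build_sbox():
    """The FIPS 197 S-box: GF(2^8) inverse followed by the affine transformation."""
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

def masked_sbox(sbox, m_in, m_out):
    """Build S' with S'[x ^ m_in] == S[x] ^ m_out, so lookups work on masked bytes."""
    t = [0] * 256
    for x in range(256):
        t[x ^ m_in] = sbox[x] ^ m_out
    return t

def split_table(table, rng):
    """Split a table into two random XOR shares: share1[i] ^ share2[i] == table[i]."""
    share1 = list(rng(len(table)))
    share2 = [table[i] ^ share1[i] for i in range(len(table))]
    return share1, share2

class MaskedSubBytes:
    """SubBytes on masked bytes; the true S-box input and output never appear."""

    def __init__(self, sbox, rng=os.urandom):
        self.sbox, self.rng = sbox, rng
        self.remask()

    def remask(self):
        """Draw fresh input/output masks and rebuild the split masked table."""
        self.m_in, self.m_out = self.rng(2)
        self.share1, self.share2 = split_table(
            masked_sbox(self.sbox, self.m_in, self.m_out), self.rng)

    def mask(self, x):
        return x ^ self.m_in

    def sub(self, x_masked):
        # Shares are recombined only for the entry being read; result is S(x) ^ m_out.
        return self.share1[x_masked] ^ self.share2[x_masked]

    def unmask(self, y_masked):
        return y_masked ^ self.m_out

def sub_bytes_masked(state, msb):
    """Masked SubBytes over a list of bytes, unmasked at the end for verification."""
    return [msb.unmask(msb.sub(msb.mask(x))) for x in state]

def masked_intermediates(x, sbox, trials=64):
    """For a fixed input x the masked table output changes with every remask, which
    denies a DPA attacker a stable key-dependent intermediate to correlate on."""
    seen = set()
    for _ in range(trials):
        msb = MaskedSubBytes(sbox)
        seen.add(msb.sub(msb.mask(x)))
    return seen

def mask_round_key(round_key, rng=os.urandom):
    """Hold a round key as two XOR shares so the plain round key is not resident."""
    r = rng(len(round_key))
    return r, bytes(k ^ m for k, m in zip(round_key, r))

def add_round_key_masked(state_masked, key_shares):
    """AddRoundKey on masked state: XOR in both key shares. The state mask is
    unchanged and the value state ^ round_key never materialises."""
    r, k_xor_r = key_shares
    return [(s ^ a) ^ b for s, a, b in zip(state_masked, r, k_xor_r)]
```

In a real implementation the state would stay masked across all rounds and the unmasking in sub_bytes_masked would happen only once at the end; it is unmasked per byte here so the result can be checked against the plain S-box. Changing masks periodically, as the page describes, corresponds to calling remask().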
How the BlackBerry Enterprise Solution uses Triple DES to encrypt data
The BlackBerry® Enterprise Solution uses two-key Triple DES to generate message keys and device transport keys. Each block goes through three DES iterations in encrypt-decrypt-encrypt order: the first 56-bit key (K1) encrypts the data, the second 56-bit key (K2) decrypts it, and K1 encrypts it again. Chaining uses outer CBC mode, that is, CBC is applied around the complete three-iteration operation rather than around each individual DES pass.
The BlackBerry Enterprise Solution stores the message keys and device transport keys as 128-bit binary strings: two 64-bit DES keys of 8 bytes each, with the parity bit in the least significant bit of every byte. Of the 128 bits, 112 bits form the effective key and the remaining 16 bits are parity data.
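The key layout and chaining mode described in the two paragraphs above, as an added example written for this page (not BlackBerry's code): it sets and checks the 16 DES parity bits of a 16-byte two-key Triple DES key, extracts the 112 effective bits, and chains blocks in outer CBC mode around a caller-supplied single-block DES primitive. Python's standard library has no DES, so the block function is a parameter; the sample key is constructed here and the function names are illustrative.

```python
# Added example (not BlackBerry's code): parity handling and outer-CBC EDE
# chaining for a two-key Triple DES key stored as 16 bytes. The sample key
# below is constructed for illustration only.

def odd_parity_byte(b):
    """Set the least significant bit so the byte has an odd number of 1 bits."""
    top7 = b & 0xFE
    return top7 | (0 if bin(top7).count("1") % 2 else 1)

def set_key_parity(key16):
    """Recompute all 16 parity bits of a 128-bit two-key Triple DES key."""
    if len(key16) != 16:
        raise ValueError("two-key Triple DES key must be 16 bytes")
    return bytes(odd_parity_byte(b) for b in key16)

def check_key_parity(key16):
    """Indices of bytes whose parity is wrong; an empty list means the key is intact."""
    return [i for i, b in enumerate(key16) if bin(b).count("1") % 2 == 0]

def effective_key_bits(key16):
    """Drop the parity bit of each byte: 16 x 7 = 112 effective key bits, as an int."""
    value = 0
    for b in key16:
        value = (value << 7) | (b >> 1)
    return value

def ede_subkeys(key16):
    """Two-key option: K1 encrypts, K2 decrypts, K1 encrypts again."""
    k1, k2 = key16[:8], key16[8:]
    return k1, k2, k1

def outer_cbc_ede_encrypt(blocks, iv, key16, des_encrypt, des_decrypt):
    """Outer CBC: the previous ciphertext block is XORed into the plaintext once,
    before the whole EDE triple, not between the individual DES passes.
    des_encrypt(key8, block8) / des_decrypt(key8, block8) are supplied by the caller."""
    k1, k2, k3 = ede_subkeys(key16)
    prev, out = iv, []
    for block in blocks:
        x = bytes(a ^ b for a, b in zip(block, prev))
        c = des_encrypt(k3, des_decrypt(k2, des_encrypt(k1, x)))
        out.append(c)
        prev = c
    return out

def outer_cbc_ede_decrypt(blocks, iv, key16, des_encrypt, des_decrypt):
    """Inverse of outer_cbc_ede_encrypt: D_K1, E_K2, D_K1, then XOR the previous ciphertext."""
    k1, k2, k3 = ede_subkeys(key16)
    prev, out = iv, []
    for c in blocks:
        x = des_decrypt(k1, des_encrypt(k2, des_decrypt(k3, c)))
        out.append(bytes(a ^ b for a, b in zip(x, prev)))
        prev = c
    return out

# Constructed sample key: 16 arbitrary bytes with the parity bits fixed up.
SAMPLE_KEY = set_key_parity(bytes(range(0x10, 0x20)))
```

To exercise the chaining with a real cipher, pass the single-block DES encrypt and decrypt functions of whatever crypto library is available; a stand-in block function is enough to confirm that the IV and previous ciphertext are mixed in only once per EDE operation, which is what distinguishes outer CBC from inner CBC.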
All versions of the BlackBerry® Enterprise Server, BlackBerry® Device Software, and BlackBerry® Desktop Software support Triple DES.
For more information about the DES modes of operation, including CBC, see Federal Information Processing Standard FIPS PUB 81. The Triple DES algorithm itself is specified in FIPS PUB 46-3 and NIST Special Publication 800-67.