Security Technical Overview

Extending messaging security for attachments

The BlackBerry® Enterprise Server supports attachments in PGP®-protected messages and S/MIME-protected messages. It also permits a BlackBerry device user to view encrypted attachments on a BlackBerry device. For PGP-protected messages, the device supports the OpenPGP format and the PGP/MIME format. For S/MIME-protected messages, the device supports Triple DES, AES-128, AES-192, or AES-256.

You can use the PGP Allowed Encrypted Attachment Mode IT policy rule and the S/MIME Allowed Encrypted Attachment Mode IT policy rule to control whether users can view encrypted attachments on their devices. By default, these rules permit a device to request decrypted attachment information from the BlackBerry Enterprise Server automatically when a user opens a protected message.

On a device that is running BlackBerry® 7 or later in a Microsoft® Exchange environment, you can use the S/MIME Attachment Support IT policy rule to control whether users can send and forward attachments in S/MIME-protected messages. The S/MIME Attachment Support IT policy rule can be set to one of the following values:
  • None, which prevents the device from sending attachments in S/MIME-protected messages.
  • End-to-End, which permits the device to send attachments in new S/MIME-protected messages that the sender composes, if the attachments are located on the sender's device.
  • End-to-End or Trusted BES, which permits the device to send attachments in S/MIME-protected messages whether or not the attachments are located on the sender's device.

By default, the "End-to-End or Trusted BES" value is configured for this rule.

Process flow: Viewing an attachment in a PGP-encrypted message or S/MIME-encrypted message

The S/MIME Allowed Encrypted Attachment Mode IT policy rule or PGP® Allowed Encrypted Attachment Mode IT policy rule determines how a BlackBerry® device responds when it receives a PGP/MIME encrypted message or S/MIME-encrypted message that contains an attachment. These rules determine whether the following actions occur automatically when the user opens the email message, or whether the user must request the actions manually.

  1. A device sends the message key and a request for the data in the attachment header to the BlackBerry® Enterprise Server.
  2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the data in the attachment header. The BlackBerry Enterprise Server sends the data in the attachment header to the device.
  3. The device processes the data in the attachment header with the email message and displays the associated attachment information so that the user can select the attachment for viewing.

Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption

  1. The BlackBerry® device sends the message key and a request for the attachment data to the BlackBerry® Enterprise Server.
  2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the attachment data that corresponds to the data in the attachment header. The BlackBerry Enterprise Server decrypts the attachment and sends the rendered attachment data to the device.
  3. The device displays the attachment.

To help protect the decrypted attachment data that the device stores, you can turn on content protection.


Process flow: Sending an S/MIME-protected email message that contains attachments that are located on a device

On a BlackBerry® device that is running BlackBerry® 7 or later in a Microsoft® Exchange environment, you can use the S/MIME Attachment Support IT policy rule.

The S/MIME Attachment Support IT policy rule determines how a device responds when a BlackBerry device user sends a new S/MIME-protected message with an attachment, forwards an S/MIME-protected message with an attachment, or replies to an S/MIME-protected email message with an attachment. By default, this rule is set to the "End-to-End or Trusted BES" value. When the user composes and sends an S/MIME-protected message that includes attachments that are located on the device, the device uses End-to-End mode. In all other scenarios (even when a user forwards an S/MIME-protected message after downloading the original message attachment to the device), the device uses Trusted BES mode.

  1. A user performs the following actions when the user composes an email message:
    1. Attaches at least one file to the email message
    2. Selects the S/MIME encoding action for the email message (for example, sign, encrypt, or sign and encrypt using S/MIME)
    3. Sends the email message
  2. The email application on the device performs the following actions:
    1. Generates an email message including attachments
    2. Encrypts, signs, or encrypts and signs the email message using S/MIME
    3. Sends the email message to the BlackBerry® Enterprise Server
  3. The BlackBerry Enterprise Server sends the email to the recipient's inbox.

Process flow: Forwarding an S/MIME-protected email message that contains attachments that are not located on a device

On a BlackBerry® device that is running BlackBerry® 7 or later in a Microsoft® Exchange environment, you can use the S/MIME Attachment Support IT policy rule.

The S/MIME Attachment Support IT policy rule determines how a device responds when a BlackBerry device user sends a new S/MIME-protected email message with an attachment, forwards an S/MIME-protected email message with an attachment, or replies to an S/MIME-protected email message with an attachment. By default, this rule is set to the "End-to-End or Trusted BES" value, which means the device can forward email messages with attachments whether or not the attachments are located on the device. When the device forwards encrypted email messages that include attachments that are not located on the device, it uses Trusted BES mode.

  1. A user performs the following actions when the user forwards a message:
    1. Selects whether the message should be signed, encrypted, or signed and encrypted using S/MIME
    2. If applicable, attaches any new message attachments
    3. Sends the message
  2. The email application on the device performs the following actions:
    1. Creates a message header that contains information about whether the user wants the forwarded message to be signed, encrypted, or signed and encrypted using S/MIME. If the original message that the user forwards was encrypted, the message header includes a key for decrypting the original message.
    2. Sends the partial message, which includes the new message body, any new attachments that are located on the device, and the message header, to the BlackBerry® Enterprise Server.
  3. The BlackBerry Enterprise Server performs the following actions when it receives the partial message:
    1. Parses the message header
    2. Obtains the original message and performs one of the following actions:
      • If the original sender signed the message that a user is forwarding, removes all of the original signatures
      • If the original sender encrypted the message that a user is forwarding, decrypts the message using the key in the message header
      • If the original sender signed and encrypted the message that a user is forwarding, decrypts the message using the key in the message header and then removes all of the original signatures
    3. Appends all of the attachments from the original message, any new message attachments, and the original message body to the new message
    4. If the user indicates that the new message must be signed, sends a Message Signature Request to the device, waits for a reply from the device, and adds the signature into the message
    5. If the user indicates that the new message must be encrypted, encrypts the full message
    6. Sends the message to the recipient's inbox
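The Trusted BES forwarding flow above, modelled as an added example (not BlackBerry Enterprise Server code): the device hands the original message key to the server in the partial-message header, the server strips the original signatures, assembles the full message, obtains a signature from the device through a Message Signature Request, and encrypts the result. The crypto primitives are constructed stdlib stand-ins (HMAC for signing, a SHA-256 keystream for content encryption), not S/MIME; the message store, key names, and message contents are invented for the sample.

```python
import hashlib, hmac, secrets

def stream_xor(key, data):  # stand-in for S/MIME content encryption (constructed keystream)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def digest(body, atts): return hashlib.sha256(body + b"".join(atts)).digest()  # what the signature covers

class Device:
    def __init__(self): self.signing_key = secrets.token_bytes(32)  # never leaves the device

    def forward_request(self, original, body, new_atts, sign, encrypt):
        # Step 2: S/MIME flags (+ the original's message key if it was encrypted), new body, on-device files only.
        header = {"sign": sign, "encrypt": encrypt}
        if original["encrypted"]:
            header["message_key"] = original["message_key"]
        return {"header": header, "body": body, "attachments": new_atts}

    def answer_signature_request(self, d):
        # Step 3.4: the reply to a Message Signature Request is a signature, not a key.
        return hmac.new(self.signing_key, d, "sha256").digest()

class EnterpriseServer:
    def __init__(self, device, store, recipient_key): self.device, self.store, self.rkey = device, store, recipient_key

    def forward(self, original_id, partial):
        hdr = partial["header"]                                  # 3.1 parse the header
        orig = dict(self.store[original_id])                     # 3.2 obtain the original
        if orig["encrypted"]:                                    #     decrypt with the key from the header
            orig["body"] = stream_xor(hdr["message_key"], orig["body"])
            orig["attachments"] = [stream_xor(hdr["message_key"], a) for a in orig["attachments"]]
        orig["signatures"] = []                                  #     remove the original signatures
        full = {"body": partial["body"] + b"\n---\n" + orig["body"], "signature": None,
                "attachments": orig["attachments"] + partial["attachments"]}   # 3.3 append
        if hdr["sign"]:                                          # 3.4 round trip to the device
            full["signature"] = self.device.answer_signature_request(digest(full["body"], full["attachments"]))
        if hdr["encrypt"]:                                       # 3.5 encrypt the full message
            full["body"] = stream_xor(self.rkey, full["body"])
            full["attachments"] = [stream_xor(self.rkey, a) for a in full["attachments"]]
        return full                                              # 3.6 deliver to the recipient

def demo():
    # Constructed sample: a signed and encrypted original sitting in the mail store.
    msg_key, rkey, device = secrets.token_bytes(32), secrets.token_bytes(32), Device()
    store = {"msg-1": {"encrypted": True, "signatures": [b"sender-sig"], "body": stream_xor(msg_key, b"original body"),
                       "attachments": [stream_xor(msg_key, b"report.pdf bytes")]}}
    partial = device.forward_request({"encrypted": True, "message_key": msg_key}, b"FYI", [b"notes.txt bytes"], True, True)
    full = EnterpriseServer(device, store, rkey).forward("msg-1", partial)
    body, atts = stream_xor(rkey, full["body"]), [stream_xor(rkey, a) for a in full["attachments"]]  # recipient decrypts
    sig_ok = hmac.compare_digest(full["signature"], device.answer_signature_request(digest(body, atts)))
    return {"body": body, "attachments": atts, "sig_ok": sig_ok, "partial": partial, "device": device}
```

The returned `partial` is everything the server saw from the device: the original's message key is in it, the device's signing key is not, which is the trust boundary that Trusted BES mode relies on.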