Security Technical Overview

How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other

The BlackBerry® Infrastructure and BlackBerry® Enterprise Server must authenticate with each other before they can transfer data. The BlackBerry Enterprise Server uses SRP to authenticate with and connect to the BlackBerry Infrastructure.

SRP is a point-to-point protocol that runs over TCP/IP. The BlackBerry Enterprise Server uses SRP to contact the BlackBerry Infrastructure and open a connection. When the BlackBerry Enterprise Server and BlackBerry Infrastructure open a connection, they perform the following actions:
  • authenticate with each other
  • exchange configuration information
  • send and receive data

The BlackBerry Enterprise Server and BlackBerry Infrastructure use the SRP authentication key when they authenticate with each other. The SRP authentication key is a 20-byte encryption key that the BlackBerry Enterprise Server and BlackBerry Infrastructure share.

The BlackBerry Enterprise Server sends only outgoing traffic to a BlackBerry device using an authenticated connection to the BlackBerry Infrastructure.

What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection

After a BlackBerry® Enterprise Server and the BlackBerry® Infrastructure open an initial connection over the Internet, the BlackBerry Enterprise Server is designed to send a basic information packet to the BlackBerry Infrastructure immediately. A basic information packet includes version information, SRP identifiers, and other information that is required to open an SRP connection. Both the BlackBerry Enterprise Server and BlackBerry Infrastructure can recognize the basic information packet. The BlackBerry Enterprise Server and BlackBerry Infrastructure can use the basic information packet to configure the parameters of the SRP implementation.

The BlackBerry Infrastructure does not send basic information packets to the BlackBerry Enterprise Server until after the BlackBerry Enterprise Server sends a packet to the BlackBerry Infrastructure. This process permits the BlackBerry Infrastructure to be backward compatible with previous BlackBerry Enterprise Server versions, which close the SRP connection if they receive unrecognized basic information packets.

How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure

After a BlackBerry® Enterprise Server and the BlackBerry® Infrastructure open an SRP connection, the BlackBerry Enterprise Server uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure. The BlackBerry Infrastructure uses wireless network protocols (for example, GSM® or EDGE) to send data to the BlackBerry device. The TCP/IP connection between the BlackBerry Enterprise Server and BlackBerry Infrastructure is designed to be highly secure in the following ways:
  • The BlackBerry Enterprise Server deletes data traffic that it receives from any source other than the messaging server, or from the device through the BlackBerry Infrastructure or BlackBerry® Desktop Software.
  • The BlackBerry Enterprise Server and device use BlackBerry transport layer encryption to encrypt the data that they send to each other. No intermediate point decrypts and encrypts the data again.
  • No data traffic of any kind can occur between the BlackBerry Enterprise Server and either the wireless network or the device unless the BlackBerry Enterprise Server can decrypt the data using a valid device transport key. Only the BlackBerry Enterprise Server and device have the correct device transport key.

You must configure your organization’s firewall or proxy server to permit the BlackBerry Enterprise Server to start and maintain an outgoing connection to the BlackBerry Infrastructure over TCP port 3101.

Process flow: Authenticating a BlackBerry Enterprise Server with the BlackBerry Infrastructure

  1. The BlackBerry® Enterprise Server sends a data packet that contains its unique SRP identifier to the BlackBerry® Infrastructure to claim the SRP identifier.
  2. The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Enterprise Server.
  3. The BlackBerry Enterprise Server sends a challenge string to the BlackBerry Infrastructure.
  4. The BlackBerry Infrastructure hashes the challenge string with the SRP authentication key using HMAC with the SHA-1 algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to the BlackBerry Enterprise Server as a challenge string.
  5. The BlackBerry Enterprise Server hashes the challenge string with the SRP authentication key, and sends a challenge response to the BlackBerry Infrastructure.
  6. The BlackBerry Infrastructure performs one of the following actions:
    • accepts the challenge response and sends a confirmation to the BlackBerry Enterprise Server to complete the authentication process and configure an authenticated SRP connection
    • rejects the challenge response

    If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and BlackBerry Enterprise Server close the SRP connection. If a BlackBerry Enterprise Server uses the same SRP authentication key and SRP identifier to connect to (and then disconnect from) the BlackBerry Infrastructure 5 times in 1 minute, the BlackBerry Infrastructure deactivates the SRP identifier to help prevent a potentially malicious user from using the SRP identifier to create conditions for a DoS attack.
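The following Python model walks through the six-step exchange above from both sides, and is an added example rather than code from this guide or from the BlackBerry Enterprise Server. SRP here is BlackBerry's Server Routing Protocol, not the Secure Remote Password protocol; the only cryptographic operation the steps describe is HMAC-SHA1 over a challenge with the shared 20-byte SRP authentication key, which `hmac_sha1` implements. Everything else is an assumption made to get a runnable model: the SRP identifier string and the 20-byte challenge length are constructed, the server is assumed to check the infrastructure's step-4 value before answering (which is what makes the authentication mutual), responses are compared in constant time, and the fifth connection with the same identifier inside a 60-second window is the one that trips the deactivation described above. Key material is generated in the demo and has no relation to any real deployment.

```python
import hmac
import hashlib
import os
import time
from collections import defaultdict, deque

KEY_LEN = 20        # the SRP authentication key is a 20-byte shared secret
CHALLENGE_LEN = 20  # assumption: length of the random challenge strings


def hmac_sha1(key: bytes, challenge: bytes) -> bytes:
    """Steps 4 and 5: hash a challenge with the SRP authentication key (HMAC-SHA1, 20-byte result)."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


class Infrastructure:
    """Constructed model of the BlackBerry Infrastructure side of the exchange."""

    def __init__(self, keys, max_connections=5, window_seconds=60, clock=time.monotonic):
        self.keys = dict(keys)                  # SRP identifier -> 20-byte authentication key
        self.max_connections = max_connections  # 5 connections ...
        self.window = window_seconds            # ... in 1 minute deactivates the identifier
        self.clock = clock                      # injectable so the window can be tested
        self.connections = defaultdict(deque)   # SRP identifier -> recent connection times
        self.deactivated = set()

    def claim(self, srp_id: str):
        """Steps 1-2: accept an identifier claim and return a random challenge, or None if refused."""
        if srp_id in self.deactivated or srp_id not in self.keys:
            return None
        now = self.clock()
        recent = self.connections[srp_id]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget connections older than the window
            recent.popleft()
        if len(recent) >= self.max_connections:
            # assumption: the 5th connection inside the window trips deactivation and is refused
            self.deactivated.add(srp_id)
            return None
        return os.urandom(CHALLENGE_LEN)

    def respond(self, srp_id: str, server_challenge: bytes) -> bytes:
        """Step 4: answer the server's challenge under the shared key."""
        return hmac_sha1(self.keys[srp_id], server_challenge)

    def verify(self, srp_id: str, own_challenge: bytes, response: bytes) -> bool:
        """Step 6: accept or reject the server's challenge response (constant-time compare)."""
        expected = hmac_sha1(self.keys[srp_id], own_challenge)
        return hmac.compare_digest(expected, response)


class EnterpriseServer:
    """Constructed model of the BlackBerry Enterprise Server side of the exchange."""

    def __init__(self, srp_id: str, key: bytes):
        if len(key) != KEY_LEN:
            raise ValueError("SRP authentication key must be 20 bytes")
        self.srp_id = srp_id
        self.key = key

    def authenticate(self, infra: Infrastructure) -> str:
        """Run the exchange; returns 'accepted', 'rejected' or 'refused' (no challenge issued)."""
        infra_challenge = infra.claim(self.srp_id)                   # steps 1-2
        if infra_challenge is None:
            return "refused"
        server_challenge = os.urandom(CHALLENGE_LEN)                 # step 3
        infra_response = infra.respond(self.srp_id, server_challenge)  # step 4
        # assumption: the server verifies the infrastructure's answer (mutual authentication)
        infra_ok = hmac.compare_digest(hmac_sha1(self.key, server_challenge), infra_response)
        response = hmac_sha1(self.key, infra_challenge)              # step 5
        server_ok = infra.verify(self.srp_id, infra_challenge, response)  # step 6
        return "accepted" if infra_ok and server_ok else "rejected"


def demo(clock=time.monotonic):
    """Constructed scenario: a matching key, a mismatched key, and connection churn."""
    srp_id = "SRP-ID-EXAMPLE"                 # constructed identifier, not a real one
    key = os.urandom(KEY_LEN)                 # constructed 20-byte key for the demo only
    infra = Infrastructure({srp_id: key}, clock=clock)
    good = EnterpriseServer(srp_id, key).authenticate(infra)
    bad = EnterpriseServer(srp_id, os.urandom(KEY_LEN)).authenticate(infra)
    churn = [EnterpriseServer(srp_id, key).authenticate(infra) for _ in range(4)]
    return good, bad, churn, srp_id in infra.deactivated


if __name__ == "__main__":
    print(demo(clock=lambda: 0.0))   # all connections at one instant, so the 5th is refused
```

The deque-per-identifier counter is the part a defender would actually tune: it is what turns repeated connect/disconnect cycles with a valid key and identifier into a deactivation instead of an open-ended resource drain, and the injected clock lets the 60-second window be exercised in a test without waiting.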
