The BlackBerry® Infrastructure and BlackBerry® Enterprise Server must authenticate with each other before they can transfer data. The BlackBerry Enterprise Server uses SRP to authenticate with and connect to the BlackBerry Infrastructure.
The BlackBerry Enterprise Server and BlackBerry Infrastructure use the SRP authentication key when they authenticate with each other. The SRP authentication key is a 20-byte encryption key that the BlackBerry Enterprise Server and BlackBerry Infrastructure share.
What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection
After a BlackBerry® Enterprise Server and the BlackBerry® Infrastructure open an initial connection over the Internet, the BlackBerry Enterprise Server is designed to send a basic information packet to the BlackBerry Infrastructure immediately. A basic information packet includes version information, SRP identifiers, and other information that is required to open an SRP connection. Both the BlackBerry Enterprise Server and BlackBerry Infrastructure can recognize the basic information packet. The BlackBerry Enterprise Server and BlackBerry Infrastructure can use the basic information packet to configure the parameters of the SRP implementation.
The BlackBerry Infrastructure does not send basic information packets to the BlackBerry Enterprise Server until after the BlackBerry Enterprise Server sends a packet to the BlackBerry Infrastructure. This process permits the BlackBerry Infrastructure to be backward compatible with previous BlackBerry Enterprise Server versions, which close the SRP connection if they receive unrecognized basic information packets.
How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure
- The BlackBerry Enterprise Server deletes data traffic that it receives from any source other than the messaging server, or from the device through the BlackBerry Infrastructure or BlackBerry® Desktop Software.
- The BlackBerry Enterprise Server and device use BlackBerry transport layer encryption to encrypt the data that they send to each other. No intermediate point decrypts and encrypts the data again.
- No data traffic of any kind can occur between the BlackBerry Enterprise Server and either the wireless network or the device unless the BlackBerry Enterprise Server can decrypt the data using a valid device transport key. Only the BlackBerry Enterprise Server and device have the correct device transport key.
You must configure your organization’s firewall or proxy server to permit the BlackBerry Enterprise Server to start and maintain an outgoing connection to the BlackBerry Infrastructure over TCP port 3101.
- The BlackBerry® Enterprise Server sends a data packet that contains its unique SRP identifier to the BlackBerry® Infrastructure to claim the SRP identifier.
- The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Enterprise Server.
- The BlackBerry Enterprise Server sends a challenge string to the BlackBerry Infrastructure.
- The BlackBerry Infrastructure hashes the challenge string with the SRP authentication key using HMAC with the SHA-1 algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to the BlackBerry Enterprise Server as a challenge string.
- The BlackBerry Enterprise Server hashes the challenge string with the SRP authentication key, and sends a challenge response to the BlackBerry Infrastructure.
- The BlackBerry Infrastructure performs one of the following actions:
  - accepts the challenge response and sends a confirmation to the BlackBerry Enterprise Server to complete the authentication process and configure an authenticated SRP connection
  - rejects the challenge response
If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and BlackBerry Enterprise Server close the SRP connection. If a BlackBerry Enterprise Server uses the same SRP authentication key and SRP identifier to connect to (and then disconnect from) the BlackBerry Infrastructure 5 times in 1 minute, the BlackBerry Infrastructure deactivates the SRP identifier to help prevent a potentially malicious user from using the SRP identifier to create conditions for a DoS attack.
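As an added illustration that is not part of the BlackBerry documentation, the following Python models the mutual HMAC-SHA1 challenge-response described above together with the 5-connections-in-1-minute deactivation rule; the key bytes, SRP identifier, challenge length and timestamps are constructed placeholders, not real values.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed placeholder values, not real BlackBerry credentials.
SRP_KEY = bytes(range(20))      # the shared 20-byte SRP authentication key
SRP_ID = "S00000000"            # an SRP identifier (placeholder format)


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA1 of a challenge under the SRP authentication key: a 20-byte value."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


def verify_response(key: bytes, challenge: bytes, response: bytes) -> bool:
    # Constant-time comparison avoids leaking how many bytes of the MAC matched.
    return hmac.compare_digest(challenge_response(key, challenge), response)


class Infrastructure:
    """BlackBerry Infrastructure side: holds the key and enforces the per-SRP-ID
    rule that 5 closed connections within 1 minute deactivate the identifier."""

    def __init__(self, key: bytes, limit: int = 5, window: float = 60.0):
        self.key, self.limit, self.window = key, limit, window
        self.closed = {}          # srp_id -> timestamps of connections that were closed
        self.deactivated = set()

    def note_closed_connection(self, srp_id: str, now: float) -> None:
        q = self.closed.setdefault(srp_id, deque())
        q.append(now)
        while now - q[0] > self.window:   # forget closures older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.deactivated.add(srp_id)

    def handshake(self, srp_id: str, server_key: bytes, now: float) -> bool:
        """Mutual challenge-response; True means an authenticated SRP connection."""
        if srp_id in self.deactivated:
            return False                     # deactivated identifier: no connection
        infra_challenge = os.urandom(16)     # random challenge sent to the server
        server_challenge = os.urandom(16)    # server's random challenge to the infrastructure
        # The infrastructure proves it holds the key by answering the server's challenge.
        infra_answer = challenge_response(self.key, server_challenge)
        # The server proves the same by answering the infrastructure's challenge.
        server_answer = challenge_response(server_key, infra_challenge)
        ok = (verify_response(server_key, server_challenge, infra_answer)
              and verify_response(self.key, infra_challenge, server_answer))
        if not ok:
            self.note_closed_connection(srp_id, now)   # rejection closes the SRP connection
        return ok
```

A server holding the wrong key fails both verifications, and its fifth closed connection inside the window deactivates the identifier even for a later attempt with the correct key.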