Security Technical Overview

How a Wi-Fi enabled device can connect to the BlackBerry Infrastructure

A Wi-Fi® enabled BlackBerry® device can connect directly to the BlackBerry® Infrastructure over the Internet to access the data services that a wireless service provider offers, even if UMA is not available. If UMA is available, the device can also access the voice services. A direct connection from the device to the BlackBerry Infrastructure is an alternative to the connection from the device to the BlackBerry Infrastructure over the mobile network. If a user’s wireless service provider makes UMA technology (also known as GAN technology) available, and the user subscribes to the UMA feature, the device is designed to open an SSL connection to the GANC using an IPSec VPN tunnel over an enterprise Wi-Fi network.

The device and the BlackBerry Infrastructure send all data to each other over an SSL connection. The SSL connection is designed to encrypt the data that the device and the BlackBerry Infrastructure send to each other.

How an SSL connection between a Wi-Fi enabled device and the BlackBerry Infrastructure protects data

An SSL connection between a Wi-Fi® enabled BlackBerry® device and the BlackBerry® Infrastructure is designed to provide the same protection that an SRP connection between the BlackBerry® Enterprise Server and BlackBerry Infrastructure provides. It is designed so that a potentially malicious user cannot use the SSL connection to send data to or receive data from the device.

If a potentially malicious user tries to impersonate the BlackBerry Infrastructure, the device is designed to prevent the connection. The device verifies whether the public key of the SSL certificate of the BlackBerry Infrastructure matches the private key of the root certificate that is preloaded on the device during the manufacturing process. If a user accepts a certificate that is not valid, the connection cannot open unless the device can also authenticate with a valid BlackBerry Enterprise Server or valid BlackBerry® Internet Service.

Process flow: Opening an SSL connection between the BlackBerry Infrastructure and a Wi-Fi enabled device

  1. A Wi-Fi® enabled BlackBerry® device sends a request to the BlackBerry® Infrastructure to open an SSL connection.
  2. The BlackBerry Infrastructure sends its SSL certificate to the device.
  3. The device uses a root certificate that is preloaded on the device to verify the SSL certificate. If the user deleted the root certificate, the device prompts the user to trust the SSL certificate.
  4. The device opens the SSL connection.

Cipher suites that a Wi-Fi enabled device supports for opening SSL connections and TLS connections

A Wi-Fi® enabled BlackBerry® device supports various cipher suites for direct mode SSL/TLS when the device opens SSL connections or TLS connections to the BlackBerry® Infrastructure or to web servers that are external to your organization.

The device supports the following cipher suites, in order, when it opens SSL connections:
  • SSL_RSA_WITH_RC4_128_SHA
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_DES_CBC_SHA
  • SSL_DH_anon_WITH_RC4_128_MD5
  • SSL_DHE_DSS_WITH_DES_CBC_SHA
  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DH_anon_WITH_DES_CBC_SHA
  • SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
  • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
The device supports the following cipher suites, in order, when it opens TLS connections:
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_anon_WITH_AES_128_CBC_SHA
  • TLS_DH_anon_WITH_AES_256_CBC_SHA
  • TLS_DH_anon_WITH_RC4_128_MD5
  • TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_anon_WITH_DES_CBC_SHA
  • TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
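
Added example (not part of the original BlackBerry documentation): each suite name above encodes a key exchange, a bulk cipher and a MAC, so a short Python parser can flag the entries whose weaknesses are visible in the name alone. The function names and finding labels are illustrative assumptions; the sample names are taken from the lists above.

```python
import re

# Name layout: <SSL|TLS>_<key exchange>[_EXPORT]_WITH_<bulk cipher>_<MAC>
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA|MD5)$")

def parse_suite(name):
    """Split a suite name into its key exchange, bulk cipher and MAC parts."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name!r}")
    kx = m.group("kx")
    return {"kx": kx.replace("_EXPORT", ""), "export": kx.endswith("_EXPORT"),
            "cipher": m.group("cipher"), "mac": m.group("mac")}

def findings(name):
    """Return the weaknesses that are visible in the suite name alone."""
    s = parse_suite(name)
    out = []
    if s["kx"] == "DH_anon":
        out.append("anonymous key exchange: server is not authenticated")
    if s["export"]:
        out.append("export-grade: 40-bit bulk cipher key")
    if s["cipher"].startswith("RC4"):
        out.append("RC4 stream cipher (prohibited by RFC 7465)")
    if s["cipher"].startswith("DES_"):
        out.append("single DES: 56-bit key")
    if s["cipher"].startswith("3DES"):
        out.append("3DES: 64-bit block size")
    if s["mac"] == "MD5":
        out.append("MD5-based MAC")
    return out

def audit(suites):
    """Map each flagged suite to its findings, preserving preference order."""
    return {n: f for n in suites if (f := findings(n))}

# Sample input: a subset of the names listed above, in the page's order.
SAMPLE = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
]

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE).items():
        print(suite, "->", "; ".join(reasons))
```

An empty result means only that nothing in the name is flagged; it says nothing about protocol-version or CBC-mode issues.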