Security Technical Overview

Local Navigation

Message keys

A BlackBerry® Enterprise Server and BlackBerry device generate one or more message keys that are designed to protect the integrity of the data (for example, short keys or large messages) that the BlackBerry Enterprise Server and device send between each other. If a message exceeds 2 KB and consists of several data packets, the BlackBerry Enterprise Server and device generate a unique message key for each data packet.

Each message key consists of random data that is designed to make it difficult for a third party to decrypt, re-create, or duplicate the message key.

The BlackBerry Enterprise Server and device do not store the message keys but they free the memory that is associated with the message keys after the BlackBerry Enterprise Server or device uses the message keys to decrypt the message.

Process flow: Generating a message key on a BlackBerry Enterprise Server

A BlackBerry® Enterprise Server is designed to use the DSA PRNG function to generate a message key.

To generate a message key, the BlackBerry Enterprise Server performs the following actions:

  1. retrieves random data from multiple sources for the seed, using a technique that the BlackBerry Enterprise Server derives from the initialization function of the ARC4 encryption algorithm
  2. uses the random data to reorder the contents of a 256-byte state array (also known as a 2048-bit state array)

    If the Microsoft® Cryptographic API exists on the computer that hosts the BlackBerry Enterprise Server, the BlackBerry Enterprise Server requests 512 bits of randomness from the Microsoft Cryptographic API to increase the randomness of the data.

  3. adds the 256-byte state array into the ARC4 algorithm to further randomize the 256-byte state array
  4. draws 521 bytes from the 256-byte state array

    The BlackBerry Enterprise Server draws an additional 9 bytes for the 256-byte state array, for a total of 521 bits (512 + 9 = 521) to make sure that the pointers before and after the generation process are not in the same place, and in case the first few bytes of the 256-byte state array are not random.

  5. uses SHA-512 to hash the 521-byte value to 64 bytes
  6. uses the 64-byte value to seed the DSA PRNG function

    The BlackBerry Enterprise Server stores a copy of the seed in a file. When the BlackBerry Enterprise Server restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.

  7. uses the DSA PRNG function to generate 256 pseudorandom bits for use with AES encryption and 128 pseudorandom bits for use with Triple DES encryption
  8. uses the pseudorandom bits with AES encryption or Triple DES encryption to generate the message key

For more information about the DSA PRNG function, see Federal Information Processing Standard - FIPS PUB 186-2.

Back To Top

Process flow: Generating a message key on a device

A BlackBerry® device uses the DRBG function if the device is operating in FIPS mode, and the DSA PRNG function if the device is not operating in FIPS mode, to generate a message key.

To generate a message key, the device performs the following actions:

  1. Retrieves random data from multiple sources to generate the seed using a technique that the device derives from the initialization function of the ARC4 encryption algorithm
  2. Uses the random data to reorder the contents of a 256-byte state array (also known as a 2048-bit state array)
  3. Adds the 256-byte state array into the ARC4 encryption algorithm to further randomize the 256-byte state array
  4. Draws 521 bytes from the ARC4 state array

    The device draws an additional 9 bytes for the 256-byte state array, for a total of 521 bytes (512 + 9 = 521) to make sure that the pointers before and after the call are not in the same place, and in case the first few bytes of the ARC4 state array are not random

  5. Uses SHA-512 to hash the 521-byte value to 64 bytes
  6. Uses the 64-byte value to seed the DRBG function (if the device is not operating in FIPS mode, the device uses the DSA PRNG function)

    The device stores a copy of the seed in a file. When the device restarts, it reads the seed from the file and uses the XOR function to compare the stored seed with the new seed.

  7. Uses the DRBG function to generate 128 pseudorandom bits for use with Triple DES encryption and 256 pseudorandom bits for use with AES encryption (if the device is not operating in FIPS mode, the device uses the DSA PRNG function)
  8. Uses the pseudorandom bits to create the message key

For more information about the DRBG function, see NIST Special Publication 800-90. For more information about the DSA PRNG function, see Federal Information Processing Standard - FIPS PUB 186-2.

Back To Top
Related concepts

Was this information helpful? Send us your comments.