Security Technical Overview

PIN encryption keys

The PIN encryption key is a Triple DES 168-bit key that a BlackBerry® device uses to encrypt PIN messages that it sends to other devices and to authenticate and decrypt PIN messages that it receives from other devices. If a BlackBerry device user knows the PIN of another device, the user can send a PIN message to the device. Unlike an email message that a user sends to an email address, a PIN message bypasses the BlackBerry® Enterprise Server and your organization's network.

By default, each device uses the same global PIN encryption key, which Research In Motion adds to the device during the manufacturing process. The global PIN encryption key permits every device to authenticate and decrypt every PIN message that the device receives. Because all devices share the same global PIN encryption key, there is a limit to how effectively PIN messages are encrypted. PIN messages are not considered as confidential as email messages that are sent from the BlackBerry Enterprise Server, which use BlackBerry transport layer encryption. Encryption using the global PIN encryption key is sometimes referred to as "scrambling".

If the security policies of your organization require additional confidentiality for PIN messages, you can generate a PIN encryption key that is specific to your organization or configure S/MIME encryption or PGP® encryption for PIN messages.

A device that has a PIN encryption key that is specific to your organization has the following restrictions:
  • it can encrypt PIN messages only when they are sent to other devices on your organization's network that use the same PIN encryption key
  • it can decrypt only PIN messages that are sent from devices that use the global PIN encryption key or from other devices on your organization's network that use the same PIN encryption key
  • it cannot decrypt PIN messages sent from devices that use a PIN encryption key from another organization

You can generate a PIN encryption key for your organization and send it to devices using the BlackBerry Administration Service.

When you use a PIN encryption key that is specific to your organization, BlackBerry® Messenger messages also use the PIN encryption key. If you use a PIN encryption key that is specific to your organization, you limit users so that they can only use BlackBerry Messenger with other users in your organization and you create a closed community within your organization.

Optionally, you can configure the Firewall Block Incoming Messages IT policy rule to block PIN messages that are sent from devices that have the global PIN encryption key. For more information, see the BlackBerry Enterprise Server Policy Reference Guide.
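
The rules above can be checked against a device fleet with a small model. This is an added example, not BlackBerry code: the device names, the key labels and the `block_global` flag (standing in for the Firewall Block Incoming Messages IT policy rule) are constructed, and it assumes a device that has an organization key always sends with that key.

```python
from dataclasses import dataclass
from typing import List, Optional

GLOBAL = "global"  # label for the key that every device ships with


@dataclass(frozen=True)
class Device:
    name: str
    org_key: Optional[str] = None  # constructed label for an organization-specific key
    block_global: bool = False     # models the Firewall Block Incoming Messages rule

    @property
    def send_key(self) -> str:
        # Assumption: once an organization key is present, it is used for sending.
        return self.org_key or GLOBAL


def can_read(sender: Device, receiver: Device) -> bool:
    """True if receiver can authenticate and decrypt a PIN message from sender."""
    if sender.send_key == GLOBAL:
        # Every device holds the global key; only the IT policy rule rejects it.
        return not receiver.block_global
    # Organization keys only match devices that carry the same key.
    return receiver.org_key == sender.send_key


def readers(sender: Device, fleet: List[Device]) -> List[str]:
    """Names of the devices in fleet that can read a PIN message from sender."""
    return sorted(d.name for d in fleet if d is not sender and can_read(sender, d))


# Constructed sample fleet: two organizations and one unmanaged device.
ALICE = Device("alice", org_key="org-A")
BOB = Device("bob", org_key="org-A", block_global=True)
CAROL = Device("carol", org_key="org-B")
DAVE = Device("dave")  # global key only
FLEET = [ALICE, BOB, CAROL, DAVE]

if __name__ == "__main__":
    for dev in FLEET:
        print(f"{dev.name:5} ({dev.send_key}) -> {readers(dev, FLEET)}")
```

In this model the organization key closes outbound traffic to the organization, but inbound messages scrambled with the global key are still accepted until the firewall rule is set, which is the difference between `alice` and `bob`.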
