Protecting a connection between a Wi-Fi enabled device and an enterprise Wi-Fi network using RSA authentication
You can use software tokens to provide layer 2 authentication or layer 3 authentication on a Wi-Fi® enabled BlackBerry® device. When you configure a software token for a user, the device is designed to use the passcode to authenticate the user to the Wi-Fi network using PEAP authentication, EAP-GTC authentication, EAP-FAST authentication, EAP-TTLS authentication, or a VPN.
The RSA SecurID® Library on the device permits the device to periodically generate token codes for a software token. The device imports a seed, which consists of random data, and uses the seed to initialize the software token algorithm. The software token algorithm generates the token code on the device.
When the user opens a Wi-Fi connection or VPN connection that requires two-factor authentication on the device, the device prompts the user to type the software token PIN. The RSA SecurID Library adds the software token PIN to the beginning of the token code to create a passcode that the device can use with a two-factor authentication process.
BlackBerry transport layer encryption is designed to protect the seed when the BlackBerry® Enterprise Server sends it over the transport layer. The device uses Research In Motion® proprietary protocols that are designed to be highly secure to perform all communication necessary to retrieve the seed on behalf of the RSA SecurID Library.
Process flow: Generating a token code for a software token
- An administrator of the RSA SecurID® uses the RSA® Authentication Manager to import a seed as a soft token file in .asc format to a software token database and issue the software token file in .sdtid format. If necessary, the administrator can perform one or more of the following actions:
  - permit the user to specify the software token PIN
  - configure the RSA SecurID to automatically generate and send a software token PIN to a Wi-Fi® enabled BlackBerry® device
  - require the user to specify the software token PIN the first time that the user tries to complete RSA authentication on the BlackBerry device
  - bind the seed to a specific BlackBerry device PIN
  - specify a password to encrypt the .sdtid file seed
- You assign the .sdtid file seed for the BlackBerry device to the user account in the BlackBerry Administration Service. If required, you can type the password to decrypt the seed to use it on the BlackBerry device.
- The BlackBerry® Enterprise Server performs the following actions:
  - The BlackBerry Enterprise Server stores the .sdtid file seed in the BlackBerry Configuration Database.
  - The BlackBerry Enterprise Server pushes the .sdtid file seed (and the password, if the administrator of the RSA SecurID specified one) to the BlackBerry device during the BlackBerry device activation process and each time the administrator of the RSA SecurID changes the .sdtid file seed for the BlackBerry device.
- The BlackBerry device performs the following actions:
  - The BlackBerry device imports the .sdtid file seed. If the administrator of the RSA SecurID specified a password in the RSA Authentication Manager to encrypt the .sdtid file seed, the BlackBerry device uses the password to decrypt the .sdtid file seed. If the administrator of the RSA SecurID specified that the .sdtid file seed must bind to a specific BlackBerry device PIN, only the BlackBerry device with the specific PIN can import the seed.
  - The BlackBerry device stores the .sdtid file seed in flash memory.
  - The BlackBerry device imports a copy of the .sdtid file seed into the RSA SecurID on the BlackBerry device. When the BlackBerry device imports the .sdtid file seed into the RSA SecurID, the RSA SecurID randomly generates a password to encrypt the .sdtid file seed.
  - The RSA SecurID library on the BlackBerry device authenticates with the RSA® Authentication Agent and initializes the software token algorithm one time each minute.
  - Each time the user tries to open a Wi-Fi connection or VPN connection that requires RSA authentication, the BlackBerry device uses the initialized algorithm to combine the .sdtid file seed with random data that is based on the BlackBerry device time and generate a new token code for the software token.
The administrator of the RSA SecurID can use RSA Authentication Manager version 6.1 or later to configure an optional password to issue an encrypted .sdtid file seed to the user. The RSA SecurID library on the BlackBerry device can decrypt the .sdtid file seed using an optional password. The RSA SecurID library uses code signing to help prevent third-party applications from changing or reading the information that the RSA SecurID library stores on the BlackBerry device.
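The process flow above, modelled end to end as an added example that is not BlackBerry or RSA code: the issuing side protects the seed with the optional password and device-PIN binding, the device side enforces the binding and decrypts, a one-per-minute token code is derived from the seed and the device clock, and the software token PIN is placed before the token code to form the passcode. The real SecurID algorithm and .sdtid format are proprietary and not described on this page, so an HMAC-SHA256 truncated to six digits and a constructed XOR mask stand in for them; every function name here is assumed.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Assumed stand-in for the proprietary RSA SecurID algorithm: HMAC-SHA256
# over the current minute, truncated to 6 digits. Only the flow is modelled.
CODE_DIGITS = 6
STEP_SECONDS = 60  # the library re-initialises the algorithm once a minute


def _mask(seed: bytes, password: str) -> bytes:
    # Constructed seed protection keyed by the issuing password (not RSA's
    # .sdtid format); seeds of up to 32 bytes are covered by the key stream.
    key = hashlib.sha256(password.encode()).digest()[: len(seed)]
    return bytes(a ^ b for a, b in zip(seed, key))


def issue_token(seed: bytes, password: Optional[str] = None,
                bound_device_pin: Optional[str] = None) -> dict:
    """Model the Authentication Manager side: an issued .sdtid-like record."""
    return {
        "seed": _mask(seed, password) if password is not None else seed,
        "encrypted": password is not None,
        "bound_device_pin": bound_device_pin,
    }


def import_seed(token: dict, device_pin: str, password: Optional[str] = None) -> bytes:
    """Model the device-side import: enforce device-PIN binding, then decrypt."""
    bound_to = token["bound_device_pin"]
    if bound_to is not None and bound_to != device_pin:
        raise PermissionError("seed is bound to a different BlackBerry device PIN")
    if not token["encrypted"]:
        return token["seed"]
    if password is None:
        raise ValueError("this seed was issued with a password")
    return _mask(token["seed"], password)  # the XOR mask is its own inverse


def token_code(seed: bytes, device_time: int) -> str:
    """One code per minute, derived from the seed and the device clock."""
    counter = struct.pack(">Q", device_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def passcode(token_pin: str, seed: bytes, device_time: int) -> str:
    """The software token PIN is placed before the token code."""
    return token_pin + token_code(seed, device_time)
```

Because the code changes every minute, two passcodes produced within the same 60-second window are identical, which is why the library re-initialises the algorithm on that schedule.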