Security Technical Overview


Resetting a device password when content protection is turned on

If you or a BlackBerry® device user turns on content protection for a BlackBerry device that is running BlackBerry® Device Software version 4.3 or later, you can reset the device password using a BlackBerry® Enterprise Server version 4.1 SP5 or later. The BlackBerry® Enterprise Solution uses the remote password reset cryptographic protocol to reset the device password when content protection is turned on. The device does not prompt the user for the old device password.

The remote password reset cryptographic protocol is designed to provide the following features:
  • permit the device to encrypt the content protection key again with the new password, without the old password being available
  • prevent a hardware-based attack on the device from recovering the content protection key without knowing either the device password or the IT policy private key that the BlackBerry Enterprise Server generates for the device
  • prevent the BlackBerry Enterprise Server from accessing any data that a potentially malicious user could use to recover the content protection key

To reset the device password, you send the Specify new device password and lock device IT administration command to the device. Send the IT administration command only to a content-protected device that is in the possession of its user. If you send the IT administration command to a device that is in the possession of a potentially malicious user, that user can use a hardware-based attack to recover the key pair that the device created when it received the IT policy. The potentially malicious user can use the key pair to decrypt all the data on the device.

Process flow: Resetting a device password when content protection is turned on

The process flow is designed so that the BlackBerry® Enterprise Server cannot reconstruct the encryption key at a later time.

The BlackBerry Enterprise Server performs the following actions when you send the Specify new device password and lock device IT administration command to a BlackBerry device when content protection is turned on:

  1. generates an encryption key using the IT policy public key and the NIST recommended 521-bit elliptic curve over a prime field
  2. encrypts the content protection key using the encryption key and the new device password (which is also encrypted)
  3. sends the data required to reconstruct the encryption key to the device

Cryptosystem parameters that the remote password reset cryptographic protocol uses

The BlackBerry® Enterprise Server and BlackBerry device are designed to share the following cryptosystem parameters when they use the remote password reset cryptographic protocol.

Uppercase parameters represent elliptic curve points. Lowercase parameters represent scalars. The elliptic curve group operations are additive.

Parameter and description:

E(Fq)
  This parameter represents the NIST approved 521-bit random elliptic curve over Fq, which has a cofactor of 1.

Fq
  This parameter represents a finite field of prime order q.

P
  This parameter represents a point of E that generates a prime subgroup of E(Fq) of order p.

B = bP
  This parameter represents the long-term IT policy public key and IT policy private key pair that the BlackBerry Enterprise Server generates for the BlackBerry device. The BlackBerry Enterprise Server stores b in the BlackBerry Configuration Database and sends B to the BlackBerry device in the IT policy.

D = dP
  This parameter represents the key pair that the BlackBerry device creates when it receives B. The BlackBerry device stores D, but it deletes d to prevent a hardware-based attack from recovering d and B and then calculating K = dB.

K = dB
  This parameter represents the encryption key that the BlackBerry device uses to encrypt the content protection key.

r
  This parameter represents a short-term random number that the BlackBerry device stores in RAM.

D' = rD
  This parameter represents a blinded version of D.

K' = bD' = brD = rK
  This parameter represents a blinded version of K.
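The blinded exchange that these parameters describe, worked through as an added example that is not part of this page or of the BlackBerry software. It substitutes secp256k1 for the NIST 521-bit curve (an assumption, chosen only because its parameters can be embedded here reliably); the relations K' = bD' = brD = rK and K = r^-1 K' hold identically on either curve, and the function and variable names are the example's own.

```python
# Added illustration of the remote password reset key recovery (not RIM/BlackBerry code).
# secp256k1 stands in for the NIST 521-bit curve; both are prime-order groups with cofactor 1.
import secrets

Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime q
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order p of <P>
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_q; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % Q == 0:   # A == -B (covers doubling a point with y == 0)
        return None
    if A == B:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def mul(k, A):
    """Double-and-add scalar multiplication k*A (k >= 0)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def remote_reset_key_recovery(b, d):
    """Return (K as computed at enrolment, K as recovered through the blinded exchange)."""
    B = mul(b, P)                  # server: IT policy key pair, b stays in the configuration database
    D = mul(d, P)                  # device: key pair created on receiving B
    K = mul(d, B)                  # device: encryption key K = dB, computed while d still exists
    del d                          # device deletes d; only D and the encrypted data remain
    r = secrets.randbelow(N - 1) + 1            # device: short-term blinding scalar held in RAM
    D_blind = mul(r, D)                         # device -> server: D' = rD
    K_blind = mul(b, D_blind)                   # server -> device: K' = bD' = rK (server never sees K)
    K_recovered = mul(pow(r, -1, N), K_blind)   # device: r^-1 K' = K, without d or the old password
    return K, K_recovered
```

The example covers only the recovery of K; the re-encryption of the content protection key under the new password and the transport of D' and K' are outside what this page specifies.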

