Two-factor content protection
Two-factor content protection on the BlackBerry® device is designed to protect the content protection decryption keys with both a private key that is stored on a smart card and the device password.
To store the private key, you can use either a smart card with the BlackBerry® Smart Card Reader or an Advanced Security SD card. The content protection key is not transferred from the device to the BlackBerry Smart Card Reader or Advanced Security SD card.
Two-factor content protection requires the device password, a smart card, and an authentication certificate that is stored on the device. The authentication certificate must contain the public key for the private key that is stored on the smart card. If the authentication certificate expires or is revoked, a user can continue to use it for two-factor content protection until the user creates and configures a new certificate to use with two-factor content protection.
You or a user can configure two-factor content protection. By default, if a user has a smart card and an authentication certificate on the device, the user can turn on two-factor content protection. To make two-factor content protection required or optional, or to prevent a user from configuring it, you can use the Two Factor Content Protection Usage IT policy rule. To unlock the device after you or a user turns on two-factor content protection, the user must type the device password and smart card PIN on the login screen in the appropriate fields.
If you or a user turns on two-factor content protection, you cannot change the device password using the BlackBerry Administration Service. Only the user can change the device password on the device.
BlackBerry® Device Software 5.0 and later and BlackBerry Smart Card Reader 2.0 and later support two-factor content protection. You must verify that the IT policies that you can use to manage two-factor content protection are available on your organization’s BlackBerry® Enterprise Server. BlackBerry Enterprise Server 5.0 SP1 and later include the IT policies that you require to manage two-factor content protection.
Process flow: Turning on two-factor content protection
1. When you or a BlackBerry® device user turns on two-factor content protection on the BlackBerry device for the first time, the device performs the following actions:
   a. generates a random 256-bit symmetric key for the smart card authenticator
   b. derives an ephemeral AES-256 key from the symmetric key for the smart card authenticator and the device password, using PKCS #5
   c. uses the ephemeral key to encrypt the content protection key and ECC private keys
   d. stores the encrypted content protection key and encrypted ECC private keys in the device memory
   e. generates a 256-bit pseudorandom number
   f. computes the SHA-256 hash of the pseudorandom number, uses it to encrypt the symmetric key for the smart card authenticator, and stores the encrypted symmetric key for the smart card authenticator in the device memory
   g. encrypts the pseudorandom number using the public key in the authentication certificate that you configured for use with two-factor content protection, and stores the encrypted pseudorandom number in the device memory
   h. discards the pseudorandom number, the SHA-256 hash of the pseudorandom number, the ephemeral key, and the key for the smart card authenticator
2. When the device locks, the device discards the content protection key and ECC private keys.
3. When a user unlocks the device, the device retrieves the encrypted copy of the pseudorandom number from the device memory and sends it to the smart card authenticator.
4. The smart card authenticator decrypts the encrypted copy of the pseudorandom number.
5. The device performs the following actions:
   a. retrieves the encrypted copy of the key for the smart card authenticator from the device memory and decrypts it using the SHA-256 hash of the decrypted pseudorandom number
   b. uses the key for the smart card authenticator and the device password to generate a 256-bit ephemeral key
   c. uses the 256-bit ephemeral key to decrypt the ECC private keys and content protection key
   d. repeats steps 1e to 1h
The device generates a new pseudorandom number each time the user unlocks the device.
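As an added worked example (not BlackBerry code and not taken from this page), the following Go program models the key-wrapping chain in the process flow above: a smart card that only decrypts, a device memory that holds nothing but wrapped material while the device is locked, and the turn-on and unlock steps numbered as in the flow. Everything beyond what the page states is an assumption: AES-256-GCM as the AES mode, RSA-OAEP as the certificate's public-key operation, the device password as the PBKDF2 password with the authenticator key as its salt, an iteration count of 10000, and a single content protection key standing in for the content protection key plus ECC private keys. PBKDF2 is written out rather than imported so that only the standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

const kdfIterations = 10000 // PKCS #5 iteration count (assumed; the page gives none)
// must turns "cannot happen" failures (RNG, AES key setup, RSA key generation) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// pbkdf2SHA256 is one 32-byte block of PKCS #5 PBKDF2-HMAC-SHA256, enough for an AES-256 key.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// AES-256-GCM is the assumed AES mode: a wrong key fails authentication instead of yielding garbage.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func wrap(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil) // nonce is prefixed to the ciphertext
}
func unwrap(key, blob []byte) ([]byte, error) {
	g := gcm(key) // blobs always come from wrap, so they are at least nonce-size long
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// SmartCard stands in for the card: the private key never leaves it; the device only calls Decrypt.
type SmartCard struct{ priv *rsa.PrivateKey }
func NewSmartCard() *SmartCard { return &SmartCard{priv: must(rsa.GenerateKey(rand.Reader, 2048))} }
// Public is the key that sits in the authentication certificate on the device.
func (c *SmartCard) Public() *rsa.PublicKey { return &c.priv.PublicKey }
// Decrypt is step 4. RSA-OAEP is assumed; the page does not name the public-key scheme.
func (c *SmartCard) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ct, nil)
}
// DeviceMemory is all that persists while the device is locked: the content protection key under the
// ephemeral key (1c, 1d), the authenticator key under SHA-256(PRN) (1f), the PRN under the public key (1g).
type DeviceMemory struct{ WrappedContentKey, WrappedAuthKey, EncryptedPRN []byte }
// sealAuthKey is steps 1e to 1h; prn, kek and authKey are dropped on return (1h).
func sealAuthKey(pub *rsa.PublicKey, authKey []byte) ([]byte, []byte) {
	prn := randBytes(32)      // 1e
	kek := sha256.Sum256(prn) // 1f
	return wrap(kek[:], authKey), must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, prn, nil)) // 1g
}
// TurnOn is step 1: protect contentKey with the device password and the card's public key.
func TurnOn(pub *rsa.PublicKey, password, contentKey []byte) *DeviceMemory {
	authKey := randBytes(32)                              // 1a
	eph := pbkdf2SHA256(password, authKey, kdfIterations) // 1b (password/salt roles assumed)
	wrappedAuth, encPRN := sealAuthKey(pub, authKey)      // 1e to 1h
	return &DeviceMemory{wrap(eph, contentKey), wrappedAuth, encPRN} // 1c, 1d
}

// Unlock is steps 3 to 5: both the card and the password are required, then the PRN is replaced (5d).
func Unlock(mem *DeviceMemory, card *SmartCard, password []byte) ([]byte, error) {
	prn, err := card.Decrypt(mem.EncryptedPRN) // 3, 4
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(prn)
	authKey, err := unwrap(kek[:], mem.WrappedAuthKey) // 5a
	if err != nil {
		return nil, err
	}
	eph := pbkdf2SHA256(password, authKey, kdfIterations) // 5b
	contentKey, err := unwrap(eph, mem.WrappedContentKey)  // 5c: a wrong password fails here
	if err != nil {
		return nil, err
	}
	mem.WrappedAuthKey, mem.EncryptedPRN = sealAuthKey(card.Public(), authKey) // 5d
	return contentKey, nil
}
```

Running `TurnOn` and then `Unlock` shows the property the flow is built for: while locked, the device holds only three wrapped blobs, a wrong password fails at step 5c because the ephemeral key does not authenticate, a different card fails at step 4 before anything is unwrapped, and each successful unlock leaves a freshly encrypted pseudorandom number behind while the wrapped content protection key stays untouched.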