Security Technical Overview

Local Navigation

• Overview
  • BlackBerry Enterprise Solution security
  • Security features of the BlackBerry Enterprise Solution
  • Architecture: BlackBerry Enterprise Solution
• New in this release
• Keys on a device
  • Enforcing the FIPS mode of operation on a device
  • Device transport keys
    • States for device transport keys
    • Where the BlackBerry Enterprise Solution stores device transport keys
      • Where the BlackBerry Enterprise Server stores device transport keys in a Microsoft Exchange environment
      • Where the BlackBerry Enterprise Server stores device transport keys in an IBM Lotus Domino environment
    • Generating device transport keys
      • Generating the first device transport key for a device during the activation process
        • Security characteristics for generating the first device transport key
      • Generating subsequent device transport keys for a device
        • Security characteristics for generating subsequent device transport keys
      • Generating a device transport key manually
    • Process flow: Generating a device transport key using BlackBerry Desktop Software version 4.0 or later
  • Message keys
    • Process flow: Generating a message key on a BlackBerry Enterprise Server
    • Process flow: Generating a message key on a device
  • Content protection keys
    • Process flow: Turning on content protection using a BlackBerry Enterprise Server
    • Process flow: Generating a content protection key on a device
    • Process flow: Deriving an ephemeral key that protects a content protection key and ECC private key
  • Principal encryption keys
    • Process flow: Generating a principal encryption key
  • PIN encryption keys
• Encrypting data that the BlackBerry Enterprise Server and a device send to each other
  • Algorithms that the BlackBerry Enterprise Solution uses to encrypt data
    • How the BlackBerry Enterprise Solution uses AES to encrypt data
      • How a device uses the AES algorithm to help protect user data and keys
        • Process flow: Running a masking operation during the first AES calculation when content protection is turned on
        • Process flow: Running a masking operation during subsequent AES calculations when content protection is turned on
        • Process flow: Running a masking operation when a device does not use content protection
      • How the AES algorithm creates S-Box tables and uses round keys and masks
    • How the BlackBerry Enterprise Solution uses Triple DES to encrypt data
  • Process flow: Sending an email message to a device using BlackBerry transport layer encryption
  • Process flow: Sending an email message from a device using BlackBerry transport layer encryption
• Managing BlackBerry Enterprise Solution security
  • Using an IT policy to manage BlackBerry Enterprise Solution security
    • Preconfigured IT policies
    • Using IT policy rules to manage BlackBerry Enterprise Solution security
    • Sending an IT policy over the wireless network
    • Assigning IT policies and resolving IT policy conflicts
      • Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account
      • Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account
  • Best practice: Controlling which applications can use the GPS feature on a device
  • Using IT administration commands to protect a lost or stolen device
    • Process flow: Sending the Specify new device password and lock device IT administration command when content protection is turned on
  • Managing device access to the BlackBerry Enterprise Server
  • Using a segmented network to prevent the spread of malware
  • Moving a device to a BlackBerry Enterprise Server that uses a different BlackBerry Configuration Database
  • Configuring the IT Policy Viewer icon on a device
• Device storage space
  • Changing when a device cleans the device memory
  • When a BlackBerry device overwrites data in the BlackBerry device memory
  • Deleting all device data from the device storage space
    • When a device deletes all device data
    • Using IT policy rules to specify when a device must delete device data
    • Resetting a device to factory default settings
    • Process flow: Deleting all device data from a device
  • Scrubbing the memory of a device when deleting all device data
    • Scrubbing the device heap in RAM when deleting all device data
    • Scrubbing the flash memory on a device when deleting all device data
    • Scrubbing the user files on a device when deleting all device data
• Securing devices in your organization’s environment for personal use and work use
  • How a device classifies what data and applications are for work use or personal use
    • Data and applications that a device classifies for work use
    • Data and applications that a device classifies for personal use
  • Preventing a user from compromising work data on a device
    • Preventing a user from pasting work data into a personal application
    • Preventing a user from forwarding work data using personal channels
    • Prevent a user from using the work contact list in personal email accounts and personal calendars
    • Controlling the browsing traffic in the BlackBerry Browser
    • Preventing a user from backing up work data that is stored on a device
    • Protecting work data on a media card
  • Deleting only work data from a device
    • Process flow: Deleting only work data from a device
  • Managing third-party applications on a device that a user uses for personal purposes
  • Managing add-on applications on a device that a user uses for personal purposes
  • IT policy rules that apply to devices that users use for personal purposes
• Protecting data on a device
  • Encrypting user data on a locked device
    • Configuring the encryption of device data on a locked device
    • Process flow: Encrypting user data on a locked device
    • Process flow: Decrypting user data on an unlocked device
  • Encrypting the device transport key on a locked device
    • What happens when a user resets a device after you turn on content protection for the device transport key
  • Resetting a device password when content protection is turned on
    • Process flow: Resetting a device password when content protection is turned on
      • Cryptosystem parameters that the remote password reset cryptographic protocol uses
  • Protecting passwords that a device stores
  • Protecting data that a device stores on a media card
    • Process flow: Generating an encryption key for a media card
  • How the BlackBerry Attachment Service protects data on a device
    • Best practice: Protecting the BlackBerry Attachment Service
  • How a device protects its operating system and the BlackBerry Device Software
  • How a device authenticates the boot ROM code and binds the device processor when the device turns on
• Protecting the data that the BlackBerry Enterprise Server stores in your organization's environment
  • Where the BlackBerry Enterprise Server stores messages and user data in the messaging environment
  • Data that the BlackBerry Configuration Database stores
    • Best practice: Protecting the data that the BlackBerry Configuration Database stores
  • How the BlackBerry Enterprise Server and device protect IT policies
• Protecting communication with a device
  • Opening a direct connection between a device and a BlackBerry Router
    • Advantages of using the BlackBerry Router protocol
    • Process flow: Authenticating a device with the BlackBerry Enterprise Server using the BlackBerry Router protocol
    • Closing a direct connection between a device and BlackBerry Router
    • Impersonation attacks that the BlackBerry Router protocol is designed to prevent
    • How the BlackBerry Router protocol uses the Schnorr identification scheme to open an authenticated connection
    • Process flow: Using the BlackBerry Router protocol to open an authenticated connection
    • Process flow: Using the BlackBerry Router protocol to close an authenticated connection
    • Cryptosystem parameters that the BlackBerry Router protocol uses
  • Best practice: Protecting plain text messages that a device sends over the wireless network
  • How the BlackBerry Enterprise Server protects connections between a device and the Internet or intranet
  • Protecting HTTP connections from a device to content servers and application servers using HTTPS
  • Warning messages for invalid certificates
  • Permitting TLS connections to websites that use invalid certificates
    • When a website certificate changes
    • When IT policy rule changes affect TLS settings
  • How a device protects a connection to a WAP gateway
  • What happens to data that is not delivered to a device
    • What happens to data that is not delivered because the connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure closes
    • What happens to data that is not delivered because a device is not available on the wireless network
• Protecting communications in your organization's environment
  • How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other
    • What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection
    • How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure
    • Process flow: Authenticating a BlackBerry Enterprise Server with the BlackBerry Infrastructure
  • How a BlackBerry Enterprise Server and messaging server protect a connection to each other
  • How the BlackBerry Enterprise Server components and the BlackBerry MVS protect communication
  • How the BlackBerry Desktop Manager protects communication using the BlackBerry inter-process protocol
    • Process flow: Authenticating the application loader tool or Roxio Media Manager with the BlackBerry Desktop Software using the BlackBerry inter-process protocol
  • How the BlackBerry Collaboration Service connects to an instant messaging server and collaboration clients on devices
  • Protecting your organization’s resources when using BlackBerry MDS Connection Service integrated authentication
    • Architecture: BlackBerry MDS Connection Service integrated authentication
    • How the BlackBerry MDS Connection Service uses Kerberos to help protect your organization's resources
    • Identifying the resources that users can access using BlackBerry MDS Connection Service integrated authentication
    • Process flow: Retrieving a resource when using BlackBerry MDS Connection Service integrated authentication
  • Protecting your organization’s resources when you configure BlackBerry Administration Service single sign-on
    • Architecture: BlackBerry Administration Service single sign-on
    • How BlackBerry Administration Service single sign-on uses Kerberos to help protect your organization’s resources
    • How the BlackBerry Administration Service completes Kerberos authentication
    • Process flow: Accessing the BlackBerry Administration Service console and BlackBerry Web Desktop Manager when you configure BlackBerry Administration Service single sign-on
• Activating a device
  • Activating a device over the wireless network
  • Process flow: Activating a device over the wireless network
• Managing certificates on a device
  • Purpose of certificates on a device
  • Importing certificates onto a device
  • Configuring BlackBerry devices to enroll certificates over the wireless network
  • Managing an enrolled certificate
  • Determining the status of certificates using a CRL or OCSP
  • Process flow: Enrolling a certificate when the certification authority approves certificate requests automatically
  • Process flow: Enrolling a certificate when a certification authority administrator approves certificate requests
  • Process flow: Enrolling a certificate using an RSA certification authority
• Protecting BlackBerry Device Software updates
  • Protecting BlackBerry Device Software updates over the wireless network
    • How the BlackBerry Enterprise Solution protects BlackBerry Device Software updates over the wireless network using encryption
    • How the BlackBerry Enterprise Solution protects BlackBerry Device Software updates over the wireless network using IT policies and content protection
    • Battery power requirements for BlackBerry Device Software updates over the wireless network
    • Process flow: Preparing to send a BlackBerry Device Software update over the wireless network
    • How a device validates a BlackBerry Device Software update over the wireless network
  • Updating the BlackBerry Device Software from an update web site
    • Protecting cryptographic services data when updating the BlackBerry Device Software from an update web site
    • Process flow: Generating a BlackBerry services key that protects cryptographic services data
    • Process flow: Backing up cryptographic services data using the BlackBerry Desktop Manager
    • Process flow: Restoring cryptographic services data using the BlackBerry Desktop Manager or BlackBerry Application Web Loader
• Extending messaging security to a device
  • Extending messaging security using PGP encryption
    • PGP public keys and PGP private keys
    • Retrieving PGP keys from a PGP Universal Server or LDAP servers
    • Encryption algorithms that the device supports for PGP encryption
    • Process flow: Sending an email message using PGP encryption
    • Process flow: Receiving a PGP encrypted message
  • Extending messaging security using S/MIME encryption
    • S/MIME certificates and S/MIME private keys
    • Retrieving S/MIME certificates and checking certificate status
    • S/MIME encryption algorithms
    • Process flow: Sending an email message using S/MIME encryption
    • Process flow: Receiving an S/MIME-encrypted email message
  • Extending messaging security using IBM Lotus Notes encryption
    • Protecting the password for an IBM Lotus Notes .id file
      • How a device protects the password for an IBM Lotus Notes .id file
      • How the BlackBerry Messaging Agent protects the password for an IBM Lotus Notes .id file
    • Process flow: Sending an email message using IBM Lotus Notes encryption
    • Process flow: Receiving an IBM Lotus Notes encrypted message
  • Extending messaging security for attachments
    • Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message
    • Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
    • Process flow: Sending an S/MIME-protected email message that contains attachments that are located on a device
    • Process flow: Forwarding an S/MIME-protected email message that contains attachments that are not located on a device
• Configuring two-factor authentication and protecting Bluetooth connections
  • BlackBerry Smart Card Reader
  • Advanced Security SD cards
  • Two-factor authentication
    • Verifying that a device is bound to a smart card
    • Process flow: Turning on two-factor authentication using a smart card
    • Creating two-factor authentication methods
  • Two-factor content protection
    • Process flow: Turning on two-factor content protection
  • Unbinding a smart card from a device
  • Protecting Bluetooth connections on a device
    • Using CHAP to open a Bluetooth connection between the BlackBerry Desktop Software and a device
• Wi-Fi enabled devices
  • Types of Wi-Fi networks
  • Security features of a Wi-Fi enabled device
  • Protecting a connection between a Wi-Fi enabled device and an enterprise Wi-Fi network
  • How a Wi-Fi enabled device can connect to the BlackBerry Infrastructure
    • How an SSL connection between a Wi-Fi enabled device and the BlackBerry Infrastructure protects data
    • Process flow: Opening an SSL connection between the BlackBerry Infrastructure and a Wi-Fi enabled device
    • Cipher suites that a Wi-Fi enabled device supports for opening SSL connections and TLS connections
  • Managing how a device connects to an enterprise Wi-Fi network
  • How the BlackBerry Enterprise Solution protects sensitive Wi-Fi information
  • Using a VPN with a Wi-Fi enabled device
    • Permitting a Wi-Fi enabled device to log in to a VPN concentrator
    • Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN
    • Supported UI settings for VPN concentrators
      • Supported configurations for the Cisco VPN 3000 Series Concentrator
      • Supported configurations for the Cisco PIX Firewall
      • Supported configurations for the Cisco IOS Easy VPN
      • Supported configurations for the Secure Computing Sidewinder
      • Supported configurations for Nortel Networks Contivity
  • Using a captive portal to connect to an enterprise Wi-Fi network or Wi-Fi hotspot
  • Protecting a connection between a Wi-Fi enabled device and an enterprise Wi-Fi network using RSA authentication
    • Process flow: Generating a token code for a software token
• Layer 2 security methods that a Wi-Fi enabled device supports
  • WEP encryption
  • PSK protocol
  • IEEE 802.1X standard
    • Caching a PMK when using the IEEE 802.1X standard
    • Process flow: Authenticating a Wi-Fi enabled device with an enterprise Wi-Fi network using the IEEE 802.1X standard
  • EAP authentication methods that a Wi-Fi enabled device supports
    • LEAP authentication
    • PEAP authentication
    • EAP-TLS authentication
    • EAP-TTLS authentication
    • EAP-FAST authentication
    • EAP-SIM authentication
  • Encryption keys that a Wi-Fi enabled device supports for use with layer 2 security methods
  • EAP authentication methods that a device supports the use of CCKM with
  • Using certificates with PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication
• Controlling applications on a device
  • Creating a third-party application for a device
  • Specifying the resources that third-party applications can access on a device
    • Using application control policy rules to specify whether a user can install a third-party application on a device
    • Managing BlackBerry Java Applications on a device using code signing
  • Permitting a third-party application to encode data on a device
  • Removing third-party applications when a user deletes all device data
  • Controlling which applications can access NFC features on a device
  • Controlling which applications can access the secure element on a device
• RIM Cryptographic API
  • Cryptographic algorithms and cryptographic codes that the RIM Cryptographic API supports
    • Symmetric block algorithms that the RIM Cryptographic API supports
    • Stream encryption algorithms that the RIM Cryptographic API supports
    • Asymmetric encryption algorithms that the RIM Cryptographic API supports
    • Key agreement scheme algorithms that the RIM Cryptographic API supports
    • Signature scheme algorithms that the RIM Cryptographic API supports
    • Key generation algorithms that the RIM Cryptographic API supports
    • Message authentication codes that the RIM Cryptographic API supports
    • Message digest codes that the RIM Cryptographic API supports
  • TLS and WTLS protocols that the RIM Cryptographic API supports
    • Cipher suites for the key establishment algorithm that the RIM Cryptographic API supports
    • Symmetric algorithms that the RIM Cryptographic API supports
    • Hash algorithms that the RIM Cryptographic API supports
  • Limitations of RIM Cryptographic API support for cipher suites for the key establishment algorithm
• Related resources
• Glossary
• Provide feedback
• Legal notice