Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other

To encrypt data that is in transit between the BlackBerry® Enterprise Server and a BlackBerry device in your organization, the BlackBerry® Enterprise Solution uses BlackBerry transport layer encryption. BlackBerry transport layer encryption is designed to encrypt data from the time that a BlackBerry device user sends a message from the BlackBerry device to when the BlackBerry Enterprise Server receives the message, and from the time that the BlackBerry Enterprise Server sends a message to when the BlackBerry device receives the message.

Before the BlackBerry device sends a message, it compresses and encrypts the message using the device transport key. When the BlackBerry Enterprise Server receives a message from the BlackBerry device, the BlackBerry Dispatcher decrypts the message using the device transport key, and then decompresses the message.

Algorithms that the BlackBerry Enterprise Solution uses to encrypt data

The BlackBerry® Enterprise Solution uses AES or Triple DES as the symmetric key cryptographic algorithm for encrypting data. By default, the BlackBerry® Enterprise Server uses the strongest algorithm that both the BlackBerry Enterprise Server and the BlackBerry device support for BlackBerry transport layer encryption.

If you configure the BlackBerry Enterprise Server to support AES and Triple DES, by default, the BlackBerry Enterprise Solution generates device transport keys using AES encryption. If a BlackBerry device uses BlackBerry® Device Software version 3.7 or earlier or BlackBerry® Desktop Software version 3.7 or earlier, the BlackBerry Enterprise Solution generates the device transport keys of the BlackBerry device using Triple DES.

How the BlackBerry Enterprise Solution uses AES to encrypt data

By default, when a BlackBerry® device supports AES, the BlackBerry® Enterprise Solution uses AES for BlackBerry transport layer encryption. The BlackBerry Enterprise Solution uses AES in CBC mode to generate the message keys and device transport keys. The keys consist of 256 bits of data.

BlackBerry® Enterprise Server version 4.0 or later, BlackBerry® Device Software version 4.0 or later, and BlackBerry® Desktop Software version 4.0 or later support AES.

For more information about how the BlackBerry Enterprise Server uses AES for BlackBerry transport layer encryption to communicate with BlackBerry devices, visit www.blackberry.com/support to read article KB05429.

How the BlackBerry Enterprise Solution uses Triple DES to encrypt data

The BlackBerry® Enterprise Solution uses a two-key Triple DES encryption algorithm to generate message keys and device transport keys. In the three iterations of the DES algorithm, the first 56-bit key in outer CBC mode encrypts the data, the second 56-bit key decrypts the data, and the first key encrypts the data again.

The BlackBerry Enterprise Solution stores the message keys and device transport keys as 128-bit binary strings with each parity bit in the least significant bit of each of the 8 bytes of key data. The message keys and device transport keys have overall key lengths of 112 bits and include 16 bits of parity data.

All versions of the BlackBerry® Enterprise Server, BlackBerry® Device Software, and BlackBerry® Desktop Software support Triple DES.

For more information about Triple DES, see Federal Information Processing Standard - FIPS PUB 81 [3].


Was this information helpful? Send us your comments.