BBM Enterprise standards and algorithms

BBM Enterprise uses FIPS 140-2 validated cryptographic libraries to ensure that it satisfies the security requirements for protecting unclassified information as defined by the Federal Information Processing Standards.

BBM Enterprise uses ECC because it offers significant advantages over the most widely used alternative, RSA. BlackBerry uses the ECC implementation that is offered by Certicom, which is a wholly owned subsidiary of BlackBerry. Certicom has been developing standards-based cryptography for over 25 years. Certicom is the acknowledged worldwide leader in ECC, offering the most security per bit of any known public key scheme. For example, a 160-bit ECC key and a 1024-bit RSA key offer a similar level of security. A 512-bit ECC key provides the same level of security as a 15,360-bit RSA key.

BBM Enterprise standards

BBM Enterprise uses the following standards for signing, encrypting, and hashing, which meet or exceed the NIST Suite B cryptographic guidelines:
  • Digital signature standard FIPS 186-4: provides a means of guaranteeing the authenticity and non-repudiation of messages
  • AES symmetric encryption standard FIPS 197: uses agreed symmetric keys to guarantee the confidentiality of messages
  • HMAC standard FIPS 198-1: based on SHA2-256 and uses agreed symmetric keys to guarantee the integrity of messages
  • Cryptographic key generation standard NIST SP 800-133: generates the cryptographic keys that are needed to employ algorithms that provide confidentiality and integrity protection for messages
  • Secure Hash standard FIPS 180-4: provides preimage and collision resistant hash functions that are required for secure HMACs, digital signatures, key derivation, and key exchange

BBM Enterprise algorithms and functions

To protect the connection between BBM Enterprise users during a chat, BBM Enterprise users exchange public signing and encryption keys using an in-band or out-of-band shared secret and EC-SPEKE. For details, see Key exchange process. These keys are then used to encrypt and digitally sign messages between the devices.
BBM Enterprise uses the following algorithms that are based on NIST standards with 256-bit equivalent security:
  • EC-SPEKE: securely exchanges a symmetric key by protecting the exchange with a password
  • KDF: securely derives message keys from shared secrets
  • One-Pass DH: using one user’s private key and another user’s public key, derives a new shared secret between the users
The algorithms and associated key strengths that BBM Enterprise implements are:
  • AES-256 for symmetric encryption
  • ECDSA with NIST curve P-521 for signing
  • One-Pass ECDH with NIST curve P-521 for symmetric key agreement
  • SHA2-512 for hashing and key derivation
  • SHA2-256-128 HMAC for message authentication codes
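
The KDF and truncated-HMAC steps listed above, as an added example that is not BlackBerry's code. The page names only "KDF" with SHA2-512, so HKDF (RFC 5869) is assumed here; the function names, the context label and the 66-byte shared secret are constructed for illustration.

```python
import hashlib
import hmac


def hkdf_sha512(secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over SHA2-512. Assumed KDF; the page does not name one."""
    if length > 255 * 64:
        raise ValueError("HKDF-SHA512 output is limited to 255 * 64 bytes")
    # Extract: concentrate the shared secret into a fixed-size pseudorandom key.
    prk = hmac.new(salt or b"\x00" * 64, secret, hashlib.sha512).digest()
    # Expand: chain HMAC blocks until enough key material is produced.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_message_keys(shared_secret: bytes, context: bytes):
    """Derive separate AES-256 and HMAC keys so neither key is reused."""
    okm = hkdf_sha512(shared_secret, b"", b"example-msg-keys|" + context, 64)
    return okm[:32], okm[32:]  # (encryption key, MAC key)


def tag_128(mac_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA2-256 truncated to its leftmost 128 bits (SHA2-256-128)."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:16]


def verify_128(mac_key: bytes, data: bytes, tag: bytes) -> bool:
    """Enforce the fixed tag length, then compare in constant time."""
    return len(tag) == 16 and hmac.compare_digest(tag_128(mac_key, data), tag)


if __name__ == "__main__":
    # Constructed stand-in for a P-521 ECDH shared secret (66 bytes).
    shared_secret = bytes(range(66))
    enc_key, mac_key = derive_message_keys(shared_secret, b"chat-1")
    ciphertext = b"constructed ciphertext bytes"  # AES-256 output would go here
    tag = tag_128(mac_key, ciphertext)
    print("tag:", tag.hex())
    print("valid tag accepted:", verify_128(mac_key, ciphertext, tag))
    print("shortened tag accepted:", verify_128(mac_key, ciphertext, tag[:8]))
    print("modified data accepted:", verify_128(mac_key, ciphertext + b"x", tag))
```
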
BBM Enterprise voice and video calling uses SRTP media streaming and implements the following algorithms and associated key strengths:
  • AES-256 in GCM mode for symmetric encryption
  • 112-bit salting keys
  • BBM Enterprise messaging for symmetric key transfer
  • SHA1 80-bit tag for message authentication and integrity