
BBM Enterprise key usage

BBM Enterprise uses two types of cryptographic keys: identity keys and chat keys. Each user has two long-lived public and private key pairs known as their identity keys. One of the key pairs in this set is used to sign messages from the user, and one is used to create secure peer-to-peer encryption contexts between two users. The public identity keys must be shared with other users, while the private identity keys must only be held by the clients of the user that owns them.
When a BBM Enterprise user wants to start communicating with another BBM Enterprise user, the two users must first exchange their public identity keys. Before exchanging keys, BBM Enterprise first performs an EC-SPEKE exchange with the other user, who must prove their identity by providing a passphrase generated by the initiator. This EC-SPEKE exchange establishes a trusted ephemeral cryptographic context within which the users' identity keys are then exchanged. For more information, see Key exchange process.
When a BBM Enterprise user starts a chat with another BBM Enterprise user, BBM Enterprise creates a new random chat key that is used to protect the metadata and messages of that chat. Chat messages are encrypted using a per-message key generated by combining the chat key with a message counter, nonce, and other information using ANSI-X9.63-KDF. All participant endpoints within a chat must share the chat key, and it must be protected from users and clients that do not belong to the chat. BBM Enterprise shares the chat key with another user by sending a protected identity message.
Identity messages are messages exchanged between two users outside of a chat (for instance, an invitation to join a chat from one user to another). Identity messages are encrypted using a per-message key generated by both the sender and recipient: the remote identity's public encryption key and the local identity's private encryption key are used to generate an ECDH secp521r1 528-bit shared secret. This shared secret is combined with the message counter and nonce to make a secret that is used to derive a key using ANSI-X9.63-KDF.
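The following is an added illustration of the per-message key derivation described for chat messages and for identity messages above; it is not BlackBerry's code, and the byte layout of the counter, nonce and "other information" fed into the KDF, the 256-bit chat key size, the 96-bit nonce size and the context labels are assumptions, since the page does not specify them. The ANSI X9.63 KDF itself is implemented as specified in SEC 1 (hash of the shared secret, a 32-bit big-endian block counter and the shared info, repeated until enough key material is produced). For identity messages the shared secret is the 66-byte (528-bit) secp521r1 ECDH output; a constructed placeholder stands in for it here so the example runs offline.

```python
import hashlib
import os
import struct

# ANSI X9.63 KDF (SEC 1 v2.0, section 3.6.1):
#   K = Hash(Z || Counter_1 || SharedInfo) || Hash(Z || Counter_2 || SharedInfo) || ...
# where Counter_i is a 4-byte big-endian integer starting at 1; the result is
# truncated to key_len bytes.
def x963_kdf(shared_secret: bytes, shared_info: bytes, key_len: int,
             hash_name: str = "sha256") -> bytes:
    digest_size = hashlib.new(hash_name).digest_size
    if key_len <= 0 or key_len >= digest_size * (2**32 - 1):
        raise ValueError("key_len out of range for X9.63 KDF")
    output = bytearray()
    counter = 1
    while len(output) < key_len:
        h = hashlib.new(hash_name)
        h.update(shared_secret)
        h.update(struct.pack(">I", counter))   # 32-bit big-endian block counter
        h.update(shared_info)
        output += h.digest()
        counter += 1
    return bytes(output[:key_len])


CHAT_KEY_LEN = 32          # assumption: 256-bit random chat key
NONCE_LEN = 12             # assumption: 96-bit per-message nonce
ECDH_P521_SECRET_LEN = 66  # secp521r1 shared secret: 66 bytes = 528 bits (from the page)


def new_chat_key() -> bytes:
    # A fresh random chat key is created when a chat starts.
    return os.urandom(CHAT_KEY_LEN)


def shared_info(message_counter: int, nonce: bytes, label: bytes) -> bytes:
    # Assumed encoding of the "message counter, nonce and other information"
    # that is mixed into the KDF: 8-byte big-endian counter || nonce || context label.
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce has wrong length")
    if not 0 <= message_counter < 2**64:
        raise ValueError("message counter out of range")
    return struct.pack(">Q", message_counter) + nonce + label


def chat_message_key(chat_key: bytes, message_counter: int, nonce: bytes) -> bytes:
    # Per-message key for a chat message: Z is the chat key shared by all participants.
    # A new counter or nonce yields an unrelated key, so no two messages share a key.
    if len(chat_key) != CHAT_KEY_LEN:
        raise ValueError("chat key has wrong length")
    return x963_kdf(chat_key, shared_info(message_counter, nonce, b"bbme-chat-msg"), 32)


def identity_message_key(ecdh_shared_secret: bytes, message_counter: int,
                         nonce: bytes) -> bytes:
    # Per-message key for an identity message: Z is the secp521r1 ECDH shared secret.
    # Sender and recipient each compute the same Z from their own private encryption
    # key and the peer's public encryption key, so the message key is never transmitted.
    if len(ecdh_shared_secret) != ECDH_P521_SECRET_LEN:
        raise ValueError("expected a 528-bit secp521r1 shared secret")
    return x963_kdf(ecdh_shared_secret,
                    shared_info(message_counter, nonce, b"bbme-identity-msg"), 32)


if __name__ == "__main__":
    chat_key = new_chat_key()
    nonce = os.urandom(NONCE_LEN)
    k1 = chat_message_key(chat_key, 1, nonce)
    k2 = chat_message_key(chat_key, 2, nonce)
    print("message 1 key:", k1.hex())
    print("message 2 key:", k2.hex())
    print("keys differ per counter:", k1 != k2)
    # Constructed placeholder for a real ECDH output (66 bytes), for demonstration only.
    fake_ecdh_secret = bytes(range(ECDH_P521_SECRET_LEN))
    print("identity message key:", identity_message_key(fake_ecdh_secret, 1, nonce).hex())
```

The length check on the ECDH secret is the practical caveat: a 521-bit x-coordinate must be left-padded to a fixed 66 bytes before it enters the KDF, otherwise two endpoints that encode it differently derive different keys and cannot decrypt each other's identity messages.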
Each BBM Enterprise identity and chat message is signed using ECDSA with the sender's signing key pair and verified by the receiver.
Diagram showing how keys are used in BBM Enterprise.