Key exchange process

The BBM Enterprise key exchange process is protected by an EC-SPEKE passphrase. Protecting the exchange of public identity keys with a passphrase is a unique property of BBM Enterprise. The main purpose of this approach is to provide a strong cryptographic promise between the initiator and the recipient of a key exchange, so that BBM Enterprise users can be sure that they have the true, trusted keys for other users. With trusted identity keys, users can trust that only intended recipients can join chats and receive messages.
To exchange keys, BBM Enterprise users must also exchange a shared secret, using one of the following options:
  • Automatic passphrase exchange: Auto passphrase is a default feature of BBM Enterprise that allows users to exchange the required passphrase using an in-band mechanism instead of an out-of-band mechanism. The passphrase that users exchange is generated automatically. The passphrase is shared in-band, using a BBM Enterprise message, and requires no user interaction to set it up. The sender’s BBM Enterprise app automatically generates a passphrase and sends it to the recipient to use as the passphrase. With auto passphrase, BBM Enterprise seamlessly initiates key exchanges when first communicating with other users.
  • Manual passphrase exchange: With a manual passphrase exchange, the user who initiates the process sends a shared secret using an out-of-band mechanism, such as in person or using SMS or email. The shared secret can be a user-defined passphrase or it can be an auto-generated passphrase suggested by BBM Enterprise.
    An attacker would have to compromise the shared secret exchange, which is made more difficult because the attacker doesn’t know when or how the secret will be shared. Because the secret is shared out-of-band, in order to compromise the key exchange, an attacker would need to intercept both the connection through the BlackBerry Infrastructure and the out-of-band channel outside of the BlackBerry Infrastructure that the BBM Enterprise users use to exchange the shared secret. Therefore no one, including BlackBerry, can read or modify the BBM Enterprise traffic without the ability to intercept the out-of-band channel in real time.
    To enable this option for all users, turn on an IT policy in the BBM Enterprise user management console. Additionally, users with BBM Enterprise version 1.8 can, at any time, use the "Share Passphrase" option in a 1:1 chat to start a manual passphrase key exchange with the chat participant, irrespective of the IT policy settings.
  • Manual key verification: Starting in BBM Enterprise version 1.8, a manual key verification security measure is available to BBM Enterprise users at all times. When the user manually verifies the fingerprint or scans the QR code directly from the other user's client in person or by another secure means, BBM Enterprise marks the user's copy of the keys as manually verified. Users can examine the manual key verification state of all other users, and users receive notifications when new keys are exchanged. When keys are exchanged using a manual passphrase exchange, BBM Enterprise will automatically mark the keys as manually verified. Under an auto passphrase exchange policy, users can manually verify each other's keys by a QR code scan or visual comparison of their key fingerprint.