Blackberry ENTERPRISE SOLUTION SECURITY - SECURITY FOR DEVICES WITH BLUETOOTH WIRELESS TECHNOLOGY - TECHNICAL Specifications


Summary of Contents

Page 1 - Overview

BlackBerry Enterprise Service 10
BlackBerry Device Service Solution
Version: 10.1
Security Technical Overview

Page 2 - SWD-20130514151546118

• Install and manage your organization's applications on devices
• Protect your organization's data and applications on devices
Component De

Page 3 - Contents

Event | Device type | Description
can use either the "Delete all device data and remove device" or "Delete only the organization data and remo

Page 4

Work space only wipe
To protect your organization's data on BlackBerry Balance devices, including BlackBerry PlayBook tablets, these devices delete

Page 5

Device | Spaces users can backup/restore | Software to use
BlackBerry Balance device (excluding BlackBerry PlayBook tablet)
• Work space
• Personal space
• Bla

Page 6

Encryption
Devices use encryption to protect the following:
• Work space data
• Personal space data
• Media card data
Work data
Devices protect work data by

Page 7 - Service solution security

Users can also turn on media card encryption using the Media Card Encryption option in the Security and Privacy settings on the device.
Related informat

Page 8 - Device security features

• Trying an action on the device that requires the smart card (for example, importing certificates, signing or decrypting a message, or turning on two-

Page 9

• You or a user wipes the device. During this process, the device deletes the smart card binding information from device memory. When the process compl

Page 10

The BlackBerry 10 OS
The BlackBerry 10 OS is the microkernel operating system of the BlackBerry 10 device. Microkernel operating systems implement the m

Page 11

How the BlackBerry 10 OS uses sandboxing to protect app data
The BlackBerry 10 OS uses a security mechanism called sandboxing to separate and restrict t

Page 12 - Infrastructure authenticate

How the BlackBerry 10 device manages permissions for apps
The authorization manager is the part of the BlackBerry 10 OS that evaluates requests from app

Page 13 - Infrastructure

Component | Description
BlackBerry Infrastructure | The BlackBerry Infrastructure validates SRP information and controls the IPPP traffic that travels outsi

Page 14

corresponding public keys to verify that the digital signature is correct. If it is correct, the boot ROM code runs the BlackBerry 10 OS.
Before the Bla

Page 15 - How devices connect to the

Security mechanism | Description
Robust heap implementations | The heap implementation includes a defense mechanism against the deliberate corruption of the

Page 16

The BlackBerry PlayBook OS
The BlackBerry PlayBook OS is the microkernel operating system of the BlackBerry PlayBook tablet. Microkernel operating syste

Page 17 - VPN connection

How the BlackBerry PlayBook OS uses sandboxing to protect app data
The BlackBerry PlayBook OS uses a security mechanism called sandboxing to separate an

Page 18

How the BlackBerry PlayBook tablet manages permissions for apps
The authorization manager is the part of the BlackBerry PlayBook OS that evaluates reque

Page 19

corresponding public keys to verify that the digital signature is correct. If it is correct, the boot ROM code runs the PlayBook OS.
Before the PlayBook

Page 20

Security mechanism | Description
Stack cookies | Stack cookies are a form of buffer overflow protection that helps prevent attackers from executing arbitrar

Page 21

Protecting the data that the BlackBerry Device Service stores in your organization's environment
Data that the BlackBerry Configuration Database store

Page 22 - Device transport keys

Best practice: Protecting the data that the BlackBerry Configuration Database stores
Best practice | Description
Audit connections to the Microsoft SQL Serv

Page 23 - Message keys

Best practice | Description
Protect the Microsoft SQL Server installation from Internet-based attacks. | Consider the following guidelines:
• Require Windows

Page 24

How the BlackBerry Device Service and the BlackBerry Infrastructure authenticate with each other
The BlackBerry Infrastructure and BlackBerry Device Servi

Page 25 - Using a VPN with a device

Cryptographic algorithms, codes, protocols, and libraries that devices support
BlackBerry devices support the following types of cryptographic algorithms

Page 26 - IEEE 802.1X standard

Algorithm | Key length (in bits) | Modes
DES | 56 | CBC, CFB, ECB, OFB
DESX | 184 | CBC, CFB, ECB, OFB
RC2 | up to 256 | CBC, CFB, ECB, OFB
RC4 | up to 256 | —
Triple DES | 112,

Page 27 - EAP-TLS authentication

Message authentication codes
Codes | Key length (in bits)
AES-XCBC-MAC | 128
CMAC-AES | 28, 192, 256
HMAC-MD5 | 128
HMAC-SHA-1 | 160
HMAC-SHA-2 | 224, 256, 384, 512
HMAC

Page 28 - EAP-FAST authentication

Key agreement algorithms
Algorithm | Supported curve or key length (in bits)
DH | 1024, 2048, 3072
ECDH | secp192r1, secp256r1, secp384r1, secp521r1, sect163k1,

Page 29

• WPA-Personal
• WPA-Enterprise
• WPA2-Personal
• WPA2-Enterprise
Cipher suites that a device supports for opening SSL/TLS connections
A device supports var

Page 30 - Activating devices

• TLS_ECDH_ECDSA_WITH_RC4_128_SHA
• TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDH_

Page 31

Cryptographic Libraries
• BlackBerry OS Cryptographic Library
• OpenSSL
VPN cryptographic support
Protocol | Authentication types | IKE IPSec DH group | IKE IPSec ci

Page 32

Cryptographic protocol | Encryption | EAP outer method | EAP inner method
WPA2 | TKIP, CCMP (AES) | PEAP, EAP-TTLS, EAP-FAST, EAP-TLS, EAP-AKA, EAP-SIM | MSCHAPv2, E

Page 33

Product documentation
To read the following guides or additional related materials, visit blackberry.com/go/serverdocs.
Resource | Description
Introducing

Page 34

Resource | Description
BlackBerry Enterprise Service 10 Configuration Guide | • Instructions for how to configure server components before you start administe

Page 35 - Web Desktop Manager

Data flow: Authenticating the BlackBerry Device Service with the BlackBerry Infrastructure
1. The BlackBerry Device Service sends a data packet that cont

Page 36

Resource | Description
BlackBerry Bridge App Security Technical Overview | • Description of how work data is protected on devices when you use the BlackBerry

Page 37

Glossary
A2DP: Advanced Audio Distribution Profile
ACL: An access control list (ACL) is a list of permissions that are associated with an object, such as

Page 38 - Managing certificates on

DRBG: deterministic random bit generator
DSA: Digital Signature Algorithm
EAP: Extensible Authentication Protocol
EAP-AKA: Extensible Authentication Protocol

Page 39

HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer
IEEE: Institute of Electrical and

Page 40

OFB: output feedback
OPP: Object Push Profile
PAC: Protected Access Credential
PAN: Personal Area Networking
PAP: Password Authentication Protocol
PBAP: Phone Bo

Page 41

SPP: Serial Port Profile
SRP: Server Routing Protocol
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TCP MD5: Transmission Control Protocol messa

Page 42

Legal notice
©2013 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, and related trademarks, names, and logos are

Page 43 - Using IT policies to manage

HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM. TO THE MAXIMUM EXTEN

Page 44 - Resolving IT policy conflicts

Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBer

Page 45 - Using BlackBerry Balance to

How the BlackBerry Device Service protects a TCP/IP connection to the BlackBerry Infrastructure
After the BlackBerry Device Service and the BlackBerry In

Page 46

How devices connect to the BlackBerry Device Service
Devices can connect to the BlackBerry Device Service and access your organization’s network using a

Page 47

By default, the Enterprise Management Agent on the device can use all of these communication methods to connect to the BlackBerry Device Service and o

Page 48

Encryption type | Description
certificate with each server. The server might use SSL or TLS, depending on how it is set up.
AES encryption | Encrypts the data t

Page 49 - How devices protect work data

BlackBerry Infrastructure connection
In a BlackBerry Infrastructure connection, a device connects to your organization’s resources through any wireles

Page 50

Securing the communication between devices and your organization’s network
Devices permit work apps and personal apps (on BlackBerry Balance devices) t

Page 51

Published: 2013-05-14
SWD-20130514151546118

Page 52

Controlling how work and personal apps connect to your organization's network ... 57
Controlling the network connections that work and personal apps

Page 53

How the BlackBerry Device Service manages email messages
Devices use Microsoft ActiveSync to synchronize email messages, calendar entries, and contacts

Page 54

Data flow: Opening a TLS connection between the BlackBerry Infrastructure and a device
1. A device sends a request to the BlackBerry Infrastructure to o

Page 55

Devices store device transport keys in a keystore database in flash memory. The keystore database prevents an attacker from copying the device transpor

Page 56 - Controlling voice control

Data flow: Generating a message key on a device
A device uses the DRBG function to generate a message key.
To generate a message key, the device perform

Page 57

The BlackBerry Device Service stores a copy of the seed in a file. When the BlackBerry Device Service restarts, it reads the seed from the file and use

Page 58

How a device and the BlackBerry Device Service protect sensitive Wi-Fi information
To permit a device to access a Wi-Fi network, you must send sensitive

Page 59

Data flow: Authenticating a device with a work Wi-Fi network using the IEEE 802.1X standard
If you configured a wireless access point to use the IEEE 80

Page 60

server. EAP-TLS authentication uses the TLS encrypted tunnel and a client certificate to send the credentials of the device to the authentication serve

Page 61

For PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication to be successful, the device must trust the certificate of the authenticati

Page 62

Contents
1 About BlackBerry Device Service solution security ... 7
BlackBerry De

Page 63

Activating devices
When you or a user activates a device, you create the work space on the device, associate the work space with a user account in the B

Page 64

the BlackBerry Infrastructure. If you register the activation information, the user's account information, including their username, activation pa

Page 65

a Types the user ID, activation password, and the Enterprise Management Web Service web address (if necessary) on the device
b For a work space only act

Page 66

a Establish a mutually authenticated TLS connection by verifying both the client certificate and the server certificate for the Enterprise Management W

Page 67

b For a work space only activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to
3. If the activ

Page 68

c Stores the client certificate and the enterprise management root certificate in its keystore
11. The Enterprise Management Agent and Enterprise Manag

Page 69

Data flow: Activating a device using the BlackBerry Web Desktop Manager
1. You perform the following actions:
a Add a user account to the BlackBerry Devi

Page 70

e Sends the encrypted CSR and HMAC to the Enterprise Management Web Service
11. The Enterprise Management Web Service performs the following actions:
a

Page 71 - PlayBook tablets can access

Managing certificates on devices
A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate h

Page 72 - BlackBerry PlayBook tablet

• To set up a TLS connection between the BlackBerry Device Service and a device so that the BlackBerry Device Service can activate the device and send

Page 73 - Securing work space only

5 Managing certificates on devices ... 38
Certificates

Page 74 - Protecting data

certificate. You can use the Automatic Renewal SCEP profile setting to configure how many days before the certificate expires that automatic renewal oc

Page 75 - Managing data

d Adds the computed signature response to the PKCS#10 CSR
e Encrypts the PKCS#10 CSR using PKCS#7 enveloped data format and the CA public key
f Sends th

Page 76 - Controlling Bluetooth

Folder | Description
Devices running BlackBerry 10 OS version 10.0 also use certificates in this folder to authenticate with your work messaging server if

Page 77 - Controlling apps

Using IT policies to manage BlackBerry Device Service security
You can use IT policies to control and manage devices in your organization's environm

Page 78 - Controlling features

Resolving IT policy conflicts
If you add a user account to multiple groups, multiple IT policies can be added to the user account. You can control how t

Page 79 - Controlling wallpaper

Using BlackBerry Balance to secure BlackBerry 10 devices in your organization’s environment for work use and personal use
Your organization can use BlackBe

Page 80 - Controlling app connections

that the user was using before the device was activated on the BlackBerry Device Service are available to the user in the personal space on the device.

Page 81

How devices classify work and personal data and apps
BlackBerry Balance devices running BlackBerry 10 can distinguish between data that is for work use

Page 82

Description | App
• SMS text messaging (with access to work contacts except if prevented by the "Personal Apps Access to Work Contacts" IT policy

Page 83 - Managing app availability on

How devices are designed to prevent BlackBerry Runtime for Android apps from accessing work data and apps
BlackBerry Balance devices running BlackBerry

Page 84 - Signing apps

Controlling app connections ...

Page 85 - Extending messaging security

How devices protect personal data
BlackBerry Balance devices running BlackBerry 10 allow the encryption of personal files on devices. You can use the "

Page 86

Protecting work data on devices with password rules
To secure work content and resources in the work space, when BlackBerry 10 devices are activated on

Page 87

Item | Description
Work app data | Work data that is associated with work apps on the device
Work Wi-Fi profiles | Work Wi-Fi profiles that the user configure

Page 88

When users are in the work space on devices, they see the work space wallpaper. If you do not send a work space wallpaper image to devices, users can s

Page 89 - BlackBerry 10 devices

Related information
Transferring work data from devices using Bluetooth, 55
Managing how apps open links in the work and personal spaces on devices
In gen

Page 90

Managing data transferred to and from a device using NFC
Data that a BlackBerry Balance device running BlackBerry 10 receives from another device using

Page 91

Devices use the Bluetooth MAP to send messages to another Bluetooth enabled device. To prevent a user from using the Bluetooth MAP to send messages fro

Page 92

Related information
Back up and restore, 101
Controlling how work and personal apps connect to your organization's network
The BlackBerry Device Serv

Page 93 - Password changes

By default, work apps can use the Wi-Fi profiles or VPN profiles that are stored on the device to connect to your organization's network and can

Page 94

The "Work Network Usage for Personal Apps" IT policy rule controls what interfaces are available to apps that are in the personal space. If

Page 95

How the BlackBerry 10 device prevents the exploitation of memory corruption ... 110
14 The

Page 96

If the "Work Network Usage for Personal Apps" IT policy rule is set to Disallow, personal apps attempt to connect to your organization'

Page 97 - PlayBook tablet

You can use IT policy rules to prevent or protect connections to your organization’s network:
• Prevent personal apps from using your organization’s

Page 98 - Security timeout

If the "Work Network Usage for Personal Apps" IT policy rule is set to Allow, users can still prevent all apps in the personal space from usi

Page 99 - Data wipe

Using BlackBerry Balance to secure BlackBerry PlayBook tablets in your organization’s environment for work use
Your organization can use BlackBerry Balanc

Page 100

Tablets encrypt data stored in the personal file system if you set the "Personal Space Data Encryption" IT policy rule to Yes or if the user

Page 101 - Back up and restore

Data flow: Generating a work space key when the “Two-factor Encryption Key Generation” IT policy rule is set to Yes
If you set the "Two-factor Encr

Page 102 - Restore protection

Controlling when BlackBerry PlayBook tablets delete all data in the work space
To protect your organization's data on a BlackBerry PlayBook tablet,

Page 103 - Encryption

Item | Description
IT policy | IT policy that is associated with your organization
Device transport key | References to the device transport key, which preven

Page 104 - BlackBerry Smart Card Reader

What happens when a user updates or creates files on a BlackBerry PlayBook tablet
The BlackBerry PlayBook tablet helps protect data when a user performs

Page 105

Some apps, such as Documents To Go, can run in work mode or personal mode. If the user opens an attachment in a work email message or work calendar ent

Page 106

About BlackBerry Device Service solution security
BlackBerry Device Service solution security
The BlackBerry Device Service solution consists of various

Page 107 - The BlackBerry 10 OS

Comparison of work and personal apps
Work apps | Personal apps
Work apps can view and change work data. Work apps can view but not change personal data. | Per

Page 108

How a BlackBerry PlayBook tablet is designed to prevent BlackBerry Runtime for Android apps from accessing work data or apps
Tablets consider Android app

Page 109 - 10 OS and its file system

If a user uses the browser to connect to web servers that support NTLM using a work Wi-Fi network or a work VPN network, the tablet supports NTLMv1 aut

Page 110

Securing work space only devices
You can activate devices using the work space only option. These devices contain only one space that is considered a wo

Page 111

Classifying data
All data and apps on work space only devices are classified as work resources, even when users use the devices for personal tasks like

Page 112 - The BlackBerry PlayBook OS

Related information
Media cards, 103
Password protection
Password protection on work space only devices is not optional. To secure work data on these dev

Page 113

• Hotspot Browser
• NFC
• User-Created VPN Profiles
• Wi-Fi
For more information about these IT policy rules, see the BlackBerry Device Service Policy and

Page 114 - ROM code

• Bluetooth File Transfer Using OBEX
• Bluetooth HFP
• Bluetooth MAP
• Bluetooth PAN
• Bluetooth SPP
For more information about these IT policy rules, see

Page 115

For more information about these IT policy rules, see the BlackBerry Device Service Policy and Profile Reference Guide.
Related information
BlackBerry W

Page 116

• Roaming
• Voice dictation
• Voice control
For more information about these IT policy rules, see the BlackBerry Device Service Policy and Profile Refere

Page 117 - BlackBerry Device Service

Device security features
Feature | Description
Protection of data between the BlackBerry Device Service and a device | The BlackBerry Device Service protects d

Page 118

Controlling app connections
The BlackBerry Device Service controls how apps on work space only devices connect to your organization’s network. Because w

Page 119

By default, work apps can use Wi-Fi profiles, VPN profiles, or the BlackBerry Device Service to connect to your organization's network. If you wa

Page 120 - Cryptographic algorithms

Security Technical Overview | Securing work space only devices | 82

Page 121 - Hash algorithms

Managing app availability on devices
You can use the BlackBerry Device Service to install and manage work apps in the work space on devices. Work apps c

Page 122 - Signature algorithms

Preventing users from installing apps using development tools
App developers can use development tools to test apps that they are developing by installi

Page 123 - Cryptographic protocols

Extending messaging security on BlackBerry 10 devices
You can extend messaging security for the BlackBerry Device Service solution and permit BlackBerry

Page 124

Extending messaging security on BlackBerry 10 devices using S/MIME protection
You can extend messaging security for the BlackBerry Device Service and per

Page 125

S/MIME profile setting | Description
Encrypted S/MIME messages | You can make encryption of outgoing messages allowed, required, or disallowed:
• Allowed: us

Page 126 - Wi-Fi cryptographic support

S/MIME Messages profile setting | Encrypted S/MIME Messages profile setting | Digitally Signed S/MIME Messages profile setting | S/MIME options on device | Encoding dr

Page 127 - MSCHAPv2, EAP-GTC, PAP

S/MIME Messages profile setting | Encrypted S/MIME Messages profile setting | Digitally Signed S/MIME Messages profile setting | S/MIME options on device | Encoding dr

Page 128 - Product documentation

Feature | Description
Protection of application data using sandboxing | The BlackBerry 10 OS and PlayBook OS use sandboxing to separate and restrict the capab

Page 129

Item | Description
S/MIME public key | When a user sends an email message from a device, the device uses the S/MIME public key of the recipient to encrypt the

Page 130

d Sends the encrypted message to the BlackBerry Device Service
2. If the device is connected to the BlackBerry Infrastructure, the BlackBerry Device Se

Page 131 - Glossary

Protecting data
The BlackBerry Device Service and BlackBerry devices offer security features to protect user information, including:
• Passwords
• Securi

Page 132

Rule settings | Result
policy rules in the Password rule group apply to the work space password. Users have the option to use their work space password as t

Page 133

Device type | Conditions | Result
BlackBerry Balance (excluding BlackBerry PlayBook tablets) | • Device has a work space password
• Device does not have a full de

Page 134

Device type | Conditions | Result
• Device has a work space password
• You enforce the work space password as the full device password using the "Apply Wor

Page 135

The Enterprise Management Web Service stores a unique private key for each device that is activated on the Enterprise Management Web Service.
4. The dev

Page 136 - Legal notice

Data flow: When you change the work space password on a BlackBerry PlayBook tablet
1. You send the "Specify new device password and lock device"

Page 137

If the "Two-factor Encryption Key Generation" IT policy rule is set to Yes, the tablet uses the current password to derive the current interm

Page 138

On BlackBerry 10 devices, certain apps, such as apps that display navigation information, slideshows, and videos, can extend the security timeout. By d
