BlackBerry Enterprise Server for Microsoft Exchange
Version: 5.0
Service Pack: 4
Security Technical Overview
New in this release
The table lists the updated security features for the BlackBerry Enterprise Server 5.0 SP4 that are described in this document.
Feat
Kerberos services. The Kerberos keys permit the BlackBerry Administration Service to verify the Kerberos service tickets that browsers send during sin
3. The browser retrieves the TGT of the administrator or user from the ticket cache on the computer that the administrator or user is using.
The browse
Activating a device
When a user activates a BlackBerry device, the BlackBerry Enterprise Solution authenticates the user and associates the device with
Data flow: Activating a device over the wireless network
1. A user opens the activation application on the BlackBerry device, and types the appropriate
Managing certificates on a device
Purpose of certificates on a device
A certificate is a digital document that binds the identity and public key of a ce
Configuring BlackBerry devices to enroll certificates over the wireless network
You can configure the BlackBerry Enterprise Server to permit BlackBerry
• Custom Microsoft Certificate Authority Certificate Template
• Distinguished Name Components
• Key Algorithm
• Key Length
• Microsoft Certificate Authori
Data flow: Enrolling a certificate when the certification authority approves certificate requests automatically
After a BlackBerry device receives an I
a verifies the certificate by checking whether the public key matches the public key that is stored in the BlackBerry Configuration Database
b sends th
b after the certification authority administrator approves the certificate request, issues the certificate, and sends the certificate to the user in a
Overview
BlackBerry Enterprise Solution security
The BlackBerry Enterprise Solution consists of various products and components that are designed to ext
9. The BlackBerry MDS Connection Service sends a status update to the device and sends the certificate request to the certification authority that is
Protecting BlackBerry Device Software updates
Protecting BlackBerry Device Software updates over the wireless network
You can update the BlackBerry Devi
How the BlackBerry Enterprise Solution protects BlackBerry Device Software updates over the wireless network using IT policies and content protection
T
How a device validates a BlackBerry Device Software update over the wireless network
When a BlackBerry device receives a BlackBerry Device Software upd
computer. To protect the cryptographic services data, the device encrypts the cryptographic services data using a BlackBerry services key.
The device s
Data flow: Backing up cryptographic services data using the BlackBerry Desktop Manager
1. A user connects a BlackBerry device to the BlackBerry Desktop
Extending messaging security to a device
If your organization's messaging environment supports highly secure messaging technology such as PGP encr
PGP public keys and PGP private keys
The PGP Support Package for BlackBerry smartphones uses public key cryptography with PGP public keys and PGP priva
Encryption algorithms that the device supports for PGP encryption
When you turn on PGP encryption, the default value of the PGP Allowed Content Ciphers
d sends the message that is encrypted using BlackBerry transport layer encryption and PGP encryption to the BlackBerry Enterprise Server
2. The BlackBe
Security features of the BlackBerry Enterprise Solution
Feature Description
data protection The BlackBerry Enterprise Solution is designed to protect da
Extending messaging security using S/MIME encryption
You can extend messaging security for the BlackBerry Enterprise Solution and permit a BlackBerry d
Item Description
S/MIME certificate When a user sends an email message or PIN message from a BlackBerry device, the device uses the S/MIME certificate
• An S/MIME-enabled application did not use a weak algorithm to generate the digital signatures on the email messages that the device receives.
• The c
3. The recipient decrypts the S/MIME-encrypted message using the S/MIME private key or a password that the sender provides.
Data flow: Receiving an S/M
Extending messaging security using IBM Notes encryption
By default, if your organization's environment includes IBM Notes API version 7.0 or later
How the BlackBerry Messaging Agent protects the password for an IBM Notes .id file
After a user imports an IBM Notes .id file and the password for the
4. The BlackBerry Messaging Agent on the BlackBerry Enterprise Server decrypts the cached password for the Notes .id file and validates the password t
Extending messaging security for attachments
The BlackBerry Enterprise Server supports attachments in PGP-protected messages and S/MIME-protected messa
Data flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
1. The BlackBerry device sends t
c Sends the email message to the BlackBerry Enterprise Server
3. The BlackBerry Enterprise Server sends the email to the recipient's inbox.
Data fl
Architecture: BlackBerry Enterprise Solution
The BlackBerry Enterprise Solution consists of various components that permit you to extend your organizat
c Appends all of the attachments from the original message, any new message attachments, and the original message body to the new message
d If the user
Configuring two-factor authentication and protecting Bluetooth connections
BlackBerry Smart Card Reader
The BlackBerry Smart Card Reader is an accessory
• unlock the BlackBerry device and access BlackBerry services and PKI applications using two-factor authentication
• digitally sign and encrypt email m
If the device is running BlackBerry Device Software version 3.6, the smart card information that the device displays when it prompts the user to inser
The User Authenticator API permits a developer to add a field to the password dialog box on the BlackBerry device for the authentication method. You c
d stores the encrypted content protection key and encrypted ECC private keys in the device memory
e generates a 256-bit pseudorandom number
f computes t
Protecting Bluetooth connections on a device
Bluetooth wireless technology permits a Bluetooth enabled BlackBerry device to open a wireless connection
Wi-Fi enabled devices
Wi-Fi enabled BlackBerry devices permit users with qualifying data plans to access BlackBerry services over a mobile network, Wi-
Type Description
permit VPN connections through the firewall. You can configure a home Wi-Fi network with layer 2 security and password authentication.
Feature Description
You can verify with your organization's wireless service provider that your organization's service plan supports access t
Component Description
BlackBerry Administration Service The BlackBerry Administration Service is a BlackBerry Enterprise Server component that connects
Protecting a connection between a Wi-Fi enabled device and an enterprise Wi-Fi network
A Wi-Fi enabled BlackBerry device is designed to connect to ente
How an SSL connection between a Wi-Fi enabled device and the BlackBerry Infrastructure protects data
An SSL connection between a Wi-Fi enabled BlackBer
• SSL_DHE_RSA_WITH_DES_CBC_SHA
• SSL_DH_anon_WITH_RC4_128_MD5
• SSL_DHE_DSS_WITH_DES_CBC_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_DH_anon_WITH_3DES_EDE_CBC_SH
• TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
• TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
• TLS_DH_anon_WITH_DES_CBC_SHA
• TLS_D
Using a VPN with a device
If your organization’s environment includes VPNs, such as an IPSec VPN, you can configure a Wi-Fi enabled BlackBerry device t
Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN
When a Wi-Fi enabled BlackBerry device connect
UI setting
VPN-1 Power
Cisco VPN 3000 Series Concentrator
VPN Firewall Brick
NetScreen
Nortel Networks Contivity
Secure Computing Sidewinder
Symantec Raptor
Supported configurations for the Cisco VPN 3000 Series Concentrator
The following table describes the configurations that BlackBerry 7.1 supports for t
Configuration setting Configuration 1 Configuration 2 Configuration 3 Configuration 4
Gateway Credential (PSK): Password (Group Password) X XX
Auth Crede
Configuration setting Configuration 1 Configuration 2
Gateway Credential (PSK): Password (Group Password) X XX
Auth Credential (PSK): Username XX
Auth Cr
Component Description
BlackBerry Attachment Service The BlackBerry Attachment Service is a BlackBerry Enterprise Server component that converts support
Configuration setting Configuration 1
IKE: Cipher 3DES
IKE: Hash HMAC MD5
IPSec: Crypto and Hash Suite 3DES-MD5
NAT timeout Default
Supported configuration
Wi-Fi network or Wi-Fi hotspot. After the BlackBerry device connects to the enterprise Wi-Fi network or Wi-Fi hotspot, the user can browse to an HTML
Data flow: Generating a token code for a software token
1. An RSA administrator uses the RSA Authentication Manager to import a seed as a soft token fi
Layer 2 security methods that a device supports
You can configure a Wi-Fi enabled BlackBerry device to use security methods for layer 2 (also known as
For more information about configuring WEP encryption, see the BlackBerry Enterprise Server Administration Guide.
WPA authentication
The IEEE 802.1X sta
IEEE 802.1X standard
The IEEE 802.1X standard defines a generic authentication framework that a Wi-Fi enabled BlackBerry device and an enterprise Wi-Fi
Data flow: Authenticating a Wi-Fi enabled device with a work Wi-Fi network using the IEEE 802.1X standard
If you configured a wireless access point to
EAP authentication methods that a Wi-Fi enabled device supports
LEAP authentication
LEAP authentication is designed to improve WEP authentication. You c
The device supports EAP-TLS authentication when the authentication server and client use certificates that meet specific requirements for authenticati
Encryption keys that a Wi-Fi enabled device supports for use with layer 2 security methods
A Wi-Fi enabled BlackBerry device supports AES-CCMP encrypti
Component Description
BlackBerry Enterprise Server uses the connection to send email messages inside your organization's firewall.
BlackBerry Infra
Using certificates with PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication
If your organization uses PEAP authentication, EAP-TLS
Controlling applications on a device
Creating an application for a smartphone
An application developer can create an application for BlackBerry smartpho
For more information about using IT policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Policy Reference Guid
"Not permitted", a game that is installed on a smartphone may not be able to send high scores back to a central server since the game is not
Permission Category Default setting Description
Internet Connections
• Prompt (BlackBerry Device Software 6.0 and earlier)
• Allow (BlackBerry 7 and late
Permission Category Default setting Description
Recording Interactions Prompt A user can set whether applications can take screen shots of the smartpho
Application permissions for applications that users install as trusted applications on a smartphone
Some applications that a user installs on a BlackBe
Permitting an application to encode data on a smartphone
A developer can use the Transcoder API to create an encoding scheme for data that a BlackBerry
Removing add-on applications from a device
You can create a software configuration to remove all add-on applications that are preloaded on a BlackBerry
• Prompt user: the device displays a message that provides the user with the option to Allow or Deny the application's request to access NFC feat
Component Description
BlackBerry Router The BlackBerry Router is a BlackBerry Enterprise Server component that connects to the wireless network to send
RIM Cryptographic API
The RIM Cryptographic API that is on a BlackBerry device and in the BlackBerry Java Development Environment consists of a Java in
Algorithm Key length (bits)
RC5 0 to 2040
Skipjack 80
Triple DES 112 and 168
Stream encryption algorithms that the RIM Cryptographic API supports
The RIM C
Algorithm Key length (bits) Type
ECDH 160 to 571 (Elliptic Curve) discrete logarithm
ECMQV 160 to 571 (Elliptic Curve) discrete logarithm
KEA 1024 discre
Message authentication codes that the RIM Cryptographic API supports
Code Key length (bits)
CBC-MAC variable (block cipher key length)
HMAC variable
Messa
Cipher suites for the key establishment algorithm that the RIM Cryptographic API supports
Direct mode SSL Direct mode TLS WTLS
DH_anon DH_anon RSA _768,
Hash algorithms that the RIM Cryptographic API supports
Direct mode SSL Direct mode TLS WTLS
MD5 MD5 SHA
SHA-1 SHA-1 SHA-40, SHA-80, MD5, MD5-40, MD5-80
L
Related resources
Resource Information
BlackBerry Enterprise Server Feature and Technical Overview • understanding BlackBerry Enterprise Server architec
Resource Information
BlackBerry Java Development Environment Development Guide • using controlled APIs • using code signatures
BlackBerry Smart Card Read
Resource Information
• risks of using Bluetooth wireless technology on mobile devices
www.blackberry.com/security • understanding BlackBerry Enterprise S
Glossary
3GPP Third Generation Partnership Project
Advanced Security SD card An Advanced Security SD card is a media card that complies with the Advanced
Keys on a device
The BlackBerry Enterprise Solution generates keys that are designed to protect the data that is stored on a BlackBerry device and the
BlackBerry MVS BlackBerry Mobile Voice System
BlackBerry transport layer encryption BlackBerry transport layer encryption (formerly known as standard Bl
DRBG deterministic random bit generator
DSA Digital Signature Algorithm
DSML Directory Service Markup Language
DSML-enabled server A BlackBerry device use
flash memory The flash memory is an internal file system on a BlackBerry device that stores application data and user data.
GAN generic access network
G
IT policy public key The IT policy public key is a key that a BlackBerry device uses to authenticate the IT policy that the BlackBerry Enterprise Serv
OAEP Optimal Asymmetric Encryption Padding
OCSP Online Certificate Status Protocol
OFB output feedback
PAC proxy auto-configuration
PBX Private Branch Exc
S/MIME Secure Multipurpose Internet Mail Extensions
SEMA Simple Electromagnetic Analysis
SHA Secure Hash Algorithm
SIM Subscriber Identity Module
SMS Shor
WTLS Wireless Transport Layer Security
Security Technical Overview Glossary 186
Legal notice
©2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry Limited and are
QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO
Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not instal
Key Description
content protection key The content protection key encrypts user data on the device when the device is locked.
device transport key The d
Published: 2014-01-17
SWD-20140117135425071
Device transport keys
The device transport key encrypts the message keys that help protect the data sent between a BlackBerry Enterprise Server and Bla
State Description
The messaging server and BlackBerry Configuration Database store the previous device transport key that the BlackBerry Enterprise Ser
• device transport keys in binary form with tags that indicate whether the status of the device transport keys is pending (0x6002 tag), current (0x600
Characteristics Description
long-term public keys exchanged The wireless activation process verifies that the BlackBerry Enterprise Server and device c
A user can also generate a device transport key using the BlackBerry Desktop Manager. By default, the BlackBerry Enterprise Server sends a request to
Each message key consists of random data that is designed to make it difficult for a third party to decrypt, re-create, or duplicate the message key.
T
1. Retrieves random data from multiple sources to generate the seed using a technique that the device derives from the initialization function of the
Data flow: Turning on content protection using a BlackBerry Enterprise Server
You can turn on content protection using a BlackBerry Enterprise Server w
3. Prompts the user to type the device password
4. Derives an ephemeral 256-bit AES encryption key from the device password, using PKCS #5
5. Uses the e
Principal encryption keys
When you or a user turns on content protection for device transport keys, a BlackBerry device generates a principal encryptio
A device that has a PIN encryption key that is specific to your organization can perform the following actions:
• can only encrypt PIN messages sent to
Encrypting data that the BlackBerry Enterprise Server and a device send to each other
To encrypt data that is in transit between the BlackBerry Enterpr
How the BlackBerry Enterprise Solution uses AES to encrypt data
By default, when a BlackBerry device supports AES, the BlackBerry Enterprise Solution u
Data flow: Running a masking operation during subsequent AES calculations when content protection is turned on
A BlackBerry device performs the followi
All versions of the BlackBerry Enterprise Server, BlackBerry Device Software, and BlackBerry Desktop Software support Triple DES.
For more information
Data flow: Sending an email message from a device using BlackBerry transport layer encryption
1. A sender sends an email message from a BlackBerry de
Managing BlackBerry Enterprise Solution security
Using an IT policy to manage BlackBerry Enterprise Solution security
You can use an IT policy to contro
Preconfigured IT policy Description
Default This policy includes all the standard IT policy rules that are set on the BlackBerry Enterprise Server.
Indi
Using IT policy rules to manage BlackBerry Enterprise Solution security
You can use IT policy rules to customize and control the actions that the Black
Method Description
Apply one IT policy to the user account The BlackBerry Enterprise Server applies one of the group IT policies to the user account. Y
Scenario Rule
A user account belongs to multiple groups. You assign multiple IT policies to the groups but do not assign an IT policy to the user accou
Scenario Rule
rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser I
Best practice Description
notify the user that you turned on the ability of the device to report its location to the BlackBerry Enterprise Server.
Using
IT administration command Description
You can send this command to a device that you want to distribute to another user in your organization, or to a d
f permanently deletes K
5. The device performs the following actions:
a selects d randomly
b calculates D = dP
c stores D in flash memory
d calculates K =
Using a segmented network to help prevent the spread of malware
To help prevent the spread of malware in your organization’s network, you can use firew
Configuring the IT Policy Viewer icon on a device
The IT policy viewer permits a BlackBerry device user to view IT policy rules that were configured fo
Device storage space
The BlackBerry device storage space consists of various sections that store BlackBerry device user data and sensitive information
Changing when a device cleans the device memory
By default, the memory cleaner application runs on a BlackBerry device when the device is inactive for
When a device overwrites data in the device memory
A BlackBerry device continually runs the memory cleaner application during the based garbage collect
• if you reset the device to the factory default settings, the IT policy that is stored on the device
• if a user selects the Include third party appli
IT policy rule Description
Secure Wipe Delay After IT Policy Received This rule specifies the length of time (in hours) after a device receives an IT po
The device can bind to another BlackBerry Enterprise Server at a later time. The device does not use the memory-scrub process to overwrite the IT poli
3. writes 0xCC to each byte (1100 1100₂)
4. writes all bytes to 0x00 (0000 0000₂)
5. writes 0x55 to each byte (0101 0101₂)
6. writes all bytes to 0x00 (0
Securing devices in your organization’s environment for personal use and work use
Your organization might want to permit BlackBerry device users to use
data, you must configure the "Is access to the corporate data API allowed" application control policy rule. The device checks this rule to d
Data and applications that a device classifies for personal use
A BlackBerry device classifies the following data and applications for personal use:
• e
Preventing a user from pasting work data into a personal application
To help prevent a BlackBerry device user from pasting work data into a personal ap
Prevent a user from using the work contact list in personal email accounts and personal calendars
By default, a BlackBerry device does not prevent a Bl
data and personal data on a computer using the BlackBerry Desktop Software and BlackBerry Web Desktop Manager. The user can restore the data to the de
require that a personal device remove only work data when the device receives the Delete only the organization data and remove device IT administrativ
Data flow: Deleting only work data from a device
When you delete only work data from a BlackBerry device using the Delete all organizational device dat
Managing third-party applications on a smartphone that a user uses for personal purposes
By default, a BlackBerry smartphone classifies all application
prevent add-on applications such as Facebook for BlackBerry smartphones and MySpace for BlackBerry smartphones from accessing the work calendar and wo
Protecting data on a device
Encrypting user data on a locked device
If you or a BlackBerry device user turns on content protection, you or the user can
To make content protection optional or to prevent an administrator or a user from turning on content protection for a device that is running BlackBerr
device locks. If the device does not complete the re-encryption process before the user unlocks the device, the device resumes re-encryption when it l
• connects to the BlackBerry Infrastructure
• resumes serial bypass connections
• receives data from the BlackBerry Enterprise Server
Resetting a device
Cryptosystem parameters that the remote password reset cryptographic protocol uses
The BlackBerry Enterprise Server and BlackBerry device are designed
The first time that the user opens the password keeper on the device, the user must create the password keeper password. The password keeper encrypts
To generate an encryption key, the BlackBerry device performs the following actions:
1. generates an AES-256 encryption key
2. stores the encryption key
How a device protects its operating system and the BlackBerry Device Software
Each time a user turns on a BlackBerry device, specific components on the
Protecting the data that the BlackBerry Enterprise Server stores in your organization's environment
Where the BlackBerry Enterprise Server stores
Messaging environment Storage location
Microsoft Exchange The BlackBerry Enterprise Server stores user data in hidden folders in the Microsoft Exchange
Best practice Description
• At a minimum, write failed connection attempts to the Microsoft SQL Server log file and review the log file regularly.
• Whe
Best practice Description
• Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and NTFS permits sec
A device stores the digitally signed IT policy and the IT policy public key in the NV store in flash memory. When the device stores the IT policy and
Protecting communication with a device
Opening a direct connection between a device and a BlackBerry Router
A BlackBerry device can use the BlackBerry R
• A device can provide all email messaging services and data services using the BlackBerry Router protocol except for activation over the wireless net
To perform either of these impersonation attacks, the potentially malicious user must send the device transport key value (also known as s) to the Bla
c sends RD and KeyID to the BlackBerry Enterprise Server
4. The BlackBerry Enterprise Server performs the following actions:
a calculates that as RD app
$y_B P + e_B R_B \neq hP$
• The BlackBerry Router does not accept the connection request if the BlackBerry Router calculates the following:
$y_B P + e_B R_B \neq y_D P + e_D R$
4. The BlackBerry Router performs one of the following actions:
• The BlackBerry Router closes the authenticated connection to the BlackBerry device on
Best practice: Protecting plain text messages that a device sends over the wireless network
Plain text messages include SMS text messages, MMS messages
Best practice Description
To apply this best practice, you can use the Firewall Block Incoming Messages IT policy rule.
Require a user to verify whether
Protecting HTTP connections from a device to content servers and application servers using HTTPS
If a third-party application on a BlackBerry device ca
Warning message Description
Weak Crypto Algorithm Your organization considers the algorithm that is used in the certificate chain to be weak.
Permitting
• Stop: the user should select this option if the user wants to close the connection between the device and the website.
• Details: the user should sel
BlackBerry Enterprise Server. When the BlackBerry Infrastructure becomes available again, the BlackBerry Enterprise Server resends messages that it di
Protecting communications in your organization's environment
How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate wit
What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection
After a BlackBerry Enterprise Server and
Data flow: Authenticating a BlackBerry Enterprise Server with the BlackBerry Infrastructure
1. The BlackBerry Enterprise Server sends a data packet tha
Messaging server Description
A user who activates a BlackBerry device when the device is connected to a computer can encrypt data that is in transit be
Synchronization Service, and BlackBerry MVS share a communication password. The BlackBerry Messaging Agent and BlackBerry Dispatcher share a different
a uses a shared secret password (also known as the communication password) and the ECDH protocol with a 521-bit curve to create a device transport key
environment and authenticate and authorize users. The Kerberos protocol is designed to permit the BlackBerry MDS Connection Service to verify user acc
How the BlackBerry MDS Connection Service uses Kerberos to help protect your organization's resources
BlackBerry MDS Connection Service integrated
1. The BlackBerry device user navigates to a resource on your organization’s intranet or on a file share (for example, a web page or shared file) usi
Protecting your organization’s resources when you configure BlackBerry Administration Service single sign-on
You can configure the BlackBerry Administr
Component Description
BlackBerry Administration Service The BlackBerry Administration Service permits you to manage the BlackBerry Domain, which includ