Blackberry ENTERPRISE SOLUTION SECURITY - SECURITY FOR DEVICES WITH BLUETOOTH WIRELESS TECHNOLOGY - TECHNICAL User's Guide


Summary of Contents

Page 1 - Overview

BlackBerry Enterprise Server for Microsoft Exchange
Version: 5.0
Service Pack: 4
Security Technical Overview

Page 2 - SWD-20140117135425071

New in this release
The table lists the updated security features for the BlackBerry Enterprise Server 5.0 SP4 that are described in this document.
Feat

Page 3 - Contents

Kerberos services. The Kerberos keys permit the BlackBerry Administration Service to verify the Kerberos service tickets that browsers send during sin

Page 4

3. The browser retrieves the TGT of the administrator or user from the ticket cache on the computer that the administrator or user is using.
The browse

Page 5

Activating a device
When a user activates a BlackBerry device, the BlackBerry Enterprise Solution authenticates the user and associates the device with

Page 6

Data flow: Activating a device over the wireless network
1. A user opens the activation application on the BlackBerry device, and types the appropriate

Page 7

Managing certificates on a device
Purpose of certificates on a device
A certificate is a digital document that binds the identity and public key of a ce

Page 8

Configuring BlackBerry devices to enroll certificates over the wireless network
You can configure the BlackBerry Enterprise Server to permit BlackBerry

Page 9

• Custom Microsoft Certificate Authority Certificate Template
• Distinguished Name Components
• Key Algorithm
• Key Length
• Microsoft Certificate Authori

Page 10 - New in this release

Data flow: Enrolling a certificate when the certification authority approves certificate requests automatically
After a BlackBerry device receives an I

Page 11

a verifies the certificate by checking whether the public key matches the public key that is stored in the BlackBerry Configuration Database
b sends th

Page 12 - Enterprise Solution

b after the certification authority administrator approves the certificate request, issues the certificate, and sends the certificate to the user in a

Page 13 - Solution

Overview
BlackBerry Enterprise Solution security
The BlackBerry Enterprise Solution consists of various products and components that are designed to ext

Page 14

9. The BlackBerry MDS Connection Service sends a status update to the device and sends the certificate request to the certification authority that is

Page 15

Protecting BlackBerry Device Software updates
Protecting BlackBerry Device Software updates over the wireless network
You can update the BlackBerry Devi

Page 16

How the BlackBerry Enterprise Solution protects BlackBerry Device Software updates over the wireless network using IT policies and content protection
T

Page 17

How a device validates a BlackBerry Device Software update over the wireless network
When a BlackBerry device receives a BlackBerry Device Software upd

Page 18 - Keys on a device

computer. To protect the cryptographic services data, the device encrypts the cryptographic services data using a BlackBerry services key.
The device s

Page 19

Data flow: Backing up cryptographic services data using the BlackBerry Desktop Manager
1. A user connects a BlackBerry device to the BlackBerry Desktop

Page 20

Extending messaging security to a device
If your organization's messaging environment supports highly secure messaging technology such as PGP encr

Page 21

PGP public keys and PGP private keys
The PGP Support Package for BlackBerry smartphones uses public key cryptography with PGP public keys and PGP priva

Page 22 - IBM Domino environment

Encryption algorithms that the device supports for PGP encryption
When you turn on PGP encryption, the default value of the PGP Allowed Content Ciphers

Page 23

d sends the message that is encrypted using BlackBerry transport layer encryption and PGP encryption to the BlackBerry Enterprise Server
2. The BlackBe

Page 24 - Message keys

Security features of the BlackBerry Enterprise Solution
Feature Description
data protection The BlackBerry Enterprise Solution is designed to protect da

Page 25 - Enterprise Server

Extending messaging security using S/MIME encryption
You can extend messaging security for the BlackBerry Enterprise Solution and permit a BlackBerry d

Page 26 - Content protection keys

Item Description
S/MIME certificate When a user sends an email message or PIN message from a BlackBerry device, the device uses the S/MIME certificate

Page 27 - BlackBerry Enterprise Server

• An S/MIME-enabled application did not use a weak algorithm to generate the digital signatures on the email messages that the device receives.
• The c

Page 28

3. The recipient decrypts the S/MIME-encrypted message using the S/MIME private key or a password that the sender provides.
Data flow: Receiving an S/M

Page 29 - PIN encryption keys

Extending messaging security using IBM Notes encryption
By default, if your organization's environment includes IBM Notes API version 7.0 or later

Page 30

How the BlackBerry Messaging Agent protects the password for an IBM Notes .id file
After a user imports an IBM Notes .id file and the password for the

Page 31 - Encrypting data that the

4. The BlackBerry Messaging Agent on the BlackBerry Enterprise Server decrypts the cached password for the Notes .id file and validates the password t

Page 32

Extending messaging security for attachments
The BlackBerry Enterprise Server supports attachments in PGP protected messages and S/MIME-protected messa

Page 33 - DES to encrypt data

Data flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption
1. The BlackBerry device sends t

Page 34

c Sends the email message to the BlackBerry Enterprise Server
3. The BlackBerry Enterprise Server sends the email to the recipient's inbox.
Data fl

Page 35

Architecture: BlackBerry Enterprise Solution
The BlackBerry Enterprise Solution consists of various components that permit you to extend your organizat

Page 36 - Enterprise Solution security

c Appends all of the attachments from the original message, any new message attachments, and the original message body to the new message
d If the user

Page 37

Configuring two-factor authentication and protecting Bluetooth connections
BlackBerry Smart Card Reader
The BlackBerry Smart Card Reader is an accessory

Page 38 - Solution security

• unlock the BlackBerry device and access BlackBerry services and PKI applications using two-factor authentication
• digitally sign and encrypt email m

Page 39

If the device is running BlackBerry Device Software version 3.6, the smart card information that the device displays when it prompts the user to inser

Page 40

The User Authenticator API permits a developer to add a field to the password dialog box on the BlackBerry device for the authentication method. You c

Page 41

d stores the encrypted content protection key and encrypted ECC private keys in the device memory
e generates a 256-bit pseudorandom number
f computes t

Page 42

Protecting Bluetooth connections on a device
Bluetooth wireless technology permits a Bluetooth enabled BlackBerry device to open a wireless connection

Page 43

Wi-Fi enabled devices
Wi-Fi enabled BlackBerry devices permit users with qualifying data plans to access BlackBerry services over a mobile network, Wi-

Page 44

Type Description
permit VPN connections through the firewall. You can configure a home Wi-Fi network with layer 2 security and password authentication.

Page 45 - Configuration Database

Feature Description
You can verify with your organization's wireless service provider that your organization's service plan supports access t

Page 46

Component Description
BlackBerry Administration Service The BlackBerry Administration Service is a BlackBerry Enterprise Server component that connects

Page 47 - Device storage space

Protecting a connection between a Wi-Fi enabled device and an enterprise Wi-Fi network
A Wi-Fi enabled BlackBerry device is designed to connect to ente

Page 48

How an SSL connection between a Wi-Fi enabled device and the BlackBerry Infrastructure protects data
An SSL connection between a Wi-Fi enabled BlackBer

Page 49

• SSL_DHE_RSA_WITH_DES_CBC_SHA
• SSL_DH_anon_WITH_RC4_128_MD5
• SSL_DHE_DSS_WITH_DES_CBC_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_DH_anon_WITH_3DES_EDE_CBC_SH

Page 50

• TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
• TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
• TLS_DH_anon_WITH_DES_CBC_SHA
• TLS_D

Page 51

Using a VPN with a device
If your organization’s environment includes VPNs, such as an IPSec VPN, you can configure a Wi-Fi enabled BlackBerry device t

Page 52

Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN
When a Wi-Fi enabled BlackBerry device connect

Page 53

UI setting
VPN-1 Power
Cisco VPN 3000 Series Concentrator
VPN Firewall Brick
NetScreen
Nortel Networks Contivity
Secure Computing Sidewinder
Symantec Raptor

Page 54 - Securing devices in your

Supported configurations for the Cisco VPN 3000 Series Concentrator
The following table describes the configurations that BlackBerry 7.1 supports for t

Page 55

Configuration setting Configuration 1 Configuration 2 Configuration 3 Configuration 4Gateway Credential (PSK): Password (Group Password)X XXAuth Crede

Page 56

Configuration setting Configuration 1 Configuration 2Gateway Credential (PSK): Password (Group Password) X XXAuth Credential (PSK): Username XXAuth Cr

Page 57

Component Description
BlackBerry Attachment Service The BlackBerry Attachment Service is a BlackBerry Enterprise Server component that converts support

Page 58

Configuration setting Configuration 1
IKE: Cipher 3DES
IKE: Hash HMAC MD5
IPSec: Crypto and Hash Suite 3DES-MD5
NAT timeout Default
Supported configuration

Page 59

Wi-Fi network or Wi-Fi hotspot. After the BlackBerry device connects to the enterprise Wi-Fi network or Wi-Fi hotspot, the user can browse to an HTML

Page 60

Data flow: Generating a token code for a software token
1. An RSA administrator uses the RSA Authentication Manager to import a seed as a soft token fi

Page 61

Layer 2 security methods that a device supports
You can configure a Wi-Fi enabled BlackBerry device to use security methods for layer 2 (also known as

Page 62

For more information about configuring WEP encryption, see the BlackBerry Enterprise Server Administration Guide.
WPA authentication
The IEEE 802.1X sta

Page 63

IEEE 802.1X standard
The IEEE 802.1X standard defines a generic authentication framework that a Wi-Fi enabled BlackBerry device and an enterprise Wi-Fi

Page 64 - Protecting data on a device

Data flow: Authenticating a Wi-Fi enabled device with a work Wi-Fi network using the IEEE 802.1X standard
If you configured a wireless access point to

Page 65

EAP authentication methods that a Wi-Fi enabled device supports
LEAP authentication
LEAP authentication is designed to improve WEP authentication. You c

Page 66

The device supports EAP-TLS authentication when the authentication server and client use certificates that meet specific requirements for authenticati

Page 67

Encryption keys that a Wi-Fi enabled device supports for use with layer 2 security methods
A Wi-Fi enabled BlackBerry device supports AES-CCMP encrypti

Page 68

Component Description
BlackBerry Enterprise Server uses the connection to send email messages inside your organization's firewall.
BlackBerry Infra

Page 69

Using certificates with PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication
If your organization uses PEAP authentication, EAP-TLS

Page 70

Controlling applications on a device
Creating an application for a smartphone
An application developer can create an application for BlackBerry smartpho

Page 71

For more information about using IT policy rules, visit www.blackberry.com/go/serverdocs to see the BlackBerry Enterprise Server Policy Reference Guid

Page 72 - Protecting the data that the

"Not permitted", a game that is installed on a smartphone may not be able to send high scores back to a central server since the game is not

Page 73 - Database stores

Permission Category Default setting Description• Prompt (BlackBerry Device Software 6.0 and earlier)Internet Connections• Allow (BlackBerry 7 and late

Page 74

Permission Category Default setting Description
Recording Interactions Prompt A user can set whether applications can take screen shots of the smartpho

Page 75

Application permissions for applications that users install as trusted applications on a smartphone
Some applications that a user installs on a BlackBe

Page 76

Permitting an application to encode data on a smartphone
A developer can use the Transcoder API to create an encoding scheme for data that a BlackBerry

Page 77

Removing add-on applications from a device
You can create a software configuration to remove all add-on applications that are preloaded on a BlackBerry

Page 78

• Prompt user: the device displays a message that provides the user with the option to Allow or Deny the application's request to access NFC feat

Page 79

Component Description
BlackBerry Router The BlackBerry Router is a BlackBerry Enterprise Server component that connects to the wireless network to send

Page 80

RIM Cryptographic API
The RIM Cryptographic API that is on a BlackBerry device and in the BlackBerry Java Development Environment consists of a Java in

Page 81

Algorithm Key length (bits)
RC5 0 to 2040
Skipjack 80
Triple DES 112 and 168
Stream encryption algorithms that the RIM Cryptographic API supports
The RIM C

Page 82

Algorithm Key length (bits) Type
ECDH 160 to 571 (Elliptic Curve) discrete logarithm
ECMQV 160 to 571 (Elliptic Curve) discrete logarithm
KEA 1024 discre

Page 83

Message authentication codes that the RIM Cryptographic API supports
Code Key length (bits)
CBC-MAC variable (block cipher key length)
HMAC variable
Messa

Page 84

Cipher suites for the key establishment algorithm that the RIM Cryptographic API supports
Direct mode SSL Direct mode TLS WTLS
DH_anon DH_anon RSA _768,

Page 85

Hash algorithms that the RIM Cryptographic API supports
Direct mode SSL Direct mode TLS WTLS
MD5 MD5 SHA
SHA-1 SHA-1 SHA-40, SHA-80, MD5, MD5-40, MD5-80
L

Page 86

Related resources
Resource Information
BlackBerry Enterprise Server Feature and Technical Overview
• understanding BlackBerry Enterprise Server architec

Page 87 - WAP gateway

Resource Information
BlackBerry Java Development Environment Development Guide
• using controlled APIs
• using code signatures
BlackBerry Smart Card Read

Page 88

Resource Information
• risks of using Bluetooth wireless technology on mobile devices
www.blackberry.com/security
• understanding BlackBerry Enterprise S

Page 89 - Protecting communications in

Glossary
3GPP Third Generation Partnership Project
Advanced Security SD card
An Advanced Security SD card is a media card that complies with the Advanced

Page 90

Keys on a device
The BlackBerry Enterprise Solution generates keys that are designed to protect the data that is stored on a BlackBerry device and the

Page 91

BlackBerry MVS BlackBerry Mobile Voice System
BlackBerry transport layer encryption
BlackBerry transport layer encryption (formerly known as standard Bl

Page 92

DRBG deterministic random bit generator
DSA Digital Signature Algorithm
DSML Directory Service Markup Language
DSML-enabled server
A BlackBerry device use

Page 93

flash memory The flash memory is an internal file system on a BlackBerry device that stores application data and user data.
GAN generic access network
G

Page 94

IT policy public key The IT policy public key is a key that a BlackBerry device uses to authenticate the IT policy that the BlackBerry Enterprise Serv

Page 95

OAEP Optimal Asymmetric Encryption Padding
OCSP Online Certificate Status Protocol
OFB output feedback
PAC proxy auto-configuration
PBX Private Branch Exc

Page 96

S/MIME Secure Multipurpose Internet Mail Extensions
SEMA Simple Electromagnetic Analysis
SHA Secure Hash Algorithm
SIM Subscriber Identity Module
SMS Shor

Page 97

WTLS Wireless Transport Layer Security

Page 98

Legal notice
©2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry Limited and are

Page 99 - Kerberos authentication

QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO

Page 100

Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not instal

Page 101

Key Description
content protection key The content protection key encrypts user data on the device when the device is locked.
device transport key The d

Page 102 - Activating a device

Published: 2014-01-17
SWD-20140117135425071

Page 103

Device transport keys
The device transport key encrypts the message keys that help protect the data sent between a BlackBerry Enterprise Server and Bla

Page 104 - Managing certificates on a

State Description
The messaging server and BlackBerry Configuration Database store the previous device transport key that the BlackBerry Enterprise Ser

Page 105

• device transport keys in binary form with tags that indicate whether the status of the device transport keys is pending (0x6002 tag), current (0x600

Page 106

Characteristics Description
long-term public keys exchanged The wireless activation process verifies that the BlackBerry Enterprise Server and device c

Page 107

A user can also generate a device transport key using the BlackBerry Desktop Manager. By default, the BlackBerry Enterprise Server sends a request to

Page 108

Each message key consists of random data that is designed to make it difficult for a third party to decrypt, re-create, or duplicate the message key.
T

Page 109 - RSA certification authority

1. Retrieves random data from multiple sources to generate the seed using a technique that the device derives from the initialization function of the

Page 110

Data flow: Turning on content protection using a BlackBerry Enterprise Server
You can turn on content protection using a BlackBerry Enterprise Server w

Page 111 - Software updates

3. Prompts the user to type the device password
4. Derives an ephemeral 256-bit AES encryption key from the device password, using PKCS #5
5. Uses the e

Page 112

Principal encryption keys
When you or a user turns on content protection for device transport keys, a BlackBerry device generates a principal encryptio

Page 113

Contents
1 New in this release...

Page 114

A device that has a PIN encryption key that is specific to your organization can perform the following actions:
• can only encrypt PIN messages sent to

Page 115 - Application Web Loader

Encrypting data that the BlackBerry Enterprise Server and a device send to each other
To encrypt data that is in transit between the BlackBerry Enterpr

Page 116 - Extending messaging security

How the BlackBerry Enterprise Solution uses AES to encrypt data
By default, when a BlackBerry device supports AES, the BlackBerry Enterprise Solution u

Page 117 - LDAP servers

Data flow: Running a masking operation during subsequent AES calculations when content protection is turned on
A BlackBerry device performs the followi

Page 118

All versions of the BlackBerry Enterprise Server, BlackBerry Device Software, and BlackBerry Desktop Software support Triple DES.
For more information

Page 119

Data flow: Sending an email message from a device using BlackBerry transport layer encryption 1. A sender sends an email message from a BlackBerry de

Page 120

Managing BlackBerry Enterprise Solution security
Using an IT policy to manage BlackBerry Enterprise Solution security
You can use an IT policy to contro

Page 121 - S/MIME encryption algorithms

Preconfigured IT policy Description
Default This policy includes all the standard IT policy rules that are set on the BlackBerry Enterprise Server.
Indi

Page 122

Using IT policy rules to manage BlackBerry Enterprise Solution security
You can use IT policy rules to customize and control the actions that the Black

Page 123

Method Description
Apply one IT policy to the user account The BlackBerry Enterprise Server applies one of the group IT policies to the user account. Y

Page 124 - Notes encryption

Using IT administration commands to protect a lost or stolen device...

Page 125 - Notes .id file

Scenario Rule
A user account belongs to multiple groups. You assign multiple IT policies to the groups but do not assign an IT policy to the user accou

Page 126

Scenario Rule
rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser I

Page 127

Best practice Description
notify the user that you turned on the ability of the device to report its location to the BlackBerry Enterprise Server.
Using

Page 128

IT administration command Description
You can send this command to a device that you want to distribute to another user in your organization, or to a d

Page 129

f permanently deletes K
5. The device performs the following actions:
a selects d randomly
b calculates D = dP
c stores D in flash memory
d calculates K =

Page 130

Using a segmented network to help prevent the spread of malware
To help prevent the spread of malware in your organization’s network, you can use firew

Page 131 - Bluetooth connections

Configuring the IT Policy Viewer icon on a device
The IT policy viewer permits a BlackBerry device user to view IT policy rules that were configured fo

Page 132 - Two-factor authentication

Device storage space
The BlackBerry device storage space consists of various sections that store BlackBerry device user data and sensitive information

Page 133

Changing when a device cleans the device memory
By default, the memory cleaner application runs on a BlackBerry device when the device is inactive for

Page 134 - Two-factor content protection

When a device overwrites data in the device memory
A BlackBerry device continually runs the memory cleaner application during the based garbage collect

Page 135

Encrypting the device transport key on a locked device...

Page 136

• if you reset the device to the factory default settings, the IT policy that is stored on the device
• if a user selects the Include third party appli

Page 137 - Wi-Fi enabled devices

IT policy rule Description
Secure Wipe Delay After IT Policy Received
This rule specifies the length of time (in hours) after a device receives an IT po

Page 138

The device can bind to another BlackBerry Enterprise Server at a later time. The device does not use the memory-scrub process to overwrite the IT poli

Page 139

3. writes 0xCC to each byte (1100 1100₂)
4. writes all bytes to 0x00 (0000 0000₂)
5. writes 0x55 to each byte (0101 0101₂)
6. writes all bytes to 0x00 (0

Page 140

Securing devices in your organization’s environment for personal use and work use
Your organization might want to permit BlackBerry device users to use

Page 141

data, you must configure the "Is access to the corporate data API allowed" application control policy rule. The device checks this rule to d

Page 142

Data and applications that a device classifies for personal use
A BlackBerry device classifies the following data and applications for personal use:
• e

Page 143

Preventing a user from pasting work data into a personal application
To help prevent a BlackBerry device user from pasting work data into a personal ap

Page 144 - Using a VPN with a device

Prevent a user from using the work contact list in personal email accounts and personal calendars
By default, a BlackBerry device does not prevent a Bl

Page 145

data and personal data on a computer using the BlackBerry Desktop Software and BlackBerry Web Desktop Manager. The user can restore the data to the de

Page 146

How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate with each other
What happens whe

Page 147

require that a personal device remove only work data when the device receives the Delete only the organization data and remove device IT administrativ

Page 148

Data flow: Deleting only work data from a device
When you delete only work data from a BlackBerry device using the Delete all organizational device dat

Page 149

Managing third-party applications on a smartphone that a user uses for personal purposes
By default, a BlackBerry smartphone classifies all application

Page 150

prevent add-on applications such as Facebook for BlackBerry smartphones and MySpace for BlackBerry smartphones from accessing the work calendar and wo

Page 151

Protecting data on a device
Encrypting user data on a locked device
If you or a BlackBerry device user turns on content protection, you or the user can

Page 152

To make content protection optional or to prevent an administrator or a user from turning on content protection for a device that is running BlackBerr

Page 153 - WEP encryption

device locks. If the device does not complete the re-encryption process before the user unlocks the device, the device resumes re-encryption when it l

Page 154 - WPA authentication

• connects to the BlackBerry Infrastructure
• resumes serial bypass connections
• receives data from the BlackBerry Enterprise Server
Resetting a device

Page 155 - IEEE 802.1X standard

Cryptosystem parameters that the remote password reset cryptographic protocol uses
The BlackBerry Enterprise Server and BlackBerry device are designed

Page 156

The first time that the user opens the password keeper on the device, the user must create the password keeper password. The password keeper encrypts

Page 157 - EAP-TLS authentication

Battery power requirements for BlackBerry Device Software updates over the wireless network
Data flow: Preparing t

Page 158 - EAP-SIM authentication

To generate an encryption key, the BlackBerry device performs the following actions:
1. generates an AES-256 encryption key
2. stores the encryption key

Page 159

How a device protects its operating system and the BlackBerry Device Software
Each time a user turns on a BlackBerry device, specific components on the

Page 160

Protecting the data that the BlackBerry Enterprise Server stores in your organization's environment
Where the BlackBerry Enterprise Server stores

Page 161

Messaging environment Storage location
Microsoft Exchange The BlackBerry Enterprise Server stores user data in hidden folders in the Microsoft Exchange

Page 162

Best practice Description
• At a minimum, write failed connection attempts to the Microsoft SQL Server log file and review the log file regularly.
• Whe

Page 163

Best practice Description
• Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and NTFS permits sec

Page 164

A device stores the digitally signed IT policy and the IT policy public key in the NV store in flash memory. When the device stores the IT policy and

Page 165

Protecting communication with a device
Opening a direct connection between a device and a BlackBerry Router
A BlackBerry device can use the BlackBerry R

Page 166

• A device can provide all email messaging services and data services using the BlackBerry Router protocol except for activation over the wireless net

Page 167

To perform either of these impersonation attacks, the potentially malicious user must send the device transport key value (also known as s) to the Bla

Page 168 - NFC features on a device

Data flow: Turning on two-factor content protection...

Page 169

c sends RD and KeyID to the BlackBerry Enterprise Server
4. The BlackBerry Enterprise Server performs the following actions:
a calculates that as RD app

Page 170 - RIM Cryptographic API

yBP + eBRB ≠ hP• The BlackBerry Router does not accept the connection request if the BlackBerry Router calculates the following:yBP + eBRB ≠ yDP + eDR

Page 171

4. The BlackBerry Router performs one of the following actions:
• The BlackBerry Router closes the authenticated connection to the BlackBerry device on

Page 172 - API supports

Best practice: Protecting plain text messages that a device sends over the wireless network
Plain text messages include SMS text messages, MMS messages

Page 173

Best practice Description
To apply this best practice, you can use the Firewall Block Incoming Messages IT policy rule.
Require a user to verify whether

Page 174

Protecting HTTP connections from a device to content servers and application servers using HTTPS
If a third-party application on a BlackBerry device ca

Page 175

Warning message Description
Weak Crypto Algorithm Your organization considers the algorithm that is used in the certificate chain to be weak.
Permitting

Page 176 - Related resources

• Stop: the user should select this option if the user wants to close the connection between the device and the website.
• Details: the user should sel

Page 177

BlackBerry Enterprise Server. When the BlackBerry Infrastructure becomes available again, the BlackBerry Enterprise Server resends messages that it di

Page 178 - Resource Information

Protecting communications in your organization's environment
How a BlackBerry Enterprise Server and the BlackBerry Infrastructure authenticate wit

Page 179 - Glossary

Specifying the resources that applications can access on a device...1

Page 180

What happens when a BlackBerry Enterprise Server and the BlackBerry Infrastructure open an initial connection
After a BlackBerry Enterprise Server and

Page 181

Data flow: Authenticating a BlackBerry Enterprise Server with the BlackBerry Infrastructure
1. The BlackBerry Enterprise Server sends a data packet tha

Page 182

Messaging server Description
A user who activates a BlackBerry device when the device is connected to a computer can encrypt data that is in transit be

Page 183

Synchronization Service, and BlackBerry MVS share a communication password. The BlackBerry Messaging Agent and BlackBerry Dispatcher share a different

Page 184

a uses a shared secret password (also known as the communication password) and the ECDH protocol with a 521-bit curve to create a device transport key

Page 185

environment and authenticate and authorize users. The Kerberos protocol is designed to permit the BlackBerry MDS Connection Service to verify user acc

Page 186

How the BlackBerry MDS Connection Service uses Kerberos to help protect your organization's resources
BlackBerry MDS Connection Service integrated

Page 187 - Legal notice

1. The BlackBerry device user navigates to a resource on your organization’s intranet or on a file share (for example, a web page or shared file) usi

Page 188

Protecting your organization’s resources when you configure BlackBerry Administration Service single sign-on
You can configure the BlackBerry Administr

Page 189

Component Description
BlackBerry Administration Service The BlackBerry Administration Service permits you to manage the BlackBerry Domain, which includ
