BlackBerry ENTERPRISE SOLUTION SECURITY - SECURITY FOR DEVICES WITH BLUETOOTH WIRELESS TECHNOLOGY - TECHNICAL Installation Guide Page 1


Content summary

Page 1 - Device Software Version 4.5

BlackBerry Enterprise Solution Security Technical Overview for BlackBerry Enterprise Server Version 4.1 Service Pack 5 and BlackBerry Device Softwar

Page 2 - Contents

BlackBerry Enterprise Solution 10 Messaging server platform Messaging server storage location BlackBerry device storage location BlackBerry Enterpr

Page 3

BlackBerry Enterprise Solution 11 Profiles database stores an account record containing the field RIMCurrentEncryptionKeyText, which stores the mast

Page 4

BlackBerry Enterprise Solution 12 5. The BlackBerry Desktop Software uses the first 256 bits if it is generating the master encryption key using AE

Page 5

BlackBerry Enterprise Solution 13 Process for generating message keys on the BlackBerry Enterprise Server The BlackBerry Enterprise Server is design

Page 6 - Wireless security

BlackBerry Enterprise Solution 14 7. The DSA PRNG function generates 128 pseudo-random bits for use with Triple DES and 256 pseudo-random bits for

Page 7

BlackBerry Enterprise Solution 15 3. The locked BlackBerry device uses the ECC public key to encrypt data that it receives. Process for decrypting

Page 8 - New security features

BlackBerry Enterprise Solution 16 verifies that a BlackBerry message remains protected in transit to the BlackBerry Enterprise Server while the mess

Page 9 - BlackBerry encryption keys

BlackBerry Enterprise Solution 17 Standard BlackBerry message encryption Standard BlackBerry encryption is designed to encrypt messages that the Bla

Page 10

BlackBerry Enterprise Solution 18 Permitting third-party applications to encode BlackBerry device data The BlackBerry Enterprise Server and the Blac

Page 11

BlackBerry Enterprise Solution 19 The BlackBerry Enterprise Server is designed to maintain a constant, direct outbound TCP/IP connection to the wire

Page 12 - Message keys

BlackBerry Enterprise Solution Contents Wireless security...

Page 13

BlackBerry Enterprise Solution 20 The system administrator can install the BlackBerry Attachment Service on a remote computer and then place that co

Page 14 - Content protection keys

BlackBerry Enterprise Solution 21 with Triple DES to encrypt PIN messages, every BlackBerry device can decrypt every PIN message that it receives be

Page 15 - Grand master keys

BlackBerry Enterprise Solution 22 Turning off unsecured messaging The BlackBerry Enterprise Server administrator can turn off unsecured messaging to

Page 16

BlackBerry Enterprise Solution 23 The BlackBerry device is designed to use the BlackBerry MDS Connection Service, which resides on the BlackBerry En

Page 17

BlackBerry Enterprise Solution 24 algorithms to encrypt PGP messages. The BlackBerry Enterprise Server administrator can set the PGP Allowed Content

Page 18

BlackBerry Enterprise Solution 25 4. The BlackBerry Enterprise Server removes the standard BlackBerry encryption and sends the S/MIME-encrypted mes

Page 19

BlackBerry Enterprise Solution 26 Decrypting and reading messages on the BlackBerry device using Lotus Notes API 7.0 The BlackBerry® Enterprise Serv

Page 20 - PIN-to-PIN messaging

BlackBerry Enterprise Solution 27 The encrypted Notes .id password remains stored in the BlackBerry Enterprise Server for IBM Lotus Domino messaging

Page 21 - Text messaging

BlackBerry Enterprise Solution 28 Database Message storage method BlackBerry profiles • stores important configuration information for each BlackB

Page 22

BlackBerry Enterprise Solution 29 • external file encryption by encrypting specific files on the external memory device using AES The external file

Page 23 - PGP encryption

BlackBerry Enterprise Solution BlackBerry architecture component security ...

Page 24 - S/MIME encryption

BlackBerry Enterprise Solution 30 Item Description calendar • subject • location • organizer • attendees • notes included in the appointmen

Page 25

BlackBerry Enterprise Solution 31 Protected storage of master encryption keys on a locked BlackBerry device If the BlackBerry Enterprise Server admi

Page 26

BlackBerry Enterprise Solution 32 • periodically runs the memory cleaner application, which tells BlackBerry device applications to empty any cache

Page 27 - Protecting stored data

BlackBerry Enterprise Solution 33 BlackBerry architecture component security The BlackBerry Enterprise Server consists of services that provide func

Page 28

BlackBerry Enterprise Solution 34 BlackBerry Enterprise Server The BlackBerry Enterprise Server is designed to establish a secure, two-way link betw

Page 29

BlackBerry Enterprise Solution 35 Configuration option Recommendations shield your Microsoft SQL Server installation from Internet based attacks •

Page 30

BlackBerry Enterprise Solution 36 Configuration option Recommendations Use a secure file system • Use NTFS for the Microsoft SQL Server because it

Page 31

BlackBerry Enterprise Solution 37 Protecting the BlackBerry Enterprise Solution connections The BlackBerry Enterprise Server is designed to communic

Page 32

BlackBerry Enterprise Solution 38 Step Action Description 3 The BlackBerry Enterprise Server sends a challenge string to the BlackBerry Infrastru

Page 33 - BlackBerry Infrastructure

BlackBerry Enterprise Solution 39 Scenario Result The connection between the BlackBerry Enterprise Server and the BlackBerry Infrastructure termina

Page 34 - Messaging server

BlackBerry Enterprise Solution Controlling BlackBerry device behavior using IT policy rules ...

Page 35

BlackBerry Enterprise Solution 40 For more information about the BlackBerry Router protocol and the authentication process, see “Masking operation p

Page 36

BlackBerry Enterprise Solution 41 Step Action Description 6 The BlackBerry Enterprise Server sends data to the BlackBerry device. If wireless PIM

Page 37 - SRP authentication

BlackBerry Enterprise Solution 42 Security measure Description The BlackBerry device initiates inbound connections using the BlackBerry Router to a

Page 38

BlackBerry Enterprise Solution 43 2. The BlackBerry Desktop Software implementation of the secure channel technology uses the shared secret passwor

Page 39

BlackBerry Enterprise Solution 44 message, the BlackBerry MDS Services security protocol encrypts and decrypts data that the BlackBerry device and t

Page 40

BlackBerry Enterprise Solution 45 HTTPS protocol BlackBerry MDS encryption method Description Handheld mode TLS/SSL TLS and WTLS key establishment

Page 41 - TCP/IP connection

BlackBerry Enterprise Solution 46 Authentication process for requests for wireless software upgrades When the BlackBerry Infrastructure sends a wire

Page 42

BlackBerry Enterprise Solution 47 segmented network architecture, the system administrator can place the BlackBerry Enterprise Solution components i

Page 43 - BlackBerry MDS connections

BlackBerry Enterprise Solution 48 Accessing the BlackBerry Infrastructure Wi-Fi enabled BlackBerry devices can connect directly to the BlackBerry In

Page 44

BlackBerry Enterprise Solution 49 Enterprise Wi-Fi network security technology Wi-Fi enabled BlackBerry device implementation Layer 2 security Set

Page 45

BlackBerry Enterprise Solution Encryption algorithms that the BlackBerry device supports for use with layer 2 security methods ...83 EAP authenticatio

Page 46 - WAP gateway connections

BlackBerry Enterprise Solution 50 After an authentication server permits the supported Wi-Fi enabled BlackBerry device to access the enterprise Wi-F

Page 47

BlackBerry Enterprise Solution 51 Authentication method Description Wi-Fi enabled BlackBerry device implementation Using IEEE 802.11i with PSK Sm

Page 48

BlackBerry Enterprise Solution 52 the authentication server certificate. For the supported Wi-Fi enabled BlackBerry devices to trust the authenticat

Page 49

BlackBerry Enterprise Solution 53 users must authenticate with the WLAN Login application browser using login credentials that the system administra

Page 50

BlackBerry Enterprise Solution 54 For more information, see the BlackBerry Smart Card Reader Security Technical Overview. Binding the smart card to

Page 51

BlackBerry Enterprise Solution 55 Field Description Initialized indicates whether the BlackBerry device is authenticated with and bound to the sma

Page 52 - Fi hotspots

BlackBerry Enterprise Solution 56 Creating new IT policy rules to control custom applications Create new IT policy rules to control custom applicati

Page 53

BlackBerry Enterprise Solution 57 The BlackBerry Enterprise Server administrator can define the following types of criteria: • specific, permitted

Page 54

BlackBerry Enterprise Solution 58 connection. BlackBerry devices and the BlackBerry Desktop Software can use CHAP to send a challenge and subsequent

Page 55

BlackBerry Enterprise Solution 59 How the BlackBerry device protects its operating system and the BlackBerry Device Software Each time a user turns

Page 56

BlackBerry Enterprise Solution 6 This document describes the security features of the BlackBerry® Enterprise Solution and provides an overview of th

Page 57

BlackBerry Enterprise Solution 60 • specify whether or not applications, including third-party applications, on the BlackBerry device can initiate

Page 58

BlackBerry Enterprise Solution 61 Each third-party application requires authorization to run on the BlackBerry device. MIDlets (applications that us

Page 59 - Software

BlackBerry Enterprise Solution 62 Remotely resetting the password of a content protected BlackBerry device The remote password reset cryptographic p

Page 60

BlackBerry Enterprise Solution 63 IT policy rule Description Secure Wipe if Low Battery Set this IT policy rule to require that, if the BlackBerry

Page 61 - • the signature is invalid

BlackBerry Enterprise Solution 64 do not exist on the BlackBerry device (in other words, if there is no connection between the BlackBerry Enterprise

Page 62

BlackBerry Enterprise Solution 65 Related resources Resource Information BlackBerry Enterprise Server Feature and Technical Overview • BlackBerry

Page 63

BlackBerry Enterprise Solution 66 Resource Information Garbage Collection in the BlackBerry Java Development Environment • cleaning BlackBerry dev

Page 64

BlackBerry Enterprise Solution 67 Resource Information Visit www.blackberry.com/security. • information about BlackBerry Solution security www.bla

Page 65 - Related resources

BlackBerry Enterprise Solution 68 Appendix A: RIM Crypto API Interface The RIM Crypto API on the BlackBerry device and in the BlackBerry JDE provid

Page 66

BlackBerry Enterprise Solution 69 Key agreement scheme algorithms Algorithm Key length (bits) Type DH 512 to 4096 discrete logarithm KEA 1024 di

Page 67 - Resource Information

BlackBerry Enterprise Solution 7 Concept Description BlackBerry Enterprise Solution implementation authenticity enables the message recipient to

Page 68 - • a key generation protocol

BlackBerry Enterprise Solution 70 Code Digest length (bits) RIPEMD-128, 160 128, 160 www.blackberry.com

Page 69

BlackBerry Enterprise Solution 71 Appendix B: TLS and WTLS standards that the RIM Crypto API supports The TLS and WTLS protocol cipher suite compone

Page 70 - RIPEMD-128, 160 128, 160

BlackBerry Enterprise Solution 72 Symmetric algorithms that the RIM Crypto API supports Direct mode SSL Direct mode TLS WTLS RC4 40 RC4 40 RC5 4

Page 71

BlackBerry Enterprise Solution 73 Appendix C: Previous version of wired master encryption key generation Each time a BlackBerry Enterprise Server or

Page 72

BlackBerry Enterprise Solution 74 Appendix D: BlackBerry device wipe process A BlackBerry device wipe is designed to delete and overwrite the BlackB

Page 73

BlackBerry Enterprise Solution 75 4. Clears all bytes to 0xFF (1111 1111₂). 5. Writes 0x55 to each byte (0x0101 0101₂). 6. Clears all bytes to 0x

Page 74

BlackBerry Enterprise Solution 76 Appendix E: Ephemeral AES encryption key derivation process The BlackBerry device uses an ephemeral 256-bit AES en

Page 75

BlackBerry Enterprise Solution 77 Appendix F: Power and electromagnetic side-channel attacks and countermeasures The BlackBerry device implementatio

Page 76

BlackBerry Enterprise Solution 78 How the AES algorithm creates S-Box tables The BlackBerry device permutes each AES S-Box entry randomly and masks

Page 77

BlackBerry Enterprise Solution 79 Appendix G: BlackBerry Router protocol When the BlackBerry Enterprise Server and the BlackBerry device use the Bla

Page 78

BlackBerry Enterprise Solution 8 Feature Description control BlackBerry device and BlackBerry Desktop Software functionality • Send wireless comma

Page 79

BlackBerry Enterprise Solution 80 device. The attacker must send master encryption key value (s) to the BlackBerry Enterprise Server, which requires

Page 80

BlackBerry Enterprise Solution 81 If the BlackBerry device accepts yB, the BlackBerry Enterprise Server and the BlackBerry device open an authentica

Page 81

BlackBerry Enterprise Solution 82 Appendix H: Enterprise Wi-Fi security methods that the BlackBerry device supports EAP authentication methods that

Page 82

BlackBerry Enterprise Solution 83 Authentication method Description BlackBerry device implementation EAP-TTLS EAP-TTLS is designed to extend EAP-

Page 83

BlackBerry Enterprise Solution 84 Protocol Description Wi-Fi enabled BlackBerry device implementation TKIP TKIP is • part of the IEEE 802.11i ent

Page 84 - • WEP and TKIP

BlackBerry Enterprise Solution 85 VPN solution on the Wi-Fi enabled BlackBerry device The Wi-Fi enabled BlackBerry device has a built-in VPN client

Page 85

BlackBerry Enterprise Solution 86 • RSA_WITH_RC4_128_MD5 • RSA_WITH_3DES_EDE_CBC_SHA • RSA_WITH_AES_128_CBC_SHA • RSA_WITH_AES_256_CBC_SHA • TL

Page 86 - • RSA_WITH_AES_256_CBC_SHA

BlackBerry Enterprise Solution 87 Appendix J: RSA SecurID software token tokencode generation process 1. An administrator uses the RSA Authenticati

Page 87

BlackBerry Enterprise Solution 88 3. The BlackBerry device receives B and verifies that B is a valid public key. 4. The BlackBerry device performs

Page 88 - BlackBerry device remotely

BlackBerry Enterprise Solution 89 Protocol process When the BlackBerry Enterprise Server administrator sends the Set a Password and Lock Handheld IT

Page 89 - Protocol process

BlackBerry Enterprise Solution 9 Feature Software versions supported Description The BlackBerry Enterprise Solution allows administrators to apply

Page 90

BlackBerry Enterprise Solution 90 Part number: 17930884 Version 2 ©2008 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research

Page 91

BlackBerry Enterprise Solution 91 Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to
