BlackBerry PRD-09695-004 manual

BlackBerry Smart Card Reader Ve r s i o n 2.0 Securi ty T echnical Ov erview[...]

Con ten ts BlackBerry Smart Card Reader ................................................................................................... ............................. 4 Authenticating a user using a smart card ....................................................................................... ................... 4 Integrating a smart card wi[...]

BlackBerry Smart Card Reader sh ared cryptosystem parameters .................................................................... .2 5 Examples of attacks that the BlackBerry S mart Card Re ader security protocols are designed to prevent .. 26 Eavesdropping ............................................................................................[...]

BlackBerry Smart Car d R eader The BlackBerry® Smart Card Reader is an accessory that, when used in proximity to certain Bluetooth® enabled BlackBerry devices and computers, permits users to authen ticate with their smart cards and log in to Bluetooth enabled BlackBerry devices and computers. The BlackBerry Smart Card Reader is de signed to perfo[...]

New in this r elease Feature Description proximity authentication Proximity authentication is an authentication method that permits a user to unlock a BlackBerry® device using a BlackBerry device password and a BlackBerry® Smart Card Reader when the BlackBerry Smart Card Reader is located within Bluetooth® technology range of the BlackBerry devi[...]

System r equir emen ts The BlackBerry® Smart Card Reader supports th e following software and BlackBerry devices: BlackBerry Enterprise Server software Computer BlackBerry devices • BlackBerry® Enterprise Server version 4.0 SP2 and later for Microsoft® Exchange (with the S/MIME IT Policy Pack imported) • BlackBerry Enterprise Server version [...]

System ar chi tectur e The BlackBerry® Smart Card Reader is designed to conne ct to a Bluetooth® enabled BlackBerry device and a Bluetooth enabled computer. The BlackBerry Smart Card R eader supports using certificates tha t a PKI generates with a BlackBerry device. The BlackBerry Smart Card Reader cannot communicate with the BlackBerry® Enterpr[...]

BlackBerry En terprise Solution securi ty The BlackBerry® Enterprise Solution is designed to encrypt da ta that is in transit at a ll points between a BlackBerry device and the BlackBerry® Enterprise Server to help protec t your organization from data loss or alteration. Only the BlackBerry Enterprise Server and the BlackBerry device ca n decrypt[...]

Restricting Bluetooth technology on a Bluetooth enabled computer On a Bluetooth® enabled computer, when a Bluetooth wirele ss adaptor exists and is turned on, the computer also installs Bluetooth drivers (and a personal area networking device, optionally) for that wireless adaptor. To prevent a user who does not have administrator privileges and e[...]

BlackBerry Smart Car d R eader securi ty The BlackBerry® Smart Card Reader is designed to prevent offline and online dictionary attacks using the following security methods. Security method Description authentication of connections The BlackBerry Smart Card Reader uses processes designed to perform the following actions: • pair the BlackBerry Sm[...]

11 Security method Description code signing Before a user can run a permitted th ird-party application th at uses the controlled APIs on the BlackBerry device, the Res earch In Motion signing authority system must use public key cryptography to au thorize and authenticate the application code. The BlackBerry Smart Card Reader uses code signing to p[...]

• prevent third-party applications that have obtained a digital signature from the Research In Motion signing authority system from using the BlackBerry device controlled APIs to do anything other than access persistent storage of user data and communicate with other applications You can configure application control policy rules so that all Blue[...]

13 IT policy rule Description Maximum Connection Heartbeat Period This rule specifies the maximum h eartbeat period, in seconds. During each heartbeat period, the paired Blac kBerry device or computer sends a heartbeat, which the BlackBerry Smart Card Reader acknowledges. If either side does not send or acknowledge a heartbeat in the maximum heartb[...]

14 IT policy rule Description Maximum PC Long Term Timeout This rule specifies the maximum time, in hours, after a computer and the BlackBerry Smart Card Reader open the secure pairing connection between them that th e computer and the BlackBerry Smart Card Reader delete the secure pairing information. Maximum PC Bluetooth Traffic Inactivity Timeou[...]

Card Reader and the BlackBerry device or computer. By default, the secure pairing PIN is 8 characters long and is case-sensitive. If your organization uses BlackBerry Smart Card Reader version 2.0 and later and BlackBerry® Device Software version 5.0 and later, you can change the length of the secure pairing PIN using the Minimum PIN Entry Mode IT[...]

4. The BlackBerry Smart Card Reader creates a list of all the algorithms that it supports and sends the supported algorithms list to the BlackBerry device or computer. 5. The BlackBerry device or computer searches the list for a match with one of its own supported algorithms. • If a match is not available, the BlackBerry device or computer sends [...]

The connection key establishment protoc ol uses the ECDH algorithm that th e initial key establishment protocol negotiates. The ECDH algorithm provides Perfect Forward Secrecy, which uses the key that protects data to prevent the protocol from deriving previous or subsequent encryp tion keys. Each run of the connection key establishment protocol us[...]

For more information about variables used in this process, see “ BlackBerry Smart Card Reader shared cryptosystem parameters ”. The connection key establishment protocol can stop at any point if an error occurs. For more information, see “ Connection key establishment protocol errors ”. Encrypting and authen tica ting da ta on the applica t[...]

• The BlackBerry device binds to the installed smart ca rd automatically by storing the smart card binding information in a BlackBerry device NV store location, which is designed to be inaccessible to the user. For more information, see “Smart card binding information ”. Confirming that a BlackBerry device is bound t o the correct smart card [...]

P r oximi ty authen tica tion Proximity authentication is an authen tication method that permits a user to unlock a BlackBerry ® device using the BlackBerry device password and the BlackBerry® Smart Card Reader within Bluetooth® technology range of the BlackBerry device. To unlock a BlackBerry devi ce, the user moves the BlackBerry Smart Ca rd R[...]

factor content protection mandatory or optional, or to prev ent a user from configuring it, you can use the Two-factor Content Protection Usage IT policy rule. After you or a us er turns on two-factor content protectio n, to unlock the BlackBerry device, a user must type the BlackBerry device password and the smart card PIN on the login screen in t[...]

BlackBerry Smart Car d R eader supported algori thms Algorithm type Algorithm elliptic curve (default) • 571-bit Koblitz Curve (EC571K1) • 521-bit Random Curve (EC521 R1) • 283-bit Koblitz Curve (EC283K1) • 256-bit Random Curve (EC256R 1) • 160-bit Random Curve (EC160 R1) The initial key establishment protocol is designed to negotiate to [...]

Connection k ey establishmen t pr otocol err ors During the connection key establishment protocol process, if an error occurs on the BlackBerry® device, the computer, or the BlackBerry® Smart Card Reader, that party sends an error c ode to the other party negotiating the connection key. The following errors might occur: • negative length • ba[...]

Applica tion la y er pr otocol encryption and authen tica tion By default, each data packet that a BlackBerry® device or computer and the BlackBerry® Smart Card Reader send between them is authenticated and encrypted using the following methods: • authenticated with HMAC using the negotiated SHA algorithm • encrypted with AES of the negotiate[...]

BlackBerry Smart Car d Reader shar ed cryptosystem parame ters The BlackBerry® Smart Card Reader and a BlackBerry device or computer with the BlackBerry Smart Card Reader software and drivers installed are designed to share the following cryptosystem parameters. Parameter Description E(Fq) This parameter is the NIST-appr oved 521-bit random ellipt[...]

Examples of a ttacks tha t the BlackBerry Smart Car d R eader securi ty pr otocols are designed to pr ev en t Eavesdropping An eavesdropping event occurs when a user with malici ous intent listens to the communication between the BlackBerry® Smart Card Reader and a BlackBerry device or co mputer. The goal of the user with malicious intent is to de[...]

yxS = yxzP , for some z such that S = zP . To calculate yxP from yzxP without knowledge of z corresponds to solving the discrete logarithm problem, which is computationally infeasible, for S . Offline dictionary attack An offline dictionary attack occurs when a user with malicious intent tries all possible passwords and determines the correct passw[...]

Smart car d binding informa tion When you or a user turns on two-factor authentication on a BlackBerry® device, the BlackBerry device binds to the installed smart card automatically by storing the following smart card binding information in a special BlackBerry device NV store location that is inaccessible to a user: • the name of a Java® class[...]

BlackBerry Smart Car d Reader r ese t process When a user resets the BlackBerry® Smart Card Reader, the BlackBerry Smart Card Reader performs the following actions: • backs up the Bluetooth® encryption key for the curre ntly connected BlackBerry device, if applicable • deletes all Bluetooth pairing information • deletes all secure pairing i[...]

R ela ted r esour ces Resource Information BlackBerry Enterprise Solution Security Technical Overview • preventing the decryption of information at an intermediate point between the BlackBerry® device and the BlackBerry® Enterprise Server or organization LAN • managing security settings for all BlackBerry devices • protecting data that is i[...]

Glossary AES Advanced Encryption Standard API application programming interface CBC cipher block chaining ECDH Elliptic Curve Diffie-Hellman HMAC keyed-hash message authentication code LAN local area network LED light-emitting diode NIST National Institute of Standards and Technology NV nonvolatile PIN personal identification number PKI Public Key [...]

P r ovide feedback To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback . 32[...]

Legal notice Document ID: 25979072 version 3 ©2009 Research In Motion Limited. All righ ts reserved. BlackBerry®, RIM® , Research In Motion®, Sure Type®, SurePress™ and relate d trademar ks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Bluetooth is [...]

should not install or use Third Party Produc ts and Services until all necess ary licenses have been acqui red. Any Third Party Pr oducts and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no expres s or implied conditions, endorsements, guarante es, repr[...]