Blackberry PRD-09695-004 Technical Overview

Blackberry PRD-09695-004 - SMART Card Reader Manual

Blackberry PRD-09695-004 manual content summary:

  • Blackberry PRD-09695-004 | Technical Overview - Page 1
    BlackBerry Smart Card Reader Version 2.0 Security Technical Overview
  • Blackberry PRD-09695-004 | Technical Overview - Page 2
    20 Two-factor content protection ...20 Process flow: Protecting the content encryption key using two-factor content protection 21 BlackBerry Smart Card Reader supported algorithms 22 Connection key establishment protocol errors ...23 Application layer protocol encryption and authentication 24
  • Blackberry PRD-09695-004 | Technical Overview - Page 3
    in-the-middle attack ...26 Offline attack...26 Offline dictionary attack...27 Online dictionary attack...27 Small subgroup attack ...27 Smart card binding information...28 BlackBerry Smart Card Reader reset process...29 Related resources ...30 Glossary ...31 Provide feedback ...32 Legal notice ...33
  • Blackberry PRD-09695-004 | Technical Overview - Page 4
    devices with the BlackBerry® Smart Card Reader, users must install a smart card driver, the BlackBerry Smart Card Reader driver on their BlackBerry devices, and, optionally, a smart card authenticator module. The S/MIME Support Package for BlackBerry smartphones supports smart card use and includes
  • Blackberry PRD-09695-004 | Technical Overview - Page 5
    authentication method that permits a user to unlock a BlackBerry® device using a BlackBerry device password and a BlackBerry® Smart Card Reader when the BlackBerry Smart Card Reader is located within Bluetooth® technology range of the BlackBerry device. Proximity authentication does not require the
  • Blackberry PRD-09695-004 | Technical Overview - Page 6
    requirements The BlackBerry® Smart Card Reader supports the following software and BlackBerry devices: BlackBerry Enterprise Server software • BlackBerry® Enterprise Server version 4.0 SP2 and later for Microsoft® Exchange (with the S/MIME IT Policy Pack imported) • BlackBerry Enterprise Server
  • Blackberry PRD-09695-004 | Technical Overview - Page 7
    Reader supports using certificates that a PKI generates with a BlackBerry device. The BlackBerry Smart Card Reader cannot communicate with the BlackBerry® Enterprise Server directly. When the BlackBerry device pushes an IT policy to the BlackBerry Smart Card Reader, the BlackBerry Smart Card Reader
  • Blackberry PRD-09695-004 | Technical Overview - Page 8
    occur, the BlackBerry Enterprise Solution is designed to prevent third parties, including wireless service providers, from BlackBerry device to prompt the user to type the BlackBerry device password to turn on Bluetooth support • require the BlackBerry device to prompt the user to type the BlackBerry
  • Blackberry PRD-09695-004 | Technical Overview - Page 9
    process to reconnect to the BlackBerry Smart Card Reader. If that BlackBerry device was the last BlackBerry device to connect to the BlackBerry Smart Card Reader before the user reset the BlackBerry Smart Card Reader, the BlackBerry Smart Card Reader restores the backed-up Bluetooth encryption
  • Blackberry PRD-09695-004 | Technical Overview - Page 10
    to connect to the BlackBerry Smart Card Reader after the BlackBerry Smart Card Reader resets must create the BlackBerry Smart Card Reader password. This password helps protect the encryption keys on the BlackBerry Smart Card Reader in the same way that the BlackBerry device password protects the
  • Blackberry PRD-09695-004 | Technical Overview - Page 11
    -party code onto the BlackBerry Smart Card Reader. When RIM manufactures the BlackBerry Smart Card Reader, it installs a public key into the secure boot ROM of the BlackBerry Smart Card Reader and uses the corresponding private key to sign the BlackBerry Smart Card Reader operating system. When RIM
  • Blackberry PRD-09695-004 | Technical Overview - Page 12
    locks when a user removes the smart card from a smart card reader or disconnects a smart card reader from the BlackBerry device. If you want to use this rule, you must verify that the smart card reader driver that your organization uses supports smart card removal detection. You can use Windows
  • Blackberry PRD-09695-004 | Technical Overview - Page 13
    specifies the maximum time, in minutes, of inactivity over a Bluetooth connection between the BlackBerry Smart Card Reader and a BlackBerry device that the BlackBerry device and the BlackBerry Smart Card Reader wait before deleting the secure pairing information. This rule specifies the maximum time
  • Blackberry PRD-09695-004 | Technical Overview - Page 14
    Server Policy Reference Guide. Opening an encrypted and authenticated connection to the BlackBerry Smart Card Reader Before the BlackBerry® Smart Card Reader and a BlackBerry device or computer can open an encrypted and authenticated connection between them, the BlackBerry Smart Card Reader and the
  • Blackberry PRD-09695-004 | Technical Overview - Page 15
    . For more information, see the BlackBerry Smart Card Reader Getting Started Guide. Performing the Bluetooth pairing process and the secure pairing process on a computer A user must manually connect to the BlackBerry® Smart Card Reader from the BlackBerry Smart Card Reader Options dialog box on the
  • Blackberry PRD-09695-004 | Technical Overview - Page 16
    list for a match with one of its own supported algorithms. • If a match is not available, the BlackBerry device or computer sends an error to the BlackBerry Smart Card Reader and stops processing the list. • If a match exists, the BlackBerry device or computer begins the key establishment process by
  • Blackberry PRD-09695-004 | Technical Overview - Page 17
    the initial key establishment protocol negotiated to send the selected algorithms and a seed to the BlackBerry Smart Card Reader. 4. The BlackBerry Smart Card Reader performs the following calculation to select a short-term key (Y): • selects random y, 1 < y < r - 1 • calculates Y = yP • where P is
  • Blackberry PRD-09695-004 | Technical Overview - Page 18
    is encrypted and authenticated on the application layer by keys that they derive from the shared connection key. By default, the BlackBerry device or computer and the BlackBerry Smart Card Reader use AES 256 in CBC mode to encrypt the data and keyed HMAC with SHA-512 to protect data, but they can
  • Blackberry PRD-09695-004 | Technical Overview - Page 19
    authentication with the installed smart card and deletes the smart card binding information from the BlackBerry device. Configuring two-factor authentication on a computer For information about configuring a computer to require the user to connect to a supported smart card reader from the Windows
  • Blackberry PRD-09695-004 | Technical Overview - Page 20
    , you must change the value of the Allowed Authentication Mechanisms IT policy rule to Proximity. BlackBerry® Device Software version 5.0 and later and BlackBerry Smart Card Reader version 2.0 and later support proximity authentication. You must verify that the IT policies that you can use to manage
  • Blackberry PRD-09695-004 | Technical Overview - Page 21
    device password using the BlackBerry Administration Service. Only the user can change the BlackBerry device password on the BlackBerry device. BlackBerry® Device Software version 5.0 and later and BlackBerry® Smart Card Reader version 2.0 and later support two-factor content protection. You
  • Blackberry PRD-09695-004 | Technical Overview - Page 22
    BlackBerry Smart Card Reader supported algorithms Algorithm type elliptic curve (default) encryption hash Algorithm • key establishment protocol is designed to negotiate to use the AES-256 algorithm unless the BlackBerry device or the computer requires a different algorithm. • SHA-512 • SHA-256 •
  • Blackberry PRD-09695-004 | Technical Overview - Page 23
    key establishment protocol errors During the connection key establishment protocol process, if an error occurs on the BlackBerry® device, the computer, or the BlackBerry® Smart Card Reader, that party sends an error code to the other party negotiating the connection key. The following errors
  • Blackberry PRD-09695-004 | Technical Overview - Page 24
    ( CK || S2 ) SHA-256( CK || S3 ) KeyRecAuth SHA-256( CK || S4 ) Description This key is the AES-256 key that the BlackBerry device, the computer, or the BlackBerry Smart Card Reader generates to encrypt the data that it sends to the other party over the application layer. The other party must use
  • Blackberry PRD-09695-004 | Technical Overview - Page 25
    is the secure pairing PIN value that appears in the BlackBerry Smart Card Reader window. The secure pairing PIN must be known only to the authorized user of the BlackBerry device or computer and the BlackBerry Smart Card Reader until the protocol completes. This parameter is the secure pairing
  • Blackberry PRD-09695-004 | Technical Overview - Page 26
    the device transport key by solving the ECDH problem. This calculation is equivalent to solving the DH problem, which is considered computationally infeasible. Impersonating a BlackBerry device or computer An impersonation of the BlackBerry® Smart Card Reader occurs when a user with malicious intent
  • Blackberry PRD-09695-004 | Technical Overview - Page 27
    of z corresponds to solving the discrete logarithm problem, which is computationally infeasible, for S. Offline dictionary BlackBerry® device, the computer, or the BlackBerry® Smart Card Reader to determine if a key is the correct secure pairing PIN. The BlackBerry Smart Card Reader supports
  • Blackberry PRD-09695-004 | Technical Overview - Page 28
    that the BlackBerry® Smart Card Reader requires • the binding information format • the smart card type (for the Common Access Card, this string is "GSA CAC") • the name of a Java class that the smart card code requires • a unique 64-bit identifier that the smart card provides • a smart card label
  • Blackberry PRD-09695-004 | Technical Overview - Page 29
    • deletes all secure pairing information • deletes all user settings • deletes the connection password • unbinds the IT policy from the BlackBerry Smart Card Reader The BlackBerry Smart Card Reader unbinds the IT policy by deleting the IT policy public key from the NV store so that it can receive
  • Blackberry PRD-09695-004 | Technical Overview - Page 30
    Card Reader • pairing the BlackBerry device or the computer with the BlackBerry Smart Card Reader • troubleshooting • understanding BlackBerry Enterprise Server IT policy rules and application control policy rules • using IT policies and application control policies • installing the S/MIME Support
  • Blackberry PRD-09695-004 | Technical Overview - Page 31
    Glossary AES Advanced Encryption Standard API application programming interface CBC cipher block chaining ECDH Elliptic Curve Diffie-Hellman HMAC keyed-hash message authentication code LAN local area network LED light-emitting diode NIST National Institute of Standards and Technology NV nonvolatile
  • Blackberry PRD-09695-004 | Technical Overview - Page 32
    Provide feedback To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback.
  • Blackberry PRD-09695-004 | Technical Overview - Page 33
    to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements
  • Blackberry PRD-09695-004 | Technical Overview - Page 34
    BlackBerry® Enterprise Server, BlackBerry® Desktop Software, and/or BlackBerry® Device Software. The terms of use of any RIM product or service (www.apache.org/licenses/). For more information, see the NOTICE.txt file included with the software. Research In Motion Limited 295 Phillip Street Waterloo

BlackBerry Smart Card Reader
Version 2.0
Security Technical Overview