Blackberry PRD-09695-004 Technical Overview - Page 15

Performing the Bluetooth pairing process and the secure pairing process on a BlackBerry device



Card Reader and the BlackBerry device or computer. By default, the secure pairing PIN is 8 characters long and is case-sensitive.

If your organization uses BlackBerry Smart Card Reader version 2.0 and later and BlackBerry® Device Software version 5.0 and later, you can change the length of the secure pairing PIN using the Minimum PIN Entry Mode IT policy rule. BlackBerry Smart Card Reader version 2.0 and later and BlackBerry Device Software version 5.0 and later support alphanumeric characters.

Performing the Bluetooth pairing process and the secure pairing process on a BlackBerry device

A user can start a Bluetooth® pairing process and a secure pairing process by clicking Connect on the BlackBerry® Smart Card Reader options screen on a BlackBerry device. If the user is running BlackBerry® Device Software version 4.0 and later on the BlackBerry device, the user can start the secure pairing process by trying an action on the BlackBerry device that requires the smart card (for example, importing certificates, signing or decrypting a message, or turning on two-factor authentication). If the user is running BlackBerry Device Software version 4.0.2 and later on the BlackBerry device, trying an action on the BlackBerry device that requires the smart card can also start the Bluetooth pairing process.

For more information, see the BlackBerry Smart Card Reader Getting Started Guide.

Performing the Bluetooth pairing process and the secure pairing process on a computer

A user must manually connect to the BlackBerry® Smart Card Reader from the BlackBerry Smart Card Reader Options dialog box on the computer to start the Bluetooth® pairing process. When the Bluetooth pairing is established, the computer automatically prompts the user to perform the secure pairing process.

For more information, see the BlackBerry Smart Card Reader Getting Started Guide.

Reconnecting to a BlackBerry device or computer automatically

The BlackBerry® Smart Card Reader is designed to reconnect automatically to a BlackBerry device or computer that it has previously connected with, provided that it has not deleted the Bluetooth® encryption key or secure pairing PIN. You can configure the Disable Auto Reconnect To BlackBerry Smart Card Reader IT policy rule to prevent the BlackBerry Smart Card Reader from reconnecting to the BlackBerry device or computer automatically. Turning off the automatic reconnection feature is designed to increase the battery life of the BlackBerry device.

Initial key establishment protocol used in the secure pairing process

The initial key establishment protocol uses the ECDH algorithm to negotiate numerous algorithms that are used in subsequent secure pairing PIN and connection key exchanges, including the following algorithms:

• the elliptic curve used by future ECDH exchanges
• the encryption algorithm and hash algorithms used by the encryption and authentication processes on the application layer

The initial key establishment protocol is designed to use 521-bit Random Curve. The initial key establishment protocol is designed to negotiate to use AES-256 and SHA-256 for application layer encryption and authentication, and SHA-512 for IT policy authentication.

For more information, see “BlackBerry Smart Card Reader supported algorithms”.

Initial key establishment protocol process

1. The BlackBerry® device or computer sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry® Smart Card Reader to confirm that a Bluetooth® connection to the BlackBerry Smart Card Reader exists and to verify that both sides understand the protocol.
2. The BlackBerry Smart Card Reader receives the initial echo and replies with an echo transmission of the same value.
3. The BlackBerry device or computer receives the echo and replies to the BlackBerry Smart Card Reader with a request for a list of supported algorithms.
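
The three steps above, as an added example that is not from the BlackBerry documentation: a Python model of both sides of the echo exchange that rejects a wrong or truncated echo before the algorithm list is requested. The big-endian byte order and the one-byte `REQ_ALGORITHM_LIST` code are assumptions; the page gives neither.

```python
import struct

# Echo value from step 1 of the page; 8 bytes on the wire.
ECHO_VALUE = 0xC1F34151520CC9C2
# Assumption: big-endian encoding. The page gives the value, not its byte order.
ECHO_BYTES = struct.pack(">Q", ECHO_VALUE)
# Hypothetical one-byte request code; the page does not give the real encoding.
REQ_ALGORITHM_LIST = b"\x01"


class HandshakeError(Exception):
    """Raised when the peer does not follow the echo exchange."""


class Reader:
    """Smart card reader side: step 2, echo back exactly what was received."""

    def on_initial_echo(self, data: bytes) -> bytes:
        if data != ECHO_BYTES:
            raise HandshakeError("unexpected initial echo")
        return data


class Device:
    """BlackBerry device or computer side: steps 1 and 3."""

    def __init__(self):
        self.state = "IDLE"

    def start(self) -> bytes:
        self.state = "AWAIT_ECHO"
        return ECHO_BYTES

    def on_echo_reply(self, data: bytes) -> bytes:
        if self.state != "AWAIT_ECHO":
            raise HandshakeError("echo reply received out of order")
        if data != ECHO_BYTES:
            self.state = "FAILED"
            raise HandshakeError("peer did not echo the expected value")
        self.state = "AWAIT_ALGORITHMS"
        return REQ_ALGORITHM_LIST


def run_handshake(device: Device, reader: Reader) -> list:
    """Drive steps 1 to 3 and return the messages in wire order."""
    m1 = device.start()
    m2 = reader.on_initial_echo(m1)
    m3 = device.on_echo_reply(m2)
    return [m1, m2, m3]
```

The echo value is a fixed constant, so passing this check confirms only the link and the protocol, not who the peer is.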