Blackberry PRD-09695-004 Technical Overview - Page 21

Process flow: Protecting the content encryption key using two-factor content protection

factor content protection mandatory or optional, or to prevent a user from configuring it, you can use the Two-factor Content Protection Usage IT policy rule. After you or a user turns on two-factor content protection, to unlock the BlackBerry device, a user must type the BlackBerry device password and the smart card PIN on the login screen in the appropriate fields.

If you or a user turns on two-factor content protection, you cannot change the BlackBerry device password using the BlackBerry Administration Service. Only the user can change the BlackBerry device password on the BlackBerry device.

BlackBerry® Device Software version 5.0 and later and BlackBerry® Smart Card Reader version 2.0 and later support two-factor content protection. You must verify that the IT policies that you can use to manage two-factor content protection are available on your organization’s BlackBerry® Enterprise Server. BlackBerry Enterprise Server version 5.0 SP1 and later includes the IT policies that you require to manage two-factor content protection.

Process flow: Protecting the content encryption key using two-factor content protection

1. You or a user turns on two-factor content protection.
2. The BlackBerry® device performs the following actions:
   a. generates a random 256-bit secret key for the smart card authenticator module
   b. uses the secret key for the smart card authenticator module and the BlackBerry device password to generate a 256-bit ephemeral key. The BlackBerry device encrypts the ECC private key and content protection key using the ephemeral key, and stores the keys in the BlackBerry device memory.
   c. generates a 256-bit pseudorandom number
   d. computes the SHA-256 hash of the pseudorandom number and uses it to encrypt the secret key for the smart card authenticator module, and stores the secret key in the BlackBerry device memory
   e. encrypts the pseudorandom number using the public key in the certificate that you configured for use with two-factor content protection, and stores the public key in the BlackBerry device memory
   f. discards the pseudorandom number, SHA-256 hash of the pseudorandom number, ephemeral key, and key for the smart card user authenticator module after it completes the protection process for the ECC private key and content protection key
3. When the BlackBerry device locks, the BlackBerry device discards the ECC private key and content protection key.
4. When a user unlocks the BlackBerry device, the BlackBerry device retrieves the encrypted copy of the pseudorandom number from the BlackBerry device memory and sends it to the smart card authenticator.
5. The smart card authenticator decrypts the encrypted copy of the pseudorandom number that was stored in the BlackBerry device memory.
6. The BlackBerry device performs the following actions:
   a. retrieves the encrypted copy of the key for the smart card authenticator module from the BlackBerry device memory and decrypts it using the SHA-256 hash of the pseudorandom number
   b. uses the key for the smart card authenticator module and the BlackBerry device password to generate a 256-bit ephemeral key
   c. uses the 256-bit ephemeral key to decrypt the ECC private key and content protection key
   d. repeats steps 2c to 2f

The BlackBerry device generates a new pseudorandom number each time the user unlocks the BlackBerry device.

For more information about how the content protection key protects user data, see the BlackBerry Enterprise Solution Security Technical Overview.
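The process flow above, carried through as an added Go model. This is not BlackBerry's code and is not part of the original document: Protect is step 2, reseed is steps 2c to 2f, and Unlock is steps 4 to 6 including the repeat at 6d. The page names SHA-256 and 256-bit keys but not the symmetric cipher, the way the module key and device password are combined, or the key type behind the certificate, so AES-256-GCM, HMAC-SHA256, RSA-OAEP with a 2048-bit key generated locally by newCardKey (standing in for the smart card), 32-byte ECC private and content protection keys, and every function and field name are assumptions:

```go
// Added model of the page's two-factor content protection flow, not BlackBerry
// code; AES-256-GCM, HMAC-SHA256 as KDF, RSA-OAEP and 32-byte keys are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// DeviceMemory is all that survives a lock (step 3): ciphertexts whose keys are discarded (2f).
type DeviceMemory struct {
	WrappedKeys     []byte // ECC private key + content protection key, under the ephemeral key (2b)
	WrappedModKey   []byte // module key, under SHA-256(pseudorandom number) (2d)
	EncryptedRandom []byte // pseudorandom number, under the certificate public key (2e)
}

// UnlockedKeys exists in plaintext only between unlock and lock.
type UnlockedKeys struct{ ECCPrivate, ContentKey [32]byte }

func random(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error (Go 1.24+)
	return b
}

func newCardKey() *rsa.PrivateKey { // stand-in for the key pair behind the certificate
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// seal and open are AES-256-GCM; keys are always 32 bytes, so setup cannot fail.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) { // ct always comes from seal, so it carries a nonce
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// ephemeralKey is step 2b/6b: a 256-bit key from the module key and the password.
func ephemeralKey(moduleKey []byte, password string) []byte {
	m := hmac.New(sha256.New, moduleKey)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// reseed is steps 2c to 2f (repeated at 6d): fresh r, wrap the module key under SHA-256(r),
// encrypt r to the certificate, then discard r and the hash.
func reseed(certPub *rsa.PublicKey, moduleKey []byte) (wrappedMod, encRandom []byte) {
	r := random(32)
	h := sha256.Sum256(r)
	defer func() { clear(r); clear(h[:]) }()
	encRandom, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, certPub, r, nil)
	if err != nil {
		panic(err) // cannot happen for a 32-byte message under a 2048-bit key
	}
	return seal(h[:], moduleKey), encRandom
}

// Protect is step 2, run when two-factor content protection is turned on.
func Protect(certPub *rsa.PublicKey, password string, keys UnlockedKeys) *DeviceMemory {
	moduleKey := random(32)                             // 2a
	eph := ephemeralKey(moduleKey, password)            // 2b
	defer func() { clear(moduleKey); clear(eph) }()     // 2f
	wrappedMod, encRandom := reseed(certPub, moduleKey) // 2c to 2e
	return &DeviceMemory{seal(eph, append(keys.ECCPrivate[:], keys.ContentKey[:]...)), wrappedMod, encRandom}
}

// Unlock is steps 4 to 6. cardPriv stands in for the smart card, which alone can recover r (5);
// the password then completes the ephemeral key, so neither factor suffices on its own.
func Unlock(cardPriv *rsa.PrivateKey, mem *DeviceMemory, password string) (keys UnlockedKeys, next *DeviceMemory, err error) {
	r, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardPriv, mem.EncryptedRandom, nil) // 4, 5
	if err != nil {
		return keys, nil, err
	}
	h := sha256.Sum256(r)
	moduleKey, err := open(h[:], mem.WrappedModKey) // 6a
	if err != nil {
		return keys, nil, err
	}
	eph := ephemeralKey(moduleKey, password) // 6b
	defer func() { clear(r); clear(h[:]); clear(moduleKey); clear(eph) }()
	blob, err := open(eph, mem.WrappedKeys) // 6c: a wrong password fails GCM authentication here
	if err != nil {
		return keys, nil, err
	}
	copy(keys.ECCPrivate[:], blob[:32])
	copy(keys.ContentKey[:], blob[32:])
	wrappedMod, encRandom := reseed(&cardPriv.PublicKey, moduleKey) // 6d: memory gets a fresh r
	return keys, &DeviceMemory{mem.WrappedKeys, wrappedMod, encRandom}, nil
}
```

Two properties of the page's design are visible in the model: the card's private key is never given to the device (Unlock only ever calls DecryptOAEP with it, which in the real flow happens on the card), and only the module-key wrap and the encrypted pseudorandom number change at each unlock, since step 6d repeats 2c to 2f and not 2a or 2b. Rejecting a wrong password through the GCM authentication tag is a choice of this model; the page does not describe how the device detects that case.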