Blackberry PRD-09695-004 Technical Overview - Page 24

Application layer protocol encryption and authentication

By default, each data packet that a BlackBerry® device or computer and the BlackBerry® Smart Card Reader send

between them is authenticated and encrypted using the following methods:

•

authenticated with HMAC using the negotiated SHA algorithm

•

encrypted with AES of the negotiated key size using CBC mode

The following diagram shows the anatomy of a data packet formatted for transmission over the application layer:

The connection key protocol opens a shared connection key

CK

from which the BlackBerry device or computer and

the BlackBerry Smart Card Reader derive the four session keys that they use on the application layer to protect the

data that they send between them.

Connection session key

Value

Description

KeySendEnc

SHA-256(

CK

||

S1

)

This key is the AES-256 key that the BlackBerry device, the

computer, or the BlackBerry Smart Card Reader generates

to encrypt the data that it sends to the other party over the

application layer.

The other party must use KeyRecEnc to respond to

KeySendEnc.

KeyRecEnc

SHA-256(

CK

||

S2

)

This key is the AES-256 key that the BlackBerry device, the

computer, or the BlackBerry Smart Card Reader generates

to decrypt the data that it receives from the other party

over the application layer.

KeySendAuth

SHA-256(

CK

||

S3

)

This key is the HMAC authentication key that the

BlackBerry device, the computer, or the BlackBerry Smart

Card Reader generates to authenticate the data that it

sends to the other party over the application layer.

The other party must use KeyRecAuth to respond to

KeySendAuth.

KeyRecAuth

SHA-256(

CK

||

S4

)

This key is the HMAC authentication key that the

BlackBerry device, the computer, or the BlackBerry Smart

Card Reader generates to authenticate the data that it

receives from the other party over the application layer.

Note

:

S1

,

S2

,

S3

, and

S4

are hard-coded strings that the BlackBerry device or computer and the BlackBerry Smart

Card Reader use in the key derivation to prevent calculating session keys that are the same as each other.

24

Section	Page
BlackBerry Smart Card Reader	4
Authenticating a user using a smart card	4
Integrating a smart card with existing secure messaging technology	4
New in this release	5
System requirements	6
System architecture	7
BlackBerry Enterprise Solution security	8
Protecting Bluetooth connections on a BlackBerry device	8
Managing a Bluetooth enabled BlackBerry device	8
Restricting Bluetooth technology on a Bluetooth enabled computer	9
Bluetooth security measures on the BlackBerry Smart Card Reader	9
BlackBerry Smart Card Reader security	10
Control Bluetooth connections from third-party applications	11
Managing the BlackBerry Smart Card Reader	12
Opening an encrypted and authenticated connection to the BlackBerry Smart Card Reader	14
Secure pairing PIN	14
Performing the Bluetooth pairing process and the secure pairing process on a BlackBerry device	15
Performing the Bluetooth pairing process and the secure pairing process on a computer	15
Reconnecting to a BlackBerry device or computer automatically	15
Initial key establishment protocol used in the secure pairing process	15
Initial key establishment protocol process	15
Connection key establishment protocol used in the secure pairing process	16
Connection key establishment protocol process	17
Encrypting and authenticating data on the application layer	18
Two-factor authentication	18
Turning on two-factor authentication on a BlackBerry device	18
Confirming that a BlackBerry device is bound to the correct smart card	19
Unbinding the smart card from a BlackBerry device	19
Configuring two-factor authentication on a computer	19
Proximity authentication	20
Locking a BlackBerry device when the BlackBerry Smart Card Reader moves out of Bluetooth technology range	20
Configuring a BlackBerry device to use a specific BlackBerry Smart Card Reader	20
Two-factor content protection	20
Process flow: Protecting the content encryption key using two-factor content protection	21
BlackBerry Smart Card Reader supported algorithms	22
Connection key establishment protocol errors	23
Application layer protocol encryption and authentication	24
BlackBerry Smart Card Reader shared cryptosystem parameters	25
Examples of attacks that the BlackBerry Smart Card Reader security protocols are designed to prevent	26
Eavesdropping	26
Impersonating a BlackBerry device or computer	26
Man-in-the-middle attack	26
Offline attack	26
Offline dictionary attack	27
Online dictionary attack	27
Small subgroup attack	27
Smart card binding information	28
BlackBerry Smart Card Reader reset process	29
Related resources	30
Glossary	31
Provide feedback	32

Blackberry PRD-09695-004 Technical Overview - Page 24

Application layer protocol encryption and authentication, Connection session key, Value, Description

Page 24 highlights