Blackberry PRD-09695-004 Security Guide - Page 14

Performing the Bluetooth pairing process and the secure pairing process



BlackBerry Smart Card Reader
14
device or computer deletes the secure pairing information using BlackBerry Enterprise Server IT policy rules for the BlackBerry Smart Card Reader.
Performing the Bluetooth pairing process and the secure pairing process on the BlackBerry device
The user can start the Bluetooth pairing process and the secure pairing process by clicking Connect on the BlackBerry Smart Card Reader options screen on the BlackBerry device. If the user is running BlackBerry Device Software Version 4.0 or later on the BlackBerry device, the user can also start the secure pairing process by trying an action on the BlackBerry device that requires the smart card (for example, importing certificates, signing or decrypting a message, or turning on two-factor authentication). If the user is running BlackBerry Device Software Version 4.0.2 or later on the BlackBerry device, trying an action on the BlackBerry device that requires the smart card can also start the Bluetooth pairing process.
See the BlackBerry Smart Card Reader Getting Started Guide for more information.
Performing the Bluetooth pairing process and the secure pairing process on the computer
The user must manually connect to the BlackBerry Smart Card Reader from the BlackBerry Smart Card Reader Options dialog on the computer to start the Bluetooth pairing process. When the Bluetooth pairing is established, the computer automatically prompts the user to perform the secure pairing process.
See the BlackBerry Smart Card Reader Getting Started Guide for more information.
Reconnecting to the BlackBerry device or computer automatically
The BlackBerry Smart Card Reader is designed to reconnect automatically to a BlackBerry device or computer with which it has previously connected and for which it has not deleted the Bluetooth encryption key or secure pairing key. You can set the Disable Auto Reconnect To BlackBerry Smart Card Reader IT policy rule to prevent the BlackBerry device or computer from reconnecting to the BlackBerry Smart Card Reader automatically. Turning off the automatic reconnection feature is designed to increase the battery life of the BlackBerry device.
Initial key establishment protocol used in the secure pairing process
The initial key establishment protocol uses the ECDH algorithm to negotiate numerous algorithms for use in subsequent secure pairing key and connection key exchanges, including the following algorithms:
• the elliptic curve used by future ECDH exchanges (The initial key establishment protocol is designed to negotiate to use 521-bit Random Curve.)
• the encryption algorithm and hash algorithms used by the encryption and authentication processes on the application layer (The initial key establishment protocol is designed to negotiate to use AES-256 and SHA-256 for application layer encryption and authentication, and SHA-512 for IT policy authentication.)
See “Appendix A: BlackBerry Smart Card Reader supported algorithms” on page 20 for more information.
Initial key establishment protocol process
1. The BlackBerry device or computer sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry Smart Card Reader to confirm that a Bluetooth connection to the BlackBerry Smart Card Reader exists and to verify that both sides understand the protocol.
2. The BlackBerry Smart Card Reader receives the initial echo and replies with an echo transmission of the same value.
3. The BlackBerry device or computer receives the echo and replies to the BlackBerry Smart Card Reader with a request for a list of supported algorithms.
4. The BlackBerry Smart Card Reader creates a list of all of the algorithms that it supports and sends the supported algorithms list to the BlackBerry device or computer.
5. The BlackBerry device or computer searches the list for a match with one of its own supported algorithms.
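The following simulation of steps 1 to 5 above is an added example and is not code from the BlackBerry guide or from RIM. Only the echo value 0xC1F34151520CC9C2 is taken from the guide; the one-byte message framing, the text encoding of the algorithm list, the category names (curve, cipher, app_hash, policy_hash) and the sample algorithm lists, including the weaker alternatives, are assumptions constructed for the example. It shows both sides of the exchange, the echo check failing against a peer that does not speak the protocol, and the initiator refusing to proceed when no common algorithm exists in a category.

```python
"""Simulation of steps 1 to 5 of the initial key establishment protocol.

Added example, not code from the BlackBerry guide. Only the echo value is
taken from the guide; framing, algorithm names and the per-category
negotiation are assumptions made for this simulation.
"""

ECHO_VALUE = 0xC1F34151520CC9C2  # initial echo value documented in the guide

# Assumed one-byte message types for the simulated wire format.
MSG_ECHO = 0x01
MSG_ALG_REQUEST = 0x02
MSG_ALG_LIST = 0x03

# Categories that the guide says are agreed during the exchange (assumed names).
CATEGORIES = ("curve", "cipher", "app_hash", "policy_hash")


def encode(msg_type, payload=b""):
    """Frame a message as one type byte followed by the payload (assumed format)."""
    return bytes([msg_type]) + payload


def decode(frame):
    if not frame:
        raise ValueError("empty frame")
    return frame[0], frame[1:]


def encode_alg_list(alg_lists):
    """Serialise {category: [names]} as 'curve=a,b;cipher=x;...' (assumed encoding)."""
    return ";".join(
        f"{cat}={','.join(alg_lists.get(cat, []))}" for cat in CATEGORIES
    ).encode()


def decode_alg_list(payload):
    result = {}
    for item in payload.decode().split(";"):
        cat, _, names = item.partition("=")
        result[cat] = [n for n in names.split(",") if n]
    return result


class SmartCardReader:
    """Responder side (steps 2 and 4). faulty_echo simulates a peer that
    does not speak the protocol and therefore fails the step 1 check."""

    def __init__(self, supported, faulty_echo=False):
        self.supported = supported
        self.faulty_echo = faulty_echo

    def handle(self, frame):
        msg_type, payload = decode(frame)
        if msg_type == MSG_ECHO:  # step 2: echo the same value back
            return encode(MSG_ECHO, b"\x00" * 8 if self.faulty_echo else payload)
        if msg_type == MSG_ALG_REQUEST:  # step 4: advertise everything supported
            return encode(MSG_ALG_LIST, encode_alg_list(self.supported))
        raise ValueError(f"unexpected message type {msg_type:#x}")


def negotiate(reader, preferences):
    """Initiator side (BlackBerry device or computer; steps 1, 3 and 5).

    preferences maps each category to the initiator's own algorithms,
    strongest first; the first one the reader also lists is chosen, so the
    reader's ordering cannot steer the initiator to a weaker option.
    """
    echo = ECHO_VALUE.to_bytes(8, "big")
    reply_type, reply = decode(reader.handle(encode(MSG_ECHO, echo)))  # step 1
    if reply_type != MSG_ECHO or reply != echo:
        raise ConnectionError("echo mismatch: peer does not speak the protocol")
    list_type, payload = decode(reader.handle(encode(MSG_ALG_REQUEST)))  # step 3
    if list_type != MSG_ALG_LIST:
        raise ConnectionError("expected an algorithm list")
    offered = decode_alg_list(payload)
    chosen = {}
    for cat in CATEGORIES:  # step 5: search the list for a match
        match = next((a for a in preferences[cat] if a in offered.get(cat, [])), None)
        if match is None:
            raise ConnectionError(f"no common {cat} algorithm")
        chosen[cat] = match
    return chosen


def try_negotiate(reader, preferences):
    """Return ('ok', chosen) or ('error', reason) instead of raising."""
    try:
        return "ok", negotiate(reader, preferences)
    except ConnectionError as exc:
        return "error", str(exc)


# Constructed sample lists; the weaker alternatives are invented for the
# example and are not taken from the guide's Appendix A.
INITIATOR_PREFERENCES = {
    "curve": ["521-bit Random Curve", "256-bit Random Curve"],
    "cipher": ["AES-256", "AES-128"],
    "app_hash": ["SHA-256"],
    "policy_hash": ["SHA-512", "SHA-256"],
}
READER_SUPPORTED = {
    "curve": ["256-bit Random Curve", "521-bit Random Curve"],
    "cipher": ["AES-128", "AES-256"],
    "app_hash": ["SHA-256", "SHA-1"],
    "policy_hash": ["SHA-512"],
}

if __name__ == "__main__":
    print(try_negotiate(SmartCardReader(READER_SUPPORTED), INITIATOR_PREFERENCES))
```

With the constructed lists the initiator settles on the 521-bit Random Curve, AES-256, SHA-256 and SHA-512, which matches the outcome the guide says the protocol is designed to negotiate. The choice is driven by the initiator's own preference order rather than the reader's list order; this page does not say how the advertised list is protected against tampering, so that ordering rule and the refusal to continue without a common algorithm are the example's own design choices, not a description of the product.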
www.blackberry.com