Blackberry PRD-09695-004 Security Guide - Page 15

Connection key establishment protocol used in the secure pairing process



BlackBerry Smart Card Reader

If a match is not available, the BlackBerry device or computer sends an error to the BlackBerry Smart Card Reader and stops processing the list.
If a match exists, the BlackBerry device or computer begins the key establishment process by sending a pairing request using the selected algorithms and a 64-byte seed to the BlackBerry Smart Card Reader.

6. The BlackBerry Smart Card Reader verifies the selected algorithms.
7. The BlackBerry Smart Card Reader performs the following calculation to select a short-term key (Y):
   • selects random y, 1 < y < r – 1
   • calculates Y = yS
8. The BlackBerry Smart Card Reader sends Y to the BlackBerry device or computer.
9. The BlackBerry device or computer performs the following calculations to select a short-term key (X):
   • selects random x, 1 < x < r – 1
   • calculates X = xS
   • calculates the master encryption key (MK) using the following information:

     Parameter   Value
     K           xY = xyS
     H1          SHA-512 (sent data packets)
     H2          SHA-512 (received data packets)

   • calculates H = H1 + H2
   • calculates MK = SHA-256( H || K )
10. The BlackBerry device sends X to the BlackBerry Smart Card Reader.
11. The BlackBerry Smart Card Reader calculates MK using the following information:

     Parameter   Value
     K           yX = yxS
     H1          SHA-512 (sent data packets)
     H2          SHA-512 (received data packets)
     H           H1 + H2
     MK          SHA-256 ( H || K )

12. The initial key establishment protocol completes; the BlackBerry device or computer and the BlackBerry Smart Card Reader share a master encryption key.

See “Appendix D: BlackBerry Smart Card Reader shared cryptosystem parameters” on page 23 for more information about variables used in this process.
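
An added example (not from the BlackBerry guide) that runs steps 7 to 12 on both sides and shows why both derive the same MK even though each side's "sent" and "received" hashes are swapped: H1 + H2 is commutative and xY = yX. Assumptions: NIST P-256 and its generator stand in for the curve, r and S from Appendix D; K is encoded as the 32-byte x-coordinate; "+" is addition modulo 2^512; both sides hash the same constructed packets; the on-curve check on the peer's key is an added safeguard.

```python
import hashlib, secrets

# Assumption: NIST P-256 and its generator stand in for the curve, r and S (Appendix D).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
R = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
S = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    return (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def short_term_key():
    k = 2 + secrets.randbelow(R - 3)  # 1 < k < r - 1
    return k, mul(k, S)

def master_key(secret, peer, sent, received):
    if peer is None or not on_curve(peer):  # added check, not in the guide
        raise ValueError("peer short-term key is not a point on the curve")
    K = mul(secret, peer)[0].to_bytes(32, "big")  # K = xY = yX; x-coordinate assumed
    h1, h2 = (int.from_bytes(hashlib.sha512(m).digest(), "big") for m in (sent, received))
    H = ((h1 + h2) % 2**512).to_bytes(64, "big")  # "+" assumed to be addition mod 2^512
    return hashlib.sha256(H + K).digest()  # MK = SHA-256(H || K)

def pair(dev=b"constructed pairing request", rdr=b"constructed reader reply"):
    y, Y = short_term_key()  # reader, step 7
    x, X = short_term_key()  # device, step 9
    return master_key(x, Y, dev, rdr), master_key(y, X, rdr, dev)
```

If "+" were concatenation instead of a commutative operation, the two sides would hash H1 and H2 in opposite order and arrive at different master keys.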

Connection key establishment protocol used in the secure pairing process

After the initial key establishment protocol process completes successfully, the BlackBerry device or computer and the BlackBerry Smart Card Reader share a master encryption key. They must then establish a connection key to use to send data between them. The connection key establishment protocol starts from the secure pairing key s using SPEKE, letting a BlackBerry device or computer establish long-term public keys and a strong, cryptographically protected connection with a BlackBerry Smart Card Reader.

The connection key establishment protocol uses the ECDH (elliptic curve) algorithm that the initial key establishment protocol negotiates. The ECDH algorithm provides perfect forward secrecy, which prevents the protocol from deriving previous or subsequent encryption keys from the key that protects data. Each run of the connection key establishment protocol uses a unique, random, ephemeral key pair to create the new connection key. The BlackBerry Smart Card Reader discards the ephemeral key pair after establishing the connection key.

www.blackberry.com