BlackBerry Enterprise Server Express for Microsoft Exchange Feature and Technical Overview


BlackBerry Enterprise Solution security


The BlackBerry® Enterprise Solution consists of various products and components that are designed to extend your organization’s communication methods to BlackBerry devices. The BlackBerry Enterprise Solution is designed to help protect data that is in transit at all points between a device and the BlackBerry® Enterprise Server Express. To help protect data that is in transit over the wireless network, the BlackBerry Enterprise Server Express and device use symmetric key cryptography to encrypt the data sent between them. The BlackBerry Enterprise Solution is designed to prevent third parties, including wireless service providers, from accessing your organization's potentially sensitive information in a decrypted format.

The BlackBerry Enterprise Solution uses confidentiality, integrity, and authenticity, which are principles for information security, to help protect your organization from data loss or alteration.

Principle: confidentiality

Description: The BlackBerry Enterprise Solution uses symmetric key cryptography to help make sure that only intended recipients can view the contents of email messages.

Principle: integrity

Description: The BlackBerry Enterprise Solution uses symmetric key cryptography to help protect every email message that the device sends and to help prevent third parties from decrypting or altering the message data. Only the BlackBerry Enterprise Server Express and the device know the value of the keys that they use to encrypt messages and recognize the format of a decrypted and decompressed message. The BlackBerry Enterprise Server Express or the device rejects a message automatically if it is not encrypted with keys that they recognize as valid.

Principle: authenticity

Description: Before the BlackBerry Enterprise Server Express sends data to the device, the device authenticates with the BlackBerry Enterprise Server Express to prove that the device knows the device transport key that is used to encrypt data.

Security features of the BlackBerry Enterprise Solution

Feature: data protection

Description: The BlackBerry® Enterprise Solution is designed to protect data that is in transit between the BlackBerry® Enterprise Server Express and a BlackBerry device and data that is in transit between your organization’s messaging server and the email application on a user’s computer. The BlackBerry Enterprise Solution encrypts data that is stored on the device and in the BlackBerry Configuration Database. To help protect data that is stored on the device, you can require a user to authenticate to the device using a password, a smart card, or both.


Feature: encryption key protection

Description: The device is designed to protect the encryption keys that are stored on the device. The device encrypts the encryption keys when the device is locked.

Feature: control of device connections

Description: The BlackBerry Enterprise Solution is designed to control the following connections:

• connections using Bluetooth® technology to and from the device

• connections from a Wi-Fi® enabled device to enterprise Wi-Fi networks

The BlackBerry Enterprise Solution is designed to control which devices can connect to the BlackBerry Enterprise Server Express.

Feature: control of the behavior of the device and BlackBerry® Desktop Software

Description: To control the behavior of the device and BlackBerry Desktop Software, you can send IT administration commands, IT policies, and application control policies to the device. You can use IT administration commands, IT policies, and application control policies to perform the following actions:

• You can send IT administration commands to lock the device, permanently delete work data, permanently delete user information and application data, and return the device settings to the default values.

• You can send an IT policy to a device to change security settings. For example, you can use an IT policy to enforce the device password.

• You can send an application control policy to a device to control whether third-party applications are available and can connect to the device and whether third-party applications or add-on applications developed by Research In Motion can access work data.

Encrypting data that the BlackBerry Enterprise Server Express and a BlackBerry device send to each other

To encrypt data that is in transit between the BlackBerry® Enterprise Server Express and a BlackBerry device in your organization, the BlackBerry® Enterprise Solution uses BlackBerry transport layer encryption. BlackBerry transport layer encryption is designed to encrypt data from the time that a BlackBerry device user sends a message from the BlackBerry device to when the BlackBerry Enterprise Server Express receives the message, and from the time that the BlackBerry Enterprise Server Express sends a message to when the BlackBerry device receives the message.

Before the BlackBerry device sends a message, it compresses and encrypts the message using the device transport key. When the BlackBerry Enterprise Server Express receives a message from the BlackBerry device, the BlackBerry Dispatcher decrypts the message using the device transport key, and then decompresses the message.

Algorithms that the BlackBerry Enterprise Solution uses to encrypt data

The BlackBerry® Enterprise Solution uses AES or Triple DES as the symmetric key cryptographic algorithm for encrypting data. By default, the BlackBerry® Enterprise Server Express uses the strongest algorithm that both the BlackBerry Enterprise Server Express and the BlackBerry device support for BlackBerry transport layer encryption.


If you configure the BlackBerry Enterprise Server Express to support AES and Triple DES, by default, the BlackBerry Enterprise Solution generates device transport keys using AES encryption. If a BlackBerry device uses BlackBerry® Device Software version 3.7 or earlier or BlackBerry® Desktop Software version 3.7 or earlier, the BlackBerry Enterprise Solution generates the device transport keys of the BlackBerry device using Triple DES.

How the BlackBerry Enterprise Solution uses AES to encrypt data

By default, when a BlackBerry® device supports AES, the BlackBerry® Enterprise Solution uses AES for BlackBerry transport layer encryption. The BlackBerry Enterprise Solution uses AES in CBC mode to generate the message keys and device transport keys. The keys consist of 256 bits of data.

BlackBerry® Device Software version 4.0 or later and BlackBerry® Desktop Software version 4.0 or later support AES.

For more information about how the BlackBerry Enterprise Server Express uses AES for BlackBerry transport layer encryption to communicate with BlackBerry devices, visit www.blackberry.com/support to read article KB05429.

How the BlackBerry Enterprise Solution uses Triple DES to encrypt data

The BlackBerry® Enterprise Solution uses a two-key Triple DES encryption algorithm to generate message keys and device transport keys. In the three iterations of the DES algorithm, the first 56-bit key in outer CBC mode encrypts the data, the second 56-bit key decrypts the data, and the first key encrypts the data again.

The BlackBerry Enterprise Solution stores the message keys and device transport keys as 128-bit binary strings, with a parity bit in the least significant bit of each of the 8 bytes of each of the two DES keys. The message keys and device transport keys therefore have an overall key length of 112 bits and include 16 bits of parity data.

All versions of the BlackBerry® Enterprise Server Express, BlackBerry® Device Software, and BlackBerry® Desktop Software support Triple DES.

For more information about Triple DES, see Federal Information Processing Standard - FIPS PUB 81 [3].
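The key layout described above (16 bytes, one odd-parity bit in the least significant bit of every byte, 112 effective bits, third DES operation reusing the first key) can be checked with a few lines of code. This is an added example, not code from the BlackBerry documentation or product; the sample key bytes are constructed and the function names are my own.

```python
# Added example: validating and expanding a stored 128-bit two-key Triple DES key
# in the format the overview describes. Not BlackBerry code.

def has_odd_parity(byte: int) -> bool:
    """True if the byte, parity bit included, has an odd number of 1 bits (DES convention)."""
    return bin(byte).count("1") % 2 == 1

def set_odd_parity(byte: int) -> int:
    """Keep the 7 key bits and rewrite the least significant bit so the byte has odd parity."""
    high7 = byte & 0xFE
    return high7 | (0 if has_odd_parity(high7) else 1)

def check_two_key_tdes(key: bytes) -> bool:
    """A valid stored key is exactly 16 bytes (K1 || K2) and every byte carries odd parity."""
    if len(key) != 16:
        return False
    return all(has_odd_parity(b) for b in key)

def fix_parity(key: bytes) -> bytes:
    """Return the same key material with every parity bit corrected."""
    return bytes(set_odd_parity(b) for b in key)

def effective_key_bits(key: bytes) -> int:
    """Bits that contribute to security: 7 per byte, parity bits excluded (16 bytes -> 112)."""
    return len(key) * 7

def to_ede_three_key(key: bytes) -> bytes:
    """Expand K1 || K2 into K1 || K2 || K1 (24 bytes), the layout most DES libraries
    accept; the third operation reuses the first key, as in two-key EDE."""
    if not check_two_key_tdes(key):
        raise ValueError("not a valid 16-byte Triple DES key with odd parity")
    k1, k2 = key[:8], key[8:]
    return k1 + k2 + k1

# Constructed sample key material (not a real key); half of its parity bits are wrong.
SAMPLE_RAW = bytes(range(0x10, 0x20))
```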

Extending messaging security to a BlackBerry device

If your organization's messaging environment supports highly secure messaging technology such as PGP® encryption or S/MIME encryption, you can configure the BlackBerry® Enterprise Solution to encrypt a message using PGP encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry® Enterprise Server Express forwards the message to the email applications of recipients. To extend messaging security, the sender and recipient must install highly secure messaging technology on the computers that host the email applications and on their BlackBerry devices, and you must configure the BlackBerry devices to use the highly secure messaging technology.

Encrypting user data on a locked BlackBerry device

If you or a BlackBerry® device user turns on content protection, you or the user can configure a locked BlackBerry device to encrypt stored user data and data that the locked BlackBerry device receives. When you or a user turns on content protection, a locked BlackBerry device is designed to use AES-256 encryption to encrypt stored data and an ECC public key to encrypt data that the locked BlackBerry device receives.


For example, the locked BlackBerry device uses content protection to encrypt the following items:

• subject, location, meeting organizer, attendees, and any notes in all appointments or meeting requests

• all contact information in the contact list except for the contact title and category

• subject, email addresses of intended recipients, message body, and attachments in all email messages

• title and information that is included in the body of a note for all memos (also known as posted messages)

• subject and all information that is included in the body of tasks (also known as posted all day appointments)

• if you use software tokens, contents of the .sdtid file seed that is stored in flash memory

• all data that is associated with third-party applications that a user installs on the BlackBerry device

• in the BlackBerry® Browser, content that web sites or third-party applications push to the BlackBerry device, any web sites that the user saves on the BlackBerry device, and the browser cache

• all text that automatically replaces text that the user types on the BlackBerry device

Managing BlackBerry device access to the BlackBerry Enterprise Server Express

You can use the Enterprise Service Policy to control which BlackBerry® devices can connect to a BlackBerry® Enterprise Server Express. By default, after you turn on the Enterprise Service Policy, the BlackBerry Enterprise Server Express permits connections from any BlackBerry device that you previously associated with the BlackBerry Enterprise Server Express. The BlackBerry Enterprise Server Express also prevents connections from any BlackBerry device that you associate with the BlackBerry Enterprise Server Express after you turn on the Enterprise Service Policy.

You can configure an allowed list to determine which BlackBerry devices can access a BlackBerry Enterprise Server Express. A BlackBerry device that meets the criteria that you specify in the allowed list can associate with the BlackBerry Enterprise Server Express when the BlackBerry device activates over the wireless network.

You can define the following types of criteria:

• specific BlackBerry device PINs

• range of BlackBerry device PINs

• specific manufacturers

• specific BlackBerry device models

The BlackBerry Administration Service includes lists of permitted manufacturers and models of BlackBerry devices that you associated with the BlackBerry Enterprise Server Express previously.

You can permit a user to override the Enterprise Service Policy so that a BlackBerry device can connect to the BlackBerry Enterprise Server Express even if you configure the allowed list with criteria that exclude that BlackBerry device.
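The decision rule in this section (policy off or previously associated device: allow; otherwise the allowed list of PINs, PIN ranges, manufacturers and models decides, unless the user has an override) is shown below as an added example. It is not BlackBerry code; the 8-hexadecimal-digit PIN format, the field names, and the sample list values are assumptions made for the illustration.

```python
# Added example: an allowed-list evaluator modelled on the Enterprise Service Policy
# criteria described in the overview. Not BlackBerry code; names and formats assumed.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass
class AllowedList:
    """Criteria of the four kinds the overview lists; every field is optional."""
    pins: Set[str] = field(default_factory=set)                      # specific device PINs
    pin_ranges: List[Tuple[str, str]] = field(default_factory=list)  # inclusive PIN ranges
    manufacturers: Set[str] = field(default_factory=set)
    models: Set[str] = field(default_factory=set)

def normalize_pin(pin: str) -> str:
    """Assumed PIN format: 8 hexadecimal digits, compared case-insensitively."""
    pin = pin.strip().upper()
    if len(pin) != 8 or any(c not in "0123456789ABCDEF" for c in pin):
        raise ValueError("malformed PIN: %r" % pin)
    return pin

def matches_allowed_list(allowed: AllowedList, pin: str, manufacturer: str, model: str) -> bool:
    """True if the device satisfies at least one criterion in the allowed list."""
    pin = normalize_pin(pin)
    if pin in {normalize_pin(p) for p in allowed.pins}:
        return True
    value = int(pin, 16)
    for low, high in allowed.pin_ranges:
        if int(normalize_pin(low), 16) <= value <= int(normalize_pin(high), 16):
            return True
    if manufacturer.casefold() in {m.casefold() for m in allowed.manufacturers}:
        return True
    return model.casefold() in {m.casefold() for m in allowed.models}

def may_associate(policy_on: bool, previously_associated: bool, user_override: bool,
                  allowed: AllowedList, pin: str, manufacturer: str, model: str) -> bool:
    """Decision rule from the overview: with the policy off, any device may connect;
    devices associated before the policy was turned on keep access; an override granted
    to the user bypasses the list; otherwise the allowed list decides, so an empty list
    rejects every newly associated device."""
    if not policy_on or previously_associated or user_override:
        return True
    return matches_allowed_list(allowed, pin, manufacturer, model)

# Constructed sample allowed list; the PIN values and the model name are invented.
SAMPLE_LIST = AllowedList(
    pins={"2100ABCD"},
    pin_ranges=[("21000000", "2100FFFF")],
    manufacturers={"Research In Motion"},
    models={"9700"},
)
```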


Using an IT policy to manage BlackBerry Enterprise Solution security

You can use an IT policy to control and manage BlackBerry® devices, the BlackBerry® Desktop Software, and the BlackBerry® Web Desktop Manager in your organization's environment. An IT policy consists of multiple IT policy rules that manage the security and behavior of the BlackBerry® Enterprise Solution. For example, you can use IT policy rules to manage the following security features and behaviors of the device:

• encryption (for example, encryption of user data and messages that the BlackBerry® Enterprise Server Express forwards to message recipients) and encryption strength

• use of a password or pass phrase

• protection of user data and device transport keys on the device

• control of device resources, such as the camera or GPS, that are available to third-party applications

The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the device or BlackBerry Desktop Software.

After a device user activates a device, the BlackBerry Enterprise Server Express automatically sends to the device the IT policy that you assigned to the user account or group. By default, if you do not assign an IT policy to the user account or group, the BlackBerry Enterprise Server Express sends the Default IT policy. If you delete an IT policy that you assigned to the user account or group, the BlackBerry Enterprise Server Express automatically re-assigns the Default IT policy to the user account and resends the Default IT policy to the device.

For more information, see the BlackBerry Enterprise Server Express Policy Reference Guide.

Using IT administration commands to protect a lost or stolen device

The BlackBerry® Enterprise Server Express includes IT administration commands that you can send over the wireless network to protect sensitive data on a BlackBerry device. You can use the commands to lock the device, permanently delete work data, permanently delete user information and application data, and return the device settings to the default values.

IT administration command: Specify new device password and lock device

Description: This command creates a new password and locks a device over the wireless network. You can communicate the new password to the user verbally when the BlackBerry device user locates the device. When the user unlocks the device, the device prompts the user to accept or reject the new password.

You can use this command if the device is lost. If you or a user turned on content protection and a device is running BlackBerry® Device Software 4.3.0 or later, you can use this command. If you or a user turned on two-factor content protection, you cannot use this command.


IT administration command: Delete only the organization data and remove device

Description: This command permanently deletes all work data that the device stores and removes the device from the BlackBerry Enterprise Server Express. All personal data remains on the device.

You can send this command to a personal device when a user no longer works at your organization and you want to delete work data from the device.

You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server Express after the device deletes all work data.

IT administration command: Delete all device data and remove device

Description: This command permanently deletes all user information and application data that the device stores. You can configure the following options when you use this command:

• specify a delay, in hours, that must occur before the device starts to delete all the user information and application data

• require the device to return to its factory default settings when it receives this command

• specify whether to permit the user to stop permanently deleting data from the device and making the device unavailable during the delay period

You can send this command to a device that you want to distribute to another user in your organization, or to a device that is lost and that the user might not recover.

You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server Express after the device deletes all user information and application data.
