Security Guide. BlackBerry Enterprise Service 12. for BlackBerry. Version 12.0

Transcription

1 Security Guide BlackBerry Enterprise Service 12 for BlackBerry Version 12.0

2 Published: SWD

3 Contents Introduction... 7 About this guide...8 What is BES12?...9 Key features of BES Security features Hardware and OS security Hardware root of trust for BlackBerry devices The BlackBerry 10 OS...13 The file system Sandboxing Device resources App permissions...14 Verifying software Preventing memory corruption...15 Activating and managing devices Activating devices...18 Activation passwords User registration with the BlackBerry Infrastructure Data flow: Activating a BlackBerry 10 device Using IT policies to manage security...22 Data in transit...23 How devices communicate with BES12 and your resources...24 How devices connect to your resources...24 Protecting connections to work networks...29 Connecting to a VPN...29 Protecting Wi-Fi connections Protecting data in transit over the BlackBerry Infrastructure How BES12 authenticates with the BlackBerry Infrastructure...33 How devices connect to the BlackBerry Infrastructure...35 How BES12 and the BlackBerry Infrastructure protect your data Protecting device management data sent between BES12 and devices... 40

4 Providing devices with single sign-on access to your organization's network...42 Using Kerberos to provide single sign-on from devices...42 Considerations for networks with a DMZ Protecting connections to BES12 with the BlackBerry Router Using the BlackBerry Router or a proxy server with BES Installing BES12 in a DMZ...44 Protecting communication with devices using certificates Providing client certificates to devices...46 Using SCEP to enroll client certificates to devices...46 Sending CA certificates to devices...49 Protecting messages Controlling which devices can use Exchange ActiveSync Extending security Data at rest...55 Activation options Securing BlackBerry Balance devices Securing regulated BlackBerry Balance devices...57 How work and personal spaces are separated Securing work space only devices Encryption How devices protect personal data...60 How devices protect work data How devices classify apps and data...62 Passwords Changing passwords...65 Data wipe Controlling when devices delete all data in the work space...69 Full device wipe Work data wipe...72 Controlling messaging...74 Controlling access to content Controlling access to devices Controlling device features...78 Controlling security timeout Managing sharing of work and personal files using the "Share" option Ensuring device integrity...80 Controlling software... 80

5 Controlling voice control Controlling logging Setting a home screen message...81 Controlling network connections from devices Transferring work data from devices using Bluetooth...82 Managing data transferred to and from a device using NFC Controlling roaming BlackBerry Link protection...86 Authentication between devices and BlackBerry Link...86 Data protection between BlackBerry Link and devices...86 Back up and restore Remote media and file access architecture Smart cards Unbinding the current smart card from a device...88 Authenticating a user using a smart card...88 Managing how devices use smart cards Apps Managing apps Managing work apps on devices...92 BlackBerry World for Work Installing personal apps on devices Preventing users from installing apps using development tools Protecting a device from malicious apps How devices are designed to prevent BlackBerry Runtime for Android apps from accessing work apps and data...93 Managing how apps open links in the work and personal spaces on devices...94 Preventing users from using voice dictation within work apps on devices Preventing users from sharing work data on devices when sharing the screen during BBM Video chats Making apps unavailable on devices Controlling how apps connect to networks...96 Controlling how work apps connect to work networks Preventing personal apps from connecting to work networks Allowing work apps to connect to personal networks...98 Cryptography...99 Cryptography on devices Symmetric encryption algorithms Asymmetric encryption algorithms...100

6 Hash algorithms Message authentication codes Signature algorithms Key agreement algorithms Cryptographic protocols Cipher suites for SSL/TLS connections Cryptographic libraries VPN cryptographic support Wi-Fi cryptographic support BlackBerry OS device security Product documentation Provide feedback Glossary Legal notice...121

7 Introduction

8 Introduction About this guide 1 BES12 helps you manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), ios, Android, and Windows Phone devices in your organization's environment. This guide describes how BES12 delivers a higher level of control and security to BlackBerry 10 devices. This guide is intended for senior IT professionals responsible for evaluating the product and planning its deployment, as well as anyone who's interested in learning more about BES12 solution security. After you read this guide, you should understand how BES12 can help protect data in transit, data at rest, and apps for your organization. 8

9 Introduction What is BES12? 2 BES12 is an EMM solution from BlackBerry. EMM solutions help you do the following: Manage mobile devices for your organization to protect business information Keep mobile workers connected with the information that they need Provide administrators with efficient business tools With BES12, you can manage the following device types: BlackBerry 10 BlackBerry OS (version 5.0 to 7.1) ios Android Windows Phone You can manage these devices from a single, simplified UI with industry-leading security. Key features of BES12 Feature Management of many types of devices Single, unified UI Trusted and secure experience Balance of work and personal needs Description You can manage BlackBerry 10, BlackBerry OS (version 5.0 to 7.1), ios, Android, and Windows Phone devices. You can view all devices in one place and access all management tasks in a single, web-based UI. You can share administrative duties with multiple administrators who can access the management console at the same time. Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. BlackBerry Balance and Secure Work Space technologies are designed to make sure that personal information and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. 9

10 Introduction Security features Feature Description BlackBerry manufacturing security model BlackBerry's end-to-end manufacturing model ensures BlackBerry 10 device hardware integrity and that only genuine BlackBerry devices connect to the BlackBerry Infrastructure. BlackBerry 10 OS protection Administrative control Control over device access to your organization s network Protection of data in transit Protection of data at rest Cryptography FIPS certification for the BES12 server The BlackBerry 10 OS is tamper-resistant, resilient, and secure, and includes many security features that protect data, apps, and resources on devices. BES12 provides you with control over device behavior through features such as device activation, IT administration commands, IT policies, and profiles. BES12 allows you to send work Wi-Fi profiles and work VPN profiles to BlackBerry 10 devices so that you can control which devices can connect to your organization's network. Data in transit within the BES12 solution is protected using security features such as encryption, certificates, and mutually authenticated connections. Data at rest on BlackBerry 10 devices is protected using security features such as encryption, passwords, and data wiping. BlackBerry 10 devices support various types of cryptographic algorithms, codes, protocols, and APIs. Each BES12 instance encrypts all of the data that it stores directly and writes indirectly to files using a FIPS-validated cryptographic module. 10

11 Hardware and OS security Secure

12 Hardware and OS security Hardware root of trust for BlackBerry devices 3 BlackBerry ensures the integrity of BlackBerry device hardware and makes sure that counterfeit devices can't connect to the BlackBerry Infrastructure and use BlackBerry services. From the beginning of the product lifecycle, BlackBerry integrates security into every major component of the product design of devices. BlackBerry has enhanced its end-to-end manufacturing model to securely connect the supply chain, BlackBerry manufacturing partners, the BlackBerry Infrastructure, and BlackBerry devices, which allows BlackBerry to build trusted devices anywhere in the world. The BlackBerry manufacturing security model prevents counterfeit devices from impersonating authentic devices and makes sure that only genuine BlackBerry devices can connect to the BlackBerry Infrastructure. The BlackBerry Infrastructure uses device authentication to cryptographically prove the identity of the device that attempts to register with it. The BlackBerry manufacturing systems use the device s hardware-based ECC 521-bit key pair to track, verify, and provision each device as it goes through the manufacturing process. Only devices that complete the verification and provisioning processes can register with the BlackBerry Infrastructure. 12

13 Hardware and OS security The BlackBerry 10 OS 4 The BlackBerry 10 OS is the microkernel operating system of the BlackBerry 10 device. Microkernel operating systems implement the minimum amount of software in the kernel and run other processes in the user space that is outside of the kernel. Microkernel operating systems are designed to contain less code in the kernel than other operating systems. The reduced amount of code helps the kernel to avoid the vulnerabilities that are associated with complex code and to make verification easier. Verification is the process of evaluating a system for programming errors. Many of the processes that run in the kernel in a conventional operating system run in the user space of the OS. The OS is tamper-resistant. The kernel performs an integrity test when the OS starts and if the integrity test detects damage to the kernel, the device doesn t start. The OS is resilient. The kernel isolates a process in its user space if it stops responding and restarts the process without negatively affecting other processes. In addition, the kernel uses adaptive partitioning to prevent apps from interfering with or reading the memory used by another app. The OS is secure. The kernel validates requests for resources and an authorization manager controls how apps access the capabilities of the device, such as access to the camera, contacts, and device identifying information. The file system The BlackBerry 10 device file system runs outside of the kernel and keeps work data secure and separate from personal data. The file system is divided into the following areas: Base file system Work file system Personal file system (on devices with a personal space) The base file system is read-only and contains system files. Because the base file system is read-only, the BlackBerry 10 OS can check the integrity of the base file system and mitigate any damage done by an attacker who changed the file system. The work file system contains work apps and data. The device encrypts the files stored in the work space. On devices with a personal space, the personal file system contains personal apps and data. Apps that a user installed on the device from the BlackBerry World storefront are located in the personal file system. The device can encrypt the files stored in the personal file system. Sandboxing The BlackBerry 10 OS uses a security mechanism called sandboxing to separate and restrict the capabilities and permissions of apps that run on the device. Each app process runs in its own sandbox, which is a virtual container that consists of the memory and the part of the file system that the app process has access to at a specific time. 13

14 Hardware and OS security Each sandbox is associated with both the app and the space that it's used in. For example, an app can have one sandbox in the personal space and another sandbox in the work space; each sandbox is isolated from the other one. The OS evaluates the requests that an app s process makes for memory outside of its sandbox. If a process tries to access memory outside of its sandbox without approval from the OS, the OS ends the process, reclaims all of the memory that the process is using, and restarts the process without negatively affecting other processes. When the OS is installed, it assigns a unique group ID to each app. Two apps can't share the same group ID, and the OS doesn't reuse group IDs after apps are removed. An app s group ID remains the same when the app is upgraded. By default, each app stores its data in its own sandbox. The OS prevents apps from accessing file system locations that aren't associated with the app s group ID. An app can also store and access data in a shared directory, which is a sandbox that is available to any app that has access to it. When an app that wants to store or access files in the shared directory starts for the first time, the app prompts the user to allow access. Device resources The BlackBerry 10 OS manages the device's resources so that an app can't take resources from another app. The OS uses adaptive partitioning to reallocate unused resources to apps during typical operating conditions and enhance the availability of the resources to specific apps during peak operating conditions. App permissions The authorization manager is the part of the BlackBerry 10 OS that evaluates requests from apps to access the capabilities of the device. Capabilities include taking a photograph and recording audio. The OS invokes the authorization manager when an app starts to set the permissions for the capabilities that the app uses. When an app starts, it might prompt the user to allow access to a capability. The authorization manager can store a permission that the user grants and apply the permission the next time that the app starts. Verifying software Verifying the boot loader code The BlackBerry 10 device uses an authentication method that verifies that the boot loader code is permitted to run on the device. The manufacturing process installs the boot loader into the flash memory of the device and a public signing key into the processor of the device. The BlackBerry signing authority system uses a private key to sign the boot loader code. The device stores information that it can use to verify the digital signature of the boot loader code. When a user turns on a device, the processor runs internal ROM code that reads the boot loader from flash memory and verifies the digital signature of the boot loader code using the stored public key. If the verification process completes, the boot loader is permitted to run on the device. If the verification process can't complete, the device stops running. 14

15 Hardware and OS security Verifying the OS and file system If the boot loader code is permitted to run on a BlackBerry 10 device, the boot loader code verifies the BlackBerry 10 OS. The OS is digitally signed using EC 521 with a series of private keys. The boot loader code uses the corresponding public keys to verify that the digital signature is correct. If it's correct, the boot loader code runs the BlackBerry 10 OS. Before the OS mounts the read-only base file system, it runs a validation program that generates a SHA-256 hash of the base file system content, including all metadata. The program compares the SHA-256 hash to a SHA-256 hash that is stored outside the base file system. This stored hash is digitally signed using EC 521 with a series of private keys. If the hashes match, the validation program uses the corresponding public keys to verify the signature and the integrity of the stored hash. Verifying apps and software upgrades Once the base file system is validated, the BlackBerry 10 OS verifies existing apps by reading an app s XML file and verifying the assets of the app against the cryptographically signed hashes contained in the XML manifest. Each software upgrade and app for the BlackBerry 10 device is packaged in the BlackBerry Archive (BAR) format. This format includes SHA-2 hashes of each archived file, and an ECC signature that covers the list of hashes. When a user installs a software upgrade or app, the installation program verifies that the hashes and the digital signature are correct. The digital signatures for a BAR file also indicate the author of the software upgrade or app. The user can then decide whether to install the software based on its author. Because the device can verify the integrity of a BAR file, the device can download BAR files over an HTTP connection, which makes the download process faster than over a more secure connection. Preventing memory corruption BlackBerry 10 devices prevent exploitation of memory corruption in a number of different ways, including the security mechanisms listed in the following table: Security mechanism Non-executable stack and heap Stack cookies Robust heap implementations Description The stack and heap areas of memory are marked as non-executable. This means that a process can't execute machine code in these areas of the memory, which makes it more difficult for an attacker to exploit potential buffer overflows. Stack cookies are a form of buffer overflow protection that helps prevent attackers from executing arbitrary code. The heap implementation includes a defense mechanism against the deliberate corruption of the heap area of memory. The mechanism is designed to detect or mitigate the overwriting of in-band heap data structures so that a program can fail in a secure manner. The mechanism helps prevent attackers from executing arbitrary code via heap corruption. 15

16 Hardware and OS security Security mechanism Address space layout randomization (ASLR) Compiler-level source fortification Guard pages Description By default, the memory positions of all areas of a program are randomly arranged in the address space of a process. This mechanism makes it more difficult for an attacker to perform an attack that involves predicting target addresses to execute arbitrary code. The compiler GCC uses the FORTIFY_SOURCE option to replace non-secure code constructs where possible. For example, it might replace an unbounded memory copy with its bounded equivalent. If a process attempts to access a memory page, the guard page raises a one-time exception and causes the process to fail. These guard pages are placed strategically between memory used for different purposes, such as the standard program heap and the object heap. This mechanism helps prevent an attacker from causing a heap buffer overflow and changing the behavior of a process or executing arbitrary code with the permissions of the compromised process. 16

17 Activating and managing devices Simple

18 Activating and managing devices Activating devices 5 Device activation associates a BlackBerry 10 device with a user account in BES12 and establishes a secure communication channel between the device and BES12. BES12 allows multiple devices to be activated for the same user account. More than one active ios, Android, and BlackBerry 10 device can be associated with a user account. All device types consume a license when they are activated. BlackBerry 10 devices can be activated using one of three activation types. Activation type Work and personal - Corporate Work and personal - Regulated Work space only Description This option activates a BlackBerry Balance device that separates work and personal data. Your organization only has control over the work space. This option activates a regulated BlackBerry Balance device. These devices separate work and personal data but give you additional control over the features available on the device. This option activates a device that has a work space only. By default, a user can activate a device using any of the following connections: Over any Wi-Fi connection or mobile network using a VPN connection with a connection to the BlackBerry Infrastructure Over any Wi-Fi connection or mobile network through the BlackBerry Infrastructure Your organization's activation information is registered automatically with the BlackBerry Infrastructure. The username and your organization's BES12 server address is sent to and stored in the BlackBerry Infrastructure. If you turn off registration with the BlackBerry Infrastructure, then BES12 users also require the organization's BES12 server address to activate their devices. Users can activate their devices after they receive an activation message from BES12, or they can log in to BES12 Self- Service and request an activation password. When a user begins activation of a BlackBerry Balance or regulated BlackBerry Balance device, if the device has an existing work space, the device displays a warning message to indicate that the work data and work apps on the device will be deleted. When the user confirms that the device should be activated, the existing work space is deleted and a new work space is created. When a user begins activation of a work space only device, the device displays a warning message to indicate that all data on the device will be deleted. When the user confirms that the device should be activated, all data is deleted and the device restarts before the new work space is created. 18

19 Activating and managing devices After the activation process completes, BES12 can send apps, profiles, and IT policies to the device. If an profile is configured, the user can send and receive work messages using the device. For more information about activating and managing Android and ios devices, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Security Guide for ios, Android, and Windows Phone. Activation passwords You can specify how long an activation password remains valid before it expires. You can also specify the default password length for the automatically generated password that is sent to users in the activation message. The value that you enter for the activation period expiration appears as the default setting in the "Activation period expiration" field when you add a user account to BES12. The activation period expiration can be 1 minute to 30 days, and the length of the automatically generated password can be 4 to 16 characters. User registration with the BlackBerry Infrastructure User registration with the BlackBerry Infrastructure is a setting in the default activation settings that allows users to be registered with the BlackBerry Infrastructure when you add a user to BES12. Information sent to the BlackBerry Infrastructure is sent and stored securely. The benefit of registration is that users don't have to enter the server address when they are activating a device; they only need to enter their address and password. The Enterprise Management Agent on BlackBerry 10 devices then communicates with the BlackBerry Infrastructure to retrieve the server address. A secure connection is established with BES12 with minimal user input. You can turn off user registration with the BlackBerry Infrastructure if you don't want to send user information to BlackBerry. Data flow: Activating a BlackBerry 10 device 1. You perform the following actions: 19

20 Activating and managing devices a b c Add a user to BES12 as a local user account, or by using the account information retrieved from your company directory Assign an activation profile to the user Use one of the following options to provide the user with activation details: Automatically generate a device activation password and send an with activation instructions for the user Set a device activation password and communicate the username and password to the user directly or by Don't set a device activation password and communicate the BES12 Self-Service address to the user so that they can set their own activation password 2. The user performs the following actions: a b Types the username and activation password on the device For a "Work and personal - Regulated" or "Work space only" activation, accepts the organization notice, which outlines the terms and conditions that the user must agree to 3. If the activation is a "Work space only" activation, the device deletes all existing data and restarts. 4. The Enterprise Management Agent on the device performs the following actions: a b Establishes a connection to the BlackBerry Infrastructure Sends a request for activation information to the BlackBerry Infrastructure 5. The BlackBerry Infrastructure performs the following actions: a b c Verifies that the user is a valid, registered user Retrieves the BES12 address for the user Sends the address to the Enterprise Management Agent 6. The device performs the following actions: a b c Establishes a connection with BES12 Generates a shared symmetric key with BES12, using the activation password and EC-SPEKE. The shared symmetric key protects the CSR and response. Creates an encrypted CSR and HMAC as follows: Generates a key pair for the certificate Creates a PKCS#10 CSR that includes the public key of the key pair Encrypts the CSR using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding Computes an HMAC of the encrypted CSR using SHA-256 and appends it to the CSR 20

21 Activating and managing devices d Sends the encrypted CSR and HMAC to BES12 7. BES12 performs the following actions: a b c d e f g Verifies the HMAC of the encrypted CSR and decrypts the CSR using the shared symmetric key Retrieves the username, work space ID, and your organization s name from the BES12 database Packages a client certificate using the information it retrieved and the CSR that the device sent Signs the client certificate using the enterprise management root certificate Encrypts the client certificate, enterprise management root certificate, and the BES12 URL using the shared symmetric key and AES-256 in CBC mode with PKCS#5 padding Computes an HMAC of the encrypted client certificate, enterprise management root certificate, and the BES12 URL and appends it to the encrypted data Sends the encrypted data and HMAC to the device 8. The device performs the following actions: a b c Verifies the HMAC Decrypts the data it received from BES12 Stores the client certificate and the enterprise management root certificate in its keystore 9. BES12 performs the following actions: a b c d BES12 Core assigns the new device to a BES12 instance in the domain BES12 Core notifies the active BlackBerry Affinity Manager that a new device is assigned to the BES12 instance The active BlackBerry Affinity Manager notifies the BlackBerry Dispatcher on that BES12 instance that there is a new device The BlackBerry Dispatcher starts processing configuration data for the device 10. The device and the BlackBerry Dispatcher perform the following actions: a b Establish a mutually authenticated TLS connection by verifying both the client certificate and the server certificate for BES12 using the enterprise management root certificate Generate the device transport key using ECMQV and the authenticated long-term public keys from the client certificate and the server certificate for BES The device stores the device transport key in its keystore. 12. The BlackBerry Dispatcher stores the device transport key in the database and sends the IT policy, SRP information, profiles, and required apps to the device over TLS. 13. The device sends an acknowledgment over TLS to BES12, that it received and applied the IT policy and other data and has created the work space. The activation process is complete. The elliptic curve protocols used during the activation process use the NIST-recommended 521-bit curve. 21

22 Activating and managing devices Using IT policies to manage security 6 An IT policy is a set of rules that restrict or allow features and functionality on devices. IT policy rules can manage the security and behavior of devices. The device OS and device activation type determine which rules in an IT policy apply to a specific device. For example, depending on the device activation type, OS, and version, IT policy rules can be used to: Enforce password requirements on devices or the device work space Prevent users from using the camera Control connections that use Bluetooth wireless technology Force data encryption Only one IT policy can be assigned to each user account, and the assigned IT policy is sent to all of the user's devices. If you don't assign an IT policy to a user account or to a group that a user or device belongs to, BES12 sends the Default IT policy to the user's devices. You can rank IT policies to specify which policy is sent to devices if a user or a device is a member of two or more groups that have different IT policies and no IT policy is assigned directly to the user account. BES12 sends the highest ranked IT policy to the user's devices. For more information about assigning and ranking IT policies, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. BES12 automatically sends IT policies to devices when a user activates a device, when an assigned IT policy is updated, and when a different IT policy is assigned to a user or group. When a device receives a new or updated IT policy, the device applies the configuration changes in near real-time. All of the BlackBerry 10 IT policy rules available in BES12 apply to regulated BlackBerry Balance devices. Work space only devices and BlackBerry Balance devices ignore rules in the IT policy that are not applicable to those devices. For more information about specific IT policy rules, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Policy Reference Spreadsheet. 22

23 Data in transit

24 Data in transit How devices communicate with BES12 and your resources 7 Data sent between BlackBerry 10 devices and your resources is protected using various methods depending on the path that the data takes. Most data sent between your organization's mail, web, and content servers and BlackBerry 10 devices can travel directly over a work VPN or work Wi-Fi network or through BES12 and the BlackBerry Infrastructure. When BES12 sends device management data such as IT policies, profiles, or IT administration commands and required apps from your organization's network to BlackBerry 10 devices, it always sends the data through the BlackBerry Infrastructure, even when the device is connected to a work Wi-Fi network or work VPN. Regardless of the type of data and the path it takes, the data is encrypted and travels over mutually authenticated connections. The data can't be decrypted by the BlackBerry Infrastructure or at any other point in transit. How devices connect to your resources BlackBerry 10 devices can connect to your organization s resources (for example, mail servers, web servers, and content servers) using a number of communication methods. By default, devices try to connect to your organization s resources using the following communication methods, in order: 1. Work VPN profiles that you configure 2. Work Wi-Fi profiles that you configure 3. The BlackBerry Infrastructure and BES12 4. Personal VPN profiles and personal Wi-Fi profiles that a user configures on the device 24

25 Data in transit By default, work apps on the device can also use any of these communication methods to access the resources in your organization s environment. Securing the communication between apps and your organization s network BlackBerry 10 devices permit work apps and personal apps (on devices with a personal space) to use any available Wi-Fi profile or VPN profile to connect to your organization s network. If you configure Wi-Fi profiles or VPN profiles using BES12, you permit personal apps to access your organization s network. If the security requirements of your organization don't permit personal apps to access your organization s network, you can restrict connection options. You can use the "Allow work network usage for personal apps" IT policy rule to prevent personal apps from using your organization s network to connect to the Internet using your work Wi-Fi network or work VPN connection. You can also limit the communication methods that devices can use to connect to your organization's network through BES12 by limiting connectivity options to the BlackBerry MDS Connection Service and the BlackBerry Infrastructure. Personal apps can't use the BlackBerry MDS Connection Service and the BlackBerry Infrastructure to connect to your organization s network. Related information Controlling how apps connect to networks, on page 96 Securing data pushed to apps on devices 25

26 Data in transit The BlackBerry MDS Connection Service connects push applications hosted on your organization's application servers or web servers to apps on BlackBerry 10 devices. The BlackBerry MDS Connection Service sends push requests, received from push applications, through the BlackBerry Infrastructure to apps on BlackBerry 10 devices. You can permit only specific push applications to push data to BlackBerry 10 devices and you can turn on authentication to prevent the BlackBerry MDS Connection Service from sending data from unauthorized push applications. To protect the connection between push applications and the BlackBerry MDS Connection Service, you can use TLS. Push applications can use the self-signed certificate that is generated when you configure the BlackBerry MDS Connection Service keystore, or you can add a signed certificate from a trusted public CA to the keystore. For more information about the BlackBerry MDS Connection Service, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Configuration Guide. Types of encryption used for communication between devices and your resources Communication between a device and your organization s resources can use various types of encryption. The type of encryption used depends on the connection method. Encryption type Wi-Fi encryption (IEEE ) VPN encryption Description Wi-Fi encryption is used for data in transit between a device and wireless access point if the wireless access point was set up to use Wi-Fi encryption. VPN encryption is used for data in transit between a device and a VPN server. 26

27 Data in transit Encryption type SSL/TLS encryption Description SSL/TLS encryption is used for data in transit between a device and content server, web server, or mail server in your organization. The encryption for this connection must be set up separately on each server and uses a separate certificate with each server. The server might use SSL or TLS, depending on how it's set up. Work Wi-Fi connection encryption In a work Wi-Fi connection, a BlackBerry 10 device connects to your organization s resources using the settings that you configured in a Wi-Fi profile. Wi-Fi encryption is used if the wireless access point was set up to use it. VPN connection encryption In a VPN connection, a BlackBerry 10 device connects to your organization s resources through any wireless access point or a mobile network, your organization s firewall, and your organization s VPN server. Wi-Fi encryption is used if the wireless access point was set up to use it. 27

28 Data in transit BlackBerry Infrastructure connection encryption In a BlackBerry Infrastructure connection, a device connects to your organization s resources through any wireless access point, the BlackBerry Infrastructure, your organization's firewall, and BES12. Wi-Fi encryption is only used if the wireless access point was set up to use it. Related information Types of encryption used to send device management data to devices, on page 40 28

29 Data in transit Protecting connections to work networks 8 Connecting to a VPN If your organization s environment includes VPNs, such as IPsec VPNs or SSL VPNs, you can configure BlackBerry 10 devices to authenticate with a VPN to access your organization's network. A VPN provides an encrypted tunnel between a device and the network. A VPN solution consists of a VPN client on a device and a VPN concentrator. The device can use the VPN client to authenticate with the VPN concentrator, which acts as the gateway to your organization's network. Each device includes a built-in VPN client that supports several VPN concentrators. Depending on the VPN solution, a client app may need to be installed on the device. The VPN client on the device supports the use of strong encryption to authenticate itself with the VPN concentrator. It creates an encrypted tunnel between the device and the VPN concentrator that the device and your organization's network can use to communicate. Protecting Wi-Fi connections A device can connect to work Wi-Fi networks that use the IEEE standard. The IEEE i standard uses the IEEE 802.1X standard for authentication and key management to protect work Wi-Fi networks. The IEEE i standard specifies that organizations must use the PSK protocol or the IEEE 802.1X standard as the access control method for Wi-Fi networks. You can use Wi-Fi profiles to send Wi-Fi configuration information, including security settings and any required certificates to devices. Layer 2 security methods that a device supports You can configure a device to use security methods for layer 2 (also known as the IEEE link layer) so that the wireless access point can authenticate the device to allow the device and the wireless access point to encrypt the data that they send to each other. The device supports the following layer 2 security methods: WEP encryption (64-bit and 128-bit) IEEE 802.1X standard and EAP authentication using PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST TKIP and AES-CCMP encryption for WPA-Personal, WPA2-Personal, WPA-Enterprise, and WPA2-Enterprise To support layer 2 security methods, the device has a built-in IEEE 802.1X supplicant. If a work Wi-Fi network uses EAP authentication, you can permit and deny device access to the work Wi-Fi network by updating your organization s central authentication server. You're not required to update the configuration of each access point. 29

30 Data in transit For more information about IEEE and IEEE 802.1X, see For more information about EAP authentication, see RFC IEEE 802.1X standard The IEEE 802.1X standard defines a generic authentication framework that a device and a work Wi-Fi network can use for authentication. The EAP framework is specified in RFC The device supports EAP authentication methods that meet the requirements of RFC 4017 to authenticate the device to the work Wi-Fi network. Some EAP authentication methods (for example, EAP-TLS, EAP-TTLS, EAP-FAST, or PEAP) use credentials to provide mutual authentication between the device and the work Wi-Fi network. The device is compatible with the WPA-Enterprise and WPA2-Enterprise specifications. Data flow: Authenticating a device with a work Wi-Fi network using the IEEE 802.1X standard If you configured a wireless access point to use the IEEE 802.1X standard, the access point permits communication using EAP authentication only. This data flow assumes that you configured a device to use an EAP authentication method to communicate with the access point. 1. The device associates itself with the access point that you configured to use the IEEE 802.1X standard. The device sends its credentials (typically a username and password) to the access point. 2. The access point sends the credentials to the authentication server. 3. The authentication server performs the following actions: a b c Authenticates the device on behalf of the access point Instructs the access point to permit access to the work Wi-Fi network Sends Wi-Fi credentials to the device to permit it to authenticate with the access point 4. The access point and device use EAPoL-Key messages to generate encryption keys (for example, WEP, TKIP, or AES- CCMP, depending on the EAP authentication method that the device uses). When the device sends EAPoL messages, the device uses the encryption and integrity requirements that the EAP authentication method specifies. When the device sends EAPoL-Key messages, the device uses the ARC4 algorithm or AES algorithm to provide integrity and encryption. After the access point and device generate the encryption key, the device can access the work Wi-Fi network. 30

31 Data in transit EAP authentication methods that devices support PEAP authentication PEAP authentication permits devices to authenticate with an authentication server and access a work Wi-Fi network. PEAP authentication uses TLS to create an encrypted tunnel between a device and the authentication server. It uses the TLS tunnel to send the authentication credentials of the device to the authentication server. Devices support PEAPv0 and PEAPv1 for PEAP authentication. Devices also support EAP-MS-CHAPv2 and EAP-GTC as secondphase protocols during PEAP authentication so that devices can exchange credentials with the work Wi-Fi network. To configure PEAP authentication, you must send a CA certificate that corresponds to the authentication server certificate to devices and enroll client certificates, if required. You can use SCEP to enroll client certificates on devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. EAP-TLS authentication EAP-TLS authentication uses a PKI to permit a device to authenticate with an authentication server and access a work Wi-Fi network. EAP-TLS authentication uses TLS to create an encrypted tunnel between the device and the authentication server. EAP-TLS authentication uses the TLS encrypted tunnel and a client certificate to send the credentials of the device to the authentication server. Devices support EAP-TLS authentication when the authentication server and the client use certificates that meet specific requirements. To configure EAP-TLS authentication, you must send a CA certificate that corresponds to the authentication server certificate to devices and enroll client certificates. You can use SCEP to enroll certificates on devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. For more information about EAP-TLS authentication, see RFC EAP-TTLS authentication EAP-TTLS authentication extends EAP-TLS authentication to permit a device and an authentication server to mutually authenticate. When the authentication server uses its certificate to authenticate with the device and open a protected connection to the device, the authentication server uses an authentication protocol over the protected connection to authenticate with the device. Devices support EAP-MS-CHAPv2, MS-CHAPv2, and PAP as second-phase protocols during EAP-TTLS authentication so that devices can exchange credentials with the work Wi-Fi network. To configure EAP-TTLS authentication, you must send a CA certificate that corresponds to the authentication server certificate to devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. 31

32 Data in transit How a device and BES12 protect sensitive Wi-Fi information To permit a device to access a Wi-Fi network, you must send sensitive Wi-Fi information such as encryption keys and passwords to the device using Wi-Fi profiles and VPN profiles. After the device receives the sensitive Wi-Fi information, the device encrypts the encryption keys and passwords and stores them in flash memory. BES12 encrypts the sensitive Wi-Fi information that it sends to the device and stores the sensitive Wi-Fi information in the BES12 database. You can help protect the sensitive Wi-Fi information in BES12 database using access controls and configuration settings. EAP-FAST authentication EAP-FAST authentication uses PAC to open a TLS connection to a device and verify the supplicant credentials of the device over the TLS connection. Devices support EAP-MS-CHAPv2 and EAP-GTC as second-phase protocols during EAP-FAST authentication so that devices can exchange authentication credentials with work Wi-Fi networks. Devices support the use of automatic PAC provisioning with EAP-FAST authentication only. For more information about EAP-FAST authentication, see RFC Supported EAP authentication methods when using CCKM BlackBerry 10 devices support the use of CCKM with all supported EAP authentication methods to improve roaming between wireless access points. Devices don't support the use of CCKM with the CKIP encryption algorithm or the AES-CCMP encryption algorithm. Using certificates with PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication If your organization uses PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication to protect the wireless access points for a work Wi-Fi network, a device must authenticate mutually with an access point using an authentication server. To generate the certificates that the device and authentication server use to authenticate with each other, you require a CA. For PEAP authentication, EAP-TLS authentication, or EAP-TTLS authentication to be successful, the device must trust the certificate of the authentication server. The device doesn't trust the certificate of the authentication server automatically. Each device stores a list CA certificates that it explicitly trusts. To trust the certificate of the authentication server, the device must store the CA certificate for the certificate of the authentication server. You can send CA certificates to every device and you can use SCEP to enroll client certificates on devices. For more information, visit docs.blackberry.com/bes12 to read the BlackBerry Enterprise Service 12 Administration Guide. 32

33 Data in transit Protecting data in transit over the BlackBerry Infrastructure 9 Data sent between BlackBerry 10 devices and your resources passes through the BlackBerry Infrastructure in the following circumstances: BES12 sends required apps and all device management data, such as IT policies, profiles, or IT administration commands, to devices through the BlackBerry Infrastructure, even when the device is connected to a work VPN or work Wi-Fi network. Data sent between a device and your organization's mail, web, and content servers travels through BES12 and the BlackBerry Infrastructure only when the device isn't connected to a work VPN or work Wi-Fi network. How BES12 authenticates with the BlackBerry Infrastructure To protect data in transit between BES12 and the BlackBerry Infrastructure, BES12 and the BlackBerry Infrastructure must authenticate with each other before they can transfer data. BES12 and the BlackBerry Infrastructure use different authentication methods, depending on the type of data being sent: When BES12 sends device management data to BlackBerry 10 devices through the BlackBerry Infrastructure, BES12 and the BlackBerry Infrastructure establish a mutually authenticated TLS connection that uses AES-256 to protect the data. When BES12 sends work data from your organization's mail, web, and content servers to BlackBerry 10 devices through the BlackBerry Infrastructure, BES12 uses SRP to authenticate with and connect to the BlackBerry Infrastructure. SRP is a proprietary point-to-point protocol that runs over TCP/IP. BES12 uses SRP to contact the BlackBerry Infrastructure and open a connection. When BES12 and the BlackBerry Infrastructure open a connection, they can perform the following actions: Authenticate with each other Exchange configuration information Send and receive data Data flow: Authenticating BES12 with the BlackBerry Infrastructure when sending work data 33

34 Data in transit 1. BES12 connects to the BlackBerry Infrastructure and initiates a TLS connection. 2. The BlackBerry Infrastructure sends an authentication certificate to BES BES12 performs the following actions: Verifies that the authentication certificate is signed by a trusted CA Verifies the name of the server in the BlackBerry Infrastructure to establish the TLS connection Sends a data packet that contains its unique SRP ID and SRP authentication key to the BlackBerry Infrastructure to claim the SRP ID 4. The BlackBerry Infrastructure sends a random challenge string to BES BES12 sends a challenge string to the BlackBerry Infrastructure. 6. The BlackBerry Infrastructure hashes the challenge string it received from BES12 with the SRP authentication key using HMAC with the SHA-1 algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to BES12 as a challenge response. 7. BES12 hashes the challenge string it received from the BlackBerry Infrastructure with the SRP authentication key, and sends the result as a challenge response to the BlackBerry Infrastructure. 8. The BlackBerry Infrastructure performs one of the following actions: Accepts the challenge response and sends a confirmation to BES12 to complete the authentication process and configure an authenticated SRP connection Rejects the challenge response If the BlackBerry Infrastructure rejects the challenge response, the authentication process isn't successful. The BlackBerry Infrastructure and BES12 close the SRP connection. If BES12 uses the same SRP authentication key and SRP ID to connect to (and then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure deactivates the SRP ID to help prevent an attacker from using the SRP ID to create conditions for a DoS attack. Data flow: Authenticating BES12 with the BlackBerry Infrastructure when sending device management data 1. BES12 connects to the BlackBerry Infrastructure and initiates a TLS connection. 2. The BlackBerry Infrastructure sends an authentication certificate to BES12. 34