Port3101.org : Your BES Connection



KB05429 - Recommendation on the use of Triple DES or AES for BlackBerry transport
 
Posted 06-10-2009, 06:10 PM by hdawg

KB05429 - Recommendation on the use of Triple DES or AES for BlackBerry transport layer.


Environment

  • BlackBerry® Enterprise Server software version 4.0 and later




Overview

The BlackBerry® Enterprise Solution uses symmetric key cryptography to encrypt and decrypt data sent between the BlackBerry Enterprise Server and the BlackBerry smartphone.
BlackBerry Enterprise Server software version 4.0 and later for Microsoft® Exchange and IBM® Lotus® Domino® allow the system administrator to set either Triple Data Encryption Standard (Triple DES), Advanced Encryption Standard (AES), or both Triple DES and AES for use with BlackBerry transport layer encryption. Triple DES and AES are industry standard encryption algorithms. The BlackBerry Enterprise Solution uses Triple DES (112-bit keys) or AES (256-bit keys) to encrypt and decrypt the data sent between the BlackBerry Enterprise Server and the BlackBerry smartphone.
Note: All versions of the BlackBerry Enterprise Server software for Novell® GroupWise® support AES encryption only. The IBM Lotus Domino server and the Microsoft Exchange server perform all message storage and specific user data storage in their environments. In the Novell GroupWise server environment, the Post Office Agent stores messages and user data. See the BlackBerry Enterprise Solution Security Technical Overview for more information.

Recommendation

Research In Motion recommends setting the BlackBerry Enterprise Server to use AES transport layer encryption for all communication with BlackBerry smartphones.
AES was created through a competition to design an algorithm with a better combination of security and performance than Triple DES. It is recognized throughout much of the security industry as the successor to Triple DES, and is also currently approved by the United States Committee on National Security Systems (CNSS) for protecting top secret government information. For more information, see the CNSS web site.
There are currently no publicized cryptanalytic attacks, other than brute-force, against systems protected by AES. A brute-force attack against an AES-256 system is nearly impossible with current technology. Even with a network of 100 billion computers each running continuously at 100 GHz, it would take over 10^47 years to break a single AES-256 key by brute force.

Selecting an encryption type on the BlackBerry Enterprise Server

A system administrator with appropriate database permissions can select an encryption type in the BlackBerry Manager to specify the algorithm(s) that encrypt and decrypt all data communication between the BlackBerry Enterprise Server and all BlackBerry smartphones on the BlackBerry Enterprise Server.
Encryption algorithm Description
Triple DES
  • Default encryption method on BlackBerry Enterprise Server software version 4.0 or later for Microsoft Exchange and IBM Lotus Domino
  • Allows use of the Triple DES algorithm
AES
  • Default encryption method on the BlackBerry Enterprise Server software version 4.0 or later for Novell GroupWise
  • Enables use of the AES algorithm
Triple DES and AES
  • Allows use of both the Triple DES and the AES algorithm
  • Provides Triple DES encryption on BlackBerry devices that do not support AES (BlackBerry smartphones running BlackBerry® Device Software versions earlier than 4.0, BlackBerry® Connect™ devices, and BlackBerry® Built-In™ devices)
  • Provides AES encryption by default on BlackBerry smartphones that support AES


Checking the encryption type on a BlackBerry smartphone
BlackBerry smartphone users can perform the following steps to verify the type of encryption used to protect the data in transit between their BlackBerry smartphones and the BlackBerry Enterprise Server:
  1. On the BlackBerry smartphone Home screen, click Options.
  2. Click Security or Security Options.
  3. Click General Settings.
  4. Scroll to the bottom of the screen. Under Services, the BlackBerry service specifies the type of encryption used (such as AES or 3DES).
Note: 3DES represents Triple DES encryption.

Software requirements for BlackBerry encryption algorithms





Encryption algorithm | BlackBerry Enterprise Server | BlackBerry Device Software | BlackBerry Desktop Software
Triple DES | Any version | Any version | Any version
AES | 4.0 or later | 4.0 or later | 4.0 or later







Additional Information

In the BlackBerry Enterprise Server debug logs, event [30223] contains the settings for each BlackBerry smartphone user:
[30223] (11/28 01:50:57):{0x1548} {Grant,IC,Ian,JUCT R} User settings: id=1BAE, email=ian.c.grant@testbes.rim.net.com, device=12345678, routing=S1234567, agent=004, ext=1, keys=(3:3:0)
The 'keys' information identifies the encryption used for the current, previous, and pending encryption keys (in that order). Each position holds one of the following values:
  • 3 for Triple Data Encryption Standard (Triple DES)
  • A for Advanced Encryption Standard (AES)
  • U for Unknown encryption
  • 0 for Pending


In the example above, both the current and previous encryption keys are Triple DES, and the third key is in the Pending state.
__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.
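
An added example, not part of the KB article or of the original post: a short Python audit that reads [30223] lines from a BlackBerry Enterprise Server debug log, decodes the keys=(current:previous:pending) field as described above, and lists users whose current transport key is not AES. The function names, the [40000] line and the example.test users are constructed for illustration; only the first sample line comes from the article.

```python
import re

# Codes the article lists for the keys=(current:previous:pending) field.
KEY_TYPES = {"3": "Triple DES", "A": "AES", "U": "Unknown", "0": "Pending"}

# Field layout taken from the article's sample [30223] line.
EVENT_RE = re.compile(
    r"\[30223\].*?User settings:\s*id=(?P<id>[^,\s]+),\s*email=(?P<email>[^,\s]+),"
    r".*?keys=\((?P<cur>[3AU0]):(?P<prev>[3AU0]):(?P<pend>[3AU0])\)"
)

def parse_user_settings(line):
    """Return the user id, email and decoded key types, or None if not a [30223] line."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return {
        "id": m["id"],
        "email": m["email"],
        "current": KEY_TYPES[m["cur"]],
        "previous": KEY_TYPES[m["prev"]],
        "pending": KEY_TYPES[m["pend"]],
    }

def audit(lines):
    """Keep the last record seen per user id; list users whose current key is not AES."""
    latest = {}
    for line in lines:
        rec = parse_user_settings(line)
        if rec is not None:
            latest[rec["id"]] = rec  # a later log line overrides an earlier one
    non_aes = sorted(r["email"] for r in latest.values() if r["current"] != "AES")
    return latest, non_aes

# First line is the article's sample; the rest are constructed for this example.
SAMPLE_LOG = [
    "[30223] (11/28 01:50:57):{0x1548} {Grant,IC,Ian,JUCT R} User settings: id=1BAE, email=ian.c.grant@testbes.rim.net.com, device=12345678, routing=S1234567, agent=004, ext=1, keys=(3:3:0)",
    "[30223] (11/28 01:50:58):{0x1548} {User Two} User settings: id=2C10, email=user2@example.test, device=22222222, routing=S1234567, agent=004, ext=1, keys=(3:3:A)",
    "[40000] (11/28 01:51:00):{0x1548} constructed unrelated line",
    "[30223] (11/28 02:10:00):{0x1548} {User Three} User settings: id=3D22, email=user3@example.test, device=33333333, routing=S1234567, agent=004, ext=1, keys=(U:3:0)",
    "[30223] (11/29 01:50:58):{0x1548} {User Two} User settings: id=2C10, email=user2@example.test, device=22222222, routing=S1234567, agent=004, ext=1, keys=(A:3:0)",
]

if __name__ == "__main__":
    latest, non_aes = audit(SAMPLE_LOG)
    for email in non_aes:
        print("not on AES:", email)
```

Users reported with an Unknown current key are listed alongside Triple DES users, since neither is confirmed to be on the recommended AES setting.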