Port3101.org : Your BES Connection
Policy Rule Question #2
 
#1
08-19-2009, 03:02 PM
d_fisher
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247

Have another policy rule that I have questions about. Our security group wants us to set the content protection strength rule. I obviously reviewed the IT policy rule but also checked out the BES 5.0 Security Technical Overview. I have a couple of concerns about how this rule might affect the BlackBerry in real world situations.
  1. How does setting the rule to Strong/Stronger/Strongest affect the end-users' experience? If slower, how significant is the slowdown?
  2. Is the slowdown all the time or only when unlocking the device?
  3. Does this affect the functionality of applications or BT devices?
  4. Does this cause any support issues? I know some previously existed.
As always, thanks to everyone for taking the time to respond.

-Doug


Quote:
Content Protection Strength IT policy rule

Description

This rule specifies the cryptography strength that a BlackBerry® device uses to encrypt content that it receives while it is locked. When you specify a value, the content protection feature is turned on.

Default values

The default value in the Advanced security and Advanced security (disallow application downloads) IT policies is strong.
The default value in all other preconfigured IT policies is a null value.

Usage

Configure this rule to Strong to use a 160-bit ECC public key. This key provides good security and good performance and is adequate for most situations.
Configure this rule to Stronger to use a 283-bit ECC public key. This key provides better security but slower performance than the Strong setting.
Configure this rule to Strongest to use a 571-bit ECC public key. This key provides the highest level of security but the slowest performance of the three settings.

Dependencies

A BlackBerry device uses this rule only if you configure the Password Required IT policy rule to Yes.
If you configure this rule to Strong or Stronger, configure the Minimum Password Length IT policy rule to 12 characters. If you configure the content protection strength to Strongest, instruct the user to create a password of at least 21 characters. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide.
#2
08-19-2009, 04:51 PM
Sith_Apprentice
Super Moderator
Join Date: Dec 2008
Posts: 1,056

1. How does setting the rule to Strong/Stronger/Strongest affect the end-users' experience? If slower, how significant is the slowdown?

The response of the device on unlocking is MUCH slower on the Strongest setting. To unlock, when Content Protection is enabled, takes up to 7 seconds in my experience. On older devices (prior to Bold) the wiping of said devices takes up to 3 hours as well. So if a user forgets their password x number of times and it wipes, they are SOL for up to 3 hours. The device does however wipe, then scrub to DoD standards.

2. Is the slowdown all the time or only when unlocking the device?

There is a very small slowdown during operation at all times, though most users will not notice. The unlocking is the pain.


3. Does this effect the functionality of applications or BT devices?

I do not allow Bluetooth devices in my environment (excluding the CAC reader) so I cannot comment on this, though I seriously doubt Bluetooth would have any noticeable difference. (Encryption on BT is seperate)



4. Does this cause any support issues? I know some previously existed.

The only one I have come across is the user wiping their device/complaining about the sluggishness to unlock. On devices not running 4.5+ and BES prior to 4.1.6, you could NOT reset the password for a user when content protection was enabled (could not translate plain text to encrypted text and back). These issues have been resolved with the above listed software versions.


Let me know what additional questions you have. Also, the above list is from BES 4.1.5+; prior versions did not have that robust an encryption.
Last edited by Sith_Apprentice; 08-19-2009 at 04:57 PM.
#3
08-19-2009, 07:40 PM
d_fisher
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247

Perfect, this is exactly what I was looking for. Thanks!
#4
08-19-2009, 11:54 PM
Otto
Proprietor
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,033
Blog Entries: 14

Wow, I believe that was the best explanation of said policy that I've seen to date. Good job, Sith!
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.
#5
08-20-2009, 11:39 AM
d_fisher
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247

One last question about this policy.
Quote:
If you configure this rule to Strong or Stronger, configure the Minimum Password Length IT policy rule to 12 characters. If you configure the content protection strength to Strongest, instruct the user to create a password of at least 21 characters. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide.
Are you required to set the password requirement to 12 or 21 characters when using this rule? I saw verbiage from BlackBerry in a different location that recommended the longer passwords. So is it a recommendation or a requirement? The password change would be a huge change for our users (we currently only require 4 characters).

Doug
#6
08-20-2009, 12:14 PM
Sith_Apprentice
Super Moderator
Join Date: Dec 2008
Posts: 1,056

No, it is not a requirement; it is recommended.
#7
08-20-2009, 12:14 PM
Sith_Apprentice
Super Moderator
Join Date: Dec 2008
Posts: 1,056

Quote:
Originally Posted by Otto
Wow, I believe that was the best explanation of said policy that I've seen to date. Good job, Sith!
Thank you sir. Blog away
#8
08-20-2009, 12:49 PM
AUTiger92
BES Expert
Join Date: Jan 2009
Location: Alabama
Posts: 82

FYI the wiping will take longer than 3 hours. If you have 8700 series, then you can take the day off. I've seen the 8830s take more like 4 hours.
AUTIGER92
Exchange\Blackberry Admin
4 - BES Servers (4.1.6), 3 Exchange Organizations,
~1800 BB Users, and a headache.
War Eagle!!
#9
08-21-2009, 11:18 AM
CanuckBB
BES Administrator
Join Date: Apr 2009
Location: YYZ
Posts: 17

Doesn't content protection also disable address book lookup for incoming calls when the device is locked?

You have to carefully review the need for content protection. If your devices are password protected already, you can't get to the info unless you know the password.
#10
08-21-2009, 03:02 PM
d_fisher
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247

Quote:
Originally Posted by CanuckBB
Doesn't content protection also disable address book lookup for incoming calls when the device is locked?
Are the address books automatically encrypted once content protection is turned on? I thought that it falls under a different policy rule, Force Include Address Book In Content Protection. Maybe I am not reading this one correctly. Does it mean the address book is encrypted automatically but the user can disable it after the fact? -OR- Is the address book NOT encrypted but the user can enable it?

Quote:
Description
This rule specifies whether a user can choose to encrypt the contact list on a BlackBerry® device when content protection is turned on.
By default, when you turn on content protection, the BlackBerry device is designed to encrypt the user data on the BlackBerry device, including the contact list, when it is locked but the user can choose to turn off content protection for the contact list.

Default value
The default value is No. A user can choose whether the contact list is encrypted when content protection is turned on. By default, when content protection is turned on, call display and Bluetooth contacts transfer do not work when the BlackBerry device is locked unless the user changes the Include contact list field in the Security options on the BlackBerry device.

Usage
Change this rule to Yes to prevent a user from choosing whether content protection includes contacts when a BlackBerry device is locked. In the Security options, a user cannot change the Include contact list field. Call display and Bluetooth contacts transfer do not work when the BlackBerry device is locked.
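The dependencies quoted in post #1 (Content Protection Strength: Password Required, recommended minimum password length per key size) and in post #10 (Force Include Address Book In Content Protection and its effect on call display while locked) combined into one small audit check. This is an added example, not code from the thread, from RIM or from BES; the rule names are those quoted above, and the dict layout is an assumed stand-in for an exported IT policy.

```python
# Added example; not code from the thread, from RIM or from BES. It applies the
# dependency rules quoted in this thread to an IT policy given as a dict of
# rule name -> value (a constructed stand-in for an exported policy).

# Key size and recommended minimum password length per strength, as quoted.
STRENGTH = {
    "Strong":    {"ecc_bits": 160, "min_password": 12},
    "Stronger":  {"ecc_bits": 283, "min_password": 12},
    "Strongest": {"ecc_bits": 571, "min_password": 21},
}

def audit_content_protection(policy, user_includes_contacts=True):
    """Return a dict describing whether content protection is on, in effect,
    which key size it uses, whether the password policy meets the recommended
    length, and whether contacts stay encrypted (no call display) while locked.
    None as a rule value stands for the null value; user_includes_contacts
    models the device-side "Include contact list" field the user may toggle."""
    result = {"enabled": False, "effective": False, "ecc_bits": None,
              "password_ok": True, "contacts_locked": False, "notes": []}
    strength = policy.get("Content Protection Strength")
    if strength is None:
        result["notes"].append("Content protection is off (strength rule is null).")
        return result
    if strength not in STRENGTH:
        result["notes"].append(f"Unrecognised strength value {strength!r}.")
        return result
    result["enabled"] = True
    result["ecc_bits"] = STRENGTH[strength]["ecc_bits"]
    # Dependency 1: the rule is used only when Password Required is Yes.
    result["effective"] = policy.get("Password Required") == "Yes"
    if not result["effective"]:
        result["notes"].append("Not in effect: Password Required is not Yes.")
    # Dependency 2: recommended (not enforced) minimum password length.
    recommended = STRENGTH[strength]["min_password"]
    configured = policy.get("Minimum Password Length") or 0
    if configured < recommended:
        result["password_ok"] = False
        result["notes"].append(
            f"Minimum Password Length is {configured}; {recommended} is recommended "
            f"for {strength} so the password does not undercut the key strength.")
    # Force Include Address Book: Yes removes the user's option to exclude contacts.
    forced = policy.get("Force Include Address Book In Content Protection") == "Yes"
    if forced or user_includes_contacts:
        result["contacts_locked"] = True
        result["notes"].append("Contact list is encrypted while locked: call display "
                               "and Bluetooth contact transfer will not work.")
    return result
```

Fed the thread's own situation (Strong with a 4-character minimum), the result reports password_ok False with a note naming the recommended 12 characters, which matches the advisory status Sith_Apprentice confirms.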
#11
08-21-2009, 09:11 PM
Sith_Apprentice
Super Moderator
Join Date: Dec 2008
Posts: 1,056

Address books are not included unless forced. Also, I wipe devices daily: 8820s take roughly 2 hours 20 minutes, 8700c will take just over 3 hours 15 min, Bolds will take 20-30 minutes. I have never had a device take longer than 40 minutes.
#12
09-14-2009, 01:35 AM
devans
BES Administrator
Join Date: Feb 2009
Location: I come from a land down under where beer does flow and men chunder
Posts: 42

Content Protection is a major pain. I would not implement it if you have a choice.

I believe it is an unnecessary overhead. The risk of someone obtaining a BlackBerry & having the tools to decrypt data from the chipset is very low.

Below are some issues I came across with content protection:

1. BlackBerry is slower to respond - When you lock the handheld, the BlackBerry will start to encrypt data; initially this may take quite some time. While the BlackBerry is encrypting data, an open Padlock icon will be displayed in the status bar at the top of the screen. When the BlackBerry is finished encrypting data, the Padlock icon will appear closed. The BlackBerry will continue to encrypt new data received over the air whilst locked.

2. If the Address Book is included - contacts cannot be accessed using the "Place Call" option due to the address book being encrypted whilst the BlackBerry is locked.

Once the address book is excluded, note that when placing a call from the locked screen it will no longer display the call log (as the call log is still encrypted), but you can still type alpha characters to search for contacts in the address book.

3. An additional advantage of removing the content protection on the Address Book is to enable caller identification of incoming calls when the device is locked. Previously when locked, the BlackBerry would display "Unknown Caller" even if the caller's details are in the address book (because the address book was encrypted & could not be accessed when locked).

4. Extends the time of wiping a device from 5 minutes to approximately 1 hour. This increases the amount of time it takes for us to get a BlackBerry reconfigured for our customers.

5. Forgotten passwords - Restricts our ability to send a remote command to change the password on a BlackBerry.

6. SMS messages over 160 characters being split into multiple parts is due to content protection. This only occurs when the BlackBerry is locked & the data is encrypted (blue closed padlock appears in status bar). All data received during this state is encrypted until unlocked. Hence additional portions of the SMS cannot be added to the first portion of the SMS when delivered. Multi-part SMS messages received whilst the BlackBerry is unlocked are merged into one message.

One exception would be if an SMS was received just after the BlackBerry was locked but had not yet encrypted the SMS message database (the blue padlock in the status bar would appear unlocked).
#13
09-14-2009, 09:17 AM
d_fisher
BES Guru
Join Date: Dec 2008
Location: Columbus, OH
Posts: 247

Quote:
Originally Posted by devans
Content Protection is a major pain. I would not implement it if you have a choice.
Unfortunately, I no longer have a choice. Our security group has made it a requirement that content protection is enabled. They don't care what strength we use, just as long as it's enabled. Obviously, we are going to use the weakest (STRONG) and only go stronger if required at a later date.

Quote:
Originally Posted by devans
2. If the Address Book is included - contacts cannot be accessed using the "Place Call" option due to the address book being encrypted whilst the BlackBerry is locked.

Once the address book is excluded, note that when placing a call from the locked screen it will no longer display the call log (as the call log is still encrypted), but you can still type alpha characters to search for contacts in the address book.

3. An additional advantage of removing the content protection on the Address Book is to enable caller identification of incoming calls when the device is locked. Previously when locked, the BlackBerry would display "Unknown Caller" even if the caller's details are in the address book (because the address book was encrypted & could not be accessed when locked).
Fortunately, we are not being required to protect the address book so we shouldn't be affected by those issues.

Quote:
Originally Posted by devans
4. Extends the time of wiping a device from 5 minutes to approximately 1 hour. This increases the amount of time it takes for us to get a BlackBerry reconfigured for our customers.
Hopefully this won't be the case on the STRONG setting. We still need to perform some testing. We may have to change our help desk procedures. Currently they will wipe and reactivate while on the phone with the customer. That will not be realistic if the wipes take an hour.

Quote:
Originally Posted by devans
5. Forgotten passwords - Restricts our ability to send a remote command to change the password on a BlackBerry.
This shouldn't be a problem going forward. KM12826

Came across another issue with content protection the other day. When it's enabled you can't enable debug logging on the handheld. See KB05349 for details. This won't be an everyday problem, but I was just asked by RIM last week to provide them some logs. If content protection had been enabled I would not have been able to do it.

Doug

Last edited by d_fisher; 09-14-2009 at 09:30 AM.
#14
09-14-2009, 08:02 PM
Sith_Apprentice
Super Moderator
Join Date: Dec 2008
Posts: 1,056

We have content protection and I reset passwords daily (users are idiots). Soon I will not have to worry about this as we are going to entirely CAC logon, which is fantastic for me. I don't have to worry about resets.
#15
09-14-2009, 08:06 PM
devans
BES Administrator
Join Date: Feb 2009
Location: I come from a land down under where beer does flow and men chunder
Posts: 42

A workaround I discovered was to apply the blank 'Default' IT Policy to the handheld, disable Content Protection on the handheld, & then wipe the device. Reassign the correct IT Policy before reactivating.

P.S. A word of warning - a couple of years back when I was running a 4.0.6 BES & we decided to unlock Content Protection for all via the IT Policies, we had a major issue with at least half the fleet getting an App 205 error the next time the handheld was reset. Make sure the users disable Content Protection on the handheld straight away. Having to delete & recreate user accounts, & reload the device software on 200+ devices was not fun! Hopefully the same problem would not occur in a 4.1.6 or 5.0 environment with later device software.
#16
09-16-2009, 10:35 AM
AUTiger92
BES Expert
Join Date: Jan 2009
Location: Alabama
Posts: 82

Quote:
Originally Posted by Sith_Apprentice
We have content protection and I reset passwords daily (users are idiots). Soon I will not have to worry about this as we are going to entirely CAC logon, which is fantastic for me. I don't have to worry about resets.
Users aren't too happy when they find out they've locked their CAC pin and have to jump through some hoops to get it unlocked. (I almost feel bad for snickering)
AUTIGER92
Exchange\Blackberry Admin
4 - BES Servers (4.1.6), 3 Exchange Organizations,
~1800 BB Users, and a headache.
War Eagle!!
#17
09-18-2009, 01:11 PM
CanuckBB
BES Administrator
Join Date: Apr 2009
Location: YYZ
Posts: 17

Quote:
Originally Posted by d_fisher
Unfortunately, I no longer have a choice. Our security group has made it a requirement that content protection is enabled. They don't care what strength we use, just as long as it's enabled. Obviously, we are going to use the weakest (STRONG) and only go stronger if required at a later date.

Have you tried to explain the performance hits, and that unlike a laptop HDD, once a Berry is password protected, you can't get at the data without the password?