Recommendation on the use of Triple DES or AES for BlackBerry transport layer encryption

Article ID: KB05429

Type: Support Content

Last Modified: 10-25-2011

 

Product(s) Affected:

  • BlackBerry® Enterprise Server for IBM® Lotus® Domino®
  • BlackBerry® Enterprise Server for Microsoft® Exchange
  • BlackBerry® Enterprise Server for Novell® GroupWise®
Overview

The BlackBerry® Enterprise Solution uses symmetric key cryptography to encrypt and decrypt data sent between the BlackBerry Enterprise Server and the BlackBerry smartphone.

BlackBerry Enterprise Server 4.0 to 5.0 for Microsoft® Exchange and IBM® Lotus® Domino® allow system administrators to set either Triple Data Encryption Standard (Triple DES), Advanced Encryption Standard (AES), or both Triple DES and AES for use with BlackBerry transport layer encryption. Triple DES and AES are industry standard encryption algorithms. The BlackBerry Enterprise Solution uses Triple DES (112-bit keys) or AES (256-bit keys) to encrypt and decrypt the data sent between the BlackBerry Enterprise Server and the BlackBerry smartphone.

Note: All versions of the BlackBerry Enterprise Server for Novell® GroupWise® support AES encryption only. The IBM Lotus Domino server and the Microsoft Exchange Server perform all message storage and specific user data storage in their environments. In the Novell GroupWise server environment, the Post Office Agent stores messages and user data. See the BlackBerry Enterprise Solution Security Technical Overview for more information.


Recommendation

Research In Motion recommends setting the BlackBerry Enterprise Server to use AES transport layer encryption for all communication with BlackBerry smartphones.

AES was created through a competition to design an algorithm with a better combination of security and performance than Triple DES. It is recognized throughout much of the security industry as the successor to Triple DES, and is also currently approved by the United States Committee on National Security Systems (CNSS) for protecting top secret government information. For more information, see the CNSS web site.

There are currently no publicized cryptanalytic attacks, other than brute-force, against systems protected by AES. A brute-force attack against an AES-256 system is nearly impossible with current technology. Even with a network of 100 billion computers each running continuously at 100 GHz, it would take over 10^47 years to break a single AES-256 key by brute force.


Selecting an encryption type on the BlackBerry Enterprise Server

A system administrator with appropriate database permissions can select an encryption type in the BlackBerry Manager to specify the algorithm(s) that encrypt and decrypt all data communication between the BlackBerry Enterprise Server and all BlackBerry smartphones on the BlackBerry Enterprise Server.

Encryption algorithm: Triple DES
  • Default encryption method on BlackBerry Enterprise Server 4.0 to 5.0 for Microsoft Exchange and IBM Lotus Domino
  • Allows use of the Triple DES algorithm

Encryption algorithm: AES
  • Default encryption method on the BlackBerry Enterprise Server 4.0 to 4.1 for Novell GroupWise
  • Enables use of the AES algorithm

Encryption algorithm: Triple DES and AES
  • Allows use of both the Triple DES and the AES algorithm
  • Provides Triple DES encryption on BlackBerry smartphones that do not support AES (BlackBerry smartphones running versions earlier than BlackBerry® Device Software 4.0, BlackBerry® Connect™ devices, and BlackBerry® Built-In™ devices)
  • Provides AES encryption by default on BlackBerry smartphones that support AES


Checking the encryption type on a BlackBerry smartphone

BlackBerry smartphone users can perform the following steps to verify the type of encryption used to protect the data in transit between their BlackBerry smartphones and the BlackBerry Enterprise Server:

  1. On the BlackBerry smartphone Home screen, click Options.
  2. Click Security or Security Options.
  3. Click General Settings.
  4. Scroll to the bottom of the screen. Under Services, the BlackBerry service specifies the type of encryption used (such as AES or 3DES).

Note: 3DES represents Triple DES encryption.


Software requirements for BlackBerry encryption algorithms


Encryption algorithm   BlackBerry Enterprise Server   BlackBerry Device Software   BlackBerry® Desktop Software
Triple DES             Any version                    Any version                  Any version
AES                    4.0 to 5.0                     4.0 to 6.0                   4.0 to 6.0




Environment

  • BlackBerry® Enterprise Server 4.0 to 5.0
  • BlackBerry smartphones


Additional Information

In the BlackBerry Enterprise Server debug logs, event [30223] contains the settings for each BlackBerry smartphone user:

    [30223] (11/28 01:50:57):{0x1548} {Grant,IC,Ian,JUCT R} User settings: id=1BAE, email=ian.c.grant@testbes.rim.net.com, device=12345678, routing=S1234567, agent=004, ext=1, keys=(3:3:0)

The 'keys' field identifies the encryption algorithm used for the current, previous, and pending encryption keys (in that order). Each position takes one of the following values:

  • 3 for Triple Data Encryption Standard (Triple DES)
  • A for Advanced Encryption Standard (AES)
  • U for Unknown encryption
  • 0 for Pending

In the example above, both the current and previous encryption keys are Triple DES, and the third key is in the Pending state.
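An added example (not part of this article or of the BlackBerry Enterprise Server software) showing how an administrator could scan the debug log for event [30223], decode the 'keys' field as described above, and list users whose current transport key is still not AES. The log lines below are constructed samples in the format shown above; the second user and the unrelated [30000] event are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines in the [30223] "User settings" format shown on this page.
# The second user, her addresses and ids, and the [30000] line are made-up placeholders.
SAMPLE_LOG = """\
[30223] (11/28 01:50:57):{0x1548} {Grant,IC,Ian,JUCT R} User settings: id=1BAE, email=ian.c.grant@testbes.rim.net.com, device=12345678, routing=S1234567, agent=004, ext=1, keys=(3:3:0)
[30223] (11/28 01:51:02):{0x1548} {Doe,J,Jane,EXAMPLE} User settings: id=1BAF, email=jane.doe@example.invalid, device=87654321, routing=S7654321, agent=004, ext=1, keys=(A:3:0)
[30000] (11/28 01:51:03):{0x1548} Unrelated event that must be ignored
"""

# Key-state codes as documented for the 'keys' field: current:previous:pending.
KEY_CODES = {"3": "Triple DES", "A": "AES", "U": "Unknown", "0": "Pending"}

# Matches only event [30223] and captures the user id, e-mail and the three key codes.
EVENT_RE = re.compile(
    r"^\[30223\] .*? User settings: id=(?P<id>[0-9A-Fa-f]+), email=(?P<email>\S+?),"
    r" .*?keys=\((?P<cur>[3AU0]):(?P<prev>[3AU0]):(?P<pend>[3AU0])\)"
)

@dataclass
class UserKeys:
    user_id: str
    email: str
    current: str
    previous: str
    pending: str

def parse_event(line: str) -> Optional[UserKeys]:
    """Parse one debug-log line; return None for lines that are not event [30223]."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return UserKeys(m["id"], m["email"], KEY_CODES[m["cur"]],
                    KEY_CODES[m["prev"]], KEY_CODES[m["pend"]])

def users_not_on_aes(log_text: str) -> list[str]:
    """Hypothetical compliance check: e-mails of users whose current key is not AES."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_event(line)
        if rec is not None and rec.current != "AES":
            flagged.append(rec.email)
    return flagged

if __name__ == "__main__":
    for email in users_not_on_aes(SAMPLE_LOG):
        print(f"{email}: current transport key is not AES")
```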

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.