
Wireless Data Security

End-to-end Encryption

The BlackBerry Enterprise Solution offers two transport encryption options, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES)*, for all data transmitted between BlackBerry Enterprise Server and BlackBerry smartphones. Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Each secret key is stored only in the user's secure enterprise account (i.e., Microsoft Exchange, IBM Lotus Domino or Novell GroupWise) and on their BlackBerry smartphone and can be regenerated wirelessly by the user. Data sent to the BlackBerry smartphone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the smartphone where it is decrypted with the key stored there. Data remains encrypted in transit and is never decrypted outside of the corporate firewall.

HTTPS Secure Data Access

BlackBerry MDS Services act as a secure gateway between the wireless network and corporate intranets and the Internet. They leverage the BlackBerry AES or Triple DES* encryption transport and also enable HTTPS connections to application servers. BlackBerry smartphones support HTTPS communication in one of two modes, depending on corporate security requirements:

Proxy Mode: An SSL/TLS connection is created between BlackBerry Enterprise Server and the application server on behalf of BlackBerry smartphones. Data from the application server is then AES or Triple DES* encrypted and sent over the wireless network to BlackBerry smartphones.

End-to-End Mode: Data is encrypted over SSL/TLS for the entire connection between BlackBerry smartphones and the application server, making End-to-End Mode connections most appropriate for applications where only the transaction end-points are trusted.

- Strong two-factor authentication to protected services.
- Provision applications and software tokens through the BlackBerry Enterprise Server.
- Support for Dynamic Seed Provisioning (CT-KIP).
- Back up and restore software tokens to/from the BlackBerry Enterprise Server.
- BlackBerry Enterprise Server IT Policies to centrally manage application policies.
- Local language support for English, Spanish, Italian, French, German, and Japanese.
- Support for software tokens that emulate the authentication experience of users with RSA hardware fobs.

Security Protocols used by BlackBerry.


Network Authentication

BlackBerry MDS supports the NTLM (NT LAN Manager) and Kerberos network authentication protocols.

NTLM is supported for Microsoft Windows NT Server 4.0 and Microsoft Windows 2000 in single-domain and multiple-domain configurations. NTLM uses a challenge-response mechanism for authentication, in which users are able to prove their identities without sending a password to the server.

Kerberos is an authentication system developed at the Massachusetts Institute of Technology (MIT). It is supported for Windows 2000 in single-domain and multiple-domain configurations. Kerberos enables two parties to exchange private information across an open network. It works by assigning a unique key (called a ticket) to each user that logs on to the network. The ticket is then embedded in messages to identify the sender of the message.

Lightweight Third-Party Authentication (LTPA) cookies are used for IBM Lotus Domino and IBM WebSphere servers. Internet users can log in to an IBM Lotus Domino or WebSphere server and access any other Domino or WebSphere server in the same domain name system (DNS) that is enabled for Single Sign-On (SSO).

Proxy Authentication
BlackBerry MDS has automatic proxy authentication. The user name and password to log in to the proxy server are stored to avoid authenticating for each request. This reduces the number of requests to access a page from the BlackBerry device. The default setting is for proxy authentication on the device. The user enters credentials on the device in either <user_name>@<domain> and <password> format, or <domain\user_name> and <password> format. Proxy authentication is a more secure option.

Proxies can be dynamically configured for a given URL if the following conditions are met:

- The Proxy Auto-Configuration (PAC) file is hosted on a web server that is accessible via direct connection to the BlackBerry Enterprise Server.
- The BlackBerry Enterprise Server with BlackBerry MDS 4.1 must be running on a computer with Windows 2000 Server Service Pack 4 installed.

The Role of RSA SecurID Authentication.


Organizations can further enhance the security of BlackBerry devices by integrating the BlackBerry Enterprise Solution with solutions from RSA Security. RSA Security's products help organizations protect private information and manage the identities of people, devices and applications accessing and exchanging that information. RSA SecurID two-factor authentication is based on something you know and something you have, providing a much more reliable level of user authentication than reusable passwords. It is the only solution that automatically changes user passwords every 60 seconds. RSA SecurID authentication has been on the market for over 15 years, with no reported security breaches. RSA SecurID authentication tokens provide hacker-resistant two-factor authentication, resulting in easy-to-use and effective user identification. Based on RSA Security's patented time synchronization technology, authentication tokens generate a simple, one-time authentication code that changes every 60 seconds. To access resources protected by the RSA SecurID system, users simply combine their secret Personal Identification Numbers (PINs), something they alone know, with the token codes generated by their authenticators, something they carry. The result is a unique, one-time-use passcode that is used to positively identify, or authenticate, the user. If the code is validated by the RSA SecurID system, the user is granted access to the protected resource. If it is not recognized, the user is denied access. Organizations worldwide already rely on RSA SecurID solutions for two-factor authentication from their desktop or from a remote PC. RSA Security offers hardware tokens that can fit in a wallet or are small enough to attach to a keychain.
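
The PIN-plus-token-code check described above can be sketched as follows. This is an added example, not RSA or RIM code: the SecurID algorithm is proprietary, so an HMAC-SHA1 time-step code in the style of RFC 4226/6238 stands in for it, and the names token_code and Validator, the 6-digit length, the one-step drift window and the sample user are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each token code stays valid, as stated on the page
DIGITS = 6   # assumed code length

def token_code(seed: bytes, now: float) -> str:
    """Time-step code via HMAC-SHA1 truncation (RFC 4226/6238 style)."""
    counter = int(now // STEP)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

class Validator:
    """Server side: PIN + token code, bounded clock drift, no code reuse."""

    def __init__(self, users, drift_steps=1):
        self.users = users            # user -> (pin, seed); constructed sample data
        self.drift_steps = drift_steps
        self.last_step = {}           # user -> newest time step already accepted

    def authenticate(self, user: str, passcode: str, now: float) -> bool:
        if user not in self.users:
            return False
        pin, seed = self.users[user]
        current = int(now // STEP)
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            expected = (pin + token_code(seed, step * STEP)).encode()
            if hmac.compare_digest(expected, passcode.encode()):
                # A code from a step that was already accepted is a replay.
                if step <= self.last_step.get(user, -1):
                    return False
                self.last_step[user] = step
                return True
        return False

if __name__ == "__main__":
    seed = b"12345678901234567890"    # constructed seed (RFC 4226 test key)
    server = Validator({"alice": ("4821", seed)})
    passcode = "4821" + token_code(seed, 65)   # shown on the handheld at t=65
    print(server.authenticate("alice", passcode, 70))   # first use
    print(server.authenticate("alice", passcode, 75))   # same passcode again
```

The drift window is what makes a time-synchronous scheme usable when the handheld clock and the server clock disagree slightly, and the per-user last_step record is what makes each passcode one-time-use. A production server would store a PIN verifier rather than the PIN itself.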

Integrating RSA SecurID Two Factor Authentication with Blackberry Solutions.


Software authentication tokens offer users a major convenience by merging RSA SecurID authentication technology onto a user's BlackBerry device. This approach allows the user to benefit from two-factor authentication without the need to carry a separate hardware authenticator, and it provides major advantages to the enterprise.

Companies that have already deployed BlackBerry devices can add two-factor authentication to augment security. Organizations that have already implemented two-factor authentication can extend their solutions to support mobile users. They can leverage their existing RSA SecurID infrastructure to allow mobile users access to applications via their BlackBerry devices.

Companies evaluating mobile security options can deploy a joint solution from RIM and RSA Security to protect information and access while providing access to critical enterprise information.

Remote Access via Two-Factor Authentication.

Employees can avoid the need to carry a standalone hardware token to authenticate to the corporate network while on the road or working from home. For example, a user could rely on the software token in a BlackBerry device to gain remote access via two-factor authentication for a PC accessing enterprise applications. Users can enter something they know (their PINs) and something they have (the constantly changing token codes on their BlackBerry devices). This allows users to easily gain remote access without the need to carry a hardware token. It allows the enterprise to reduce the costs of managing, distributing and maintaining tokens, and it also allows the enterprise to protect information and applications from access by unauthorized users.

Users can rely on a BlackBerry device with a two-factor authentication token to gain secure mobile access to intranet applications. Mobile users enter their PINs and the constantly changing codes on their BlackBerry devices to gain time-synchronous access to applications. RSA Authentication Manager authenticates legitimate users, and they gain secure mobile access to the information they need to do their jobs.