Security and support for your BlackBerry Enterprise service.
The BlackBerry solution is designed to allow users to securely send and receive email on the go.
Questions about data security and end-to-end information transfer between the BlackBerry Wireless Handheld™ and the BlackBerry Enterprise Server™ are the most crucial issues for a company to consider when investigating a wireless email solution. On this page, we've provided technical information covering security for TCP port 3101, encryption/decryption of data and the placement of the BlackBerry Enterprise Server™ within Microsoft Exchange and Lotus Domino environments.
The BlackBerry Enterprise Server™ maintains a persistent, direct TCP/IP connection to the wireless network across the Internet, passing through the corporate firewall on TCP port 3101. This allows smooth, continuous delivery of data to and from the handheld.
Because the connection is initiated outbound from the BlackBerry Enterprise Server™ to the wireless network, the firewall only needs to permit established traffic to return from the wireless network to the server; no rule allowing new inbound connections is required. The BlackBerry Enterprise Server™ runs as a service and accepts only data that it can decrypt using a valid encryption key; all other data arriving on this port is dropped.
The wireless network requires the BlackBerry Enterprise Server™ to authenticate by presenting a hash of its unique SRP ID and authentication key before any data can be transmitted. If the BlackBerry Enterprise Server™ fails to authenticate with the wireless network, no connection is allowed.
All traffic through TCP port 3101 is encrypted using 3DES (Triple DES). When this page was written, 3DES was the industry standard for data encryption and the cipher most often used to provide confidentiality for VPNs on the Internet. Note that NIST has since deprecated 3DES (SP 800-131A Rev. 2 disallows it for encryption after 2023), so treat the cipher choice described here as historical rather than as current guidance.
BlackBerry encryption uses symmetric key encryption. A copy of the randomly generated per-user key is kept in the user's hidden folder in their mailbox (on Exchange servers) or in the profiles database (on Lotus Domino servers), and on that user's assigned handheld. The user is prompted to regenerate the key every 30 days, when the device is cradled.
When an email is composed and sent from the handheld, it is 3DES-encrypted using the user's key before being sent over the air. When it reaches the BlackBerry Enterprise Server™ it is decrypted using the same key and passed on to the email platform for sending. The reverse applies when an email is sent to the handheld. The air interface is additionally encrypted with a GSM standard encryption protocol, but that link-layer encryption covers only the radio hop; the 3DES layer is what protects the message between handheld and BlackBerry Enterprise Server™.
The BlackBerry Enterprise Server™ acts as the conduit between the handhelds and the email platform. No message data or encryption keys are stored on the BlackBerry Enterprise Server™ itself; the key copies live in the user's mailbox store and on the handheld.
NOTE: By default, data is unencrypted between the BlackBerry Enterprise Server™ and the Exchange or Lotus Domino servers. To encrypt this leg for Exchange, use IPsec between the Exchange server and the BlackBerry Enterprise Server™; for Lotus Domino, configure the Domino server to encrypt its network traffic. Refer to your vendor's documentation for details.
Each BlackBerry Wireless Handheld™ is uniquely identified by a PIN. A PIN message is addressed directly to the recipient handheld's PIN instead of to an email address, so it bypasses the BlackBerry Enterprise Server™ and the email servers entirely.
In the PIN messaging model, all handhelds share a common encryption key that is loaded during manufacturing. Because the same key is present on every device, it cannot be considered secret. Although a PIN message is 3DES-encrypted, the key needed to decrypt it is available to anyone with a BlackBerry handheld, so a PIN message should be treated as unprotected in transit between the source and destination handhelds.
Depending on the version of BlackBerry Enterprise Server™ and handheld software in use, PIN-to-PIN messaging can be disabled using IT Policy Manager.
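To make the two key models concrete, here is an added example, not code from this page or from BlackBerry, written in Go. It encrypts messages with 3DES-CBC under a per-user key, as in the email path described earlier, and under a single key shared by every device, as in the PIN model. It assumes 24-byte 3DES keys; FactoryPINKey is a constructed placeholder value, and the HMAC-SHA256 tag is this example's own addition, since the page does not say how the server recognises data it cannot decrypt under a valid key. The 30-day regeneration check follows the lifetime the page states.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"time"
)

// NewUserKey draws a fresh random 24-byte 3DES key (three 8-byte DES subkeys) for one user;
// copies of it live on the handheld and in the user's mailbox store, never on the BES.
func NewUserKey() ([]byte, error) {
	k := make([]byte, 24)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// KeyDue reports whether a key generated at 'generated' is due for regeneration at 'now':
// the page says the user is prompted to regenerate it every 30 days.
func KeyDue(generated, now time.Time) bool {
	return now.Sub(generated) >= 30*24*time.Hour
}

// FactoryPINKey stands in for the common key loaded into every handheld at manufacture
// (constructed placeholder bytes; the real value is not on the page).
var FactoryPINKey = []byte("0123456789abcdef01234567")

// ErrReject: the page says the BES drops data it cannot decrypt under a valid key.
var ErrReject = errors.New("drop: not encrypted under a valid key for this user")

// macKey derives a separate HMAC key so the 3DES key itself is not reused for the MAC.
func macKey(key []byte) []byte {
	k := sha256.Sum256(append([]byte("mac:"), key...))
	return k[:]
}

// Seal: 3DES-CBC under key, output iv(8) || ciphertext || HMAC-SHA256 tag(32). The MAC is this
// example's addition; without it a wrong key would yield garbage instead of a clean reject.
func Seal(key, msg []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize) // random IV
	if _, err := io.ReadFull(rand.Reader, out); err != nil {
		return nil, err
	}
	n := des.BlockSize - len(msg)%des.BlockSize // PKCS#7 padding to 8-byte blocks
	padded := append(append([]byte(nil), msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag first, so anything sealed under another key is rejected, then decrypts.
func Open(key, blob []byte) ([]byte, error) {
	if len(blob) < des.BlockSize+sha256.Size {
		return nil, ErrReject
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrReject
	}
	iv, ct := body[:des.BlockSize], body[des.BlockSize:]
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, ErrReject
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize {
		return nil, ErrReject
	}
	return pt[:len(pt)-n], nil
}

func main() {
	alice, _ := NewUserKey()
	bob, _ := NewUserKey()
	blob, _ := Seal(alice, []byte("Q3 numbers attached")) // email path: per-user key
	pt, _ := Open(alice, blob)
	_, err := Open(bob, blob)
	fmt.Printf("BES with Alice's key: %q; with Bob's key: %v\n", pt, err)
	pin, _ := Seal(FactoryPINKey, []byte("meet at 5")) // PIN path: one key on every handheld
	eve, _ := Open(FactoryPINKey, pin)                  // a handheld that was never addressed
	fmt.Printf("uninvolved handheld reads PIN message: %q\n", eve)
	fmt.Println("31-day-old key due for regeneration:", KeyDue(time.Now().AddDate(0, 0, -31), time.Now()))
}
```

Run it and the Open call with Bob's key fails with ErrReject, while the PIN message, sealed under the shared factory key, opens on a handheld that was never addressed. The cipher is identical in both paths; the difference in protection is entirely the secrecy of the key.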
The BlackBerry Enterprise Server™ should, wherever possible, be placed on the same subnet as the email platform; failure to do so can result in unreliable message delivery.
Placing the BlackBerry Enterprise Server™ in a DMZ is neither recommended nor supported, because of the number of firewall changes such a configuration requires. It also serves no purpose: all connectivity to and from the BlackBerry Enterprise Server™ is outbound-initiated, so no inbound connection ever needs to reach it.
The BlackBerry solution is designed to interoperate with the Microsoft Exchange Server and does not alter normal Exchange functionality in any way. The Microsoft Exchange Server continues to send, receive, deliver and store email messages, while the BlackBerry Enterprise Server™ acts as a conduit to transfer messages to and from the handheld. No mail is stored on the BlackBerry Enterprise Server™.
The BlackBerry Enterprise Server™ uses existing Microsoft Exchange Server security by creating hidden folders in the Exchange mailboxes to store important BlackBerry user-related information. The BlackBerry administration account (normally BES_ADMIN) must therefore have a mailbox enabled.
This mailbox holds the server's administrative information, including the SRP ID and authentication key that identify the BlackBerry Enterprise Server™ to the wireless network.
Note: A hash of the SRP ID and authentication key is created and used to authenticate the BlackBerry Enterprise Server™ on the wireless network.
In addition to the BlackBerry administration mailbox, the Exchange mailboxes of BlackBerry users are used to store individual BlackBerry information. Each user's mailbox contains the following:
- Handheld PIN
- User's encryption key
- Link to the user's BlackBerry state database
- Other information to manage the flow of messages to and from the user's handheld
After communication with the Microsoft Exchange Server is established, the BlackBerry Enterprise Server™ instructs the Microsoft Exchange Server to monitor BlackBerry user mailboxes for new mail items. When a BlackBerry user receives a new message in their inbox, the Microsoft Exchange Server notifies the BlackBerry Enterprise Server™ in the same way that it notifies Microsoft Outlook, through the Messaging Application Programming Interface (MAPI). The BlackBerry Enterprise Server™ retrieves a text copy of the message and compares it against the IT-defined and user-defined filters. If the message meets the criteria for delivery, it is compressed, encrypted and sent to the handheld.
The BlackBerry Enterprise Server™ does not duplicate or change messages stored on the Microsoft Exchange Server; it simply forwards them from the BlackBerry user's inbox. When it receives a message from the handheld, the BlackBerry Enterprise Server™ decrypts and decompresses it using the sender's unique key and places it in the user's outbox for delivery by the Microsoft Exchange Server.
The BlackBerry solution is designed to operate with the Lotus Domino Server and does not alter normal Domino functionality in any way. The Lotus Domino Server continues to receive, deliver and store all email messages, while the BlackBerry Enterprise Server™ acts as a conduit to transfer messages to and from the handheld. No mail is stored on the BlackBerry Enterprise Server™.
The BlackBerry Enterprise Server™ uses existing Lotus Domino Server security by storing important BlackBerry information in Lotus Domino databases. That information therefore stays within the trusted Lotus Domino environment, and access to each database is controlled by its Lotus Domino Access Control List (ACL). Fields that require additional protection are also encrypted within the database.
The BlackBerry Enterprise Server™ and the Lotus Domino Server communicate using the same Remote Procedure Call (RPC) mechanism used by Lotus Notes clients. Lotus Notes RPC enables seamless communication between the BlackBerry Enterprise Server™, the BlackBerry-related Lotus Domino databases and the Lotus Domino Server, and allows the BlackBerry Enterprise Server™ to monitor many user mailboxes for new mail. The BlackBerry Enterprise Server™ recognises new messages by polling over Lotus Notes RPC.
The BlackBerry Enterprise Server™ must be installed in the same Lotus Notes Named Network and Lotus Domino Domain as the Lotus Domino mail servers it will support. Upon installation, three BlackBerry-specific Lotus Domino database types are created and used for sending and receiving messages.
The Mobile Data Service is an integrated feature of the BlackBerry Enterprise Server™ that provides HTTP connectivity between the wireless network and the enterprise intranet or the Internet. Essentially, the Mobile Data Service offers services for connecting handhelds to corporate data, applications and content.
Communication between the handheld and the corporate network is encrypted with 3DES and utilises TCP port 3101. For HTTP traffic, SSL or TLS can additionally be used for extra protection.
The handheld supports HTTPS in one of two modes, depending on corporate security requirements: proxy mode, in which the SSL/TLS session is terminated at the BlackBerry Enterprise Server™ on the handheld's behalf and the content reaches the handheld under the 3DES layer; and handheld direct mode, in which the SSL/TLS session runs end to end between the handheld and the destination server.
Which option a network uses depends on how far the intermediate points in the connection are trusted. In proxy mode the user gets faster response times, but the corporate IT administrator, who controls the server terminating SSL/TLS, must be trusted with the data. Handheld direct mode SSL/TLS is appropriate when only the two endpoints of the transaction are trusted (e.g. banking services).
Note: Handheld direct mode SSL is only supported for third party applications running on BlackBerry Wireless Handheld™ version 3.6 and later.
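The practical difference between the two modes is what the intermediary can read. The following added Go example is not BlackBerry code: it models the Mobile Data Service host as a local HTTP proxy, uses an in-process TLS origin server returning a constructed response body, fetches the same HTTPS resource both ways, and records every byte the intermediary sees. In proxy mode the intermediary is the TLS client toward the server and handles the decrypted response; in direct mode it only relays a CONNECT tunnel and sees TLS records.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// Observer records every byte an intermediary (the BES/Mobile Data Service host) gets to see.
type Observer struct {
	mu   sync.Mutex
	seen bytes.Buffer
}

func (o *Observer) Write(p []byte) (int, error) {
	o.mu.Lock()
	defer o.mu.Unlock()
	return o.seen.Write(p)
}

// Saw reports whether the byte string s passed through the intermediary.
func (o *Observer) Saw(s string) bool {
	o.mu.Lock()
	defer o.mu.Unlock()
	return bytes.Contains(o.seen.Bytes(), []byte(s))
}

// ProxyModeFetch models proxy-mode SSL: the intermediary is the TLS client toward the server,
// so the response reaches it decrypted before being re-protected toward the handheld.
func ProxyModeFetch(client *http.Client, rawURL string, obs *Observer) (string, error) {
	resp, err := client.Get(rawURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.TeeReader(resp.Body, obs)) // plaintext is available here
	return string(body), err
}

// NewTunnelProxy models handheld-direct mode: the intermediary accepts CONNECT and shovels
// bytes, so what it observes is the TLS record stream, never the application data.
func NewTunnelProxy(obs *Observer) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodConnect {
			http.Error(w, "CONNECT only", http.StatusMethodNotAllowed)
			return
		}
		dst, err := net.Dial("tcp", r.Host)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		src, _, err := w.(http.Hijacker).Hijack()
		if err != nil {
			dst.Close()
			return
		}
		src.Write([]byte("HTTP/1.1 200 Connection Established\r\n\r\n"))
		go func() {
			io.Copy(dst, io.TeeReader(src, obs)) // handheld -> server, observed
			dst.Close()
		}()
		io.Copy(io.MultiWriter(src, obs), dst) // server -> handheld, observed
		src.Close()
	}))
}

// DirectModeFetch sends the request through the CONNECT tunnel; TLS terminates at the server.
func DirectModeFetch(base *http.Client, proxy *url.URL, rawURL string) (string, error) {
	tr := base.Transport.(*http.Transport).Clone()
	tr.Proxy = http.ProxyURL(proxy)
	tr.DisableKeepAlives = true // close the tunnel after one exchange so the proxy handler returns
	resp, err := (&http.Client{Transport: tr}).Get(rawURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	const secret = "balance=12345" // constructed sample response body
	origin := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, secret) }))
	defer origin.Close()
	pObs, tObs := &Observer{}, &Observer{}
	body, _ := ProxyModeFetch(origin.Client(), origin.URL, pObs)
	fmt.Printf("proxy mode:  body=%q, intermediary saw plaintext: %v\n", body, pObs.Saw(secret))
	tunnel := NewTunnelProxy(tObs)
	defer tunnel.Close()
	body, _ = DirectModeFetch(origin.Client(), &url.URL{Scheme: "http", Host: tunnel.Listener.Addr().String()}, origin.URL)
	fmt.Printf("direct mode: body=%q, intermediary saw plaintext: %v\n", body, tObs.Saw(secret))
}
```

Both fetches return the same body, but only the proxy-mode observer contains the plaintext; the tunnel observer holds TLS records (a handshake record begins with bytes 0x16 0x03). That is exactly the trust decision the page describes: proxy mode requires trusting whoever operates the terminating server, direct mode does not.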