BLACKBERRY 10 OS
SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG)
OVERVIEW
Version 1, Release 2
25 October 2013
Developed by BlackBerry Ltd. in coordination with DISA for the DoD
UNCLASSIFIED
UNCLASSIFIED BlackBerry 10 OS Overview, V1R2 DISA Field Security Operations
25 October 2013 Developed by BlackBerry Ltd. in coordination with DISA for the DoD
ii
UNCLASSIFIED
Trademark Information
Names, products, and services referenced within this document may be the trade names,
trademarks, or service marks of their respective owners. References to commercial vendors and
their products or services are provided strictly as a convenience to our users, and do not
constitute or imply endorsement by DISA FSO or any non-Federal entity, event, product,
service, or enterprise.
TABLE OF CONTENTS

1. INTRODUCTION
1.1 Background
1.2 Authority
1.3 Scope
1.4 Vulnerability Severity Category Code Definitions
1.5 SRG Compliance Reporting
1.6 SRG and STIG Distribution
1.7 Document Revisions
2. BLACKBERRY 10 OS COMPLIANCE REQUIREMENTS
2.1 Mobility Policy STIG and CMD Policy STIG
2.2 BlackBerry Device Service
2.3 BlackBerry Balance
2.4 BlackBerry Bridge
2.5 BlackBerry Smart Card Reader
3. BLACKBERRY 10 DEVICE SECURITY INFORMATION
3.1 BlackBerry Architecture
3.2 Access Control
3.2.1 Password Lock for Device and Work Space
3.2.2 Mandatory Access Control
3.3 Configuration Management
3.3.1 IT Policy
3.3.2 Over-the-air Provisioning
3.3.3 Software Configurations
3.3.4 Profiles
3.4 Identification and Authentication
3.4.1 Password
3.4.2 Certificates
3.5 Media Protection
3.6 System and Services Acquisition
3.7 System and Communications Protection
3.7.1 Cryptographic Support
3.7.1.1 Public Key Cryptography
3.7.2 System Protection
3.7.2.1 Protection of Work and Personal Data
3.7.2.2 Permissions and Access Rights
3.7.3 Communications Protection
3.7.3.1 Wi-Fi
3.7.3.2 VPN
3.7.3.3 Bluetooth
3.7.3.4 Proxy
3.8 System and Information Integrity
APPENDIX A: ACRONYMS

LIST OF TABLES

Table 1-1: Vulnerability Severity Category Code Definitions
Table 3-1: BlackBerry Device Service Components

LIST OF FIGURES

Figure 3-1: BlackBerry Device Service Architecture
1. INTRODUCTION
1.1 Background
The BlackBerry 10 OS Security Technical Implementation Guide (STIG) provides the technical
security policies, configuration requirements, and implementation details for the use of the
BlackBerry 10 OS under the management of a securely configured BlackBerry Device Service
(BDS) server. Guidance for the Mobile Device Management (MDM) component resides in the
BlackBerry Enterprise Service 10.1.x BlackBerry Device Service STIG.
1.2 Authority
DoD Directive (DoDD) 8500.1 requires that “all IA and IA-enabled IT products incorporated
into DoD information systems shall be configured in accordance with DoD-approved security
configuration guidelines” and tasks Defense Information Systems Agency (DISA) to “develop
and provide security configuration guidance for IA and IA-enabled IT products in coordination
with Director, NSA.” This document is provided under the authority of DoDD 8500.1.
Although SRGs and STIGs implement an applicable subset of IA controls for specific types of
systems, all applicable IA controls must be applied to information systems. The current DoD IA
controls are specified in DoDI 8500.2. Draft DoDI 8500.02aa states that “All DoD ISs and
platform IT systems, including non-National Security System (NSS), shall be categorized in
accordance with CNSSI 1253, and implement a corresponding set of security controls that are
published in National Institute of Standards and Technology (NIST) Special Publication (SP)
800-53.” SRGs and derived STIGs are based on NIST SP 800-53.
1.3 Scope
This document is a requirement for all DoD-administered systems and all systems connected to
DoD networks. These requirements are designed to assist Security Managers (SMs), Information
Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System
Administrators (SAs) with configuring and maintaining security controls. This guidance supports
DoD system design, development, implementation, certification, and accreditation efforts.
1.4 Vulnerability Severity Category Code Definitions
Severity Category Codes (referred to as CAT) are a measure of vulnerabilities used to assess a
facility or system security posture. Each security policy specified in this document is assigned a
Severity Code of CAT I, II, or III.
Table 1-1: Vulnerability Severity Category Code Definitions

CAT I
DISA Category Code Guideline: Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
Examples (includes but is not limited to the following examples of direct and immediate loss):
1. May result in loss of life, loss of facilities, or equipment, which would result in mission failure.
2. Allows unauthorized access to security or administrator level resources or privileges.
3. Allows unauthorized disclosure of, or access to, classified data or materials.
4. Allows unauthorized access to classified facilities.
5. Allows denial of service or denial of access, which will result in mission failure.
6. Prevents auditing or monitoring of cyber or physical environments.
7. Operation of a system/capability which has not been approved by the appropriate Designated Accrediting Authority (DAA).
8. Unsupported software where there is no documented acceptance of DAA risk.

CAT II
DISA Category Code Guideline: Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
Examples (includes but is not limited to the following examples that have a potential to result in loss):
1. Allows access to information that could lead to a CAT I vulnerability.
2. Could result in personal injury, damage to facilities, or equipment which would degrade the mission.
3. Allows unauthorized access to user or application level system resources.
4. Could result in the loss or compromise of sensitive information.
5. Allows unauthorized access to Government or Contractor owned or leased facilities.
6. May result in the disruption of system or network resources degrading the ability to perform the mission.
7. Prevents a timely recovery from an attack or system outage.
8. Provides unauthorized disclosure of or access to unclassified sensitive, Personally Identifiable Information (PII), or other data or materials.

CAT III
DISA Category Code Guideline: Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
Examples (includes but is not limited to the following examples that provide information which could potentially result in degradation of system information assurance measures or loss of data):
1. Allows access to information that could lead to a CAT II vulnerability.
2. Has the potential to affect the accuracy or reliability of data pertaining to personnel, resources, operations, or other sensitive information.
3. Allows the running of any applications, services or protocols that do not support mission functions.
4. Degrades a defense in depth systems security architecture.
5. Degrades the timely recovery from an attack or system outage.
6. Indicates inadequate security administration.
7. System not documented in the site's C&A Package/System Security Plan (SSP).
8. Lack of document retention by the Information Assurance Manager (IAM) (i.e., completed user agreement forms).
1.5 SRG Compliance Reporting
All technical NIST SP 800-53 requirements were considered while developing this STIG.
Requirements that are applicable and configurable are included in this STIG. A compliance
report marked For Official Use Only (FOUO) is available for those items that did not meet
requirements. This report is available to component DAA personnel for risk assessment purposes
by request via email to [email protected].
1.6 SRG and STIG Distribution
Parties within the DoD and Federal Government's computing environments can obtain the
applicable SRGs and STIGs from the Information Assurance Support Environment (IASE)
website. This site contains the latest copies of any SRG, as well as STIGs, scripts, and other
related security information. The Non-classified Internet Protocol Router Network (NIPRNet)
Uniform Resource Locator (URL) for the IASE website is http://iase.disa.mil/.
1.7 Document Revisions
Comments or proposed revisions to this document should be sent via email to
[email protected]. DISA Field Security
Operations (FSO) will coordinate all change requests with the relevant DoD organizations before
inclusion in this document. Approved changes will be made in accordance with the DISA FSO
maintenance release schedule.
2. BLACKBERRY 10 OS COMPLIANCE REQUIREMENTS
2.1 Mobility Policy STIG and CMD Policy STIG
General mobility policy requirements are listed in the Mobility Policy STIG and are applicable to
all mobile systems used in the DoD. Commercial Mobile Device (CMD) policy requirements are
listed in the CMD Policy STIG and are applicable to all CMDs used in the DoD. Both STIGs can
be downloaded from http://iase.disa.mil/stigs/net_perimeter/wireless/wireless_pol.html.
2.2 BlackBerry Device Service
The BlackBerry Device Service component of BlackBerry Enterprise Service 10 is the Mobile Device
Management (MDM) component used for enterprise mobility management of BlackBerry 10 OS devices.
BDS allows enterprise security administrators to enforce security policy (e.g., password usage
and rules), publish enterprise profiles (e.g., Wi-Fi, VPN), and manage BlackBerry 10 devices
(e.g., change the work password and wipe the work space). Under management of BDS, all
enterprise data traffic is routed through the enterprise, applying enterprise network controls and
traceability. The BlackBerry 10 OS STIG covers the use of BlackBerry 10 devices only when
activated with the BDS. BlackBerry 10 devices used in DoD must be activated on, and managed
by, the BDS.
2.3 BlackBerry Balance
BlackBerry 10 OS is designed to allow users to use BlackBerry 10 devices for both work and
personal use. BlackBerry Balance technology distinguishes and separates work and personal data
on the device. DoD data is stored and processed in the work space only while device users
manage their personal data in the personal space. The DISA SRG requirements apply only to the
work space protecting DoD information, and the BlackBerry 10 OS STIG contains guidance for
securing the work space, unless otherwise specified within this document.
2.4 BlackBerry Bridge
BlackBerry Bridge allows users to pair a BlackBerry smartphone and BlackBerry PlayBook
tablet. When paired, users are able to use the BlackBerry PlayBook to access the Internet using
the BlackBerry smartphone’s connection, control the BlackBerry PlayBook tablet remotely using
the BlackBerry smartphone, and share files and data between the devices.
A tablet and a smartphone perform Bluetooth pairing and BlackBerry Bridge pairing processes to
open an encrypted and authenticated connection, utilizing ECDH and AES-256. All data
transferred from the smartphone to the tablet is stored temporarily and protected using XTS-
AES-256. The data from the BlackBerry smartphone remains separated between personal and
work spaces using BlackBerry Balance technology and is deleted when the Bridge connection is
terminated.
2.5 BlackBerry Smart Card Reader
The BlackBerry Smart Card Reader (SCR) allows users to access hardware-based tokens
embedded in the DoD Common Access Card (CAC). BlackBerry 10 devices are only compatible
with BlackBerry Smart Card Readers running SCR version 2 (SCRv2), so the BlackBerry 10
smartphone must be paired with an SCRv2 to correctly integrate with the CAC. For a BlackBerry
SCR running an unsupported software version, an update package is available from the
BlackBerry Support website. Support for the SCR is available by default in BlackBerry 10 OS
version 10.2. For devices running BlackBerry 10 OS version 10.1, however, the Smart Card
Services application must be downloaded from the support website and included in a software
configuration on the BDS server for deployment. Once deployed to the BlackBerry device, the
Smart Card settings panel is available in the Security and Privacy menu on the handheld device.
The BlackBerry SCR and BlackBerry 10 smartphone perform secure Bluetooth pairing to open
an encrypted and authenticated connection, utilizing ECDH and AES-256. Once the initial
pairing is completed, all data transferred from the smartphone to the SCR is encrypted and
authenticated at the application layer, using AES-256 in CBC mode to encrypt the data and a
keyed HMAC with SHA-512 to protect its integrity. The BlackBerry SCR also supports two-factor
authentication, which binds the BlackBerry smartphone or computer to the installed smart card.
After the BlackBerry smartphone or computer binds to the smart card, that smart card is required
to authenticate the user. More information on BlackBerry Smart Card Reader functionality and
configuration, as well as details on the secure pairing process, can be found in the BlackBerry
Smart Card Reader Version 2.0 Security Technical Overview document, available on the support
website.
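Both the Bridge pairing in section 2.4 and the SCR channel above come down to the same construction: an ECDH agreement that yields AES-256 session keys, followed by per-message encryption and a keyed HMAC. The Go program below is an added example written for this overview, not BlackBerry code. BlackBerry publishes neither its key derivation nor its framing, so the SHA-512 split of the shared secret into an AES key and an HMAC key, the iv||ciphertext||tag layout and the PKCS#7 padding are assumptions. It runs the pairing for both sides, seals a constructed sample payload with the smartphone's keys, opens it with the reader's keys, and shows that a frame altered in transit is rejected by the HMAC check before any decryption takes place.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// SessionKeys: a 32-byte AES-256 key and a 32-byte HMAC-SHA-512 key per pairing (the split is an assumption; BlackBerry's KDF is not published).
type SessionKeys struct{ Enc, Mac []byte }

// DeriveKeys completes ECDH on P-256 with the peer's public key and hashes the shared secret with SHA-512, using the two halves as the session keys.
func DeriveKeys(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (SessionKeys, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return SessionKeys{}, err
	}
	k := sha512.Sum512(shared)
	return SessionKeys{Enc: k[:32], Mac: k[32:]}, nil
}

// Pair simulates the handshake: smartphone and reader each generate an ephemeral P-256 key, exchange public keys, and hold identical session keys.
func Pair() (phone, reader SessionKeys, err error) {
	phonePriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	readerPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	if phone, err = DeriveKeys(phonePriv, readerPriv.PublicKey()); err != nil {
		return
	}
	reader, err = DeriveKeys(readerPriv, phonePriv.PublicKey())
	return
}

// Seal is encrypt-then-MAC: PKCS#7 pad, AES-256-CBC under a fresh random IV, then HMAC-SHA-512
// over iv||ciphertext. The frame layout iv||ciphertext||tag is an assumption, not BlackBerry's.
func Seal(k SessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded)+sha512.Size)
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	body := out[:aes.BlockSize+len(padded)]
	cipher.NewCBCEncrypter(block, body[:aes.BlockSize]).CryptBlocks(body[aes.BlockSize:], padded)
	mac := hmac.New(sha512.New, k.Mac)
	mac.Write(body)
	copy(out[len(body):], mac.Sum(nil))
	return out, nil
}

// Open checks the tag in constant time before any decryption, so a tampered or truncated frame is rejected without the cipher ever running; then it strips and validates the padding.
func Open(k SessionKeys, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha512.Size || (len(blob)-sha512.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed frame")
	}
	body, tag := blob[:len(blob)-sha512.Size], blob[len(blob)-sha512.Size:]
	mac := hmac.New(sha512.New, k.Mac)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed: frame rejected before decryption")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	phone, reader, _ := Pair()
	blob, _ := Seal(phone, []byte("constructed sample payload, not a real SCR frame"))
	pt, err := Open(reader, blob)
	fmt.Printf("reader got %q (err=%v)\n", pt, err)
	blob[aes.BlockSize] ^= 1 // one ciphertext bit flipped in transit
	_, err = Open(reader, blob)
	fmt.Println("tampered:", err)
}
```

The order of operations is the point: the tag is verified with hmac.Equal over the IV and ciphertext before anything is decrypted, so an attacker who flips ciphertext bits never receives a padding or decryption error to work with.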
3. BLACKBERRY 10 DEVICE SECURITY INFORMATION
3.1 BlackBerry Architecture
Figure 3-1: BlackBerry Device Service Architecture
Table 3-1: BlackBerry Device Service Components

Component: Description

BlackBerry Administration Service: The BlackBerry Administration Service is used to manage the BlackBerry Device Service and the user accounts and devices that are associated with it. Through this utility it is possible to manage user accounts and assign groups, administrative roles, software configurations, email profiles, and IT policies to user accounts. The BlackBerry Administration Service connects to the BlackBerry Configuration Database.

BlackBerry Configuration Database: The BlackBerry Configuration Database is a relational database that contains user account information and configuration information (such as connection details) that the BlackBerry Device Service components use.

BlackBerry Mail Store Service: The BlackBerry Mail Store Service connects to the Microsoft Active Directory and retrieves user information that the BlackBerry Administration Service requires to activate user accounts. User accounts can only be added to the BlackBerry Device Service if the user account exists in the corresponding Microsoft Active Directory.

Enterprise Management Web Service: The Enterprise Management Web Service is a set of web services that communicate commands, configuration information, IT policies, VPN profiles, Wi-Fi profiles, and email profiles between the BlackBerry Administration Service and the Enterprise Management Agent on the devices.

BlackBerry MDS Connection Service: The BlackBerry MDS Connection Service provides a secure connection between the Enterprise Management Agent on the devices and the Enterprise Management Web Service in the BlackBerry Device Service. The connection is used when the device is not connected to a work Wi-Fi network or VPN.

BlackBerry Dispatcher: The BlackBerry Dispatcher maintains a connection with the BlackBerry Infrastructure over the Internet. The BlackBerry Dispatcher is responsible for compressing and encrypting, and decrypting and decompressing, data that travels over the Internet to and from the devices.

BlackBerry Web Desktop Manager: The BlackBerry Web Desktop Manager is a web application that permits users to activate and manage devices.

Microsoft Active Directory: The BlackBerry Mail Store Service obtains, from the Microsoft Active Directory, user account information required to create user accounts in the BlackBerry Device Service.

Work Wi-Fi network: After a device is activated on the BlackBerry Device Service, communication between the BlackBerry Device Service and the device can occur over an organization's Wi-Fi network when the device is within a wireless coverage area and enabled for access as may be required by the organizational network security policies.

External Wi-Fi access point: Depending on the organization's network configuration, communication can occur between the BlackBerry Device Service and devices that are located outside the firewall and connected to the Internet over an external Wi-Fi connection.

Firewall: The BlackBerry Device Service requires an outbound-initiated, bidirectional connection through port 3101 on the firewall and over the Internet to the BlackBerry Infrastructure to transport data to and from the devices.

Internet: The Internet transports data between the BlackBerry Infrastructure and the BlackBerry Device Service. Depending on the network configuration, the devices may also communicate with the BlackBerry Device Service using a VPN connection over the Internet.
3.2 Access Control
3.2.1 Password Lock for Device and Work Space
The BlackBerry 10 devices feature password lock mechanisms to protect the personal and work
data. The work space password through BlackBerry Balance protects DoD data stored in the
work space of the device, whereas the personal data is protected with the device password. When
locked, the OS hides what was previously visible on the screen and remains in this state until the
user is authenticated using the device password.
With the work space password set, the work space is locked when the user directly initiates the
lock on the work space, after the configured time of inactivity, or when the device is instructed
by a BDS administrator.
A BlackBerry 10 device user is allowed a maximum number of attempts to unlock the device and
the work space, preventing an adversary from bypassing the password lock by brute force. By
default, the maximum number of password attempts is set at 10. However, this value for the
work space can be configured on the BDS. When the maximum allowed number of attempts to
unlock the device is reached, BlackBerry 10 OS performs a security wipe, deleting all data in
storage. On the other hand, when the maximum number of attempts to unlock the work space is
reached, the OS wipes and removes the work space on the BlackBerry 10 device.
The BDS can also enforce rules on the work space password, such as length, complexity, age,
and history. The work space password the user creates on the BlackBerry 10 device must be at
least 8 characters, and contain at least:
- 1 uppercase letter
- 1 lowercase letter
- 1 number
- 1 special character
When activated on the BDS, the BlackBerry 10 user will be forced to create a password which
satisfies these rules.
3.2.2 Mandatory Access Control
BlackBerry 10 OS enforces mandatory access control (MAC) policies to prohibit any
application, user, or process from modifying software in the trusted computing base. It also
enforces a MAC to prohibit any application from accessing the private data or code of another
application.
3.3 Configuration Management
Enterprise-related configurations of BlackBerry 10 devices are configured on the BDS.
Administrators can create and manage configurations on the BDS, and assign them to a single
user or group of users. The configurations consist of IT policies, software configurations, and
Wi-Fi, VPN, and email profiles. As part of enterprise activation, the BDS sends the assigned
configuration to the device. Changes to the assigned configuration are also published to the
device automatically. Configurations from the BDS harden the security posture of the
BlackBerry 10 devices, as well as prevent misconfigurations that may arise.
BDS administrators can also remotely control access to BlackBerry 10 devices. Administrators
can remotely set a new device password and lock the device, or wipe all device data or only the
work space data.
3.3.1 IT Policy
IT Policies are used to control and manage BlackBerry 10 devices from the BDS. IT Policies
consist of IT Policy rules, which are used to centrally configure and control device behavior and
enforce these rules. When a rule is specified, the applicable configuration is grayed out on the
device, prohibiting the device user from modifying or disabling it. For example, when an IT
Policy rule is set to enforce a password-protected lock feature for the work space or the full
device by the administrator, the device user cannot disable this feature on the BlackBerry 10.
3.3.2 Over-the-air Provisioning
Over-the-air (OTA) provisioning of BlackBerry 10 devices from the BDS is through a secure
communication channel using bi-directional PKI-based cryptographic authentication methods
when the device is activated. The provisioning data in transit is protected using both transport
layer encryption (using AES-256) and TLS. The BlackBerry 10 device and the BDS generate
message keys to protect the integrity of the data sent to each other.
3.3.3 Software Configurations
Work applications on BlackBerry 10 devices can be managed by the BDS. System administrators
can create, manage, and assign software configurations that consist of applications for
organizational use. Applications can be assigned as required or as optional applications.
Required applications are installed on BlackBerry 10 devices during activation and cannot be
removed by the device user, whereas optional applications are available for download and install
through the “BlackBerry World - Work” application in the work space, and can be removed
later. The applications cannot be modified, unless they are updated from the BDS. Each
application is signed by Research In Motion, and the integrity of the application is validated
during install and startup.
3.3.4 Profiles
BDS administrators can create and manage profiles for BlackBerry 10 devices. Email, SCEP,
Wi-Fi, and VPN profiles can be configured and published to device users from a centrally
managed source.
3.4 Identification and Authentication
3.4.1 Password
There are two password protection mechanisms on the BlackBerry 10 device. Users must
authenticate using:
- A device password to access the personal space
- A work space password to access the work space
The use of a work space password and its rules are enforced by the BDS. The user must create
(at minimum) a 4-digit password without complexity for the device to protect the personal space.
Administrators can enforce work space password rules, such as required character set, maximum
age, minimum length, and history. However, BlackBerry 10 OS does not require device users to
change at least two characters whenever the work space password is changed, and does not
prevent the password from containing sequential numbers. Until BlackBerry implements these
checks, device users should apply these two rules themselves when choosing a work space
password. Passwords are stored on the device encrypted using XTS-AES-256. Passwords used to
authenticate to work or personal accounts are always transmitted over secure channels, never in
clear text, and are obscured on the screen as they are entered on the device.
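The eight-character, four-class rule the BDS enforces (section 3.2.1) and the two rules the OS does not enforce, at least two characters changed and no sequential numbers, can be checked together. The Go function below is an added example for this overview, not BlackBerry or DISA code; the OS and BDS expose no API for this, so it is a stand-alone checker an administrator could run over candidate passwords when writing user guidance. How "at least two characters changed" and "sequential numbers" are to be measured is not specified on the page, so the example counts differing positions (plus any change in length) and flags runs of three or more digits that step up or down by one; both readings are assumptions and are marked as such in the code.

```go
package main

import (
	"fmt"
	"unicode"
)

// CheckWorkSpacePassword returns the rules a candidate work space password breaks;
// an empty result means it passes. previous is "" when no earlier password exists.
func CheckWorkSpacePassword(candidate, previous string) []string {
	var problems []string
	runes := []rune(candidate)

	// Rules the BDS enforces at activation (section 3.2.1).
	if len(runes) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	var upper, lower, digit, special bool
	for _, r := range runes {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true // assumption: anything that is not a letter or digit counts as special
		}
	}
	for _, c := range []struct {
		ok  bool
		msg string
	}{{upper, "no uppercase letter"}, {lower, "no lowercase letter"}, {digit, "no number"}, {special, "no special character"}} {
		if !c.ok {
			problems = append(problems, c.msg)
		}
	}

	// Rules the OS does not enforce (section 3.4.1), applied here as the manual check
	// users are asked to make until BlackBerry implements them.
	if previous != "" && changedPositions(runes, []rune(previous)) < 2 {
		problems = append(problems, "fewer than 2 characters changed from the previous password")
	}
	if hasSequentialDigits(runes, 3) {
		problems = append(problems, "contains sequential numbers")
	}
	return problems
}

// changedPositions counts positions where a and b differ, treating any difference
// in length as changed characters (assumed reading of "at least two characters").
func changedPositions(a, b []rune) int {
	n, diff := len(a), 0
	if len(b) < n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		if a[i] != b[i] {
			diff++
		}
	}
	if len(a) > len(b) {
		return diff + len(a) - len(b)
	}
	return diff + len(b) - len(a)
}

// hasSequentialDigits reports a run of n or more ASCII digits that each step up or
// down by one, such as "1234" or "987" (assumed reading of "sequential numbers").
func hasSequentialDigits(rs []rune, n int) bool {
	up, down := 1, 1
	for i := 1; i < len(rs); i++ {
		digits := rs[i] >= '0' && rs[i] <= '9' && rs[i-1] >= '0' && rs[i-1] <= '9'
		if digits && rs[i] == rs[i-1]+1 {
			up++
		} else {
			up = 1
		}
		if digits && rs[i] == rs[i-1]-1 {
			down++
		} else {
			down = 1
		}
		if up >= n || down >= n {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample candidates: the last two exercise the rules the OS itself does not enforce.
	for _, c := range [][2]string{{"Tr0ub4dor&3", ""}, {"password", ""}, {"Passw0rd!", "Passw0rd?"}, {"Abc!12345", ""}} {
		fmt.Printf("%-12q previous=%q -> %v\n", c[0], c[1], CheckWorkSpacePassword(c[0], c[1]))
	}
}
```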
3.4.2 Certificates
Certificates on the BlackBerry 10 device are used to authenticate using the public key when
connecting to remote information systems, and with organizational resources such as a
messaging server, Wi-Fi network, or VPN. When authenticating using certificates, the certificate
is validated by constructing a certification path with status information to a trust anchor. The OS
also verifies the certificate’s revocation status before verifying its authenticity. During this
process, the BlackBerry 10 device alerts the user and provides the option to deny acceptance of
the certificate when:
- The certificate is invalid
- The certificate is issued from an untrusted certificate authority
- The revocation status of the certificate cannot be verified
All private key materials in the key store are encrypted using AES-256 and stored in the
encrypted domain of the file system. Files in the encrypted domain are protected by a hierarchy
of encryption keys, stemming from the KEK embedded in the processor during the
manufacturing process.
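The validation path described above, from building a certification path to a trust anchor, through checking revocation status, to the three conditions that trigger a user alert, is shown below as an added example in Go using only the standard library; it is not BlackBerry code and does not reproduce the device's implementation. Everything in it is constructed for the demonstration: the root CA standing in for a DoD root, the three user certificates, and the CRL, which is passed in directly instead of being fetched from the certificate's distribution points or an OCSP responder. The untrusted-issuer outcome is produced by validating against a trust store that lacks the root, and an unreachable CRL is modelled by passing none.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Decision string // what the device reports; the three alerts are the ones listed in section 3.4.2
const Accept Decision = "accept"
const AlertInvalid Decision = "alert: certificate is invalid (expired, revoked or badly formed)"
const AlertUntrust Decision = "alert: certificate issued by an untrusted CA"
const AlertRevUnkn Decision = "alert: revocation status cannot be verified"

// Validate builds a certification path from leaf to a trust anchor in roots, then checks each certificate below the
// anchor against a CRL from its issuer. crls stands in for CRLs fetched from the distribution points; nil means none.
func Validate(leaf *x509.Certificate, roots *x509.CertPool, crls []*x509.RevocationList, now time.Time) Decision {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if _, untrusted := err.(x509.UnknownAuthorityError); untrusted {
		return AlertUntrust
	}
	if err != nil {
		return AlertInvalid // expired, not yet valid, bad signature or constraint violation
	}
	for chain, i := chains[0], 0; i+1 < len(chain); i++ {
		if d := revocationStatus(chain[i], chain[i+1], crls, now); d != Accept {
			return d
		}
	}
	return Accept
}

// revocationStatus uses only a CRL signed by the issuer and not past NextUpdate; with none, the status is unknown and is reported, not silently accepted.
func revocationStatus(cert, issuer *x509.Certificate, crls []*x509.RevocationList, now time.Time) Decision {
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) {
			continue
		}
		for _, e := range crl.RevokedCertificates {
			if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return AlertInvalid
			}
		}
		return Accept
	}
	return AlertRevUnkn
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate for cn with the given key usage, signed by parent
// (self-signed when parent is nil); CertSign in the usage marks the certificate as a CA.
func issue(cn string, serial int64, nb, na time.Time, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na,
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenarios builds a constructed root CA (stand-in for a DoD root), three user certificates and a CRL listing serial 102, then returns the decision for each case.
func Scenarios() map[string]Decision {
	now := time.Now()
	caUsage, userUsage := x509.KeyUsageCertSign|x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature
	root, rootKey := issue("Constructed Root CA", 1, now.Add(-time.Hour), now.Add(48*time.Hour), caUsage, nil, nil)
	good, _ := issue("user.good", 100, now.Add(-time.Hour), now.Add(time.Hour), userUsage, root, rootKey)
	expired, _ := issue("user.expired", 101, now.Add(-48*time.Hour), now.Add(-24*time.Hour), userUsage, root, rootKey)
	revoked, _ := issue("user.revoked", 102, now.Add(-time.Hour), now.Add(time.Hour), userUsage, root, rootKey)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, root, rootKey))
	roots, crls := x509.NewCertPool(), []*x509.RevocationList{must(x509.ParseRevocationList(crlDER))}
	roots.AddCert(root)
	return map[string]Decision{
		"good":         Validate(good, roots, crls, now),
		"expired":      Validate(expired, roots, crls, now),
		"revoked":      Validate(revoked, roots, crls, now),
		"untrusted-ca": Validate(good, x509.NewCertPool(), crls, now), // root absent from the trust store
		"no-crl":       Validate(good, roots, nil, now),               // CRL could not be fetched
	}
}

func main() { fmt.Println(Scenarios()) }
```

Two choices in the example carry the practitioner's point: a CRL is only evidence if it verifies against the issuer's key and is within its validity window, and the absence of such evidence is reported as a distinct condition rather than treated as "not revoked", which is what the device's third alert exists for.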
3.5 Media Protection
BlackBerry 10 devices support micro SD cards. The media card storage is considered to be in the
personal space, and BlackBerry Balance prevents DoD data from being transferred from the
work space to the personal space, including the media card. It is optional to encrypt the media
card in order to protect the user’s personal data. The security wipe procedure in BlackBerry 10
OS does not wipe the removable media. However, if the media card is encrypted, the security
wipe procedure wipes the encryption key that protects the media card. Because the card is
encrypted, its contents become inaccessible without that key.
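The key hierarchy rooted in the processor KEK (3.4.2) and the media card wipe just described rest on the same mechanism: the card key exists only wrapped under the KEK, so destroying the wrapped key makes the untouched ciphertext unrecoverable. The following is an added Go model, not BlackBerry's implementation; the 32-byte KEK, the labels and the use of AES-GCM for wrapping are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal: AES-256-GCM with a random nonce prefixed to the output; label is bound
// as associated data so a wrapped key cannot be passed off as a file blob.
func seal(key, pt []byte, label string) ([]byte, error) {
	blk, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, []byte(label)), nil
}

func open(key, blob []byte, label string) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 { // 12 = GCM nonce size
		return nil, errors.New("bad key or blob")
	}
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, blob[:12], blob[12:], []byte(label))
}

// Card models an encrypted media card whose key exists only wrapped under the
// processor-embedded KEK (constructed model, not BlackBerry's implementation).
type Card struct{ WrappedKey []byte }
// NewCard draws a random card key and keeps only its KEK-wrapped form.
func NewCard(kek []byte) (*Card, error) {
	ck := make([]byte, 32)
	if _, err := rand.Read(ck); err != nil {
		return nil, err
	}
	w, err := seal(kek, ck, "card-key")
	return &Card{WrappedKey: w}, err
}
// Key recovers the card key via the KEK; files then use seal/open(ck, ..., "file").
func (c *Card) Key(kek []byte) ([]byte, error) { return open(kek, c.WrappedKey, "card-key") }
// SecurityWipe destroys the wrapped key: file ciphertext stays on the card but
// is now undecryptable even with the KEK in hand (cryptographic erase).
func (c *Card) SecurityWipe() { c.WrappedKey = nil }
```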
3.6 System and Services Acquisition
Because BlackBerry 10 devices are dual persona, the restriction to DoD-approved software or
applications is enforced only in the work space. BlackBerry 10 users are able to download and
install any publicly available application from BlackBerry World for personal usage. BDS
administrators must prohibit the use of Development Mode to ensure device users can download
and install applications from BlackBerry World only.
3.7 System and Communications Protection
3.7.1 Cryptographic Support
BlackBerry 10 utilizes Cryptographic Kernel v5.6, a FIPS 140-2 validated cryptographic module,
to protect data on the device and in transit. The cryptographic module is also used to protect data
for VPN, Bluetooth, and Wi-Fi communications, as well as to protect the certificate store and for
key management and digital signature implementations. The cryptographic module utilizes AES-
256 encryption to protect data at rest and in transit for communicating with DoD resources via
the BDS.
3.7.1.1 Public Key Cryptography
BlackBerry 10 supports software-based and hardware-based asymmetric key technology.
Certificates are used for the Web, Wi-Fi, VPN profiles, etc. and can be managed by the BDS.
BDS administrators can use SCEP Profiles to publish required DoD certificates, including DoD
root and intermediate, and client certificates to be stored in the enterprise certificate store in the
work space of the BlackBerry 10 device. In order to access hardware-based tokens embedded in
the DoD Common Access Card, the device must be paired with a BlackBerry Smart Card
Reader. In BlackBerry 10 OS version 10.1, this can be achieved by deploying the “Smart Card
Subsystem” application from BlackBerry Device Service.
3.7.2 System Protection
3.7.2.1 Protection of Work and Personal Data
Data on BlackBerry 10 is stored in personal and work file systems. BlackBerry Balance
technology distinguishes and separates personal and work applications and data and stores them
in their respective file systems. The work file system consists of work apps and data and is
encrypted by default. The personal file system consists of personal apps and data with optional
encryption support, which can be enforced from the BDS. XTS-AES-256 encryption is utilized
to protect both file systems.
3.7.2.2 Permissions and Access Rights
3.7.2.2.1 Device User
BlackBerry 10 OS assigns a user account to the device user with limited privileges. The device
user is therefore prohibited from directly administering UIDs, file permissions, and system
configuration files, and from starting and stopping system processes.
3.7.2.2.2 Applications
As previously stated, BlackBerry Balance technology distinguishes and separates personal and
work applications and data. Inherently, a personal application has read-write access to its private
data and files in the personal file system, but does not have any access to work data. By default, a
work application has read-write access to its private data and files in the work file system, and
read-only access to files in the personal file system. The “Work App Access to Shared Files in the
Personal Space” rule must be set to “Disallow” in BlackBerry Device Service to achieve
complete separation of work and personal data.
Applications on BlackBerry 10 OS can be installed from the BlackBerry World application
storefront. While applications for the personal space consist of all publicly available apps in
BlackBerry World, BDS administrators can publish a whitelist of applications for the work space,
preventing the use of non-DoD applications (e.g., IM systems) there, and can publish apps
directly from the BDS within the DoD network. All applications published in BlackBerry World
are scanned and monitored for malicious behavior and signed by the RIM signing authority.
BlackBerry 10 OS verifies this signature during install and launch, and the binding of the digital
signature to the application remains until the application is deleted or updated. If the integrity of
the application cannot be verified, BlackBerry 10 OS notifies the user.
To ensure applications are given only the permissions that DoD has authorized, the device user
must inspect the permissions granted to each application and verify that they are appropriate.
Applications on BlackBerry 10 OS are launched and executed only at the user's direction.
3.7.3 Communications Protection
Network connections are terminated by the OS when an application requests termination,
including when the application is closed, or after a DoD-defined period of inactivity that forces
BlackBerry 10 to lock. See Section 3.1 for details on enabling device lock after a specified
period of inactivity.
BlackBerry 10 OS does not allow remote activation of applications or functions without explicit
user instructions. The OS does not contain the capability to filter traffic based on IP address and
port. However, because work traffic is routed through BlackBerry MDS Connection Service,
network traffic to BlackBerry 10 can be filtered within the DoD organization.
3.7.3.1 Wi-Fi
The Wi-Fi module on BlackBerry 10 OS is WPA2 certified for both enterprise and personal use,
and can be configured to use EAP-TLS authentication and AES-CCMP encryption for
connecting and authenticating to DoD networks. For DoD Wi-Fi networks, BDS administrators
are required to create a work Wi-Fi profile to enforce use of these security types. Remote access
to the BlackBerry 10 device via Wi-Fi must be prohibited.
3.7.3.2 VPN
The VPN client on BlackBerry 10 OS can be configured to utilize IPSec, SSL/TLS, and
certificates to authenticate and connect to DoD networks. VPN profiles, which include these
configurations, must be managed and published from the BDS. Once published, the user is
required to use the BDS-configured gateway and authentication types.
3.7.3.3 Bluetooth
The Bluetooth module on BlackBerry 10 devices cannot be turned off by BDS administrators,
due to the dual persona nature of the device. However, BDS administrators can configure
“Transfer Work Contacts Using Bluetooth PBAP or HFP”, “Transfer Work Files Using
Bluetooth OPP”, and “Transfer Work Messages Using Bluetooth MAP” IT Policy rules to
“Disallow” to prevent DoD data from being transferred over Bluetooth.
When pairing with a device, the Bluetooth module prohibits any data transfer prior to Bluetooth
mutual authentication, which utilizes Bluetooth 4.0 authentication techniques with a combination
of public key cryptography and passkey, mitigating risk.
3.7.3.4 Proxy
If a DoD proxy server must be used, a proxy profile must be created on the BDS. The proxy
profile then can be assigned to Wi-Fi and VPN profiles, forcing traffic to flow through the proxy
server.
3.8 System and Information Integrity
The integrity of BlackBerry 10 OS is verified during boot up. If an integrity check failure is
detected during this process, the OS does not boot, preventing potentially malicious code from
executing.
Information about the OS can be obtained on the device from the “Settings” menu by selecting
“About”. Information such as the OS version is also reported to the BDS. When OS updates
(including security patches to remediate flaws) are published, device users receive a notification
of the availability, and upon user initiation, the updates are downloaded and installed.
BlackBerry 10 device users are required to update the operating system to the latest DoD
approved software, currently version 10.1.
The internal clock of BlackBerry 10 OS must be synchronized with an authoritative time server.
There are two separate browsers on BlackBerry 10 OS, one each for personal and work spaces.
While the work space browser directs all its traffic through DoD infrastructure, the personal
space browser does not. The personal space browser cannot be removed at this time.
APPENDIX A: ACRONYMS
AES Advanced Encryption Standard
BDS BlackBerry Device Service
BES BlackBerry Enterprise Service
C&A Certification and Accreditation
CAC Common Access Card
CAT Severity Category Code
CCMP Counter Cipher Mode with Block Chaining Message Authentication Code Protocol
CMD Commercial Mobile Device
CNSS Committee on National Security Systems
CNSSI Committee on National Security Systems Instruction
DAA Designated Accrediting Authority
DISA Defense Information Systems Agency
DoD Department of Defense
DoDD DoD Directive
EAP Extensible Authentication Protocol
ECDH Elliptic curve Diffie-Hellman
FIPS Federal Information Processing Standard
FOUO For Official Use Only
FSO Field Security Operations
HFP Hands-Free Profile
IA Information Assurance
IAM Information Assurance Manager
IAO Information Assurance Officer
IASE Information Assurance Support Environment
IM Instant Messaging
IP Internet Protocol
IPSec Internet Protocol Security
IT Information Technology
k 2^10 or 1024
m 2^20 or 1048576
MAC Mission Assurance Category
Mandatory Access Control
MAP Message Access Profile
MDM Mobile Device Management
MDS Mobile Data System
NIPRNet Non-classified Internet Protocol Router Network
NIST National Institute of Standards and Technology
NSA National Security Agency
OPP Object Push Profile
OS Operating System
OTA Over-the-air
PBAP Phone Book Access Profile
PII Personally Identifiable Information
PIN Personal Identification Number
PKI Public Key Infrastructure
SA System Administrator
SCEP Simple Certificate Enrollment Protocol
SM Security Manager
SP Special Publication
SRG Security Requirement Guide
SSL Secure Sockets Layer
SSP System Security Plan
STIG Security Technical Implementation Guide
TLS Transport Layer Security
UID User ID
URL Uniform Resource Locator
VPN Virtual Private Network
WPA Wi-Fi Protected Access