I am working with someone at DISA to bring the current Blackberry STIG checklist up to date.

Currently in the checklist, there is a requirement to have a user sync their device with the Desktop manager every 30 days to update the Master Encryption key. This was for older devices before 4.1. Now with 4.1, this is all done wirelessly.

Because this needs to be official, I need to state why and how this is being done. I know it is somewhat automatic and you can still connect the device to the BES and do it or manually do it from the device but I need the exact wording.

I am looking at the Security Guide for BES 4.1.5 and from what I have read, does not specifically mention that it automatically regenerates the key over the air.

Any docs that you can provide to me would be much appreciated.

Thanks,

Thomas

Every 30 days the BES sends a command to the BB to update it's Encryption Key. Once it has been done the BB sends the ACK back to the BES. As far as I know it's 30 days from activation or the last encryption key update.

So as far as flow goes:

1. BES sends the update command

2. HH receives command and updates the key

3. BB sends acknowledgement

I'm not sure if this can be seen in the logs, wouldn't surprise me. Someone here might know what log line to search for.

You must be referring to "hdawg, resident log whore".

logs?!??!?! where?!?!??!?!

gibson is spot on with the process ...

well ... since I've been taunted on my log love ... here you go:

KB05429 - Recommendation on the use of Triple DES or AES for BlackBerry transport layer encryption

The end of the KB Article explains what log entries to look for and what they mean.

If you want to see the actual encryption keys, they're in the BESMgmt database in the UserConfig table.

Thanks hdawg but kb05429 only speaks about 3DES and AES encryption but not the actual Wireless Encryption Key regeneration process.

i had no clue about that...i guess i ain't a talking blackberry encyclopedia like my profile says.

gibson explained the process.

You may be able to get more logging detail by increasing the debug log level ... if you need more than has been stated here I'd give RIM a call and talk with TSupport.