If the BlackBerry Device Service server includes a mobile email management capability, the email client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES 128 bit encryption key length is the minimum requirement; AES 256 desired.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
BBDS-00-000132	BBDS-00-000132	BBDS-00-000132_rule		Medium

Description
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that S/MIME must utilize a 3DES or AES encryption algorithm.

STIG	Date
BlackBerry Device Service 6.2 STIG	2013-05-03

Details

Check Text ( C-BBDS-00-000132_chk )
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to configure the encryption algorithms used to encrypt S/MIME protected email messages. If this function is not present, this is a finding. The "Allowed Content Ciphers" profile setting specifies the encryption algorithms that a BlackBerry device can use to encrypt S/MIME-protected email messages. IT policy rules can be specified per group or per user. To add an IT policy to a group: 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group. 2. Click Manage groups. 3. Click the name of the group. 4. Click Edit group. 5. Click the Policies tab. 6. In the IT policy list, select the IT policy. 7. Click Save all. To add an IT policy to a user account: 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User. 2. Click Manage users. 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the Add to user configuration list, click Set IT policy. 6. In the IT policy drop-down list, select the IT policy. 7. Click Save. For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.

Check Text ( C-BBDS-00-000132_chk )

Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to configure the encryption algorithms used to encrypt S/MIME protected email messages. If this function is not present, this is a finding.

The "Allowed Content Ciphers" profile setting specifies the encryption algorithms that a BlackBerry device can use to encrypt S/MIME-protected email messages.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.

Fix Text (F-BBDS-00-000132_fix)
Configure the centrally managed BlackBerry Device Service server security policy rule to specify the encryption algorithms used to encrypt S/MIME protected email messages with 3DES or AES encryption.