BlackBerry 10 OS must enforce complexity requirements for the authentication to access private keys saved in the key certificate stores.


Overview

Finding ID: V-39315
Version: BB10-00-003320
Rule ID: SV-51137r1_rule
IA Controls:
Severity: Medium
Description
The cornerstone of PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, the authentication and non-repudiation gained through PKI are compromised, because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Allowing unauthenticated access to private keys can enable an adversary in possession of the device to decrypt messages encrypted with the public key and to digitally sign data, thereby potentially enabling the adversary to impersonate the user in any application that uses that private key for user authentication. Enforcing complexity requirements for the authentication used to access keys saved in the certificate store protects sensitive information. A weak password may enable an adversary to crack it and gain the ability to use the private key to decrypt sensitive information or improperly impersonate the user of the device.
STIG: BlackBerry 10 OS Security Technical Implementation Guide
Date: 2014-08-27

Details

Check Text (C-46570r2_chk)
From either the Work Space or Personal Space, navigate to "Settings -> BlackBerry Balance" and ensure "Work Password" is set to "On" and grayed out. Otherwise, this is a finding.
Fix Text (F-44293r2_fix)
On the BlackBerry Device Service, set the "Password Required for Work Space" IT Policy rule to "Yes".