If the BlackBerry Device Service server includes a mobile email management capability, the email client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES-128 bit encryption key length is the minimum requirement; AES-256 is desired.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-38959	BBDS-00-000132	SV-50764r2_rule		Medium

Description
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that S/MIME must utilize a 3DES or AES encryption algorithm.

STIG	Date
BlackBerry Enterprise Service v10.1.x BlackBerry Device Service STIG	2014-10-06

Details

Check Text ( C-46439r2_chk )
Review the BlackBerry Device Service server policy configuration to determine whether the encryption algorithms used to encrypt S/MIME protected email messages are 3DES or AES-256. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Profiles > Manage email profiles > > Email profile settings" and verify "Allowed content ciphers" is set to "AES (256-bit)", or "Triple DES". Otherwise, this is a finding.

Check Text ( C-46439r2_chk )

Review the BlackBerry Device Service server policy configuration to determine whether the encryption algorithms used to encrypt S/MIME protected email messages are 3DES or AES-256.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Profiles > Manage email profiles > > Email profile settings" and verify "Allowed content ciphers" is set to "AES (256-bit)", or "Triple DES". Otherwise, this is a finding.

Fix Text (F-43915r2_fix)
Configure the centrally managed BlackBerry Device Service server policy rule to specify the encryption algorithms used to encrypt S/MIME protected email messages.