Check: BBDS-00-000132
BBDS10 2 X STIG:
BBDS-00-000132
(in version v1 r5)
Title
The BlackBerry Device Service server must enforce the email client S/MIME encryption algorithm to be 3DES or AES256 via centrally managed policy. (Cat II impact)
Discussion
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that S/MIME must utilize a 3DES or AES encryption algorithm.
Check Content
Review the BlackBerry Device Service server policy configuration to determine whether the encryption algorithms used to encrypt S/MIME protected email messages are 3DES or AES256. If there are multiple policies, they must all be reviewed. If the algorithms are not 3DES or AES256, this is a finding.
Fix Text
Configure the centrally managed BlackBerry Device Service server policy rule to enforce the email client S/MIME encryption algorithm to be 3DES or AES256. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Profiles > Manage email profiles > <Profile Name> > Email profile settings" and verify "Allowed content ciphers" is set to "AES (256-bit)" or "Triple DES".
Additional Identifiers
Rule ID:
Vulnerability ID: V-48513
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001144 | The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |