Extending messaging security on BlackBerry 10 devices using S/MIME protection

You can extend messaging security for the BlackBerry Device Service solution and permit users to send and receive S/MIME-protected email messages on BlackBerry 10 devices. Digitally signing or encrypting messages adds another level of security to the email messages that users send or receive from their devices. If users have a work email account that supports S/MIME-protected messages on devices, they can digitally sign or encrypt messages using S/MIME. When a device is activated on the BlackBerry Device Service, you can require the device to sign, encrypt, or sign and encrypt messages using S/MIME whenever users send email messages from a work email address.

Digital signatures help recipients verify the authenticity and integrity of messages that users send. When a user digitally signs a message with their private key, recipients use the sender's public key to verify that the message is from the sender and that the message has not changed.

Encryption keeps messages confidential. When a user encrypts a message, the device uses the recipient's public key to encrypt the message. The recipient's device uses the recipient's private key to decrypt the message.

Devices support keys and certificates in the following file formats and file name extensions:
  • PEM (.pem, .cer)
  • DER (.der, .cer)
  • PFX (.pfx, .p12)
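The list above pairs formats with file name extensions, but note that .cer appears under both PEM and DER, so the extension alone does not tell you which encoding a file uses. The following shell script is an added example and is not part of the BlackBerry documentation: it generates a throwaway self-signed key and certificate with the openssl command-line tool (constructed test data, not a real user's credential), converts the certificate from PEM to DER, packages key and certificate as a PFX, and detects a certificate's encoding by content rather than by extension. The file names, subject and passphrase are assumptions made for the example.

```shell
#!/bin/sh
# Added example: inspect and convert the key/certificate formats listed above.
# Uses a throwaway self-signed certificate generated here (constructed test data).
# Requires the openssl command-line tool.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a constructed test key pair and self-signed certificate in PEM form.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test User/emailAddress=test.user@example.com" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Report whether a certificate file is PEM or DER by content, not by extension.
# A .cer file can hold either encoding, so the extension alone is not reliable.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
       && openssl x509 -inform PEM -in "$1" -noout >/dev/null 2>&1; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Convert the PEM certificate to DER (same certificate, binary encoding).
# The .cer extension is deliberately used here to show it can hold DER.
pem_to_der() {
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.cer"
}

# Bundle private key and certificate into a PFX/PKCS#12 container.
# A PFX carries the private key, so it is passphrase-protected.
make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/identity.p12" -passout pass:changeit >/dev/null 2>&1
}

# Print the subject of the certificate stored inside the PFX (public part only).
pfx_subject() {
    openssl pkcs12 -in "$WORK/identity.p12" -passin pass:changeit \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

make_test_cert
pem_to_der
make_pfx
echo "cert.pem is $(cert_format "$WORK/cert.pem")"
echo "cert.cer is $(cert_format "$WORK/cert.cer")"
pfx_subject
```

Run it as a plain POSIX shell script; it needs only openssl and writes to a temporary directory that is removed on exit. The content-based `cert_format` check is the part worth keeping: when a user reports that a .cer file will not import, confirming whether it is actually PEM or DER is the first thing to verify.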

Users can store their private keys on their devices or on a smart card. For devices that are running BlackBerry 10 OS version 10.2.1 or later, you can use the BlackBerry Device Service to configure LDAP-enabled server settings and send them to devices, so that devices can automatically retrieve a recipient's public key and users don't need to import public keys from work email messages manually. You can require that devices use either simple authentication or Kerberos to authenticate with LDAP-enabled servers. If you require Kerberos authentication and a valid TGT is available on the user's device, the user isn't prompted for login information.

Users don't have to install additional software on devices to support S/MIME protection. Users can configure S/MIME preferences on devices in the BlackBerry Hub settings, including choosing certificates and encoding methods. Users can manage certificates on their devices in the Security and Privacy section of the System Settings.

BlackBerry 10 devices support attachments in S/MIME-protected email messages. Users can view, send, and forward attachments in S/MIME-protected email messages.

Users can configure the S/MIME settings on the device to send either clear-signed messages that any email application can open, or opaque-signed messages that only email applications that support encryption can open.

If devices do not have S/MIME support turned on, devices cannot send signed or encrypted email messages. To send encrypted email messages, a user must have the recipient's public key on their device. To read encrypted email messages, a user must have their private key on their device or on a smart card. If users do not have their private keys on their devices, the devices cannot read S/MIME-encrypted messages, and the devices display the message, "Unable to decode the message because you do not have the corresponding private key."
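The behaviour described in this section and above (signing for authenticity and integrity, encrypting with the recipient's public key, clear-signed versus opaque-signed output, and the failure when the matching private key is absent) can be reproduced with the openssl command-line tool. The script below is an added example, not BlackBerry code and not taken from the documentation: it creates two throwaway self-signed identities (constructed test data), signs one constructed message both ways, verifies it, shows that a modified copy fails verification, encrypts for the recipient, and demonstrates that only the recipient's private key can decrypt. The names, email addresses and message text are assumptions made for the example.

```shell
#!/bin/sh
# Added example: S/MIME sign, verify, encrypt and decrypt with openssl.
# Sender and recipient are throwaway self-signed certificates generated here
# (constructed test data). Requires the openssl command-line tool.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a constructed self-signed identity: $1 = name, $2 = email address.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Constructed plaintext message body.
write_message() {
    printf 'The figures are attached.\nPlease review before Friday.\n' > "$WORK/msg.txt"
}

# Clear-signed: the body stays readable and the signature rides alongside it,
# so a client without S/MIME support can still display the text.
sign_clear() {
    openssl smime -sign -text -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
        -inkey "$WORK/alice.key" -out "$WORK/clear.p7m"
}

# Opaque-signed: body and signature are wrapped in one base64 PKCS#7 blob,
# so only an S/MIME-capable client can show the message.
sign_opaque() {
    openssl smime -sign -nodetach -text -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
        -inkey "$WORK/alice.key" -out "$WORK/opaque.p7m"
}

# Verify a signed message. -CAfile points at the self-signed sender certificate
# because this constructed setup has no CA chain. Returns 0 only when the
# signature is valid and the content is unchanged.
verify_signed() {
    openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" -out /dev/null 2>/dev/null
}

# Integrity check: alter one word of the clear-signed body and verify again.
# This is expected to fail; the digest no longer matches the signed content.
verify_tampered_copy() {
    sed 's/attached/detached/' "$WORK/clear.p7m" > "$WORK/tampered.p7m"
    verify_signed "$WORK/tampered.p7m"
}

# Encrypt for Bob: the sender needs only Bob's public certificate.
encrypt_for_bob() {
    openssl smime -encrypt -aes256 -text -in "$WORK/msg.txt" -out "$WORK/enc.p7m" "$WORK/bob.crt"
}

# Decrypt with a given private key. Bob's key succeeds; any other key fails,
# which is the situation behind the "corresponding private key" error on the device.
decrypt_with() {
    openssl smime -decrypt -text -in "$WORK/enc.p7m" -recip "$WORK/bob.crt" -inkey "$1" 2>/dev/null
}

# 0 if the readable body text appears in the given file.
body_visible_in() {
    grep -q 'The figures are attached' "$1"
}

make_identity alice alice@example.com
make_identity bob bob@example.com
write_message
sign_clear
sign_opaque
encrypt_for_bob

body_visible_in "$WORK/clear.p7m" && echo "clear-signed: body readable by any client"
body_visible_in "$WORK/opaque.p7m" || echo "opaque-signed: body not readable without S/MIME"
verify_signed "$WORK/clear.p7m" && echo "clear-signed: signature valid"
verify_signed "$WORK/opaque.p7m" && echo "opaque-signed: signature valid"
verify_tampered_copy || echo "tampered copy: verification failed as expected"
decrypt_with "$WORK/bob.key" >/dev/null && echo "decrypt with bob.key: ok"
decrypt_with "$WORK/alice.key" >/dev/null || echo "decrypt with alice.key: failed as expected"
```

Two points from the run map directly onto the text above: the clear-signed file still contains the plain body, so a client without S/MIME support can read it but cannot check the signature, while the opaque-signed file hides the body entirely; and decryption fails deterministically with the wrong key, which is the condition the device reports as "Unable to decode the message because you do not have the corresponding private key."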