Parameters that the BBM Enterprise
key exchange uses
BBM Enterprise
key exchange usesThe description of the
BBM Enterprise
key exchange uses the following
labels:
Parameter |
Description |
|---|---|
A, B |
The two key exchange participants (A initiator, B
recipient) |
X A , XB |
Versions of X belonging to A and B |
PIN AB |
BlackBerry PIN value for A and B |
Version AB |
The highest supported protocol version by each
party |
S AB |
Public portion of EC-SPEKE exchange
values |
S' AB |
Private portion of EC-SPEKE exchange
values |
Ksign AB |
Public portion of signing key |
K'sign AB |
Private portion of signing key |
Kenc AB |
Public portion of encryption key |
K'enc AB |
Private portion of encryption key |
K enc |
Symmetric encryption key protecting the
confidentiality of the key exchange |
K mac |
Symmetric key protecting the integrity of the key
exchange |
nonce |
Initialization Vector nonce associated with
encryption using K enc |
ENCMAC {K enc , Kmac , IV} (data) |
Symmetric encryption with K enc followed by the addition of a MAC of the ciphertext
with Kmac |
DECMAC {K enc , Kmac , IV} (data) |
The inverse of ENCMAC: verification of the MAC
with K mac , followed by decryption of the
authenticated ciphertext using Kenc |
KDF (aux, secret) |
A standard KDF function |
EC-SPEKE-GEN (secret) |
Generates a non-deterministic key pair based on a
shared secret |
EC-DH (private, public) |
Generates a raw shared secret with ECDH |
EC-GEN () |
Generates a new random Elliptic Curve key
pair |
K proof |
A symmetric key used for proving possession of
the private key |
EC-SIGN {secret} (data) |
A public key signature on a hash using
ECDSA |
MAC {secret} (data) |
Calculates a MAC keyed with secret on
data |
T3, T4 |
Message authentication tags for messages #3 and
#4 |
SS AB |
The EC-SPEKE shared secret value between A and
B |
F |
The prefix value used for cryptographic
separation between usages of the same key between different BBM applications, protocol versions, and
sessions |
S |
Shared secrets, shared in-band out-of-band (for
details, see Key exchange process) |
|| |
Indicates concatenation |
(X, Y) |
Indicates separation of concatenated
values |
Data flow: Detailed BBM Enterprise
key exchange process
BBM Enterprise
key exchange process- Each device generates a long-lived encryption key pair and a signing key pair.
- The initiator’s device generates:(KsignA, K'signA) = EC-GEN () (KencA, K'encA) = EC-GEN ()
- The recipient’s device generates:(KsignB, K'signB) = EC-GEN () (KencB, K'encB) = EC-GEN ()
- The initiator chooses or autogenerates a secret password. This shared password is sent automatically in-band or is sent manually out-of-band to the recipient using an SMS text message, email, phone call, or in person. For details, see Key exchange process.
- The initiator sends the firstBBMmessage, which is an invitation that contains the initiator's contact information and the highest version ofBBM Enterprisethat they support.
The initiator’s invitation message (Message #1) is: (VersionVersion = 0 p = KDF ("EC-SPEKE Password", F || S), forget S, where sizeof(p) = 256 bits (SA, S'A) = EC-SPEKE-GEN (p), forget p invite_id = 64-bit nonceA, invite_id, PINA, SA) - The recipient responds to the invitation and provides the highest version ofBBM Enterprisethat the recipient supports, proof that they know the secret password, and the recipient's long-lived public encryption and signing keys.
The recipient’s response message (Message #2) is: (VersionVersion = 0 p = KDF ("EC-SPEKE Password", F || S), forget S, where sizeof(p) = 256 bits (SB, S'B) = EC-SPEKE-GEN (p), forget p Version = MIN (VersionA, VersionB) SSAB= EC-DH (S'B, SA) (Kenc, Kmac, nonce) = KDF ("BBM Enterprise Key Exchange", F || SSAB) Message #2 payload = P2 = (invite_id, KsignB, KencB) Message #2 payload signature = S2 = EC-SIGN {K'signB} (F || versionB|| P2 || SA|| SB) Message #2 encrypted payload = E2 = ENCMAC {Kenc, Kmac, nonce} (P2 || S2)B, SB, E2) - The initiator responds to the acceptance and provides proof that they know the secret password, the initiator's long-lived public encryption and signing keys, and proof that the initiator's private keys correspond to the public keys that the initiator claims to own.
The initiator’s response message (Message #3) is: E3Version = MIN (VersionA, VersionB) Increment password_attempts. If (password_attempts > 5) then abort. SSAB= EC-DH (S'_A, S_B) (Kenc, Kmac, nonce) = KDF ("BBM Enterprise Key Exchange", F || SSAB) (P2, S2) = DECMAC {Kenc, Kmac, nonce} (E2) (Ksign_B,Kenc_B) = P2 Verify signature S2. KencAB= EC-DH (K'encA, KencB) Kproof= KDF ("K_proof", F || KencAB), where sizeof(Kproof) = 256 bits Message #3 Auth Tag = T3 = MAC {Kproof} (F || KsignB|| KencB) Message #3 payload = P3 = (KsignA, KencA, T3) Message #3 payload signature = S3 = EC-SIGN {K'signA} (F || P3 || SB|| SA|| KsignB|| KencB) Message #3 encrypted payload = E3 = ENCMAC {Kenc, Kmac, nonce}(P3 || S3) - The recipient responds with proof that they own the recipient's private keys.
The initiator’s response message (Message #4) is: E4(P3, S3) = DECMAC {Kenc, Kmac, nonce} (E3) (KsignA, KencA, T3') = P3 Verify signature S3. KencAB= EC-DH (K'enc_B, KencA) Kproof' = KDF ("K_proof", F || KencAB), where sizeof (Kproof) = 256 bits T3 = MAC {Kproof'} (F || KsignB|| KencB) Check T3 == T3' Message #4 Auth Tag = T4 = MAC {Kproof'}(F || KsignA|| KencA) E4 = ENCMAC {Kenc, Kmac, nonce} (T4) - After the initiator verifies the final message from the recipient, each party knows the other’s public keys and that they belong to someone who knows both the associated private keys and the secret password.T4' = DECMAC {Kenc, Kmac, nonce} (Message #4) Check T4' against MAC {Kproof} (F || KsignA|| KencA)
After the key exchange is completed, the security of messages no longer depends on the
secrecy of the passphrase or the ephemeral key pairs. The public keys for encryption and
signing are stored for each contact and the contact is confirmed as the owner of the
private keys.