S/MIME-protected messages
S/MIME-protected message basics
About signing and encrypting messages
If your email account uses a BlackBerry® Enterprise Server that supports this feature, you can digitally sign or encrypt messages to add another
level of security to email messages and PIN messages that you send from your BlackBerry device. Digital signatures are designed to help
recipients verify the authenticity and integrity of messages that you send. When you digitally sign a message using your private key, recipients
use your public key to verify that the message is from you and that the message has not been changed.
Encryption is designed to keep messages confidential. When you encrypt a message, your device uses the recipient’s public key to encrypt the
message. Recipients use their private key to decrypt the message.
To send an encrypted PIN message, you must have a PIN and an email address for the contact in your contact list. Your device uses the email
address in your contact list to locate a PGP® key or certificate for the contact.
Sign or encrypt a message
You can sign or encrypt email messages and PIN messages.
1. When composing a message, change the Encoding field.
2. If necessary, change the Classification field.
Encrypt a message with a pass phrase
Your BlackBerry® device can encrypt email messages and PIN messages using a pass phrase shared between the sender and recipient.
1. In an unsent message, set the Encoding field to Encrypt or Sign and Encrypt.
2. Press the Menu key.
User Guide
Messages
77
3. Click Options.
4. Set the Use Password-Based Encryption field to Yes.
5. In the Allowed Content Ciphers section, select the check box beside one or more allowed content ciphers.
6. If you are signing the message, in the Signing Options section, select a certificate.
7. Press the Menu key.
8. Click Save.
9. Type your message.
10. Press the Menu key.
11. Click Send.
12. Type a pass phrase to encrypt the message.
13. Confirm the pass phrase.
14. Click OK.
Using a secure method, let the recipient know what the pass phrase is.
Attach a certificate to a message
You can attach a certificate to email messages and PIN messages.
1. When composing a message, press the Menu key.
2. Click Attach Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Click Continue.
Download the certificate used to sign or encrypt a message
If a certificate is not included in a received message or is not already stored in the key store on your BlackBerry® device, you can download the
certificate.
1. In a message, highlight the encryption indicator or a digital signature indicator.
2. Press the Menu key.
3. Click Fetch Sender’s Certificate.
Add a certificate from a message
1. In a message, highlight a digital signature indicator.
2. Press the Menu key.
3. Click Import Sender’s certificate.
Add a certificate from an attachment
1. In a message, click the certificate attachment.
2. Click Retrieve Certificate Attachment.
3. Click the certificate.
4. Click Import Certificate.
Attachment indicators in S/MIME-protected messages
• The message includes a certificate attachment.
• The message includes multiple certificate attachments.
• The message includes a certificate server attachment.
Add connection information for a certificate server from a message
1. In a message, highlight the certificate server indicator.
2. Press the Menu key.
3. Click Import Server.
View the certificate used to sign or encrypt a message
1. In a message, highlight the encryption status indicator or a digital signature indicator.
2. Press the Menu key.
3. Click Display Sender's Certificate or Display Encryption Certificate.
View encryption information for a weakly encrypted message
1. In a weakly encrypted message, highlight the encryption status indicator.
2. Press the Menu key.
3. Click Encryption Details.
S/MIME-protected message status
Digital signature indicators for S/MIME-protected messages
• Your BlackBerry® device verified the digital signature.
• Your device cannot verify the digital signature.
• Your device requires more data to verify the digital signature.
• Your device trusts the certificate chain.
• The sender’s email address does not match the email address of the certificate subject, or the sender’s certificate is revoked, is not trusted, cannot be verified, or is not on your device.
• The certificate is weak, the certificate status is not current, or your device requires more data to verify the trust status of the certificate.
• The sender’s certificate is expired.
Encryption status indicators
Your administrator sets whether messages that you receive are considered to be strong or weak.
• The message is strongly encrypted.
• The message is weakly encrypted.
Check the status of a certificate or certificate chain
If a certificate is included in a received message, or is already stored in the key store on your BlackBerry® device, you can check the status of
the sender's certificate, or you can check the status of the sender's certificate and all other certificates in the certificate chain.
1. In a message, highlight a digital signature indicator.
2. Press the Menu key.
3. Click Check Sender’s Certificate or Check Sender’s Cert Chain.
S/MIME-protected message options
Change your signing or encryption certificate
Your BlackBerry® device uses your encryption certificate to encrypt messages in the sent items folder and includes your encryption certificate
in messages that you send so that recipients can encrypt their reply messages.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME.
4. In the Signing Options section or the Encryption Options section, change the Certificate field.
5. Press the Menu key.
6. Click Save.
Change options for downloading attachments in encrypted messages
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME.
4. Perform one of the following actions:
• To download attachments in encrypted messages automatically, change the Retrieve Encrypted Attachment Information field to
Automatically.
• To download attachments in encrypted messages manually, change the Retrieve Encrypted Attachment Information field to
Manually.
• To prevent your BlackBerry® device from downloading attachments in encrypted messages, change the Retrieve Encrypted
Attachment Information field to Never.
5. Press the Menu key.
6. Click OK.
Change the default signing and encryption option
Your BlackBerry® device is designed to use the default signing and encryption option when you send a message to a contact that you have not
sent a message to or received a message from previously. If you have sent a message to or received a message from the contact previously, your
device tries to use the signing and encryption option that was used for the last message.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME or PGP.
4. Change the Default Encoding field.
5. Press the Menu key.
6. Click Save.
About message classifications
If your BlackBerry® device is associated with an email account that uses a BlackBerry® Enterprise Server that supports this feature and your
administrator turns on message classifications, the BlackBerry Enterprise Server applies a minimum set of security actions to each message
that you compose, forward, or reply to, based on the classification that you assign to the message. Your administrator specifies the message
classifications that you can use.
If you receive a message that uses message classifications, you can view the abbreviation for the classification in the subject line of the message
and the full description for the classification in the body of the message. You can also view the abbreviation and full description for the
classification for a sent message in the sent items folder.
Change the default message classification
To perform this task, your email account must use a BlackBerry® Enterprise Server that supports this feature and your administrator must turn
on message classifications.
Your BlackBerry device is designed to use the default message classification when you send a message to a contact that you have not sent a
message to or received a message from previously. If you have sent a message to or received a message from the contact previously, your device
tries to use the message classification that was used for the last message.
1. On the Home screen or in a folder, click the Options icon.
2. Click Advanced Options.
3. Click Default Services.
4. Change the Default Classification field.
5. Press the Menu key.
6. Click Save.
Change the size of S/MIME indicators in messages
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME.
4. Change the Message Viewer Icons field.
5. Press the Menu key.
6. Click Save.
Change the encryption algorithms for S/MIME-protected messages
If a message has multiple recipients, your BlackBerry® device uses the first selected encryption algorithm in the list that all recipients are known
to support.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME.
4. Select the check box beside one or more encryption algorithms.
5. Press the Menu key.
6. Click Save.
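The selection rule described at the start of this task (the first selected algorithm that all recipients are known to support), sketched in Python as an added example; it is not BlackBerry code. The function name, the cipher labels and the table of known recipient support are constructed for illustration, and the guide does not say what the device does when no selected algorithm is common to all recipients, so the sketch returns None in that case.

```python
from typing import Dict, List, Optional, Set, Tuple


def choose_cipher(selected: List[str],
                  known_support: Dict[str, Set[str]],
                  recipients: List[str]
                  ) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Pick the first selected cipher that every recipient is known to support.

    selected:      ciphers ticked by the sender, in list order.
    known_support: lower-cased address -> ciphers that recipient is known
                   to support; an absent address means nothing is known.
    Returns (cipher, ruled_out), where ruled_out maps each cipher that was
    passed over to the recipients that are not known to support it.
    """
    ruled_out: Dict[str, List[str]] = {}
    for cipher in selected:
        lacking = [r for r in recipients
                   if cipher not in known_support.get(r.lower(), set())]
        if not lacking:
            return cipher, ruled_out
        ruled_out[cipher] = lacking
    # Assumption: no common cipher is reported to the caller as None.
    return None, ruled_out


# Constructed sample data (illustrative cipher labels and addresses).
SELECTED = ["AES-256", "AES-128", "Triple DES"]
KNOWN = {
    "alice@example.com": {"AES-256", "AES-128", "Triple DES"},
    "bob@example.com": {"AES-128", "Triple DES"},
    "carol@example.com": {"Triple DES", "RC2-40"},
}

if __name__ == "__main__":
    cases = (
        ["alice@example.com"],
        ["alice@example.com", "Bob@example.com"],
        ["alice@example.com", "bob@example.com", "carol@example.com"],
        ["alice@example.com", "dave@example.com"],  # nothing known for dave
    )
    for rcpts in cases:
        cipher, ruled_out = choose_cipher(SELECTED, KNOWN, rcpts)
        print(rcpts, "->", cipher, ruled_out)
```

Adding a single recipient with a shorter support list lowers the algorithm used for every recipient of that message, so the order and contents of the selected list decide the weakest encryption a multi-recipient message can receive.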
Request delivery notification for signed S/MIME-protected messages
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME.
4. Change the Request S/MIME Receipts field to Yes.
5. Press the Menu key.
6. Click Save.
Turn off the prompt that appears before an S/MIME-protected message is truncated
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME.
4. Change the Warn about truncated messages field to No.
5. Press the Menu key.
6. Click Save.
To turn on the prompt again, change the Warn about truncated messages field to Yes.
Turn off the prompt that appears when you use an S/MIME certificate that is not recommended for use
1. On the Home screen or in a folder, click the Options icon.
2. Click Security Options.
3. Click S/MIME.
4. Change the Warn about problems with my certificates field to No.
5. Press the Menu key.
6. Click Save.
To turn on the prompt again, change the Warn about problems with my certificates field to Yes.
S/MIME-protected message troubleshooting
Some signing and encryption options are not available on my device
Try performing the following actions:
• Verify that the email account that you are using supports all signing and encryption options.
• If you use message classifications, verify that the message classification supports the signing or encryption options that you want. Try
using a different message classification.
I cannot open an attachment in an encrypted message
The attachment information might not be available on the BlackBerry® Enterprise Server, your administrator might have set options to prevent
you from opening attachments in encrypted messages, or you might have received the message from an email account that does not support
attachments in encrypted messages.
You cannot open an attachment in a PGP® protected message that was encrypted using the OpenPGP format by an IBM® Lotus Notes® client
working with PGP® Desktop Professional or that was encrypted by the PGP® Universal Server.