SecuSUITE for Enterprise Security Note

SecuSUITE for Enterprise Security Note - BlackBerry · Page 3 of 22 About this guide SecuSUITE for Enterprise is the first cross-platform solution for secure mobile communication


SecuSUITE for Enterprise

Security Note


Contents

About this guide
System requirements
Using SecuSUITE for Enterprise
How SecuSUITE for Enterprise protects your voice communication and text messages
  SecuSUITE for Enterprise components
    SecuSUITE infrastructure
    Components
    Customer requirements
  SecuSUITE for Enterprise procedures
    Overview
    User account creation in the administration portal
    Initial app registration
      User perspective of the initial app registration
      Initial app registration details
    Key establishment for secure calls
    SecuSUITE secure text messaging
  SecuSUITE for Enterprise security mechanisms
    SecuSUITE app secure keystore
    App authentication
      Secure Contact
    PKI
      SCA server-embedded CA
      SCA server certificates
      SIP server certificates
      App certificates
  Key technical data
    Mobile device platforms
    Bearers and voice codec
    Layers of encryption
    System Performance


About this guide

SecuSUITE for Enterprise is the first cross-platform solution for secure mobile communication. It provides end-to-end secure mobile voice communication and text messaging using IP-based mobile data connections, such as EDGE, UMTS/HSPA, LTE, and Wi-Fi.

SecuSUITE for Enterprise uses the proven anti-eavesdropping solution from SecuSUITE for BlackBerry 10, a solution deployed by governments, and pushes it further to additional mobile device platforms and standards, such as NIAP protection profiles and Suite B cryptography. This guide describes how SecuSUITE for Enterprise ensures secure voice communication and text messaging for users of BlackBerry 10, iOS, and Android devices.

This guide is intended for senior IT professionals who are responsible for evaluating the product and planning its deployment, as well as anyone who’s interested in learning more about SecuSUITE for Enterprise security features. After you read this guide, you should understand how SecuSUITE for Enterprise protects your voice communication and text messaging.


System requirements

To use SecuSUITE for Enterprise, you can choose from mobile devices with the following operating systems:

Device | Requirements
BlackBerry 10 | BlackBerry 10 OS version 10.3.2 and later (Version 10.3.2 and later provides full integration in the phone app.) Work space only and Work and personal - Regulated activation types are supported. On regulated devices, the app runs in the work space.
iOS | iOS 7 and later
Android | Android 4.3 and later

To manage users with the SecuSUITE for Enterprise administration portal, only a computer with internet access is required.

Users can download the SecuSUITE for Enterprise app from the online store for their devices, or an administrator can push the app to devices using an EMM solution (for example, BES12). To use SecuSUITE for Enterprise with iOS and Android devices only, an EMM solution is not required.

Your organization can purchase the required SecuSUITE for Enterprise annual subscriptions from BlackBerry or an authorized reseller. For more information, visit http://uk.blackberry.com/enterprise/products/secusuite-enterprise.html.


Using SecuSUITE for Enterprise

SecuSUITE for Enterprise is BlackBerry’s solution for organizations that want to achieve secure mobile communication across multiple mobile device platforms.

SecuSUITE provides end-to-end secure mobile voice communication and text messaging, using IP-based mobile data connections such as EDGE, UMTS/HSPA, LTE, and Wi-Fi.

Voice and data communication are encrypted using AES-128.

Supported mobile device platforms are iOS, Android, and BlackBerry 10. Further platforms are considered for future releases based on market need.

SecuSUITE is a software solution. Its security features on the one hand and the usability, performance, and simplicity in deployment and maintenance on the other hand are designed to meet the needs of the organization, the administrator, and the end user.

Mobile devices with the SecuSUITE for Enterprise app communicate using an independent and secure infrastructure provided by Secusmart. The infrastructure is hosted by BlackBerry.


How SecuSUITE for Enterprise protects your voice communication and text messages

• End-to-end encrypted voice communication over IP (based on the NIAP Protection Profile for Voice over IP applications and Suite B cryptography) using AES-128 for voice encryption and static ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for key agreement.
• Secure Text Messaging, protected by S/MIME encryption using static ephemeral ECDH (ECDHE) for key agreement. The text messages are transferred in standard SIP messages through the TLS connection to the SIP server. If a contact is temporarily unreachable, the server stores and later forwards the message to the recipient.
• Self-contained SecuSUITE for Enterprise app on the mobile device that provides its own secure storage for keys and certificates as configuration and metadata:
    • Static and ephemeral key pairs are stored in the secure storage (keystore) and all critical cryptographic operations related to the private keys are executed within the keystore engine.
    • Keying material is extracted from the secure storage only when needed for a cryptographic operation and is removed from RAM afterwards.
    • Sensitive data such as app configuration is stored in encrypted format and can only be accessed by the legitimate user of the app.
    • The content encryption key for the secure storage is protected by a 256-bit AES encryption key that is derived from the application’s user password, which is known only to the end user.
    • On BlackBerry 10 devices, the solution uses the existing work data protection.
• Secure authentication of the caller and callee based on S/MIME user certificates exchanged in the key agreement phase.
• Protected registration process and authentication of the app using encrypted S/MIME messages that are transferred via SIP messages between the backend (SCA server) and the app. Additionally, the TCP connection between the app and backend is secured by a TLS v1.2 connection.
• Secure Session Initiation Protocol (SIP) by exchanging SIP messages with the SIP server through a TLS v1.2 connection, providing encryption and mutual authentication to the backend infrastructure. The SIP stack on the mobile device is an integral part of the app.


SecuSUITE for Enterprise components

The components of the SecuSUITE for Enterprise solution are:

• A web portal for managing app users: The SecuSUITE for Enterprise administration portal allows a subscriber to create and edit users who can download and register the app on their devices.
  To support BlackBerry 10 device users, BES12 or BES10 is required.
• SecuSUITE for Enterprise app: The app provides end-to-end encrypted voice communication and text messaging, using data connections like EDGE, UMTS/HSPA, LTE, or Wi-Fi.
• Mobile devices (BlackBerry 10, Android, iOS) running the SecuSUITE for Enterprise app
• Independent, secure SecuSUITE for Enterprise infrastructure hosted by BlackBerry: The infrastructure consists of the SCA, SIP, and RTP proxy servers, including the administration portal.

SecuSUITE infrastructure

The SecuSUITE infrastructure is hosted on BlackBerry premises.

The SecuSUITE infrastructure is responsible for:

• Subscriber management
• Initial authentication of the SecuSUITE for Enterprise app on devices
• Establishing secure connections between app users
• Forwarding end-to-end encrypted voice stream and text messaging data


Components

The fundamental logical components of the SecuSUITE infrastructure and their responsibilities are:

Secure Client Authentication (SCA) server: Every participating device must register to the SCA first. The SCA server authenticates users and enrolls required app and user certificates as well as app configuration and SIP credentials in a secure way. Only devices that have been enrolled by the SCA server can connect to the SIP server and establish end-to-end encrypted communication to other SecuSUITE for Enterprise users. At the start of the initial registration process, the app initiates a TLS connection to the SCA server (server authentication). The SCA server authenticates the app using activation and validation codes that are provided to the end user using a second channel. The app generates keys and corresponding certificate signing requests and sends these requests to the SCA server. The SCA server creates the app certificates, signs them, and sends these back to the app, together with the app’s SIP configuration. The permanent connections established subsequently to the SCA server and SIP server are mutually authenticated TLS connections. The essential element of the SCA is the built-in PKI that creates all certificates required by the SecuSUITE for Enterprise app.


Session Border Controller (SBC) including SIP server and RTP proxy:

• Signaling: The Session Initiation Protocol (SIP) together with TLS is used to establish the secure connection between the mobile devices. The use of a TLS connection, providing encryption and mutual authentication, ensures that the devices connect with authorized SIP servers only and phone numbers that users call are protected against disclosure.
• Media data: The Real-time Transport Protocol proxy actually relays the encrypted data stream between two communication parties.

Customer requirements

• SecuSUITE for Enterprise annual subscription purchased from the BlackBerry Enterprise Store
• Computer with internet access to log in to the administration portal. The administration portal provides functions to manage the mobile users. Administrators access the administration portal, which is part of the infrastructure, using HTTPS.
• For BlackBerry 10 devices, BES12 or BES10
• Users’ devices (iOS, Android, or BlackBerry 10 devices are supported).

SecuSUITE for Enterprise procedures

Overview

• An administrator creates user accounts in the administration portal.
• The SecuSUITE for Enterprise app registers with the SecuSUITE server.
• The SecuSUITE app establishes a continuous connection to the SIP server to make and receive secure calls in SecuSUITE.
• The SecuSUITE app sets up and terminates secure calls.
• The SecuSUITE app sends and receives secure text messages.

User account creation in the administration portal

1. The administrator creates a new user account in the administration portal with the following information:
    • First and last name
    • Mobile number
    • Email address
2. The administrator invites the user.
    • An invitation email is sent to the user.
    • The invitation email includes an activation code that allows the user to start the registration process.

Initial app registration

Purpose: The SecuSUITE for Enterprise app receives SIP settings and certificates so that it can set up and receive secure calls.

Actors: App, SCA server with embedded CA, database

When: App connects to the SecuSUITE backend for the first time

User perspective of the initial app registration

1. Install the SecuSUITE for Enterprise app from an online store.

2. Open the SecuSUITE app.

3. On iOS and Android devices, set the password for the app. The password must contain:
    • 9 characters
    • One uppercase and one lowercase character
    • One numeric character

4. Enter the unique activation code (received in an email).

5. Wait for an SMS message with a validation code (sent by the SCA server).

6. Enter the validation code (Android devices automatically fetch the code from the SMS message).

7. Wait for the initial registration process to complete.


Figure 1: App Activation showing the role of the Administration Portal

Initial app registration details

1. The SecuSUITE for Enterprise app running on a mobile device initiates a TLS connection to the SCA server (the first connection is server-authenticated TLS v1.2).
2. The SCA server authenticates the app on the SIP layer (digest access authentication).
3. The app generates two temporary key pairs (one for authentication, one for encryption) and sends the temporary public keys to the SCA server.
4. The SCA server sends two S/MIME certificates (one with the SCA server's public key for authentication, one with the SCA server's public key for encryption) to the app.
5. The SCA server sends initial app configuration data.
6. The SCA server sends an SMS message with OTP to the app.
7. The following certificates are enrolled:
    • VoIP TLS certificate
    • VoIP S/MIME authentication certificate
    • VoIP S/MIME encryption certificate
    • SCA S/MIME authentication certificate
    • SCA S/MIME encryption certificate
    • SCA TLS certificate
   The certificates are enrolled in the following way (using TLS certificate as an example):
    • The app requests and gets CSR generation information (“certificate template”) from the SCA server.
    • The app creates an EC key pair, prepares a certificate signing request for the VoIP TLS Certificate, and sends this to the SCA server.
    • The SCA server’s embedded CA creates and signs the certificate.
    • The SCA server returns the signed VoIP TLS Certificate to the app.
8. The app requests and gets its SIP settings from the SCA server.


Key establishment for secure calls

The key establishment for secure calls is based on SDES/SRTP, which defines that SRTP keys are transmitted within the SIP INVITE flow within the SDES crypto attribute. To enable end-to-end encrypted and authenticated transmission of the SRTP keys, the crypto attribute is protected by an encrypted and signed S/MIME container using ECDHE to agree on shared crypto secrets.

To apply the ECDHE scheme during call set-up, the public S/MIME certificates are exchanged as well during the SIP session initiation.

1. Alice sends a SIP INVITE message to Bob.
   Alice’s SIP INVITE message includes Alice's public VoIP S/MIME encryption certificate.
2. Bob’s app generates its Uplink SRTP key and related salt and creates an S/MIME container based on:
    • An ephemeral key pair
    • Alice’s public S/MIME encryption key
    • Bob’s private S/MIME signing key
3. Bob's device sends a SIP 200 OK message that includes:
    • Bob's public VoIP S/MIME encryption certificate
    • Bob’s SDP body
    • Bob’s encrypted SRTP key and ephemeral public key (within the S/MIME container)
4. Alice’s app generates its Uplink SRTP key and related salt and creates an S/MIME container based on:
    • An ephemeral key pair
    • Bob’s public S/MIME encryption key
    • Alice’s private S/MIME signing key
5. Alice’s app returns the SIP ACK message that includes:
    • Alice’s SDP message
    • Alice’s encrypted SRTP key and ephemeral public key (both within the S/MIME container)
6. Alice and Bob decrypt the received S/MIME container and use the resulting SRTP key to decrypt the incoming SRTP voice stream.


SecuSUITE secure text messaging

In addition to secure voice, the SecuSUITE for Enterprise app provides end-to-end encrypted text messaging capabilities. The message payloads are transmitted in encrypted and signed S/MIME containers using one-pass ECDHE for key establishment (similar to the voice encryption).

Text messages are first signed using ECDSA and then encapsulated to an (encrypted) EnvelopedData container according to RFC 5751/6318.


SecuSUITE for Enterprise security mechanisms

SecuSUITE app secure keystore

The SecuSUITE for Enterprise app stores secrets permanently in a secure keystore. The stored secrets are encrypted and can be authenticated.

The keystore holds:

• A content encryption key for securing other app data (for example, the SIP authentication password)
• Private keys for decryption and signing
• Public certificates keystore

The keystore engine derives the encryption and authentication keys from the application password using Password-Based Key Derivation Function 2 (PBKDF2) according to RFC 2898, 2000.

For encryption, the engine applies AES 256 in CBC mode. The related initialization vector (IV) is stored together with the encrypted data.

For message authentication, the app applies HMAC-SHA256 to the encrypted data plus the IV and stores the resulting MAC tag together with the encrypted data and the IV in the corresponding keystore instance.

The app password that the user creates during the app registration process secures the keystore. When the keystore is locked, neither secure calls nor access to sensitive data in the app is possible.

An auto PIN procedure decreases the number of password inputs the user has to execute for opening the secure keystore again. Ideally, the user needs to enter the password only once when the app starts up because the auto PIN procedure allows the app to open the locked domain without user interaction.

On BlackBerry 10 devices, the keystore is stored in the protected work space.
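
The keystore construction described above (PBKDF2-derived keys, AES-256 in CBC mode, HMAC-SHA256 over the IV and ciphertext) can be followed in the Go code below. It is an added example, not BlackBerry or Secusmart code. The iteration count, salt length, record layout, PKCS#7 padding, and the use of HMAC-SHA256 as the PBKDF2 PRF are assumptions, since the guide does not state them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	iterations = 100000 // assumed work factor; the guide states none
	saltLen    = 16     // assumed salt length in bytes
)

// ErrAuth is returned for a wrong password and for a modified record alike.
var ErrAuth = errors.New("keystore: wrong password or modified record")

// pbkdf2SHA256 is PBKDF2 (RFC 2898) with HMAC-SHA256 as the PRF (assumed PRF).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys stretches the password into an AES-256 key and a separate HMAC key.
func deriveKeys(password string, salt []byte) (cipher.Block, []byte, error) {
	k := pbkdf2SHA256([]byte(password), salt, iterations, 64)
	block, err := aes.NewCipher(k[:32])
	return block, k[32:], err
}

// Seal returns salt || IV || AES-256-CBC ciphertext || HMAC-SHA256 tag.
func Seal(password string, secret []byte) ([]byte, error) {
	rec := make([]byte, saltLen+aes.BlockSize) // fresh random salt and IV
	if _, err := rand.Read(rec); err != nil {
		return nil, err
	}
	block, macKey, err := deriveKeys(password, rec[:saltLen])
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(secret)%aes.BlockSize // PKCS#7 padding
	pt := append(append([]byte(nil), secret...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, rec[saltLen:]).CryptBlocks(ct, pt)
	rec = append(rec, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(rec[saltLen:]) // the tag covers the IV and the ciphertext
	return mac.Sum(rec), nil
}

// Open checks the tag first and decrypts only when it matches.
func Open(password string, rec []byte) ([]byte, error) {
	bodyLen := len(rec) - saltLen - sha256.Size // IV plus ciphertext
	if bodyLen < 2*aes.BlockSize || bodyLen%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	salt, body, tag := rec[:saltLen], rec[saltLen:saltLen+bodyLen], rec[saltLen+bodyLen:]
	block, macKey, err := deriveKeys(password, salt)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, ErrAuth // keystore stays locked, nothing is decrypted
	}
	pt := make([]byte, bodyLen-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	// The padding byte is trustworthy here because the tag has been verified.
	return pt[:len(pt)-int(pt[len(pt)-1])], nil
}

func main() {
	rec, _ := Seal("Passw0rd-Nine", []byte("constructed SIP password"))
	_, err := Open("Passw0rd-Nin3", rec)
	pt, _ := Open("Passw0rd-Nine", rec)
	fmt.Printf("wrong password: %v\nright password: %q\n", err, pt)
}
```

Verifying the tag before decrypting means a wrong password and a modified record are indistinguishable to the caller, and CBC padding is never inspected on unauthenticated data.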


App authentication

Secure Contact

1. Bob calls Alice for the first time using the SecuSUITE for Enterprise app.

2. When the call is set up, Bob (app B) sends the VoIP encryption certificate to Alice (app A).

3. From the certificate Alice knows that Bob is a SecuSUITE user because Bob possesses the corresponding private key. Alice cannot identify Bob from the certificate because the SecuSUITE certificates only certify users as SecuSUITE users but not the individual identity of a user [1]. Alice can receive calls from any legitimate SecuSUITE user.

4. When Alice sends her SRTP master uplink key and salt to Bob, she needs to encrypt them. With the static public key in Bob's certificate, Alice creates an ephemeral DH secret (together with Alice’s private key from a key pair which Alice has just created for this message only) that is used in the encryption process.

5. Bob can only calculate the same DH secret if Bob has the private key for the public key from the certificate that Bob sent to Alice.

6. Without the DH secret, Bob cannot decode Alice's SRTP master uplink key and salt, so he cannot decode Alice’s SRTP/SRTCP stream. Therefore, Alice can be sure that only legitimate users of SecuSUITE can receive her voice data.

7. A secure call can therefore be established only when both participants have corresponding S/MIME encryption certificates and private keys (with the certificates certified by the SCA server-embedded CA).

8. But the ability to set up a call does not prove an identity. So how does Alice know that she is really talking to Bob?

9. From the evolving conversation, Alice can confirm that it is Bob on the other end: For example, she can identify his voice, and the person on the line is talking like Bob, behaving naturally and reacting immediately to unforeseeable questions.

10. If Alice has never met Bob before, she might just believe that Bob is who he claims to be because the conversation gives enough evidence.

11. After the call ends, Alice can save Bob as a secure contact. This binds the received unique certificate to Bob's identity in Alice's contact list for future calls.

12. When Alice receives a call from Bob next time, the SIP INVITE will contain Bob’s VoIP S/MIME encryption certificate. The app can check the certificate against the stored certificates in Alice’s secure contact list, and if there is a match, Bob’s contact name can be displayed.

[1] Actually app certificates contain some user identity information in the Subject Alternative Name (e.g. “[email protected]”)
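
Steps 4 to 6 above and the "Key establishment for secure calls" procedure both rest on one-pass ECDH toward the peer's static certificate key. The Go code below is an added example, not BlackBerry or Secusmart code: Alice signs and wraps SRTP key material for Bob, and a peer without Bob's private key cannot unwrap it. The `Container` struct, the SHA-256 key derivation and AES-128-GCM stand in for the CMS encoding and algorithms of RFC 5751/6318 and are assumptions, as are all names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const srtpKeyLen = 16 + 14 // AES_CM_128_HMAC_SHA1_80: master key plus salt

// Container stands in for the S/MIME container carried in the SIP message.
type Container struct {
	EphemeralPub []byte // sender's one-time P-256 public key
	Sealed       []byte // AES-128-GCM over key material || ECDSA signature
}

// kek turns the ECDH secret into an AES-128-GCM key (assumed KDF: SHA-256).
func kek(shared, ephPub, staticPub []byte) (cipher.AEAD, error) {
	sum := sha256.Sum256(bytes.Join([][]byte{shared, ephPub, staticPub}, nil))
	block, _ := aes.NewCipher(sum[:16]) // a 16-byte key cannot fail
	return cipher.NewGCM(block)
}

// Wrap signs the key material, then encrypts it to the peer's static public
// key with a key pair created for this message only (one-pass ECDH).
func Wrap(peerStatic *ecdh.PublicKey, signer *ecdsa.PrivateKey, km []byte) (*Container, error) {
	if len(km) != srtpKeyLen {
		return nil, errors.New("unexpected SRTP key material length")
	}
	digest := sha256.Sum256(km)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peerStatic)
	if err != nil {
		return nil, err
	}
	aead, err := kek(shared, eph.PublicKey().Bytes(), peerStatic.Bytes())
	if err != nil {
		return nil, err
	}
	// The key is used for exactly one message, so an all-zero nonce is safe.
	nonce := make([]byte, aead.NonceSize())
	sealed := aead.Seal(nil, nonce, append(append([]byte(nil), km...), sig...), nil)
	return &Container{eph.PublicKey().Bytes(), sealed}, nil
}

// Unwrap recomputes the secret from the static private key. A peer that only
// presents the certificate, without its private key, fails at aead.Open.
func Unwrap(static *ecdh.PrivateKey, senderSig *ecdsa.PublicKey, c *Container) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(c.EphemeralPub) // rejects invalid points
	if err != nil {
		return nil, err
	}
	shared, err := static.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := kek(shared, c.EphemeralPub, static.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, make([]byte, aead.NonceSize()), c.Sealed, nil)
	if err != nil || len(pt) <= srtpKeyLen {
		return nil, errors.New("cannot decrypt container")
	}
	digest := sha256.Sum256(pt[:srtpKeyLen])
	if !ecdsa.VerifyASN1(senderSig, digest[:], pt[srtpKeyLen:]) {
		return nil, errors.New("signature does not match sender key")
	}
	return pt[:srtpKeyLen], nil
}

// demo runs the exchange with constructed keys and returns the three outcomes.
func demo() (recovered bool, impostorErr, forgedErr error) {
	bob, _ := ecdh.P256().GenerateKey(rand.Reader)      // key behind Bob's certificate
	impostor, _ := ecdh.P256().GenerateKey(rand.Reader) // lacks Bob's private key
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stranger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	km := make([]byte, srtpKeyLen) // constructed SRTP master key and salt
	rand.Read(km)
	c, _ := Wrap(bob.PublicKey(), alice, km)
	got, _ := Unwrap(bob, &alice.PublicKey, c)
	_, impostorErr = Unwrap(impostor, &alice.PublicKey, c)
	_, forgedErr = Unwrap(bob, &stranger.PublicKey, c)
	return bytes.Equal(got, km), impostorErr, forgedErr
}

func main() { fmt.Println(demo()) }
```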

PKI

SCA server-embedded CA

The CA is embedded in the SCA server. The first-level CA (root CA), the SCA server-embedded CA certificate, is self-signed.

The CA provides information (XML messages) to the app to create app certificates during the Initial App Registration procedure. It signs certificate signing requests (CSR) which the app has created during the Initial App Registration procedure.

SHA-256 is used for hashing, and ECDSA is used for signing.

SCA server certificates

The SCA server-embedded CA certificate is:

• Configured in SCA server and SIP server
• Hardcoded in the app
• Self-signed (the SCA server-embedded CA is first-level CA)

The SCA server has certificates signed by SCA server-embedded CA for:

• SCA TLS
• S/MIME authentication
• S/MIME encryption

SIP server certificates

The SIP server has certificates signed by SCA server-embedded CA for VoIP TLS. They are used by the app to authenticate the SIP server (similar to SCA server).

App certificates

The SecuSUITE for Enterprise app has certificates signed by the SCA server-embedded CA for:

• SCA TLS
• VoIP TLS
• SCA S/MIME authentication
• SCA S/MIME encryption
• VoIP S/MIME authentication
• VoIP S/MIME encryption

Key technical data

Mobile device platforms

Platform | Supported versions
BlackBerry 10 | 10.3.2 (and later) to show the full integration in the phone app. Work space only or regulated, in case of regulated the app only runs in the work perimeter.
iOS | 7 (and later)
Android | 4.3 (and later)

Bearers and voice codec

Bearer type | VoIP over EDGE, 3G, HSPA, LTE, Wi-Fi
Bearer prioritization | Wi-Fi over mobile bearer: as per mobile device settings

Layers of encryption

Connection | Layer | Comment
Device to SCA server | TLS | Server authenticated TLS v1.2 for initial connection [2], mutually authenticated TLS v1.2 for subsequent permanent connection. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite as defined in RFC 5289 with ECC NIST P-256 curve as defined in FIPS PUB 186-4
Device to SCA server | S/MIME | ECDHE S/MIME scheme according to RFC 5751/6318 for encryption and signing of all SCA protocol messages
Device to SIP server | TLS | Mutually authenticated TLS v1.2. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite as defined in RFC 5289 with ECC NIST P-256 curve as defined in FIPS PUB 186-4
Device to SIP server | SIP Digest Authentication | SIP digest authentication as defined in RFC 3261
Device to device | SDES | Security Descriptions for Media Streams (SDES) as defined in RFC 4568 to provide key information for the SRTP connection. The SDES body is furthermore encrypted using S/MIME ECDHE key agreement according to RFC 5751/6318
Device to device | SRTP | Secure Real-Time Transport Protocol (SRTP) as defined in RFC 3711, applying AES_CM_128_HMAC_SHA1_80 cipher suite as defined in RFC 4568 for voice stream end-to-end encryption
Device to device | S/MIME | ECDHE S/MIME scheme according to RFC 5751/6318 for text message end-to-end encryption and signing

[2] Note: Apps are authenticated via the activation and validation code

System Performance

Measure | Value
Device-to-device voice delay | < 350 ms
Call setup and key agreement | < 4 s


Legal notice

©2016 BlackBerry. All rights reserved. Trademarks, including but not limited to BLACKBERRY, EMBLEM DESIGN, SECUSMART, SECUSMART & DESIGN, and SECUSUITE are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, the exclusive rights to which are expressly reserved.

Android and Google Play are trademarks of Google Inc. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. LTE is a trademark of European Telecommunications Standards Institute (ETSI). UMTS is a trademark of European Telecommunications Standards Institute (ETSI). Wi-Fi is a trademark of the Wi-Fi Alliance.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.

BlackBerry Limited

2200 University Avenue East

Waterloo, Ontario

Canada N2K 0A7

BlackBerry UK Limited

200 Bath Road

Slough, Berkshire SL1 3XE

United Kingdom

Published in Canada