
I have a custom Android device. I need to protect the data-at-rest with a FIPS certified (140-2 Level 1) cryptographic module. I have several questions:

  1. Does such a cryptographic module exist in open source?
  2. While saving data in SQLite, my custom application will use the certified cryptographic module. What happens if the user downloads some application which does not use the certified cryptographic module to store data?
  3. Is there a ballpark $ and time estimate for getting a cryptographic module certified? Can I start the certification process directly with any of these labs (http://csrc.nist.gov/groups/STM/testing_labs/index.html) or do I need to go through some 3rd party?

TIA

bostonjava

1 Answer

  1. OpenSSL has been FIPS certified. But if you are going through FIPS certification on your device, you can use whatever crypto library you want. During the certification process, you will undergo algorithm testing on the crypto library's algorithms, and that will certify the library for your device. You may have to modify the library to make it FIPS compliant, even if you use OpenSSL.

  2. Then it's the user's fault, not yours. You'll publish in your public security policy that your device is FIPS compliant if the user uses only FIPS-certified components.

  3. $40,000+. You don't need a 3rd party, but it's helpful if you've never done it before and they'll also answer questions like these for you. Add another $40,000+ for the third party. Expect a minimum of 6 months, and this is after algorithm and functional testing of your module.

indiv
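The algorithm testing mentioned in point 1 is built on known-answer tests, and a FIPS 140-2 module must also run such tests on itself at power-up and refuse all cryptographic services if one fails. The following added example (not from the question or the answer) sketches that gate in Python using only standard-library hashes; the CryptoModule class, the APPROVED_HASHES list and the injectable sha256_hex parameter are assumptions made for illustration.

```python
import hashlib
import hmac

# Published known-answer vectors (inputs are the standard test inputs):
# FIPS 180-4 example SHA-256("abc") and RFC 4231 HMAC-SHA-256 test case 2.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_TC2 = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"

# Hypothetical security-policy list of approved digest algorithms.
APPROVED_HASHES = {"sha256", "sha384", "sha512"}


class SelfTestFailure(RuntimeError):
    """Raised when the module is in (or enters) the FIPS error state."""


def run_self_tests(sha256_hex=lambda d: hashlib.sha256(d).hexdigest()):
    """Run power-up known-answer tests. sha256_hex is injectable so that a
    broken implementation can be exercised; the default is the real one."""
    return {
        "sha256": hmac.compare_digest(sha256_hex(b"abc"), SHA256_ABC),
        "hmac-sha256": hmac.compare_digest(
            hmac.new(b"Jefe", b"what do ya want for nothing?", "sha256").hexdigest(),
            HMAC_TC2),
    }


class CryptoModule:
    """Gate that refuses every service until all KATs have passed."""

    def __init__(self):
        self.operational = False

    def power_up(self, **kat_overrides):
        results = run_self_tests(**kat_overrides)
        self.operational = all(results.values())
        if not self.operational:
            failed = sorted(k for k, ok in results.items() if not ok)
            raise SelfTestFailure(f"KAT failed, entering error state: {failed}")
        return results

    def digest(self, algorithm, data):
        """Approved-algorithm digest for callers such as an app writing to SQLite."""
        if not self.operational:
            raise SelfTestFailure("module not operational: self-tests have not passed")
        if algorithm not in APPROVED_HASHES:
            raise ValueError(f"{algorithm} is not an approved algorithm")
        return hashlib.new(algorithm, data).hexdigest()
```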