
I wish to know if my Android App is FIPS 140-2 compliant if it uses only the crypto algorithms provided here? I use SpongyCastle to implement these algorithms.

Edit: A generalised question: Can open-source libraries like BouncyCastle/SpongyCastle be used in a module that can be FIPS certified?

MediumOne

2 Answers


Bouncy Castle is not FIPS 140-2 certified, so SpongyCastle is not certified either. Mocana's NanoCrypto has a FIPS 140-2 certification for a few specific Android OS/hardware combinations.

Generally speaking, FIPS 140-2 certification requires quite a lot of money, so don't expect an open-source library (other than OpenSSL) to be FIPS certified.

Peter Elliott
  • "certified" isn't necessarily the same as "compliant", though. I do believe SpongyCastle is compliant, although that may not be true forever. – mfsiega Jan 04 '13 at 15:23
  • That's not true. Compliance with FIPS 140-2 requires an independent certification of the software package. BouncyCastle hasn't undergone this certification. Check out [this post](http://security.stackexchange.com/questions/4122/question-of-importance-of-fips-in-security-implementations) from the security StackExchange; it explicitly calls out BouncyCastle as not FIPS 140-2 certified. – Peter Elliott Jan 04 '13 at 15:33
  • Suppose that I create a Java crypto library, which in turn uses BouncyCastle, to be used in my App. Can I get this library FIPS 140-2 certified even with the money that's required? – MediumOne Jan 04 '13 at 15:37
  • @MediumOne: there is no inherent reason why an open source library cannot be FIPS 140-2 certified. It is a question of complying with the FIPS 140-2 spec and paying for a successful evaluation. – President James K. Polk Jan 04 '13 at 18:35
  • From OpenSSL: "New FIPS 140-2 validations (of any type) are slow (6-12 months is typical), expensive (US$50,000 is probably typical for an uncomplicated validation), and unpredictable (completion dates are not only uncertain when first beginning a validation, but remain so during the process)." Being an author of a Common Criteria certified product, I can tell you that 50K is pretty cheap, and is extremely unlikely to include man-hours spent on it. – Maarten Bodewes Jan 05 '13 at 00:23

Certifications cost a non-negligible amount of money, especially for open source projects; however, BouncyCastle now has a FIPS 140-2 certified version.

Certifications can be searched on csrc.nist.gov:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&ModuleName=Bouncy+Castle&CertificateStatus=Active&ValidationYear=0

e.g.:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3514

Other resources:
https://www.bouncycastle.org/fips_faq.html
https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf

Matteo Mazza