
Re: [Cryptography] FIPS 140 validated crypto module on Android?

On Sun, Nov 15, 2020, at 7:06 PM, Michael Nelson via cryptography wrote:
> We need a FIPS 140-2 validated crypto module on Android mobile devices 
> to do some simple encryption. Does anyone know of an available such 
> module?
> One issue for the provider is of course that there are many hardware 
> platforms/models -- Samsung, Motorola, Google Pixel, etc. There are 
> also many versions of the OS.
> Ideally, there would be some module that was validated on most, or at 
> least some, of the current configurations, and the module validation 
> would be updated regularly for the newer phones/OS-versions.
> The NIST website lists the OpenSSL fips library on the "historical" 
> list. There are about 15 Android-related configurations ending with 
> Android 5.0 in 2018. So that is out. It doesn't exist, but 
> hypothetically the sort of thing that would be suitable is: an OpenSSL 
> fips build that ran on most current Android phones, was validated on 
> some of them, and for which the validation deltas were done once a year 
> or something. It doesn't have to be OpenSSL.
> Any pointers?


Bouncy Castle seems exactly what you want. FIPS 140-2 level 1 certified, Java or C#.
Both languages see major use on Android.

As an aside, I'd suggest avoiding doing native code work on Android. It is possible
but the platform was not meant for it.
The cryptography mailing list
cryptography AT metzdowd.com