[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] FIPS 140 validated crypto module on Android?



On Sun, Nov 15, 2020, at 7:06 PM, Michael Nelson via cryptography wrote:
> We need a FIPS 140-2 validated crypto module on Android mobile devices 
> to do some simple encryption. Does anyone know of an available such 
> module?
> 
> One issue for the provider is of course that there are many hardware 
> platforms/models -- Samsung, Motorola, Google Pixel, etc. There are 
> also many versions of the OS.
> 
> Ideally, there would be some module that was validated on most, or at 
> least some, of the current configurations, and the module validation 
> would be updated regularly for the newer phones/OS-versions.
> 
> The NIST website lists the OpenSSL fips library on the "historical" 
> list. There are about 15 Android-related configurations ending with 
> Android 5.0 in 2018. So that is out. It doesn't exist, but 
> hypothetically the sort of thing that would be suitable is: an OpenSSL 
> fips build that ran on most current Android phones, was validated on 
> some of them, and for which the validation deltas were done once a year 
> or something.It doesn't have to be OpenSSL.
> 
> Any pointers?
> 

https://en.wikipedia.org/wiki/Bouncy_Castle_(cryptography)#Certified_releases

Bouncy castle seems exactly what you want. FIPS 140-2 level 1 certified, Java or C#.
Both languages see major use on Android.

As an aside, I'd suggest avoiding doing native code work on Android. It is possible
but the platform was not meant for it.
_______________________________________________
The cryptography mailing list
cryptography AT metzdowd.com
https://www.metzdowd.com/mailman/listinfo/cryptography