[Cryptography] FIPS 140 validated crypto module on Android?

Michael Nelson nelson_mikel at yahoo.com
Sun Nov 22 17:46:59 EST 2020


Sid Spry wrote:
"Bouncy castle..."
"I'd suggest avoiding doing native code work on Android."

Kevin W. Wall wrote:
"I'm pretty sure that Bouncy Castle is the default Java Cryptography Extension (JCE) used on Android platform."

Thanks for your input Sid, Kevin.

I had thought that the team I'm helping leaned towards OpenSSL, because their desktop product used it, but they are open to a Java crypto library on Android. I agree, C on Android is not a first choice...

So yes, Bouncy Castle is included with Android. As the Wikipedia link from Sid says, to avoid name clashes when installing a FIPS 140-2 build, there is a build called Stripy Castle. But one can't just drop that in and inherit the official validation of Bouncy Castle on the platforms/configurations listed in its certificate/security-policy. FIPS 140 has the concepts of Vendor Affirmed, and User Affirmed, for various different configurations, and they entail various subtleties. I'll have to dig in further, sigh. I would have thought that some vendor would make a FIPS 140-2 module for Android. You'd think that there'd be a market.

Mike