Question
I wish to know if my Android App is FIPS 140-2 compliant if it uses only the crypto algorithms provided here? I use SpongyCastle to implement these algorithms.
Edit: A generalised question : Can open-source libraries like BouncyCastle/SpongyCastle be used in a module that can be FIPS Certified?
Solution
Bouncy Castle is not FIPS 140-2 certified, so therefore SpongyCastle is not certified. Mocana's NanoCrypto has a FIPS 140-2 certification for a few specific android OS/hardware combinations.
Generally speaking, FIPS 140-2 certification requires quite a lot of money, so don't expect an open-source library (other than OpenSSL) to be FIPS certified
OTHER TIPS
Certifications cost a non negligible amount of money especially for open source projects, however BouncyCastle has now a FIPS 140-2 certified version.
Certifications can be searched on csrc.nist.gov
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&ModuleName=Bouncy+Castle&CertificateStatus=Active&ValidationYear=0
e.g.
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3514
other resources
https://www.bouncycastle.org/fips_faq.html
https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf
https://stackoverflow.com/questions/14159435
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian