The Legion of the Bouncy Castle - FIPS Resources Page

• Entry
• FIPS FAQ
• Java FIPS Release
• C# .NET FIPS Release 
• Donate

FIPS Frequently Asked Questions and Resources

Welcome to our FIPS FAQ and Resources Page.

• General Questions
• Java Related Questions
• C# Related Questions
• FIPS Consultants
• FIPS Accredited Labs

Frequently Asked Questions

General Questions

1. Q 1. How to do I join the early access program?
    
   In general the best way to join is by getting a support contract, if you are specifically interested in a particular release, early access is also provided to people donating 10000 USD or more to sponsor the release. Sponsors are also provided with bragging rights if they want them.

2. Q 2. What extras do I get with the early access program?
    
   Apart from access to the latest source of the FIPS API as it evolves and the right to use it, you also get access to the full source for both the CAVP and operations test harnesses, the original documentation, and some various other tools we have found useful.

3. Q 3. We want to do a private validation of some, or all, of the APIs, what do we do?
    
   You will need a support contract and to pay a rebrand fee. This will give you an authority letter for NIST granting permission to do the rebrand, access to consulting time for any issues you might have, as well as all the features of the early access program. Speak to your lab, if you don't have a lab already, or are unsure what to do next, read on.

4. Q 4. When we told our developers about our plans to do a certification, they disappeared into the server room and didn't come out! We think they're hiding under the floor, is there anyone who can help?
    
   Yes, see our list of FIPS consultants. After you have selected one, the news you are getting some help, plus the smell of freshly brewed coffee is normally enough to get people back into the light.

5. Q 5. Our developers are already experienced but we do not have an existing relationship with a testing lab, are there any you have worked with?
    
   Yes, see our list of FIPS accredited testing labs.

6. Q 6. So you really are funding this effort with a mixture of support contracts, donations, and sponsorships?
    
   Yep. We're a legion and diversity is strength!

7. Q 7. Are there any other compelling reasons for getting a support contract?
    
   As it happens there are. We have found two things that distinguish our support contract holders from our regular user base. Developers with access to a support contract are more likely to raise an issue with us early rather than try and muddle through, and developers with access to a support contract also take a more active interest in the beta releases, both FIPS and non-FIPS. The second one is useful as it means any issues or shortfalls in the beta are able to be fixed while the updates are still in beta. The first one is a real cost saver as it does not lead to us receiving emails starting with "Our development team has spent (some number of) weeks trying to work out..." It is much cheaper to have a support contract!

8. Q 8. I am still not quite there with the support contract, can I still report an issue?
    
   Sure. Please comtact us on feedback-crypto@bouncycastle.org We can also provide a PGP key if you believe the issue is a security concern or otherwise requires it.

Java Related Questions

1. Q 1. What are the current release details for the Bouncy Castle FIPS certified APIs for Java?
    
   The most recent release for the Bouncy Castle FIPS module for Java is 1.0.2.4 and labeled BC-FJA 1.0.2.4. BC-FJA 1.0.2.4 has been issued NIST certificate #4616

2. Q 2. Where can I find the Bouncy Castle FIPS certified APIs for Java?
    
   The current and previous Java FIPS releases are at https://www.bouncycastle.org/fips-java

3. Q 3. What JVMs are the APIs currently certified for?
    
   The current APIs are certified for Java 1.7, Java 1.8, and Java 1.11.

4. Q 4. Are there any versions for Android?
    
   FIPS on Android is a little complex - the FIPS module needs to be installed on the device in order for all the start up tests to be run correctly. Based on the widely respected "org.spongycastle" trick, we have actual FIPS modules in the package "org.stripycastle" for Lollipop, Marshmallow, Nougat, and Oreo.

   We also have an "org.spongycastle" packaging with some start up tests disabled that can used in an application. Note: this last one is FIPS derived not FIPS compliant.

   The Android releases are currently only available under the early access program.

5. Q 5. Is there a roadmap for future Java releases?
    
   Yes, you can find some more details on our Java FIPS roadmap page.

C# .NET Related Questions

1. Q 1. What are the current release details for the Bouncy Castle FIPS certified APIs for C# .NET?
    
   The most recent release for the Bouncy Castle FIPS module for C# .NET is 1.0.2 and labeled BC-FNA 1.0.2. BC-FNA 1.0.2 has been issued NIST certificate #4416

2. Q 2. Where can I find the Bouncy Castle FIPS certified APIs for C# .NET?
    
   The current and previous C# .NET FIPS releases are at https://www.bouncycastle.org/fips-csharp

3. Q 3. What Common Language Runtime (CLR) are APIs for C# .NET targeted at?
    
   The base CLR for the C# .NET FIPS is CLR 4.

4. Q 4. Is there a road map for future C# .NET releases?
    
   Yes, you can find some more details on our C# .NET FIPS roadmap page.

FIPS Consultants and Accredited Labs

This is the current list of people/organisations we've worked with at some level. The main thing they have in common is they've shown the sensibility (and even humor) required to work with an Open Source effort like Bouncy Castle and regimes like that of FIPS 140-2 and Common Criteria.

If you are trying to work out the ordering, the list is alphabetical. If you would like to be on the list and you are not, contact us at office@bouncycastle.org. Putting the list together proved trickier than we thought, we apologize in advance if we've left someone off who should be on it.

FIPS Consultants

Corsec Security, Inc.

Contact:

Jake Nelson jnelson@corsec.com Corsec Security, Inc. 13921 Park Center Rd #460, Herndon, VA 20171 United States of America

KeyPair Consulting

Contact:

Mark Minnoch mark@keypair.us KeyPair Consulting 987 Osos Street San Luis Obispo, CA 93401 United States of America

Symbiotic Systems Research

Contact:

Randall Steck rsteck@symsysresearch.com Symbiotic Systems Research 5618 Bloomfield Drive, Suite #1 Alexandria, VA 22312 United States of America

FIPS Accredited Labs

Acumen Security

Contact:

Josh Kolstad joshua.kolstad@intertek.com Laboratory Manager, Acumen Security 18504 Office Park Dr Montgomery Village, MD 20886 United States of America

ADVANCED DATA SECURITY

Contact:

Eugene Polulyakh ep@adseclab.com Laboratory Director ADVANCED DATA SECURITY 1933 O'Toole Way San Jose, CA 95131 United States of America

ÆGISOLVE, INC.

Contact:

Travis Spann tspann@aegisolve.com Laboratory Director ÆGISOLVE, INC. 415 Fairchild Dr. Mountain View, CA. 94043 United States of America

Lightship Security, Inc.

Contact:

Jason Lawlor jason.lawlor@lightshipsec.com Lightship Security 302 - 135 Rideau Street, Ottawa, ON K1N 5X4 Canada

Teron Labs

Contact:

Juan Gonzalez juan@teronlabs.com Laboratory Director Teron Labs Unit 3, 10 Geils Court Deakin, ACT 2600 Australia

UL

Contact:

Gerrit Kruitbosch Gerrit.Kruitbosch@ul.com UL - InfoGard Laboratories 709 Fiero Lane, Suite 25 San Luis Obispo, CA 93401 United States of America