FIPS FAQ
We have put together this FAQ to address specific queries related to the FIPS versions of the Bouncy Castle Cryptographic APIs.
Find your answers
The FAQ covers general FIPS inquiries, as well as those specifically concerning the Java FIPS version and the C# .NET version. Moreover, if you are considering certification and require assistance, we offer a list of individuals and organizations we have collaborated with, including FIPS consultants and FIPS-accredited labs.
General Questions
What is a FIPS certified Cryptographic API like Bouncy Castle and when do I need it?
A FIPS (Federal Information Processing Standards) certified Cryptographic API, such as the one provided by Bouncy Castle, refers to a cryptographic library that has been validated against the standards set forth by the National Institute of Standards and Technology (NIST) in the United States. These standards ensure that cryptographic algorithms and modules meet specific security requirements, making them suitable for use in government and sensitive commercial applications.
Bouncy Castle's FIPS-certified Cryptographic API offers a high level of assurance regarding the security and reliability of cryptographic operations. It adheres to the stringent guidelines outlined in the FIPS 140-2 standard, and it is being certified according to FIPS 140-3 as we speak, which is recognized internationally for its rigorous testing and validation procedures.
You may need to use Bouncy Castle FIPS certified Cryptographic APIs in scenarios where regulatory compliance or security mandates dictate the use of validated cryptographic modules. For instance, if you’re developing software for government agencies, financial institutions, or healthcare organizations that are subject to regulatory frameworks.
Additionally, industries with stringent security needs, such as defense, aerospace, and critical infrastructure, often require the use of FIPS-validated cryptographic modules.
How to do I join the early access program?
What extras do I get with the early access program?
We want to do a private validation of some, or all, of the APIs, what do we do?
When we told our developers about our plans to do a certification, they disappeared into the server room and didn't come out! We think they're hiding under the floor, is there anyone who can help?
Our developers are already experienced but we do not have an existing relationship with a testing lab, are there any you have worked with?
So you really are funding this effort with a mixture of support contracts, donations, and sponsorships?
Are there any other compelling reasons for getting a support contract?
I am still not quite there with the support contract, can I still report an issue?
Java FIPS Questions
What are the current release details for the Bouncy Castle FIPS certified APIs for Java?
The most recent release for the Bouncy Castle FIPS module for Java is 1.0.2.4 and labeled BC-FJA 1.0.2.4. BC-FJA 1.0.2.4 has been issued NIST certificate #4616.
Where can I find the Bouncy Castle FIPS certified APIs for Java?
What JVMs are the APIs currently certified for?
Are there any versions for Android?
Is there a roadmap for future Java FIPS releases?
C# .NET FIPS Questions
What are the current release details for the Bouncy Castle FIPS certified APIs for C# .NET?
The most recent release for the Bouncy Castle FIPS module for C# .NET is 1.0.2 and labeled BC-FNA 1.0.2. BC-FNA 1.0.2 has been issued NIST certificate #4416.
Where can I find the Bouncy Castle FIPS certified APIs for C# .NET?
What Common Language Runtime (CLR) are APIs for C# .NET targeted at?
Is there a roadmap for future C# .NET releases?
FIPS CONSULTANTS AND ACCREDITED LABS
This is the current list of people/organisations we've worked with at some level. The main thing they have in common is they've shown the sensibility (and even humor) required to work with an Open Source effort like Bouncy Castle and regimes like that of FIPS 140-2, FIPS 140-3 and Common Criteria.
If you are trying to work out the ordering, the list is alphabetical. If you would like to be on the list and you are not, contact us at office@bouncycastle.org. Putting the list together proved trickier than we thought, we apologize in advance if we've left someone off who should be on it.
FIPS Consultants
Contact:
Jake Nelson
jnelson@corsec.com
Corsec Security, Inc.
13921 Park Center Rd #460,
Herndon, VA 20171
United States of America
Contact:
Mark Minnoch
mark@keypair.us
KeyPair Consulting
987 Osos Street
San Luis Obispo, CA 93401
United States of America
Contact:
Randall Steck
rsteck@symsysresearch.com
Symbiotic Systems Research
5618 Bloomfield Drive, Suite #1
Alexandria, VA 22312
United States of America