We have put together this FAQ to address specific queries related to the FIPS versions of the Bouncy Castle Cryptographic APIs.
The FAQ covers general FIPS inquiries, as well as those specifically concerning the Java FIPS version and the C# .NET version. Moreover, if you are considering certification and require assistance, we offer a list of individuals and organizations we have collaborated with, including FIPS consultants and FIPS-accredited labs.
A FIPS (Federal Information Processing Standards) certified Cryptographic API, such as the one provided by Bouncy Castle, refers to a cryptographic library that has been validated against the standards set forth by the National Institute of Standards and Technology (NIST) in the United States. These standards ensure that cryptographic algorithms and modules meet specific security requirements, making them suitable for use in government and sensitive commercial applications.
Bouncy Castle's FIPS-certified Cryptographic API offers a high level of assurance regarding the security and reliability of cryptographic operations. Previously certified to FIPS 140-2, the Bouncy Castle APIs now adhere to the stringent guidelines outlined in the FIPS 140-3 standard which is recognized internationally for its rigorous testing and validation procedures.
You may need to use Bouncy Castle FIPS certified Cryptographic APIs in scenarios where regulatory compliance or security mandates dictate the use of validated cryptographic modules. For instance, if you’re developing software for government agencies, financial institutions, or healthcare organizations that are subject to regulatory frameworks.
Additionally, industries with stringent security needs, such as defense, aerospace, and critical infrastructure, often require the use of FIPS-validated cryptographic modules.
The most recent release for the Bouncy Castle FIPS module for Java is 2.0.0 and labeled BC-FJA 2.0.0. BC-FJA 2.0.0 has been issued NIST certificate #4743.
The most recent release for the Bouncy Castle FIPS module for C# .NET is 1.0.2 and labeled BC-FNA 1.0.2. BC-FNA 1.0.2 has been issued NIST certificate #4416.
This is the current list of people/organisations we've worked with at some level. The main thing they have in common is they've shown the sensibility (and even humor) required to work with an Open Source effort like Bouncy Castle and regimes like that of FIPS 140-2, FIPS 140-3 and Common Criteria.
If you are trying to work out the ordering, the list is alphabetical. If you would like to be on the list and you are not, contact us at office@bouncycastle.org. Putting the list together proved trickier than we thought, we apologize in advance if we've left someone off who should be on it.
Contact:
Jake Nelson
jnelson@corsec.com
Corsec Security, Inc.
13921 Park Center Rd #460,
Herndon, VA 20171
United States of America
Contact:
Mark Minnoch
mark@keypair.us
KeyPair Consulting
987 Osos Street
San Luis Obispo, CA 93401
United States of America
Contact:
Randall Steck
rsteck@symsysresearch.com
Symbiotic Systems Research
5618 Bloomfield Drive, Suite #1
Alexandria, VA 22312
United States of America