BC FIPS 1.X Spongy Version...

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

BC FIPS 1.X Spongy Version...

David Templar-2
OK,

Having spent a lot of time of this novel FIPS version and trying DEX (to
be uncompressed, not obfuscated, realtime load of jar, jar downloaded to
secure private data area  etc) - due to the fact that Android works
different to Desktop (where the jar is in the lib folder on
computer/JRE/JDK folder etc). The only way to get bc-fips-1.0.2.jar (and
later) is to either disable this initial checksum (and get NIST
certified again for that jar - if possible), or disable on the App side.

The very fact that that checksum on Android changes with each program
modification (as DEX is the boss) e.g. int x = 10; (added or removed)
will result in the bc-fips-1.0.2.jar failing as it is doing a checksum
against an ever-changing value!

Yes, I am aware of the process to create FIPS compliant Android devices
- it can be from easy (just importing the jar into the
/System/Framework/) to very hard - requiring a new ROM build for the JVM.

At present: As much as I would love original BCFIPS on all devices, the
past is a guide - we still do not have a full REAL implementation of
traditional BC installed on mass produced Android devices. BCFIPS Stripy
is rare. SpongyCastle took a holiday for a long time.

It is time to actually look at how to implement BCFIPS jar on a mass
produced device. Change HMAC.SHA256 in the BC jar and break signature,
change HAMC.SHA256 in the built Android .apk (cleaner and .jar is
intact), or some other way!

I am assuming the FIPS version is the future... if not?  The easy Spongy
version is to just disable this checksum check -  I would help/volunteer
but I have not read the tens of thousands of code and I am are there are
better in your team! :)

At present - the HMAC.SHA256 method seems to be the best "Spongy" version!

Whether you agree with the above or not - please do not ask why I am
spending tens of hours on this BCFIPS - just like many like to download
the latest upgrade, maybe my personality :)

--
Kind regards,

David Templar

This email is digitally signed to ensure authenticity.


Reply | Threaded
Open this post in threaded view
|

Re: BC FIPS 1.X Spongy Version...

Jonathan Buhacoff
I wrote a little tool called `mybc` to help with compiling a
custom-namespace version of BC from source.

You might be interested in it because you can choose which version of BC
you need, get the source yourself so you know it's good, and then use
the `mybc` tool to change the package names and the artifact name to
whatever you need. You don't need to wait for someone else to publish a
custom version and you don't need to trust someone else's build either.

I use it to compile a custom namespace version of BC for my Android app,
so that I can use new BC features without clashing with the older
version of BC that comes with Android.

I haven't tried the FIPS version, maybe try using the tool and see how
far you get?

https://github.com/jbuhacoff/nodejs-mybc-util

Jonathan


On 4/8/2020 5:43 AM, David Templar wrote:

> OK,
>
> Having spent a lot of time of this novel FIPS version and trying DEX
> (to be uncompressed, not obfuscated, realtime load of jar, jar
> downloaded to secure private data area  etc) - due to the fact that
> Android works different to Desktop (where the jar is in the lib folder
> on computer/JRE/JDK folder etc). The only way to get bc-fips-1.0.2.jar
> (and later) is to either disable this initial checksum (and get NIST
> certified again for that jar - if possible), or disable on the App side.
>
> The very fact that that checksum on Android changes with each program
> modification (as DEX is the boss) e.g. int x = 10; (added or removed)
> will result in the bc-fips-1.0.2.jar failing as it is doing a checksum
> against an ever-changing value!
>
> Yes, I am aware of the process to create FIPS compliant Android
> devices - it can be from easy (just importing the jar into the
> /System/Framework/) to very hard - requiring a new ROM build for the JVM.
>
> At present: As much as I would love original BCFIPS on all devices,
> the past is a guide - we still do not have a full REAL implementation
> of traditional BC installed on mass produced Android devices. BCFIPS
> Stripy is rare. SpongyCastle took a holiday for a long time.
>
> It is time to actually look at how to implement BCFIPS jar on a mass
> produced device. Change HMAC.SHA256 in the BC jar and break signature,
> change HAMC.SHA256 in the built Android .apk (cleaner and .jar is
> intact), or some other way!
>
> I am assuming the FIPS version is the future... if not?  The easy
> Spongy version is to just disable this checksum check -  I would
> help/volunteer but I have not read the tens of thousands of code and I
> am are there are better in your team! :)
>
> At present - the HMAC.SHA256 method seems to be the best "Spongy"
> version!
>
> Whether you agree with the above or not - please do not ask why I am
> spending tens of hours on this BCFIPS - just like many like to
> download the latest upgrade, maybe my personality :)
>