Information on FIPS

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Information on FIPS

Dileep Dixith
Hi All,

We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.

If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.


Regards,

Dileep Dixith

Reply | Threaded
Open this post in threaded view
|

RE: Information on FIPS

Eckenfels. Bernd
Hello,

The FIPS validated library is a different Provider jar, check out the web page: https://www.bouncycastle.org/fips_java_roadmap.html

Gruss
Bernd
--
http://www.seeburger.com
________________________________________
From: Dileep Dixith [[hidden email]]
Sent: Wednesday, April 25, 2018 04:33
To: [hidden email]
Subject: [dev-crypto] Information on FIPS

Hi All,

We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.

If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.


Regards,

Dileep Dixith








SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

Reply | Threaded
Open this post in threaded view
|

RE: Information on FIPS

Dileep Dixith
Hello,

We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.

Sample Code is below:

publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
                    throwsNoSuchAlgorithmException, InvalidKeyException
    {
        HMac hmac= newHMac(DigestFactory.getDigest(algo));
        byte[] resBuf= newbyte[hmac.getMacSize()];
        hmac.init(newKeyParameter(key));
        hmac.update(message, 0, message.length);
        hmac.doFinal(resBuf, 0);
        returnresBuf;
    }

We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.

Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?

Regards,

Dileep Dixith
 Bangalore, 560071
Security Developer, Big Storage and MCStore India
 
IBM Systems & Technology Lab 
+91-80-41776741 
Mobile:+91-95-91345900 
e-mail:[hidden email] 






From:        "Eckenfels. Bernd" <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Date:        25/04/2018 08:52 AM
Subject:        RE: [dev-crypto] Information on FIPS




Hello,



The FIPS validated library is a different Provider jar, check out the web page:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=



Gruss

Bernd

--

https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=

________________________________________

From: Dileep Dixith [[hidden email]]

Sent: Wednesday, April 25, 2018 04:33

To: [hidden email]

Subject: [dev-crypto] Information on FIPS



Hi All,



We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.



If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.





Regards,



Dileep Dixith

















SEEBURGER AG            Vorstand/SEEBURGER Executive Board:

Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker

Edisonstr. 1

D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:

Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner

Fax: 07252 / 96 - 2222

Internet:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=              Registergericht/Commercial Register:

e-mail: [hidden email]               HRB 240708 Mannheim





Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.





This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.







Reply | Threaded
Open this post in threaded view
|

RE: Information on FIPS

Eckenfels. Bernd
What is your definition of FIPS compliance? (I think there is none -especially not for applications-, so you cannot safely claim it).

If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic module‘ then yes you would need to use the BC FIPS JAR and switch the thread in approved mode. Or you can use JCE with the IBM FIPS validated software modules. If you want to claim ‚uses (only) FIPS 140-2 approved cryptographic Service of a non-validated implementation then you might be fine.

Gruss
Bernd
--
http://www.seeburger.com
________________________________________
From: Dileep Dixith [[hidden email]]
Sent: Thursday, April 26, 2018 05:09
To: Eckenfels. Bernd
Cc: [hidden email]
Subject: RE: [dev-crypto] Information on FIPS

Hello,

We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.

Sample Code is below:

publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
                    throwsNoSuchAlgorithmException, InvalidKeyException
    {
        HMac hmac= newHMac(DigestFactory.getDigest(algo));
        byte[] resBuf= newbyte[hmac.getMacSize()];
        hmac.init(newKeyParameter(key));
        hmac.update(message, 0, message.length);
        hmac.doFinal(resBuf, 0);
        returnresBuf;
    }

We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.

Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?

Regards,
________________________________


Dileep Dixith
         Bangalore, 560071
[cid:_1_37DF188837DF133800115DF96525827B]

Security Developer, Big Storage and MCStore      India

IBM Systems & Technology Lab
+91-80-41776741
Mobile: +91-95-91345900
e-mail: [hidden email]
________________________________






From:        "Eckenfels. Bernd" <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Date:        25/04/2018 08:52 AM
Subject:        RE: [dev-crypto] Information on FIPS
________________________________



Hello,



The FIPS validated library is a different Provider jar, check out the web page: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=



Gruss

Bernd

--

https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=

________________________________________

From: Dileep Dixith [[hidden email]]

Sent: Wednesday, April 25, 2018 04:33

To: [hidden email]

Subject: [dev-crypto] Information on FIPS



Hi All,



We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.



If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.





Regards,



Dileep Dixith

















SEEBURGER AG            Vorstand/SEEBURGER Executive Board:

Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker

Edisonstr. 1

D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:

Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner

Fax: 07252 / 96 - 2222

Internet: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=              Registergericht/Commercial Register:

e-mail: [hidden email]               HRB 240708 Mannheim





Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.





This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.















SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


ATT00001.gif (494 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: Information on FIPS

Dileep Dixith
Hello,

Thanks for your information.

Let me revise my question:  Whether use of bc-fips.jar has any impact on HMAC implementation exists in bcprov-jdk15on-1.54.jar.

Regards,

Dileep Dixith
 Bangalore, 560071
Security Developer, Big Storage and MCStore India
 
IBM Systems & Technology Lab 
+91-80-41776741 
Mobile:+91-95-91345900 
e-mail:[hidden email] 






From:        "Eckenfels. Bernd" <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Cc:        "[hidden email]" <[hidden email]>
Date:        26/04/2018 09:17 AM
Subject:        RE: [dev-crypto] Information on FIPS




What is your definition of FIPS compliance? (I think there is none -especially not for applications-, so you cannot safely claim it).

If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic module‘ then yes you would need to use the BC FIPS JAR and switch the thread in approved mode. Or you can use JCE with the IBM FIPS validated software modules. If you want to claim ‚uses (only) FIPS 140-2 approved cryptographic Service of a non-validated implementation then you might be fine.

Gruss
Bernd
--
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=K11FueLuskyKK0QOyAl3o2Y45rTBsLnJog7dc7AWVJs&e=
________________________________________
From: Dileep Dixith [[hidden email]]
Sent: Thursday, April 26, 2018 05:09
To: Eckenfels. Bernd
Cc: [hidden email]
Subject: RE: [dev-crypto] Information on FIPS

Hello,

We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.

Sample Code is below:

publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
                   throwsNoSuchAlgorithmException, InvalidKeyException
   {
       HMac hmac= newHMac(DigestFactory.getDigest(algo));
       byte[] resBuf= newbyte[hmac.getMacSize()];
       hmac.init(newKeyParameter(key));
       hmac.update(message, 0, message.length);
       hmac.doFinal(resBuf, 0);
       returnresBuf;
   }

We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.

Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?

Regards,
________________________________


Dileep Dixith
        Bangalore, 560071
[
<a href=cid:_1_37DF188837DF133800115DF96525827B>cid:_1_37DF188837DF133800115DF96525827B]

Security Developer, Big Storage and MCStore      India

IBM Systems & Technology Lab
+91-80-41776741
Mobile: +91-95-91345900
e-mail: [hidden email]
________________________________






From:        "Eckenfels. Bernd" <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Date:        25/04/2018 08:52 AM
Subject:        RE: [dev-crypto] Information on FIPS
________________________________



Hello,



The FIPS validated library is a different Provider jar, check out the web page:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=



Gruss

Bernd

--

https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=

________________________________________

From: Dileep Dixith [[hidden email]]

Sent: Wednesday, April 25, 2018 04:33

To: [hidden email]

Subject: [dev-crypto] Information on FIPS



Hi All,



We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.



If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.





Regards,



Dileep Dixith

















SEEBURGER AG            Vorstand/SEEBURGER Executive Board:

Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker

Edisonstr. 1

D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:

Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner

Fax: 07252 / 96 - 2222

Internet:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=             Registergericht/Commercial Register:

e-mail: [hidden email]               HRB 240708 Mannheim





Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.





This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.















SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=gQIHtQduwSI0K5mtc_VoxDNe2V-F4ym3cAaOd8O_Qd0&e=              Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

[attachment "ATT00001.gif" deleted by Dileep Dixith/India/IBM]



Reply | Threaded
Open this post in threaded view
|

Re: Information on FIPS

Jon Eaves
My strongest advice is to test it.  Try both, have test cases relevant
to your application.

Cheers,
        -- jon


On 4/26/18 1:53 PM, Dileep Dixith wrote:

> Hello,
>
> Thanks for your information.
>
> Let me revise my question:  Whether use of bc-fips.jar has any impact on
> HMAC implementation exists in bcprov-jdk15on-1.54.jar.
>
> Regards,
> ------------------------------------------------------------------------
> *Dileep Dixith*
>  Bangalore, 560071
> Security Developer, Big Storage and MCStore  India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ------------------------------------------------------------------------
>
>
>
>
>
>
> From: "Eckenfels. Bernd" <[hidden email]>
> To: "[hidden email]" <[hidden email]>
> Cc: "[hidden email]" <[hidden email]>
> Date: 26/04/2018 09:17 AM
> Subject: RE: [dev-crypto] Information on FIPS
> ------------------------------------------------------------------------
>
>
>
> What is your definition of FIPS compliance? (I think there is none
> -especially not for applications-, so you cannot safely claim it).
>
> If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic
> module‘ then yes you would need to use the BC FIPS JAR and switch the
> thread in approved mode. Or you can use JCE with the IBM FIPS validated
> software modules. If you want to claim ‚uses (only) FIPS 140-2 approved
> cryptographic Service of a non-validated implementation then you might
> be fine.
>
> Gruss
> Bernd
> --
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=K11FueLuskyKK0QOyAl3o2Y45rTBsLnJog7dc7AWVJs&e=
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:09
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> We use only HMAC Message digest from Bouncy castle. In my view, HMAC
> implementation based on RFC2104 is FIPS compliant.
>
> Sample Code is below:
>
> publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
>                     throwsNoSuchAlgorithmException, InvalidKeyException
>     {
>         HMac hmac= newHMac(DigestFactory.getDigest(algo));
>         byte[] resBuf= newbyte[hmac.getMacSize()];
>         hmac.init(newKeyParameter(key));
>         hmac.update(message, 0, message.length);
>         hmac.doFinal(resBuf, 0);
>         returnresBuf;
>     }
>
> We don't use any Bouncy castle Provider, TLS/SSL or any other encryption
> related functions.
>
> Do we still need to use bc-fips.jar to be FIPS compliant. Whether
> bc-fips jar has any improvements to HMAC implementation to be FIPS
> compliant?
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>          Bangalore, 560071
> [cid:_1_37DF188837DF133800115DF96525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" <[hidden email]>
> To:        "[hidden email]" <[hidden email]>
> Date:        25/04/2018 08:52 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> Hello,
>
>
>
> The FIPS validated library is a different Provider jar, check out the
> web page:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=
>
>
>
> Gruss
>
> Bernd
>
> --
>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=
>
> ________________________________________
>
> From: Dileep Dixith [[hidden email]]
>
> Sent: Wednesday, April 25, 2018 04:33
>
> To: [hidden email]
>
> Subject: [dev-crypto] Information on FIPS
>
>
>
> Hi All,
>
>
>
> We use  bcprov-jdk15on-1.54in our product. We want to understand whether
> this version is FIPS compliant?  If yes, can you provide ways to enable it.
>
>
>
> If it is not FIPS enabled, let us know which version is FIPS enabled so
> that we can move to that version.
>
>
>
>
>
> Regards,
>
>
>
> Dileep Dixith
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
>
> Sitz der Gesellschaft/Registered Office:      Axel Haas, Michael
> Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
>
> Edisonstr. 1
>
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the
> SEEBURGER Supervisory Board:
>
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
>
> Fax: 07252 / 96 - 2222
>
> Internet:
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e= 
>             Registergericht/Commercial Register:
>
> e-mail: [hidden email] HRB 240708 Mannheim
>
>
>
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet
> ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes
> Material enthalten. Jegliche darin enthaltene Ansicht oder
> Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise
> die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der
> Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche
> Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher
> Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG
> noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren;
> es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren
> zu prüfen.
>
>
>
>
>
> This email is intended only for the recipient(s) to whom it is
> addressed. This email may contain confidential material that may be
> protected by professional secrecy. Any fact or opinion contained, or
> expression of the material herein, does not necessarily reflect that of
> SEEBURGER AG. If you are not the addressee or if you have received this
> email in error, any use, publication or distribution including
> forwarding, copying or printing is strictly prohibited. Neither
> SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for
> viruses; it is your responsibility to check this email and its
> attachments for viruses.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:      Axel Haas, Michael
> Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the
> SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet:
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=gQIHtQduwSI0K5mtc_VoxDNe2V-F4ym3cAaOd8O_Qd0&e= 
>              Registergericht/Commercial Register:
> e-mail: [hidden email] HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet
> ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes
> Material enthalten. Jegliche darin enthaltene Ansicht oder
> Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise
> die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der
> Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche
> Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher
> Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG
> noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren;
> es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren
> zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is
> addressed. This email may contain confidential material that may be
> protected by professional secrecy. Any fact or opinion contained, or
> expression of the material herein, does not necessarily reflect that of
> SEEBURGER AG. If you are not the addressee or if you have received this
> email in error, any use, publication or distribution including
> forwarding, copying or printing is strictly prohibited. Neither
> SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for
> viruses; it is your responsibility to check this email and its
> attachments for viruses.
>
> [attachment "ATT00001.gif" deleted by Dileep Dixith/India/IBM]
>
>

Reply | Threaded
Open this post in threaded view
|

RE: Information on FIPS

Eckenfels. Bernd
In reply to this post by Dileep Dixith
The implementations calculate the same values. (The implementation is mostly the same). The FIPS version has some additional checks in regards to the state of self checks (and possibly type of keys passed in). However the implementation is not officially CAVP validated and the module is not CMVP validated.

BTW on a normal JVM with Sun or IBM JCE you would not need BC at all. On other platforms the BC-FIPS validation might not be valid yet. (Android is early access IMHO)

Gruss
Bernd
--
http://www.seeburger.com
________________________________________
From: Dileep Dixith [[hidden email]]
Sent: Thursday, April 26, 2018 05:53
To: Eckenfels. Bernd
Cc: [hidden email]
Subject: RE: [dev-crypto] Information on FIPS

Hello,

Thanks for your information.

Let me revise my question:  Whether use of bc-fips.jar has any impact on HMAC implementation exists in bcprov-jdk15on-1.54.jar.

Regards,
________________________________


Dileep Dixith
         Bangalore, 560071
[cid:_1_43EC514843EC4BF800155D196525827B]

Security Developer, Big Storage and MCStore      India

IBM Systems & Technology Lab
+91-80-41776741
Mobile: +91-95-91345900
e-mail: [hidden email]
________________________________






From:        "Eckenfels. Bernd" <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Cc:        "[hidden email]" <[hidden email]>
Date:        26/04/2018 09:17 AM
Subject:        RE: [dev-crypto] Information on FIPS
________________________________



What is your definition of FIPS compliance? (I think there is none -especially not for applications-, so you cannot safely claim it).

If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic module‘ then yes you would need to use the BC FIPS JAR and switch the thread in approved mode. Or you can use JCE with the IBM FIPS validated software modules. If you want to claim ‚uses (only) FIPS 140-2 approved cryptographic Service of a non-validated implementation then you might be fine.

Gruss
Bernd
--
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=K11FueLuskyKK0QOyAl3o2Y45rTBsLnJog7dc7AWVJs&e=
________________________________________
From: Dileep Dixith [[hidden email]]
Sent: Thursday, April 26, 2018 05:09
To: Eckenfels. Bernd
Cc: [hidden email]
Subject: RE: [dev-crypto] Information on FIPS

Hello,

We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.

Sample Code is below:

publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
                   throwsNoSuchAlgorithmException, InvalidKeyException
   {
       HMac hmac= newHMac(DigestFactory.getDigest(algo));
       byte[] resBuf= newbyte[hmac.getMacSize()];
       hmac.init(newKeyParameter(key));
       hmac.update(message, 0, message.length);
       hmac.doFinal(resBuf, 0);
       returnresBuf;
   }

We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.

Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?

Regards,
________________________________


Dileep Dixith
        Bangalore, 560071
[cid:_1_37DF188837DF133800115DF96525827B]

Security Developer, Big Storage and MCStore      India

IBM Systems & Technology Lab
+91-80-41776741
Mobile: +91-95-91345900
e-mail: [hidden email]
________________________________






From:        "Eckenfels. Bernd" <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Date:        25/04/2018 08:52 AM
Subject:        RE: [dev-crypto] Information on FIPS
________________________________



Hello,



The FIPS validated library is a different Provider jar, check out the web page: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=



Gruss

Bernd

--

https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=

________________________________________

From: Dileep Dixith [[hidden email]]

Sent: Wednesday, April 25, 2018 04:33

To: [hidden email]

Subject: [dev-crypto] Information on FIPS



Hi All,



We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.



If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.





Regards,



Dileep Dixith

















SEEBURGER AG            Vorstand/SEEBURGER Executive Board:

Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker

Edisonstr. 1

D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:

Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner

Fax: 07252 / 96 - 2222

Internet: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=             Registergericht/Commercial Register:

e-mail: [hidden email]               HRB 240708 Mannheim





Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.





This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.















SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=gQIHtQduwSI0K5mtc_VoxDNe2V-F4ym3cAaOd8O_Qd0&e=              Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

[attachment "ATT00001.gif" deleted by Dileep Dixith/India/IBM]










SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


Reply | Threaded
Open this post in threaded view
|

Re: Information on FIPS

David Hook-3

Yes, this is correct. The regular bcprov implementation is FIPS
compatible, it gets the same value.

If you need FIPS compliance you need to be using a FIPS module at a
minimum, possibly in "FIPS approved only" mode as well. I should also
point out that you have to make sure you are following the modules
security policy if you are trying to run in "FIPS approved only" mode as
well. Just because the module allows something does not necessarily mean
it is okay to do in the context you are doing it.

Regards,

David

On 26/04/18 14:12, Eckenfels. Bernd wrote:

> The implementations calculate the same values. (The implementation is mostly the same). The FIPS version has some additional checks in regards to the state of self checks (and possibly type of keys passed in). However the implementation is not officially CAVP validated and the module is not CMVP validated.
>
> BTW on a normal JVM with Sun or IBM JCE you would not need BC at all. On other platforms the BC-FIPS validation might not be valid yet. (Android is early access IMHO)
>
> Gruss
> Bernd
> --
> http://www.seeburger.com
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:53
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> Thanks for your information.
>
> Let me revise my question:  Whether use of bc-fips.jar has any impact on HMAC implementation exists in bcprov-jdk15on-1.54.jar.
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>          Bangalore, 560071
> [cid:_1_43EC514843EC4BF800155D196525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" <[hidden email]>
> To:        "[hidden email]" <[hidden email]>
> Cc:        "[hidden email]" <[hidden email]>
> Date:        26/04/2018 09:17 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> What is your definition of FIPS compliance? (I think there is none -especially not for applications-, so you cannot safely claim it).
>
> If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic module‘ then yes you would need to use the BC FIPS JAR and switch the thread in approved mode. Or you can use JCE with the IBM FIPS validated software modules. If you want to claim ‚uses (only) FIPS 140-2 approved cryptographic Service of a non-validated implementation then you might be fine.
>
> Gruss
> Bernd
> --
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=K11FueLuskyKK0QOyAl3o2Y45rTBsLnJog7dc7AWVJs&e=
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:09
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.
>
> Sample Code is below:
>
> publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
>                    throwsNoSuchAlgorithmException, InvalidKeyException
>    {
>        HMac hmac= newHMac(DigestFactory.getDigest(algo));
>        byte[] resBuf= newbyte[hmac.getMacSize()];
>        hmac.init(newKeyParameter(key));
>        hmac.update(message, 0, message.length);
>        hmac.doFinal(resBuf, 0);
>        returnresBuf;
>    }
>
> We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.
>
> Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>         Bangalore, 560071
> [cid:_1_37DF188837DF133800115DF96525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" <[hidden email]>
> To:        "[hidden email]" <[hidden email]>
> Date:        25/04/2018 08:52 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> Hello,
>
>
>
> The FIPS validated library is a different Provider jar, check out the web page: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=
>
>
>
> Gruss
>
> Bernd
>
> --
>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=
>
> ________________________________________
>
> From: Dileep Dixith [[hidden email]]
>
> Sent: Wednesday, April 25, 2018 04:33
>
> To: [hidden email]
>
> Subject: [dev-crypto] Information on FIPS
>
>
>
> Hi All,
>
>
>
> We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.
>
>
>
> If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.
>
>
>
>
>
> Regards,
>
>
>
> Dileep Dixith
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
>
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
>
> Edisonstr. 1
>
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
>
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
>
> Fax: 07252 / 96 - 2222
>
> Internet: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=             Registergericht/Commercial Register:
>
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
>
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
>
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=gQIHtQduwSI0K5mtc_VoxDNe2V-F4ym3cAaOd8O_Qd0&e=              Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
> [attachment "ATT00001.gif" deleted by Dileep Dixith/India/IBM]
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: http://www.seeburger.de               Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>



Reply | Threaded
Open this post in threaded view
|

Re: Information on FIPS

Dileep Dixith
Thanks David.

Our Product does not make use of any Bouncy Castle provider. For example: Java has JSSE2Provider and IBMJCEFIPSfor FIPS compliance.

We use IBMJCEFIPSfor Java FIPS compliance.

org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider is not used in our Product instead we just use HMAC implementation from bcprov utilities.

So, now to make sure our product as FIPS compliance, we need to enable the above Bouncy Castle FIPS provider?

Regards,

Dileep Dixith
 Bangalore, 560071
Security Developer, Big Storage and MCStore India
 
IBM Systems & Technology Lab 
+91-80-41776741 
Mobile:+91-95-91345900 
e-mail:[hidden email] 






From:        David Hook <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Date:        26/04/2018 10:40 AM
Subject:        Re: [dev-crypto] Information on FIPS





Yes, this is correct. The regular bcprov implementation is FIPS
compatible, it gets the same value.

If you need FIPS compliance you need to be using a FIPS module at a
minimum, possibly in "FIPS approved only" mode as well. I should also
point out that you have to make sure you are following the modules
security policy if you are trying to run in "FIPS approved only" mode as
well. Just because the module allows something does not necessarily mean
it is okay to do in the context you are doing it.

Regards,

David

On 26/04/18 14:12, Eckenfels. Bernd wrote:

> The implementations calculate the same values. (The implementation is mostly the same). The FIPS version has some additional checks in regards to the state of self checks (and possibly type of keys passed in). However the implementation is not officially CAVP validated and the module is not CMVP validated.
>
> BTW on a normal JVM with Sun or IBM JCE you would not need BC at all. On other platforms the BC-FIPS validation might not be valid yet. (Android is early access IMHO)
>
> Gruss
> Bernd
> --
>
http://www.seeburger.com
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:53
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> Thanks for your information.
>
> Let me revise my question:  Whether use of bc-fips.jar has any impact on HMAC implementation exists in bcprov-jdk15on-1.54.jar.
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>          Bangalore, 560071
> [
<a href=cid:_1_43EC514843EC4BF800155D196525827B>cid:_1_43EC514843EC4BF800155D196525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" <[hidden email]>
> To:        "[hidden email]" <[hidden email]>
> Cc:        "[hidden email]" <[hidden email]>
> Date:        26/04/2018 09:17 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> What is your definition of FIPS compliance? (I think there is none -especially not for applications-, so you cannot safely claim it).
>
> If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic module‘ then yes you would need to use the BC FIPS JAR and switch the thread in approved mode. Or you can use JCE with the IBM FIPS validated software modules. If you want to claim ‚uses (only) FIPS 140-2 approved cryptographic Service of a non-validated implementation then you might be fine.
>
> Gruss
> Bernd
> --
>
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=K11FueLuskyKK0QOyAl3o2Y45rTBsLnJog7dc7AWVJs&e=
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:09
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.
>
> Sample Code is below:
>
> publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
>                    throwsNoSuchAlgorithmException, InvalidKeyException
>    {
>        HMac hmac= newHMac(DigestFactory.getDigest(algo));
>        byte[] resBuf= newbyte[hmac.getMacSize()];
>        hmac.init(newKeyParameter(key));
>        hmac.update(message, 0, message.length);
>        hmac.doFinal(resBuf, 0);
>        returnresBuf;
>    }
>
> We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.
>
> Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>         Bangalore, 560071
> [
<a href=cid:_1_37DF188837DF133800115DF96525827B>cid:_1_37DF188837DF133800115DF96525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" <[hidden email]>
> To:        "[hidden email]" <[hidden email]>
> Date:        25/04/2018 08:52 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> Hello,
>
>
>
> The FIPS validated library is a different Provider jar, check out the web page:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=
>
>
>
> Gruss
>
> Bernd
>
> --
>
>
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=
>
> ________________________________________
>
> From: Dileep Dixith [[hidden email]]
>
> Sent: Wednesday, April 25, 2018 04:33
>
> To: [hidden email]
>
> Subject: [dev-crypto] Information on FIPS
>
>
>
> Hi All,
>
>
>
> We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.
>
>
>
> If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.
>
>
>
>
>
> Regards,
>
>
>
> Dileep Dixith
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
>
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
>
> Edisonstr. 1
>
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
>
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
>
> Fax: 07252 / 96 - 2222
>
> Internet:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=            Registergericht/Commercial Register:
>
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
>
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
>
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=gQIHtQduwSI0K5mtc_VoxDNe2V-F4ym3cAaOd8O_Qd0&e=             Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
> [attachment "ATT00001.gif" deleted by Dileep Dixith/India/IBM]
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet:
http://www.seeburger.de              Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>






Reply | Threaded
Open this post in threaded view
|

RE: Information on FIPS

Eckenfels. Bernd
Hello,

In a IBM VM with the FIPS Provider installed you get a compliant and validated HMAC with the following code, no need for BCFips at all. You must follow the security policy ofm that provider (I.e. pass in at least 112 bit keys).

Mac hmac = Mac.getInstance(" HmacSHA256","IBMJCEFIPS");

Gruss
Bernd
--
http://www.seeburger.com
________________________________________
From: Dileep Dixith [[hidden email]]
Sent: Thursday, April 26, 2018 07:39
To: [hidden email]
Cc: [hidden email]
Subject: Re: [dev-crypto] Information on FIPS

Thanks David.

Our Product does not make use of any Bouncy Castle provider. For example: Java has JSSE2Provider and IBMJCEFIPSfor FIPS compliance.

We use IBMJCEFIPSfor Java FIPS compliance.

org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider is not used in our Product instead we just use HMAC implementation from bcprov utilities.

So, now to make sure our product as FIPS compliance, we need to enable the above Bouncy Castle FIPS provider?

Regards,
________________________________


Dileep Dixith
         Bangalore, 560071
[cid:_1_45974CB045974760001F22DD6525827B]

Security Developer, Big Storage and MCStore      India

IBM Systems & Technology Lab
+91-80-41776741
Mobile: +91-95-91345900
e-mail: [hidden email]
________________________________






From:        David Hook <[hidden email]>
To:        "[hidden email]" <[hidden email]>
Date:        26/04/2018 10:40 AM
Subject:        Re: [dev-crypto] Information on FIPS
________________________________




Yes, this is correct. The regular bcprov implementation is FIPS
compatible, it gets the same value.

If you need FIPS compliance you need to be using a FIPS module at a
minimum, possibly in "FIPS approved only" mode as well. I should also
point out that you have to make sure you are following the modules
security policy if you are trying to run in "FIPS approved only" mode as
well. Just because the module allows something does not necessarily mean
it is okay to do in the context you are doing it.

Regards,

David

On 26/04/18 14:12, Eckenfels. Bernd wrote:

> The implementations calculate the same values. (The implementation is mostly the same). The FIPS version has some additional checks in regards to the state of self checks (and possibly type of keys passed in). However the implementation is not officially CAVP validated and the module is not CMVP validated.
>
> BTW on a normal JVM with Sun or IBM JCE you would not need BC at all. On other platforms the BC-FIPS validation might not be valid yet. (Android is early access IMHO)
>
> Gruss
> Bernd
> --
> http://www.seeburger.com<http://www.seeburger.com/>
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:53
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> Thanks for your information.
>
> Let me revise my question:  Whether use of bc-fips.jar has any impact on HMAC implementation exists in bcprov-jdk15on-1.54.jar.
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>          Bangalore, 560071
> [cid:_1_43EC514843EC4BF800155D196525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" <[hidden email]>
> To:        "[hidden email]" <[hidden email]>
> Cc:        "[hidden email]" <[hidden email]>
> Date:        26/04/2018 09:17 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> What is your definition of FIPS compliance? (I think there is none -especially not for applications-, so you cannot safely claim it).
>
> If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic module‘ then yes you would need to use the BC FIPS JAR and switch the thread in approved mode. Or you can use JCE with the IBM FIPS validated software modules. If you want to claim ‚uses (only) FIPS 140-2 approved cryptographic Service of a non-validated implementation then you might be fine.
>
> Gruss
> Bernd
> --
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=K11FueLuskyKK0QOyAl3o2Y45rTBsLnJog7dc7AWVJs&e=
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:09
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.
>
> Sample Code is below:
>
> publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
>                    throwsNoSuchAlgorithmException, InvalidKeyException
>    {
>        HMac hmac= newHMac(DigestFactory.getDigest(algo));
>        byte[] resBuf= newbyte[hmac.getMacSize()];
>        hmac.init(newKeyParameter(key));
>        hmac.update(message, 0, message.length);
>        hmac.doFinal(resBuf, 0);
>        returnresBuf;
>    }
>
> We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.
>
> Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>         Bangalore, 560071
> [cid:_1_37DF188837DF133800115DF96525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" <[hidden email]>
> To:        "[hidden email]" <[hidden email]>
> Date:        25/04/2018 08:52 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> Hello,
>
>
>
> The FIPS validated library is a different Provider jar, check out the web page: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=
>
>
>
> Gruss
>
> Bernd
>
> --
>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=
>
> ________________________________________
>
> From: Dileep Dixith [[hidden email]]
>
> Sent: Wednesday, April 25, 2018 04:33
>
> To: [hidden email]
>
> Subject: [dev-crypto] Information on FIPS
>
>
>
> Hi All,
>
>
>
> We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.
>
>
>
> If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.
>
>
>
>
>
> Regards,
>
>
>
> Dileep Dixith
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
>
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
>
> Edisonstr. 1
>
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
>
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
>
> Fax: 07252 / 96 - 2222
>
> Internet: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=            Registergericht/Commercial Register:
>
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
>
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
>
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=gQIHtQduwSI0K5mtc_VoxDNe2V-F4ym3cAaOd8O_Qd0&e=             Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
> [attachment "ATT00001.gif" deleted by Dileep Dixith/India/IBM]
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: http://www.seeburger.de<http://www.seeburger.de/>              Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>













SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


Reply | Threaded
Open this post in threaded view
|

Re: Information on FIPS

David Hook-3
In reply to this post by Dileep Dixith

Bernd is correct - if you're using IBMJCEFIPS and it already supports the algorithm there isn't any need to use Bouncy Castle as well - well at least not from the point of view of getting a SHA256Hmac. Simpler is always better with these things.

Regards,

David

On 26/04/18 15:39, Dileep Dixith wrote:
Thanks David.

Our Product does not make use of any Bouncy Castle provider. For example: Java has JSSE2Provider and IBMJCEFIPSfor FIPS compliance.

We use IBMJCEFIPSfor Java FIPS compliance.

org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider is not used in our Product instead we just use HMAC implementation from bcprov utilities.

So, now to make sure our product as FIPS compliance, we need to enable the above Bouncy Castle FIPS provider?

Regards,


Dileep Dixith
 Bangalore, 560071
Security Developer, Big Storage and MCStore  India

 
IBM Systems & Technology Lab  
+91-80-41776741  
Mobile: +91-95-91345900  
e-mail: [hidden email]  






From:        David Hook [hidden email]
To:        [hidden email] [hidden email]
Date:        26/04/2018 10:40 AM
Subject:        Re: [dev-crypto] Information on FIPS





Yes, this is correct. The regular bcprov implementation is FIPS
compatible, it gets the same value.

If you need FIPS compliance you need to be using a FIPS module at a
minimum, possibly in "FIPS approved only" mode as well. I should also
point out that you have to make sure you are following the modules
security policy if you are trying to run in "FIPS approved only" mode as
well. Just because the module allows something does not necessarily mean
it is okay to do in the context you are doing it.

Regards,

David

On 26/04/18 14:12, Eckenfels. Bernd wrote:
> The implementations calculate the same values. (The implementation is mostly the same). The FIPS version has some additional checks in regards to the state of self checks (and possibly type of keys passed in). However the implementation is not officially CAVP validated and the module is not CMVP validated.
>
> BTW on a normal JVM with Sun or IBM JCE you would not need BC at all. On other platforms the BC-FIPS validation might not be valid yet. (Android is early access IMHO)
>
> Gruss
> Bernd
> --
>
http://www.seeburger.com
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:53
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> Thanks for your information.
>
> Let me revise my question:  Whether use of bc-fips.jar has any impact on HMAC implementation exists in bcprov-jdk15on-1.54.jar.
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>          Bangalore, 560071
> [
<a href="cid:_1_43EC514843EC4BF800155D196525827B" moz-do-not-send="true">cid:_1_43EC514843EC4BF800155D196525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" [hidden email]
> To:        [hidden email] [hidden email]
> Cc:        [hidden email] [hidden email]
> Date:        26/04/2018 09:17 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> What is your definition of FIPS compliance? (I think there is none -especially not for applications-, so you cannot safely claim it).
>
> If you need to announce ‚uses FIPS 140-2 level 1 validated cryptographic module‘ then yes you would need to use the BC FIPS JAR and switch the thread in approved mode. Or you can use JCE with the IBM FIPS validated software modules. If you want to claim ‚uses (only) FIPS 140-2 approved cryptographic Service of a non-validated implementation then you might be fine.
>
> Gruss
> Bernd
> --
>
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=K11FueLuskyKK0QOyAl3o2Y45rTBsLnJog7dc7AWVJs&e=
> ________________________________________
> From: Dileep Dixith [[hidden email]]
> Sent: Thursday, April 26, 2018 05:09
> To: Eckenfels. Bernd
> Cc: [hidden email]
> Subject: RE: [dev-crypto] Information on FIPS
>
> Hello,
>
> We use only HMAC Message digest from Bouncy castle. In my view, HMAC implementation based on RFC2104 is FIPS compliant.
>
> Sample Code is below:
>
> publicbyte[] getHmacDigest(String algo, byte[] key, byte[] message)
>                    throwsNoSuchAlgorithmException, InvalidKeyException
>    {
>        HMac hmac= newHMac(DigestFactory.getDigest(algo));
>        byte[] resBuf= newbyte[hmac.getMacSize()];
>        hmac.init(newKeyParameter(key));
>        hmac.update(message, 0, message.length);
>        hmac.doFinal(resBuf, 0);
>        returnresBuf;
>    }
>
> We don't use any Bouncy castle Provider, TLS/SSL or any other encryption related functions.
>
> Do we still need to use bc-fips.jar to be FIPS compliant. Whether bc-fips jar has any improvements to HMAC implementation to be FIPS compliant?
>
> Regards,
> ________________________________
>
>
> Dileep Dixith
>         Bangalore, 560071
> [
<a href="cid:_1_37DF188837DF133800115DF96525827B" moz-do-not-send="true">cid:_1_37DF188837DF133800115DF96525827B]
>
> Security Developer, Big Storage and MCStore      India
>
> IBM Systems & Technology Lab
> +91-80-41776741
> Mobile: +91-95-91345900
> e-mail: [hidden email]
> ________________________________
>
>
>
>
>
>
> From:        "Eckenfels. Bernd" [hidden email]
> To:        [hidden email] [hidden email]
> Date:        25/04/2018 08:52 AM
> Subject:        RE: [dev-crypto] Information on FIPS
> ________________________________
>
>
>
> Hello,
>
>
>
> The FIPS validated library is a different Provider jar, check out the web page:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.bouncycastle.org_fips-5Fjava-5Froadmap.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=SnE70IYEUNxZwH73IXmh5DTJ9vux5W0yEzV85EqVViU&e=
>
>
>
> Gruss
>
> Bernd
>
> --
>
>
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=IqoqN_7iTHgu6NN6D7-2-fOhSLelNP2ohJjy1axOJTs&e=
>
> ________________________________________
>
> From: Dileep Dixith [[hidden email]]
>
> Sent: Wednesday, April 25, 2018 04:33
>
> To: [hidden email]
>
> Subject: [dev-crypto] Information on FIPS
>
>
>
> Hi All,
>
>
>
> We use  bcprov-jdk15on-1.54in our product. We want to understand whether this version is FIPS compliant?  If yes, can you provide ways to enable it.
>
>
>
> If it is not FIPS enabled, let us know which version is FIPS enabled so that we can move to that version.
>
>
>
>
>
> Regards,
>
>
>
> Dileep Dixith
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
>
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
>
> Edisonstr. 1
>
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
>
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
>
> Fax: 07252 / 96 - 2222
>
> Internet:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=4_2w8WU_z822O0_iZsZC0MeROiuWSrulr0fVar5JMIg&s=XW4MYeDgMc0vgSYAvudy6rL4R9ZvwagTalJf411XrHI&e=            Registergericht/Commercial Register:
>
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
>
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
>
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.seeburger.de&d=DwIF-g&c=jf_iaSHvJObTbx-siA1ZOg&r=B5ChIrN6jtbYJC4PJ6nEiuI1yqiRWKnPlWbZ6YLOBkM&m=uIPpV29xVxb45xnJqR72qlB4gARN-dEF9g-WVJsFEpM&s=gQIHtQduwSI0K5mtc_VoxDNe2V-F4ym3cAaOd8O_Qd0&e=             Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
> [attachment "ATT00001.gif" deleted by Dileep Dixith/India/IBM]
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet:
http://www.seeburger.de              Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>
>
>