Stripy Castle FIPS

Stripy Castle FIPS

David Templar-2

Hi,

Mainly for Mr Hook.

OK, as you know my interest is in Android and I do like BC and besides FIPS BC, traditional BC is great and life is good :) - maybe it is just me... lock-down and a lot more time to do things I used to enjoy!

There might be StripyCastle versions of BC FIPS for Android (some book says so :) ) - they will be ODEX and jars and probably have a different checksum (am I wrong on this ...) and installed on Android devices... obviously, as per previous posts a new checksum = a new FIPS certification requirement.

Can you confirm such is the case? If yes, is such only available to OEM/Support Contract billed people?

Even if it was free - the very fact that it needs custom install per device in root/unlocked bootloaders etc... eliminates 99.999% of all markets and users.

Am I correct or is there some secret recipe for StripyCastle?

This puzzle has been itching me for some time :)

1. The devices Stripy is installed on use a different format for the JVM and its jars - compared to Samsung, Lenovo, Motorola, Huawei etc?

2. Stripy is a separate product (with different checksums and maybe other bits different) and licensed and paid for by those who can?

3. There is some special method to get BC FIPS in an Android app without triggering checksums and creating a security hack; theoretically obfuscation, compression etc. should have worked. But Android likes to package specially.

4. You have on Android a virtual JVM app - in which case all is possible.

As you know I can get both to work on Android devices - even 1.65 works on 4.1 (probably earlier). Traditional does not need a checksum trick. FIPS... what is the magic? :)

For the traditional BC - thanks for the truststore solution! That filled a lot of gaps!

-- 
Kind regards,

David Templar

Re: Stripy Castle FIPS

David Templar-2

May I suggest a solution?

Android 10 or Q is rolling out now - I still have many of the latest devices from Samsung that do not have the Q upgrade.

However, A10 actually has improved security features. I could go into them but in a simple way it is becoming more like Linux/Unix.

This is the time to hit home regarding files, emails and all data security!

For Advanced:

However, a new data box is required - it is adaptive (even when a computer cannot assist/shut down) - Data in the box is preserved/retrievable.

The state of data is not as important as the output. This negates both parties.

On 23/04/2020 00:25, David Templar wrote:
-- 
Kind regards,

David Templar

This email is digitally signed to ensure authenticity.
Re: Stripy Castle FIPS

David Hook-3

Last we looked, while Android 10 had improved the situation with Bouncy Castle in general, due to the sandboxing, the checksum issue remained. The jar still needs to be installed as part of the underlying OS to ensure there's a way of confirming that its checksum is valid.

The checksum (which is actually a HMAC) is a requirement of FIPS put in place to ensure that the software being executed comes from the same byte code as the NIST originally signed off on.

The Zebra TC75 Touch Computer (Android 5.1), Zebra TC51-HC Touch Computer (Android 6), and the Zebra TC52 Touch Computer (Android 8.1) are examples of devices which have been certified as FIPS compliant using StripyCastle. In terms of "free" or not - the StripyCastle code is a direct port of the associated version of BC-FJA; subtleties of certification aside, this is probably something anyone could do. Where the cost comes in is with the lab fees and the NIST recovery fees (of course there's time as well, but even without considering that, the lab and NIST fees are substantial - you're looking at 40K to 50K USD).

Regards,

David

On 23/4/20 12:21 pm, David Templar wrote:


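The point made in the reply above is that the FIPS "checksum" is an HMAC over the module's bytecode, fixed when the module was validated, so anything that changes the bytes the MAC is computed over (such as Android's conversion of .class files to dex/odex) produces a module with a different MAC that has not been validated. The following is an added illustration of that kind of software integrity test; it is not Bouncy Castle's own check, key or jar layout, and the class entries, the key `INTEGRITY_KEY`, and the stand-in `dex_convert` routine are all constructed for the example. It shows that repackaging the same bytecode (different compression, timestamps, a manifest and signature block) leaves the MAC intact, while converting or renaming classes does not.

```python
"""Illustration of a FIPS-style software integrity test: an HMAC over the
module's bytecode, compared against a value fixed at validation time.
Constructed example; not Bouncy Castle's own check, key or jar layout."""
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for the module's class files (not real bytecode).
MODULE_CLASSES = {
    "org/example/fips/Provider.class": b"\xca\xfe\xba\xbe" + b"provider bytecode",
    "org/example/fips/Aes.class": b"\xca\xfe\xba\xbe" + b"aes bytecode",
}

# The key of an integrity HMAC is not a secret; it only has to be fixed so the
# same bytecode always yields the same MAC. Assumed value for this example.
INTEGRITY_KEY = b"example-integrity-key"


def build_jar(entries, compression=zipfile.ZIP_DEFLATED, stamp=(2020, 4, 23, 0, 25, 0)):
    """Pack entries into an in-memory jar (a zip) with a chosen compression and timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=stamp)
            zf.writestr(info, entries[name], compress_type=compression)
    return buf.getvalue()


def module_hmac(jar_bytes, key=INTEGRITY_KEY):
    """HMAC-SHA256 over every non-META-INF entry, in sorted name order.
    Each entry is fed as name, NUL, 4-byte length, content, so the MAC depends
    only on the bytecode, not on zip compression, entry order or timestamps."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith("META-INF/"):
                continue  # manifest and jar-signature files are not part of the measured module
            data = zf.read(name)
            mac.update(name.encode("utf-8") + b"\x00")
            mac.update(len(data).to_bytes(4, "big"))
            mac.update(data)
    return mac.hexdigest()


def integrity_check(jar_bytes, expected_hex):
    """Power-up self-test: recompute the MAC and compare it in constant time."""
    return hmac.compare_digest(module_hmac(jar_bytes), expected_hex)


# The value "fixed at validation time" for the constructed module.
VALIDATED_HMAC = module_hmac(build_jar(MODULE_CLASSES))


def check_original():
    """The validated jar passes its own self-test."""
    return integrity_check(build_jar(MODULE_CLASSES), VALIDATED_HMAC)


def check_repackaged():
    """Same bytecode, different packaging: stored instead of deflated, a new
    timestamp, plus a manifest and signature file under META-INF/. Still passes."""
    entries = dict(MODULE_CLASSES)
    entries["META-INF/MANIFEST.MF"] = b"Manifest-Version: 1.0\r\n"
    entries["META-INF/EXAMPLE.SF"] = b"Signature-Version: 1.0\r\n"
    jar = build_jar(entries, compression=zipfile.ZIP_STORED, stamp=(2021, 1, 1, 0, 0, 0))
    return integrity_check(jar, VALIDATED_HMAC)


def dex_convert(classes):
    """Constructed stand-in for Android's class-to-dex conversion: the same
    logic, but the measured bytes are no longer the validated .class bytes."""
    body = b"".join(classes[name][4:] for name in sorted(classes))
    return {"classes.dex": b"dex\n035\x00" + body}


def check_dexed():
    """A dex build of the module fails the check: it needs its own validated MAC."""
    return integrity_check(build_jar(dex_convert(MODULE_CLASSES)), VALIDATED_HMAC)


def check_obfuscated():
    """Renaming a class, as an obfuscator would, also changes what is measured."""
    entries = {name.replace("Provider", "a"): data for name, data in MODULE_CLASSES.items()}
    return integrity_check(build_jar(entries), VALIDATED_HMAC)


if __name__ == "__main__":
    print("original   :", check_original())    # True
    print("repackaged :", check_repackaged())  # True
    print("dexed      :", check_dexed())       # False
    print("obfuscated :", check_obfuscated())  # False
```

The design choice worth noting is what the MAC covers: measuring the entry contents rather than the raw zip bytes means a re-signed or recompressed jar still passes, but any transformation of the bytecode itself (dex/odex conversion, obfuscation, even recompiling) is a different module. That is the situation described in the thread: an Android build of the module can be made to pass a check computed over its own bytes, but that new MAC is not the one on the certificate.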
Re: Stripy Castle FIPS

David Templar-2

I think I did the Android tests.....

OK $0-50K...

Yes, fees and time is money!

Actually I remember when it was just a spec - I am a bit tired but does 1999 help: https://jcp.org/en/jsr/detail?id=27 ( I am a bit tired to look further back and to be honest Oracle has "lost" previous pages).

Oracle now charges $5 per Desktop programmer... ORACLE - BILLIONAIRE COMPANY $5...

No - BC FIPS cannot be installed on a traditional device unless the ODEX/Checksum matches! I can match them! But is that checksum certified?

ZEBRA devices - OK, let's all go into the bush and get Opal or Gold... that is the device you are targeting?

I can buy a sat phone, linked to an ANDROID device and use just traditional BC to encrypt comms. In fact, my voice itself is strange enough to be considered encrypted. :)

I do understand costs.

And yes a badge does cost money. At the same time I was around when JCE was considered nonsense but 3d or VOIP etc were worth more.

All topics have grown!

If $50K go and fight for it!!! Your NIST cert deserves this!



On 23/04/2020 04:00, David Hook wrote:


-- 
Kind regards,

David Templar