
FIPS 140-2 certification

Has anyone taken the Nordic LE Secure ECDH key exchange and encryption code through FIPS 140-2 certification, and what level was attained? I was tasked with getting to level 1 for our product and wanted to see where others were at with respect to the US Gov encryption standards.

  • We haven't started it; we are still working on getting the LESC code up and running. Moving from SDK8 to 11 took longer than we expected. I am now getting conflicting information out of Google stating that Android does not support LESC yet; however, Nordic is claiming it, and I can bond my phone with the Nordic LESC-enabled stack. Can someone confirm that it really is working with Android Marshmallow and not degrading to some lower level of encryption? I do see the ECDH events firing off in the Nordic stack, I just want to make sure that it's actually doing the right thing before we start going down any certification routes.

    Either way, I would expect that the stack and SD device itself would want to get the certification independently of any customer, since it's managing all of the security by implementing LESC.

  • Hi Jim,

    I do not think that it is certified, as it is not required to certify (unless we want the US government to use our module for their security). We have to expose our module to the FIPS test suite, and if we pass we can claim the compliance. I do know that we pass the compliance test but do not know which level. I have to come back to you on that next week. And for the LESC encryption, we DO support it from S13x_v2.0.0. Whether it works with a specific version of Android, I am not sure.

  • Part of the reason we want to go for FIPS level 1 is that it's a line in the sand with respect to security. There aren't many other comprehensive standards out there, and at least this one is documented and followed by the gov. Does the BLE compliance suite testing verify security when using LESC? If it does, I can lobby our requirements team to just refer to the testing; then we just need your test report/results and we can check the box off. FIPS was only put out there since we are a Class 3 FDA medical device maker, and the gov likes to see i's dotted and t's crossed, and if we show we meet a gov standard it's easier.

    One of my projects uses Nordic on both sides of the link, so we are 100% good there. The other project needs Android on the Central side. Nordic did confirm that the phone we are using, a Nexus 5X, supported it, but Google just chimed in and said no.

  • Hi Jim, BLE compliance testing here in Nordic does verify the encryption using LESC.
