<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>FIPS 140-2 certification</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/13845/fips-140-2-certification</link><description>Has anyone taken the Nordic LE Secure ECDH key exchange and encryption code through FIPS 140-2 certification and what level was attained? I was tasked with getting to level 1 for our product and wanted to see where others were at with respect to the US</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Mon, 23 May 2016 07:09:42 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/13845/fips-140-2-certification" /><item><title>RE: FIPS 140-2 certification</title><link>https://devzone.nordicsemi.com/thread/52909?ContentTypeID=1</link><pubDate>Mon, 23 May 2016 07:09:42 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:3cd3589d-c698-4b90-89f9-e6b8d9b7bb99</guid><dc:creator>Susheel Nuguru</dc:creator><description>&lt;p&gt;Hi Jim,
BLE compliance testing here in Nordic does verify the encryption using LESC.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: FIPS 140-2 certification</title><link>https://devzone.nordicsemi.com/thread/52907?ContentTypeID=1</link><pubDate>Fri, 20 May 2016 13:52:02 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:ced2e442-49c4-4b3b-b00b-dc85396bff84</guid><dc:creator>Jim Dattolo</dc:creator><description>&lt;p&gt;Part of the reason we want to go for FIPS level 1 is that it&amp;#39;s a line in the sand with respect to security.  There aren&amp;#39;t many other comprehensive standards out there and at least this one is documented and followed by the gov.  Does the BLE compliance suite testing verify security when using LESC?   If it does I can lobby our requirements team to just refer to the testing and then we just need your test report/results and we can check the box off.  FIPS was only put out there since we are a Class 3 FDA medical device maker and the gov likes to see i&amp;#39;s dotted and t&amp;#39;s crossed and if we show us meeting a gov standard it&amp;#39;s easier.&lt;/p&gt;
&lt;p&gt;One of my projects uses Nordic on both sides of the link so we are 100% good there.  The other project needs Android on the Central side, Nordic did confirm that the phone we are using Nexus 5X supported it but Google just chimed in and said no.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: FIPS 140-2 certification</title><link>https://devzone.nordicsemi.com/thread/52906?ContentTypeID=1</link><pubDate>Fri, 20 May 2016 13:31:41 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:6a762026-43e1-4752-aa3a-8578881c3a62</guid><dc:creator>Susheel Nuguru</dc:creator><description>&lt;p&gt;Hi Jim,&lt;/p&gt;
&lt;p&gt;I do not think that it is certified as it is not required to certify (unless we want US government to use our module for their security). We have to expose our module to the FIPS test suite and if we pass we can claim the compliance. I do know that we pass the compliance test but do not know which level. I have to come back to you on that next week. And for the LESC encryption, we DO support it from S13x_v2.0.0. If it works with specific version of Android, I am not sure.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: FIPS 140-2 certification</title><link>https://devzone.nordicsemi.com/thread/52908?ContentTypeID=1</link><pubDate>Fri, 20 May 2016 12:52:00 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:cb3a42aa-7ff4-4d3f-9ef3-64785a91fb5b</guid><dc:creator>Jim Dattolo</dc:creator><description>&lt;p&gt;We haven&amp;#39;t started it, we are still working on getting the LESC code up and running.  Moving from SDK8 to 11 took longer than we expected.   I am now getting conflicting information out of Google stating that Android &lt;em&gt;does not support&lt;/em&gt; LESC yet, however Nordic is claiming it and I can bond my phone with the Nordic LESC enabled stack.  Can someone confirm that it really is working with Android Marshmallow and not degrading to some lower level encryption?   I do see the ECDH events firing off in the Nordic stack, I just want to make sure that it&amp;#39;s actually doing the right thing before we start going down any certification routes.&lt;/p&gt;
&lt;p&gt;Either way I would expect that the stack and SD device itself would want to get the certification independently of any customer since it&amp;#39;s managing all of the security by implementing LESC.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: FIPS 140-2 certification</title><link>https://devzone.nordicsemi.com/thread/52905?ContentTypeID=1</link><pubDate>Fri, 20 May 2016 07:52:26 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:c5948b37-3623-4ea5-a388-573a5428f519</guid><dc:creator>Susheel Nuguru</dc:creator><description>&lt;p&gt;Hi Jim,
How did it go with your certification?&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>