
Enforcing FIPS

Federal Information Processing Standard (FIPS) 140-2 specifies requirements for security algorithms. The RIM Cryptographic API includes a number of tools that you can use to create a FIPS-compliant application.

As the FIPS-validated random source, the API uses the AES cipher-based deterministic random bit generator. This random source is represented by the PRNG_TYPE_AES_CTR_DRBG constant in the Crypto class.

As the non-FIPS random source, the API uses the FIPS 186-2 pseudorandom number generator. This random number generator is represented by the PRNG_TYPE_FIPS186 constant in the Crypto class.

FIPS compliance is available in BlackBerry Enterprise Server environments. To enforce FIPS compliance, your BlackBerry Enterprise Server administrator must set an IT policy rule in the Security policy group to "Enforce FIPS Mode of Operation". For more information, see the BlackBerry Enterprise Solution Security Technical Overview, available at www.blackberry.com/security. When the "Enforce FIPS Mode of Operation" IT policy rule is set, your app will run in FIPS mode by default.

As an alternative to setting the IT policy rule, you can set the useFIPSmode parameter to true when you invoke the constructors of the following classes: AESEncryptorEngine, AESDecryptorEngine, AESCBCEncryptorEngine, and AESCBCDecryptorEngine. This setting causes your app to always use FIPS algorithms, regardless of the IT policy.

If your application uses random data, it must use the following settings to be FIPS compliant:

  • When you use the Crypto.getPRNG method to expand a seed into a stream of pseudo-random bytes, set the prngType parameter to PRNG_TYPE_AES_CTR_DRBG. (The other available type of pseudorandom number generator, PRNG_TYPE_FIPS186, does not provide FIPS compliance.)
  • For applications that implement the FIPS186PseudoRandomSource class, set the name to AESCTRDRBGPseudoRandomSource. (If you implement the RandomSource class, the type of pseudorandom number generator changes automatically depending on the BlackBerry Enterprise Server settings.)
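The useFIPSmode guidance and the random-source settings above can be checked in a code review with a small source audit. The script below is an added example, not part of the RIM documentation or API. It assumes one Java statement per line, and the argument lists in its sample input are constructed placeholders, not the real constructor signatures.

```python
import re

# Names the page identifies as the non-FIPS random source.
NON_FIPS_NAMES = ("PRNG_TYPE_FIPS186", "FIPS186PseudoRandomSource")
# Classes the page lists as accepting the useFIPSmode parameter.
AES_ENGINES = ("AESEncryptorEngine", "AESDecryptorEngine",
               "AESCBCEncryptorEngine", "AESCBCDecryptorEngine")

NAME_RE = re.compile(r"\b(%s)\b" % "|".join(NON_FIPS_NAMES))
ENGINE_RE = re.compile(r"\bnew\s+(%s)\s*\(([^;]*)\)" % "|".join(AES_ENGINES))


def audit(java_source):
    """Return (line number, message) pairs for settings that do not force FIPS."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for m in NAME_RE.finditer(code):
            findings.append((lineno, "non-FIPS random source: " + m.group(1)))
        for m in ENGINE_RE.finditer(code):
            args = [a.strip() for a in m.group(2).split(",")]
            # Assumption: useFIPSmode is passed as the literal true.
            if "true" not in args:
                findings.append((lineno, m.group(1) +
                                 ": no literal true argument, FIPS mode depends on IT policy"))
    return findings


# Constructed sample input; argument lists are placeholders.
SAMPLE = """\
AESKey key = new AESKey(keyBytes);
AESEncryptorEngine enc = new AESEncryptorEngine(key, 16, true);
AESDecryptorEngine dec = new AESDecryptorEngine(key);
int type = Crypto.PRNG_TYPE_FIPS186;  // non-FIPS source
int ok = Crypto.PRNG_TYPE_AES_CTR_DRBG;
// old: new AESCBCEncryptorEngine(key, iv);
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print("line %d: %s" % (lineno, message))
```

A finding on an AES engine line means only that the code does not force FIPS mode itself. The app can still run in FIPS mode when the "Enforce FIPS Mode of Operation" IT policy rule is set.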