BlackBerry OS 6 Gets ‘FIPS 149-2’ Approval from US Government

RIM's BlackBerry logo

Research In Motion launched the newest version of its smartphone operating system—BlackBerry OS 6—back in August and the new OS has finally received its FIPS 149-2 certification from the US Government. FIPS 149-2 certification means that the new BB operating system meets certain US Government requirements regarding encryption methods inside of both the software and hardware underneath. Without the encryption certification, BlackBerry OS 6 isn’t usable for government employees.

BlackBerry OS versions 3.3 through 5 have all received FIPS 149-2 certification so BB OS 6 receiving the stamp of approval is really no surprise. Still, each hardware and software component utilizing encryption inside devices running BB OS 6 (and older BlackBerrys that get the update eventually) is rated on a scale of one through four. Too complex? Not all FIPS 149-2 certified devices are created equal so I have compiled a breakdown on what level of certification under the FIPS banner means.

Four FIPS 149-2 Security Levels:

  • Level 1 security is the lowest level of FIPS 149-2 certification that passes approval. To get the certification, a component has to have basic cryptography security but no physical security to prevent tampering.
  • Level 2 security is a step up from level 1 in that it requires measures in place to prevent physical tampering. Role-based authentication (client/server and multiple access levels) and timesharing of secure resources is also present.
  • Level 3 security requires tamper resistant security and authentication based on identity in addition to the specifications in the first two levels.
  • Level 4 security requires an “envelop of protection” around the cryptography components in addition to the requirements for the previous three levels.

 

How BlackBerry OS 6 Rates Under FIPS:

  • ASTRO Subscriber Universal Crypto Module (UCM)—this component provides encryption for your phone calls. BB OS 6’s rating? 1.
  • BlackBerry Cryptographic Kernel—provides “basic cryptographic functionality for the BlackBerry.” This also received a rating of 1.
  • Cloakware Security Kernel—an encryption library that lets Java applications use encryption services and interfaces with servers.  Also rated a 1 out of 4.
  • IronKey S200/D200—high end encryption and decryption for NAND flash and RAM. A very respectable rating of 3 was awarded to this component.
  • Advanced Configurable Cryptographic Environment (ACCE) 2—a cryptography module that commands a top rating of 4.
  • Atalla Cryptographic Subsystem (ACS)—another cryptography component that ranks in with a rating of 4.

RIM literally has hundreds of different components approved to be FIPS compatible with BB OS 6. As you can see from the few I compiled for the list, they vary wildly in security levels. Don’t worry though—the numbers mean less than you think for the average user looking for security. If you are really interested in all of the juicy details about BB OS 6 and security, check out the government site with the details here - csrc.nist.gov.

Interestingly, Apple’s iPhone has had trouble moving towards FIPS certification and as of to-date (correct me if I am wrong), only one company is offering the certification in an encryption SDK (software developers kit) for future apps. This why BlackBerrys still rule business? How is Android moving towards meeting the strict requirements?

Let me know what you think about all of this. Oh, and the Bold 9700 and 9650 do pop up in RIM’s press release on the certification news. Why? Because RIM still says that they’re getting BB OS 6 of course. Keep your fingers crossed for that one.

Tags: , , , ,