FIPS 140-2 Compliant Phones


Posted on Mon Apr 22, 2013 9:30 am

Anyone know where there's a good list of these? New standards coming down for hooking personal phones to office e-mail and 140-2 compliance is mandatory. The only phones I've found so far that comply are the Samsung Galaxy S2 and S3, as well as the Blackberry Z10.
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20099
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Posted on Tue Apr 23, 2013 5:43 pm

Bueller, Bueller?

I can't be the only one in this pickle. Feel free to PM if worried about attribution.
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Tue Apr 23, 2013 5:54 pm

FIPS 140-2 ?

What is this I don't even
Carpe diem quam minimum credula postero
sid1089
Gerbil Team Leader
 
Posts: 290
Joined: Wed Jul 26, 2006 4:56 am

Re: FIPS 140-2 Compliant Phones

Posted on Tue Apr 23, 2013 6:00 pm

sid1089 wrote:FIPS 140-2 ?

What is this I don't even

An information security standard. I'll not even start with Level 1 v Level 4.

http://en.wikipedia.org/wiki/FIPS_140-2

In short, the boffins that run my employer's e-mail system came out with a policy stating that any mobile device that connects to the Exchange server must meet FIPS 140-2 and have AES256 encryption on anything that came from the server. Given my day job it's perfectly clear that said boffins simply regurgitated some "industry standard" without taking any time to find out exactly what devices meet the specification they're pushing down. My Googles have found 3 handsets and 1 tablet that meet the spec. None of them run iOS and Apple does not have a single device cleared under 140-2 that I can find. I despise Apple (take it to another thread), but living in the hippie homeland of Vermont I must acknowledge that the vast majority of smartphone owners love their fruit.

My life was driven by my Outlook calendar, and it's now lost to my phone. Since my old Droid Global 2 cannot meet the FIPS 140-2 spec I've been forced to delete my work e-mail account from the phone. The boffins who implemented the policy obviously did so without even assessing exactly what phones would meet the new standards, unless of course Blackberry paid them off to force purchases of Z10s.
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Tue Apr 23, 2013 7:41 pm

http://csrc.nist.gov/groups/STM/cmvp/do ... al-all.htm

That is ALL FIPS 140-2 compliant devices.

The only devices are the 2 Samsung Phones, Certain LG devices, the Nexus S, the Motorola Business Ready devices, and oh yeah EVERY SINGLE DEVICE USING OPENSSL, which is to say, all of them.

FIPS140-2 doesn't really say what they "think" it says. None of the data is encrypted on the devices except the Motorola Business Ready phones, Blackberries and iPhones.
keltor
Gerbil First Class
 
Posts: 176
Joined: Thu May 10, 2012 4:29 pm

Re: FIPS 140-2 Compliant Phones

Posted on Tue Apr 23, 2013 7:47 pm

What do the higher-ups have? One assumes that being a vice-president doesn't exclude one from compliance.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3127
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: FIPS 140-2 Compliant Phones

Posted on Tue Apr 23, 2013 7:54 pm

keltor wrote:EVERY SINGLE DEVICE USING OPENSSL


Only if they're using the FIPS-compliant cryptosystems. Work used to have a critical webserver running SSL3 that was /not/ FIPS compliant because it used RC4 for encryption.

I expect Ned's IT critters are wanting end-user devices that store stuff encrypted, not simply transmitting/receiving it that way.
bthylafh

Re: FIPS 140-2 Compliant Phones

Posted on Tue Apr 23, 2013 9:36 pm

The server can easily be limited to only allow certain protocols.

Defense and Gov't don't allow BYOD, so they'd provide a device if you are allowed to have it at all.

For everything else, it's usually some sort of petty deal. Otherwise use one of the devices which IS individually certified.
keltor
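
Added example, not part of either post above and not any poster's code: a Python sketch that screens (cipher suite, protocol) pairs for algorithms with no FIPS approval, such as the RC4-over-SSL3 case described above, and builds a server-side TLS context limited to TLS 1.2+ with AES-GCM suites. The token list, function names and sample pairs are assumptions of this example; the screen only looks at algorithm names and says nothing about whether the underlying crypto module holds a FIPS 140-2 validation.

```python
import ssl

# Name fragments of algorithms with no FIPS approval. Assumption of this
# example: matching on OpenSSL suite names is a screening aid only.
NON_APPROVED = ("RC4", "RC2", "MD5", "NULL", "DES-CBC-", "IDEA", "SEED",
                "CAMELLIA", "CHACHA20")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


def audit_suite(name, protocol):
    """Return the reasons a (suite, protocol) pair fails the screen."""
    reasons = [f"protocol {protocol}"] if protocol in LEGACY_PROTOCOLS else []
    reasons += [f"algorithm {tok.strip('-')}" for tok in NON_APPROVED
                if tok in name.upper()]
    return reasons


def hardened_server_context():
    """Server context limited to TLS 1.2+ and AES-GCM suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Governs TLS 1.2 suites only; TLS 1.3 suites are configured separately.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def audit_context(ctx):
    """Map each enabled suite that fails the screen to its reasons."""
    findings = {}
    for c in ctx.get_ciphers():
        reasons = audit_suite(c["name"], c["protocol"])
        if reasons:
            findings[c["name"]] = reasons
    return findings


# Constructed sample: (suite, protocol) pairs as a scanner might report them.
SAMPLE = [("RC4-SHA", "SSLv3"), ("AES256-SHA", "SSLv3"),
          ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2")]

if __name__ == "__main__":
    for name, proto in SAMPLE:
        print(name, proto, audit_suite(name, proto) or "passes screen")
    print(audit_context(hardened_server_context()))
```

Any suite that `audit_context` still reports for the hardened context is a TLS 1.3 suite, which the TLS 1.2 cipher string does not control.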

Re: FIPS 140-2 Compliant Phones

Posted on Wed Apr 24, 2013 1:02 am

keltor wrote:FIPS140-2 doesn't really say what they "think" it says. None of the data is encrypted on the devices except the Motorola Business Ready phones, Blackberries and iPhones.

S3 can do device encryption once it downloads the Exchange policies from the server.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24285
Joined: Mon May 24, 2004 2:19 am

Re: FIPS 140-2 Compliant Phones

Posted on Wed Apr 24, 2013 4:56 am

bthylafh wrote:I expect Ned's IT critters are wanting end-user devices that store stuff encrypted, not simply transmitting/receiving it that way.

Yup, AES256 is mandatory for on-phone storage.
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Wed Apr 24, 2013 5:09 am

bthylafh wrote:What do the higher-ups have? One assumes that being a vice-president doesn't exclude one from compliance.

You have to be an elected official or at the Commissioner level (appointed, confirmed by state Senate) to get a state-issue phone. Since my work life includes avoiding all such people as much as possible, I don't know.
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Wed Apr 24, 2013 7:43 pm

This is definitely a workaround, but I think you could meet the letter of the law by accessing the Exchange server through a web browser that's configured to never cache anything.

Assuming Web Services are enabled, naturally.
bthylafh

Re: FIPS 140-2 Compliant Phones

Posted on Wed Apr 24, 2013 8:05 pm

bthylafh wrote:This is definitely a workaround, but I think you could meet the letter of the law by accessing the Exchange server through a web browser that's configured to never cache anything.

Assuming Web Services are enabled, naturally.

The problem is that in the course of my field work I quite often find myself in places where I can't find Ethernet or open Wi-Fi, thus making me reliant on my phone. I'd prefer not to tether (easy on a rooted Droid with a grandfathered unlimited VZW data plan) as it's hard on the phone (you should see the temperature spike as data rates increase) and it adds to the space I need to occupy in places where my space allowance is often a chair and a 3'x3' table, although doing so would meet the letter of the standard. I'd much rather leave e-mail to the phone and put the laptop back in the bag so I have more space to get my work done, thus leaving me with the requirement to meet a standard that my centralized IT boffins cribbed from some "best practices" document without doing the slightest bit of research into whether or not the standard is achievable at not-ridiculous costs.

We've asked Central IT to give us a list of phones that meet their standards. They refused, saying that the analysis of compliance and the required personal signature on the policy stating that our phones comply with their policy is our problem.

I so adore check-box engineering.

[/heavy sarcasm]
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Wed Apr 24, 2013 11:56 pm

Captain Ned wrote: I'd prefer not to tether (easy on a rooted Droid with a grandfathered unlimited VZW data plan) as it's hard on the phone (you should see the temperature spike as data rates increase) and it adds to the space I need to occupy in places where my space allowance is often a chair and a 3'x3' table, although doing so would meet the letter of the standard.

Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.
He who laughs last, laughs first next time.
ludi
Gerbil Elder
 
Posts: 5403
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 4:59 am

ludi wrote:Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.

Likely so. The problem is that a phone upgrade means the end of my grandfathered unlimited data plan.
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 11:44 am

Captain Ned wrote:
ludi wrote:Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.

Likely so. The problem is that a phone upgrade means the end of my grandfathered unlimited data plan.

Even if you buy an unlocked phone and swap SIMs?
ludi

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 11:47 am

ludi wrote:
Captain Ned wrote:
ludi wrote:Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.

Likely so. The problem is that a phone upgrade means the end of my grandfathered unlimited data plan.

Even if you buy an unlocked phone and swap SIMs?

VZW, no such thing?

Besides, whether you are tethering over wifi or usb, when the data is really flying through (say stream an HD youtube), phones will get hot as they are doing work.
Flying Fox

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 5:05 pm

Flying Fox wrote:VZW, no such thing?

AFAIK it depends on the age of the phone. The 4G LTE phones apparently use them, not sure about anything older.
ludi

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 5:16 pm

ludi wrote:
Flying Fox wrote:VZW, no such thing?

AFAIK it depends on the age of the phone. The 4G LTE phones apparently use them, not sure about anything older.

VZW is a CDMA network, so no SIM cards. My Droid 2 Global is CDMA and GSM and has a SIM card that VZW will enable if I travel out of the US to a GSM network area.
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 6:03 pm

This confused me too, but apparently LTE is a GSM technology? My dad's Samsung Stratosphere phone on Verizon has a SIM, as does my coworker's HTC <something>. I dunno the story, but a lot of newer Verizon phones do in fact have SIM cards.
i5-3570K @ 4.4 (NH-C14), 4x8GB DDR3-1866, GA-Z68MA-D3H-B2, ASUS GTXTITAN-6GD5, 128GB Vertex 4 / 2x60GB Vertex Plus R2 / 2x2TB Barracuda 7200.14 RAID0 / ANS-9010 (4x4GB), SST-DA1000 (PSU), 2x VS229H-P, 1x VG248QE, 1x MIMO 720F, Corsair Vengeance K90+M95
auxy
Gerbil Elite
 
Posts: 781
Joined: Sat Jan 19, 2013 4:25 pm
Location: the armpit of Texas

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 6:42 pm

auxy wrote:This confused me too, but apparently LTE is a GSM technology? My dad's Samsung Stratosphere phone on Verizon has a SIM, as does my coworker's HTC <something>. I dunno the story, but a lot of newer Verizon phones do in fact have SIM cards.

It's a card that looks like a SIM card but has another name I can't yet pull out of Wikipedia. LTE is a completely different transmission scheme than GSM or CDMA, although it can still fall back to either. Looks like the real goal with LTE is to get away from the circuit-switched calls of GSM/CDMA and create the cell equivalent of VOIP for everything.
Captain Ned

Re: FIPS 140-2 Compliant Phones

Posted on Thu Apr 25, 2013 11:13 pm

I'm pretty sure you can buy an unsubsidized VZW phone, and then move that onto your plan to keep your unlimited data. I'm not sure how one would go about doing that though...
Lenovo W520
IBM dx340
Nokia Lumia 928
Sony a7 with far too many lenses to list or even count
lonleyppl
Gerbil XP
 
Posts: 343
Joined: Wed Jan 26, 2011 2:59 pm

