Archive

Archive for the ‘FIPS’ Category

FileVault 2 on El Capitan is now FIPS 140-2 Compliant

April 20, 2016 1 comment

Apple officially announced on Wednesday, April 6th that the FIPS 140-2 validations for the cryptographic modules used by iOS 9 and OS X 10.11.x have now been completed. This is significant news for folks who want to use FileVault 2 in government and regulated industries (such as financial and health-care institutions.)

For folks who haven’t heard of it before, FIPS 140-2 is an information technology security accreditation program run jointly by the US and Canadian governments. This program is used by private sector vendors to have their cryptographic modules certified for use in US and Canadian government departments and private industries with regulatory requirements for security.

As part of the announcement, Apple has released KBase articles and guidance for security offices who deal with encryption:

Apple FIPS Cryptographic Modules v6.0 for OS X El Capitan v10.11https://support.apple.com/HT205748

Crypto Officer Role Guide for FIPS 140-2 Compliance OS X El Capitan v10.11https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT205748/APPLEFIPS_GUIDE_CO_OSX10.11.pdf

According to Apple, the OS X El Capitan Cryptographic Modules, Apple OS X CoreCrypto Module v6.0 and Apple OS X CoreCrypto Kernel Module v6.0, require no setup or configuration to be in “FIPS Mode” for FIPS 140-2 compliance on devices running OS X El Capitan 10.11.x.

FileVault 2 is listed as being FIPS 140-2 Compliant as part of the Crypto Officer Role Guide for FIPS 140-2 Compliance OS X El Capitan v10.11 documentation, in the Compliant Applications and Services section.

Screen Shot 2016 04 20 at 7 14 05 AM

 

For more information about the validation certification, please see below the jump.

Read more…

FIPS 140-2 validation and FileVault 2

January 10, 2016 2 comments

One question I’ve seen which has caused confusion for folks who deal with security regulations is this: Is FileVault 2 FIPS 140-2 compliant?

The answer is: Yes, depending on the version of OS X

The cryptography used by FileVault 2 on the following versions of OS X has gone through the FIPS validation process and has been validated as being FIPS 140-2 Compliant:

The CoreCrypto cryptographic modules used by OS X 10.11 are currently in the process of becoming FIPS 140-2 validated. The reason FileVault 2 in El Capitan is not automatically FIPS 140-2 compliant has to do with OS X’s CoreCrypto cryptography foundation and how the FIPS 140-2 validation process works.

FIPS validation

The FIPS validation process tests a specific cryptographic module used inside a system to protect information. It also applies only to a cryptographic module used in a shipping product; the cryptographic module in question can’t be a prototype or in beta. 

Another important thing to know is that the testing is very specific and applies only to the cryptographic module submitted for review. If the vendor changes anything in the cryptographic module, it loses its FIPS validation and has to be resubmitted for laboratory testing and government review.

There are three major phases in the process:

Phase 1: Design and Documentation

In order to prepare for the FIPS validation process, the cryptographic module in question has to be designed to pass the various tests involved and also be properly documented. This is the part of the process which the vendor has the most control over.

Phase 2: Laboratory Testing

Once the cryptographic module has been designed, documented and shipped, it is submitted to a third-party accredited Cryptographic and Security Testing (CST) laboratory to test the module(s) in question against FIPS 140-2’s qualitative levels of security. This testing can take an indeterminate amount of time, depending on how well the cryptographic module is designed and documented.

Best case: A cryptographic module that properly meets the requirements and with all required documentation written correctly can complete its laboratory testing in two to three months.

Phase 3: Government Review

After the lab has tested the cryptographic module, a report on the testing is submitted to the Cryptographic Module Validation Program (CMVP) for review. CMVP is a joint US-Canadian program that reviews all the test reports, with the CMVP Validation Authorities being the National Institute of Standards and Technology (NIST) for the US Government and the Communications Security Establishment (CSE) for the Government of Canada. This review can also take an indeterminate amount of time, depending on how many test reports need review, and can range from two months to eight months.

Apple and CoreCrypto

Apple’s CoreCrypto library is used by various components in OS X to provide low level cryptographic primitive support. This is the cryptographic library which is submitted by Apple to the FIPS 140-2 validation process.

With every version of iOS and OS X, Apple has made changes to CoreCrypto. As part of making those changes, Apple has had to resubmit CoreCrypto to laboratory testing and government review as part of the FIPS 140-2 validation process.

Apple’s stated intention is to continue FIPS 140-2 validation for OS X’s CoreCrypto cryptography foundation, which would also cover FileVault 2 on future versions of OS X, but the validation process itself can only be begun once that future OS has been released. Meanwhile, as noted above, the testing and governmental review process will take months to complete.

The good news is that it’s possible to at least see where Apple is in the process. NIST has a website where the current list of modules in the process can be viewed via a PDF which is updated weekly. To check for Apple’s progress, search the PDF for entries where Apple Inc. is listed as the vendor.

For more information on this subject, Apple has KBase articles available via the links below:

Product security, validations, and guidance for iOS

Product security, validations, and guidance for OS X

Apple’s existing FIPS validations are also available for reference via the link below:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

FileVault 2 on Yosemite is now FIPS 140-2 Compliant

August 11, 2015 Leave a comment

Apple announced on Saturday, August 8th that the FIPS 140-2 validations for the cryptographic modules used by iOS 8 and OS X 10.10.x have now been completed. This is significant news for folks who want to use FileVault 2 in government and regulated industries (such as financial and health-care institutions.)

For folks who haven’t heard of it before, FIPS 140-2 is an information technology security accreditation program run jointly by the US and Canadian governments. This program is used by private sector vendors to have their cryptographic modules certified for use in US and Canadian government departments and private industries with regulatory requirements for security.

As part of the announcement, Apple has released KBase articles and guidance for security offices who deal with encryption:

OS X Yosemite: Apple FIPS Cryptographic Modules v5.0http://support.apple.com/kb/HT205017

Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Yosemite v10.10https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT205017/APPLEFIPS_GUIDE_CO_OSX10.10.pdf

According to Apple, the OS X Yosemite Cryptographic Modules, Apple OS X CoreCrypto Module v5.0 and Apple OS X CoreCrypto Kernel Module v5.0, require no setup or configuration to be in “FIPS Mode” for FIPS 140-2 compliance on devices running OS X Yosemite v10.10.

FileVault 2 is listed as being FIPS 140-2 Compliant as part of the Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Yosemite v10.10 documentation, in the Compliant Applications and Services section.

Screen Shot 2015 08 11 at 11 13 21 AM

For more information about the validation certification, please see below the jump.

Read more…

FileVault 2 on Mavericks is now FIPS 140-2 Compliant

November 12, 2013 1 comment

Apple officially announced on Monday, November 11th that the FIPS 140-2 validations for the cryptographic modules used by iOS 7 and OS X 10.9.x have now been completed. This is significant news for folks who want to use FileVault 2 in government and regulated industries (such as financial and health-care institutions.)

For folks who haven’t heard of it before, FIPS 140-2 is an information technology security accreditation program run jointly by the US and Canadian governments. This program is used by private sector vendors to have their cryptographic modules certified for use in US and Canadian government departments and private industries with regulatory requirements for security.

As part of today’s announcement, Apple has released KBase articles and guidance for security offices who deal with encryption:

OS X Mavericks: Apple FIPS Cryptographic Modules v4.0http://support.apple.com/kb/HT6051

Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Mavericks v10.9http://km.support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT6051/APPLEFIPS_GUIDE_CO_OSX10.9.pdf

According to Apple, the OS X Mavericks Cryptographic Modules, Apple OS X CoreCrypto Module v4.0 and Apple OS X CoreCrypto Kernel Module v4.0, require no setup or configuration to be in “FIPS Mode” for FIPS 140-2 compliance on devices running OS X Mavericks v10.9.

FileVault 2 is listed as being FIPS 140-2 Compliant as part of the Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Mavericks v10.9 documentation, in the Compliant Applications and Services section.

Screen Shot 2013-11-12 at 10.09.30 AM

FileVault 2 on OS X 10.8.x is now FIPS 140-2 Compliant

June 29, 2013 Leave a comment

Apple announced on Friday, June 28th that the FIPS 140-2 validations for the cryptographic modules used by iOS 6 and OS X 10.8.x have now been completed. This is significant news for Mac admins who want to use FileVault 2 in government and regulated industries (such as financial and health-care institutions.)

For folks who haven’t heard of it before, FIPS 140-2 is an information technology security accreditation program run jointly by the US and Canadian governments. This program is used by private sector vendors to have their cryptographic modules certified for use in US and Canadian government departments and private industries with regulatory requirements for security.

As part of today’s announcement, Apple has released KBase articles, tools and guidance for security offices who deal with encryption:

Apple FIPS Cryptographic Modules v3.0http://support.apple.com/kb/DL1555

Mountain Lion: How to set up and maintain a FIPS-enabled systemhttp://support.apple.com/kb/HT5396

Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Mountain Lion v10.8http://km.support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT5396/Crypto_Officer_Role_Guide_for_FIPS_140-2_Compliance_OS_X_Mountain_Lion_v10.8.pdf

FIPS Administration Tools v3.0http://support.apple.com/kb/DL1555

FileVault 2 is listed as being FIPS 140-2 Compliant as part of the Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Mountain Lion v10.8 documentation, in the Compliant Applications and Services section.

Screen Shot 2013-06-28 at 8.01.43 PM
%d bloggers like this: