There has been an awful lot of discussion lately on the list regarding encrypting data and what is and isn't available, so I wanted to chime in and clear up a fair amount of misinformation that has been brought up. This is in hopes of avoiding confusion on the part of our reader base.
Jim Emmons wrote:
> To meet this new requirement, is there any Mac-based (or further *nix-based)
> software available that has been approved? If so, where can we get it, and
> what are the costs?
Since you did not state it, I am having to assume that your reference to "approved" is actually a reference to FIPS 140-2 Conformance Validation, right?
Apple has been working with a certified lab for the FIPS 140-2 validation of Mac OS X to properly validate services like FileVault, Encrypted Disk Images, Keychain, etc. We are working on that and will of course post status updates when it warrants it.
On Aug 23, 2006, at 4:45 PM, Rich Trouton wrote:
> FileVault's not a total answer. It's hard to tie into a directory service system, let alone a mobile home system. It's also currently a backup nightmare.
> Rich
* I would agree that no one single feature is a total solution for all parties, since the requirements from OMB were multipart and covered more than just the encryption of data.
* FileVault is totally separate from the Directory Service in use (OD, LDAP, NetInfo, NIS, AD, ...), so using FileVault does not make your DS use any different other than password resets.
* Mobile Home Systems - why is it any different for Mobile Home Systems? You may be missing built-in functionality.
* Backup process - can no longer be a massive backup while the user is offline unless you back up the whole encrypted container - file backup processes can easily be altered to not only improve the process, but to provide snapshots and delta backups.
From: "Acord, Kendra N C-E LCMC HQISEC" <email@hidden>
> File Vault is not the answer at all. Unfortunately, as far as I can tell Apple has never made good on their promise to pursue FIPS 140-2 certification of their encryption module. The requirement for data-at-rest encryption for the Army is a FIPS 140-2 AES algorithm and Common Criteria certification at EAL 3.
* Why do you feel that FileVault is not the answer at all?
- FileVault encrypts the User's Whole Home Directory -- All of the User's Data while at rest
- Secure VM ensures that all data swapped out of memory during system use is stored in encrypted storage as well
- FileVault uses AES-128 and Mac OS X was CCC against CAPP at EAL3, but remember that EAL# is only related to the evidence generation and is no indicator as to the strength of security. This is a typically misunderstood point and most people mistakenly only refer to the EAL# rather than the services and systems that have been certified (ST and TOE).
* Apple has publicly stated that it is committed to completing the FIPS 140-2 Conformance Validation and has been under contract with a certified lab for some time now in an effort to complete that validation.
From: Amanda Walker <email@hidden>
Date: August 24, 2006 5:00:10 PM EDT
> FileVault: good protection, but only protects the home directory. This may be sufficient for unclassified machines, but it's a judgement call.
Since on Mac OS X systems the Standard user is very limited as to where they can store data on their machine (Home Directory, Group Shared Folder, etc.), FileVault is actually able to protect the important PII that is the key reason for the OMB Guidelines to begin with.
Those that are focusing on complete disk encryption are trying to address the concerns of data being written all over the drive, which happens on Windows, but is not in accordance with the Permissions / ACLs on Mac OS X.
> Hardware encrypted drives: there are a couple, but it's unclear how compatible they are with Macs:
Any external drive that is platform agnostic typically employs an external token that provides the single factor authentication used for Hardware Encryption. You have the token inserted into the device, which allows for the device to be accessed by the computer in question.
> It's a growing problem, and it's not just the Army. Even my current (very Mac-positive) employer is having to make an exception to our security policy for Macs, and there is a blanket prohibition on using Macs outside of a physically secure area if they have high-value data on them.
It is unfortunate that the real security value of Mac OS X is getting overlooked while people are scrambling to meet good security requirements that they should have been meeting long before OMB issued their recommendations.
> It would be great to have full disk encryption with two-factor authentication (smart card, USB token, whatever), like can be done on PCs...
Understood.
From: "Wm. Cerniuk" <email@hidden>
Date: August 26, 2006 3:38:16 AM EDT
> Storing multiple AES encrypted sparse disk images on a single external disk (for example, per project) also presents better data integrity/security in similar fashion. FileVaults and AES encrypted sparse disk images can be backed up and restored individually as well.
Yes. Some forget that you can create as many encrypted containers as you like, on whatever accessible media you have (local disks, USB thumb drives, FireWire drives, CDs / DVDs, .... Network Volumes, etc..). Several have been creating an encrypted container and performing local synchronization from FileVault -> EDI and then backing up the EDI rather than the whole FV container. Makes it very nice to allow the user to create what is backed up and yet standardize on the process and place of data.
From: Amanda Walker <email@hidden>
Date: August 26, 2006 1:40:23 PM EDT
> The biggest one, especially desirable to us for laptops (and other machines to which an adversary could easily gain physical access) is deniability--It would be extremely desirable if a lost or stolen machine wasn't identifiable as belonging to our organization, even if you popped out the disk and mounted it on another machine (the big threat that full-disk encryption helps to counter). If a machine is lost or stolen, we'd really like it to be *only* an inventory problem, not an information or operational security problem.
The unfortunate aspect of that is that several agencies apply an Agency Asset Tag to the laptop which visibly indicates exactly who it belongs to.
> Not all sensitive information is stored in the home directory. For example, we'd rather not disclose what software vendors we have site licenses with (Applications), network setup details (VPN settings and scripts), and so forth. FileVault doesn't protect any of that. But even that aside...
You can create an EDI for the Applications and have the system automatically mount the encrypted image upon successful login to the machine. User Settings are in ~/Library/Preferences which would indeed be part of the encrypted protection.
> Unfortunately, for the private sector there seems to be no third party smart card or token system available that provides similar capabilities to a CAC. CRYPTOCard comes closest, but doesn't live up to all of its marketing claims.
CRYPTOCard is an OTP Token-based solution and is for authentication and does not provide the encryption protection you are looking for here. Their claims are right on, and so I would ask what claims you are referring to.
There are *Several* commercial Smart Card vendors providing support for Mac OS X 10.4.x. Since this is a "Federal" mailing list, it typically does not come up, since Federal Agencies are basically forced to use Federal Smart Cards.
> I've tried loading a MUSCLE applet onto a Java card, which works for Windows and Linux boxes, but MacOS X apparently no longer supports MUSCLE in Tiger and above. I'm currently playing with OpenSC, which looks very promising, but haven't quite gotten it to work.
MUSCLE is a Framework and not an Applet. Mac OS X 10.4.x provides a much more extensive and extensible Smart Card Architecture than you will find on other platforms. The key is that the "Applet" on your Java Card needs to have a corresponding "Tokend" available on Mac OS X 10.4.x. Two of the commercial vendors have now provided a working "tokend" in less than one day. That "tokend" then provided Cryptographic Login, System Administration (authn), Unlock of Screen (authn), Secure Web Access, Remote Access (VPN), and S/MIME. All from a couple hundred lines of code unique to their applet.
If you want to learn more about the Smart Card architecture and how it fits into Mac OS X's Security Architecture, take a look at my presentation given at the last two DoD Conferences on PKI / Smart Cards:
Presentation: Smart Cards on Mac OS X 10.4
Given: DoD PKE Forum, November 8, 2005, Atlanta, GA
Retrieve the Presentation (PDF) from the following path:
Presentation: PIV Without Middleware
Given: DoD Identity Management Forum, June 7, 2006, Jacksonville, FL
Retrieve the Presentation (PDF) from the following path:
> If someone does know of a private sector equivalent to the CAC, please drop me some email :-).
Now that you know there are several that provide commercial Smart Card support on Mac OS X, drop me a line! :)
We also provided a Briefing on August 17 at the Apple Reston, VA Briefing center on: "Meeting OMB Encryption Guidelines with Mac OS X Today" which included Enterprise Management of FileVault.
- Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Sales (Public / Private Sector)
geddis [at] apple.com
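The encrypted-container backup workflow discussed in the thread above (create an AES encrypted sparse disk image, synchronize data from the FileVault home into it, then back up the image rather than the whole FileVault container), written out as an added shell example. This is not code from the original message or from Apple; it only calls the stock hdiutil and rsync commands, and it assumes macOS. The image path, volume name, source directory and the 20 GB size are placeholders. The one check worth keeping is is_separate_volume: if the attach fails and rsync runs anyway, it would quietly write a plaintext copy onto the unencrypted boot volume, so the script refuses to sync unless something is actually mounted at the expected path.

```shell
#!/bin/sh
# Added example, not part of the original message. Assumes macOS with hdiutil
# and rsync. Image path, volume name, source directory and size are placeholders.
set -eu

IMAGE="${EDI_IMAGE:-${HOME:-/tmp}/Backups/home-backup.sparseimage}"
VOLNAME="${EDI_VOLNAME:-HomeBackup}"
SOURCE="${EDI_SOURCE:-${HOME:-/tmp}/Documents}"

# Mount point hdiutil uses for a volume with the given name.
mount_point_for() {
  printf '/Volumes/%s\n' "$1"
}

# True only if the path lives on a different device than the root volume,
# i.e. the encrypted image really is attached there. Without this guard a
# failed attach would let rsync drop a plaintext copy onto the boot disk.
is_separate_volume() {
  root_dev=$(df -P / | awk 'NR==2 {print $1}')
  path_dev=$(df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}')
  [ -n "$path_dev" ] && [ "$path_dev" != "$root_dev" ]
}

# One-time creation of an AES-128 encrypted, growable sparse image. The
# passphrase is read from stdin (-stdinpass) so it never appears in argv or
# in the process list; pipe it in from a prompt or a keychain lookup.
create_image() {
  mkdir -p "$(dirname "$IMAGE")"
  hdiutil create -size 20g -type SPARSE -fs HFS+ -encryption AES-128 \
      -stdinpass -volname "$VOLNAME" "$IMAGE"
}

# Attach the image, mirror the source tree into it, detach. --delete keeps
# the container an exact mirror; drop it if you want the image to accumulate.
sync_to_image() {
  mp=$(mount_point_for "$VOLNAME")
  hdiutil attach -stdinpass "$IMAGE" >/dev/null
  if ! is_separate_volume "$mp"; then
    echo "refusing to sync: $mp is not a mounted volume" >&2
    return 1
  fi
  rsync -a --delete --exclude '.Trash' "$SOURCE/" "$mp/$(basename "$SOURCE")/"
  hdiutil detach "$mp"
}

case "${1:-}" in
  create) create_image ;;   # usage: printf '%s' "$PASS" | ./edi-backup.sh create
  sync)   sync_to_image ;;  # usage: printf '%s' "$PASS" | ./edi-backup.sh sync
esac
```

The resulting .sparseimage is what goes to the backup system; it is a single file, so it can be copied or restored independently of the user's FileVault container, and it grows only as far as the data inside it. Run from a LaunchAgent or a cron job it gives the per-user snapshot the thread describes while the home directory itself stays inside FileVault.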