Re: [Fed-Talk] Lion File Vault encryption
- Subject: Re: [Fed-Talk] Lion File Vault encryption
- From: "Link, Peter R." <email@hidden>
- Date: Fri, 08 Jul 2011 06:47:32 -0700
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Lion File Vault encryption
NSA has approved Apple's Snow Leopard client and server security configuration guides by posting them on their website, http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml. FileVault configuration is included in these guides. AES-128 encryption has been approved by NSA and Apple's CDSA/CSP module received FIPS 140-2 certification. Are we there yet???
Lion is still covered by the CDSA certification, at least for now. FileVault 2 is different but there are a lot of encryption modules used by Apple products that are approved. Of course, with each OS upgrade Apple adds and removes things so it can be a moving target but I believe we have enough approvals to justify the use of OSX currently (SL) and in the near future (Lion).
Disclaimer: I haven't looked through every CNSS document to see if this is enough, but now DOE and NNSA-directed organizations get to use these documents for their NSS systems.
On Jul 7, 2011, at 1:03 PM, Blumenthal, Uri - 0668 - MITLL wrote:
> Not to pick nits, but for Classified use *both* algorithm (design) and implementation require approval.
>
> --
> Regards,
> Uri
>
> ----- Original Message -----
> From: Miller, Timothy J. [mailto:email@hidden]
> Sent: Thursday, July 07, 2011 03:54 PM
> To: Fed Talk <email@hidden>
> Subject: Re: [Fed-Talk] Lion File Vault encryption
>
> On Jul 7, 2011, at 11:33 AM, Blumenthal, Uri - 0668 - MITLL wrote:
>
>> AES-128 has not been broken, and is still approved to protect Classified information up to SECRET. If you crack it - don't forget to let NSA know. :)
>>
>> AES-256 is still approved to protect up to TOP SECRET (there were some attacks against AES-256, but they are not practical in any sense).
>
> Lest someone do something stupid, let me repeat myself: any *implementation* of a cryptographic module used to protect data classified at SECRET or higher must be approved by the NSA. An algorithm may be *acceptable*, but that's not the same as *approved.* Only implementations are approved.
>
> A fine point, but an important one.
>
> -- T
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden