Re: [Fed-Talk] Lion File Vault encryption
- Subject: Re: [Fed-Talk] Lion File Vault encryption
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 08 Jul 2011 14:55:34 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Lion File Vault encryption
A security guide isn't the same as approval for classified use. AFAIK, Apple's crypto modules have only undergone the NIST CMVP, which is not sufficient.
-- T
On Jul 8, 2011, at 8:47 AM, Link, Peter R. wrote:
> NSA has approved Apple's Snow Leopard client and server security configuration guides by posting them on their website, http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml. FileVault configuration is included in these guides. AES-128 encryption has been approved by NSA and Apple's CDSA/CSP module received FIPS 140-2 certification. Are we there yet???
>
> Lion is still covered by the CDSA certification, at least for now. FileVault 2 is different but there are a lot of encryption modules used by Apple products that are approved. Of course, with each OS upgrade Apple adds and removes things so it can be a moving target but I believe we have enough approvals to justify the use of OSX currently (SL) and in the near future (Lion).
>
> Disclaimer: I haven't looked through every CNSS document to see if this is enough, but now DOE and NNSA-directed organizations get to use these documents for their NSS systems.
>
> On Jul 7, 2011, at 1:03 PM, Blumenthal, Uri - 0668 - MITLL wrote:
>
>> Not to pick nits, but for Classified use *both* algorithm (design) and implementation require approval.
>>
>> --
>> Regards,
>> Uri
>>
>> ----- Original Message -----
>> From: Miller, Timothy J. [mailto:email@hidden]
>> Sent: Thursday, July 07, 2011 03:54 PM
>> To: Fed Talk <email@hidden>
>> Subject: Re: [Fed-Talk] Lion File Vault encryption
>>
>> On Jul 7, 2011, at 11:33 AM, Blumenthal, Uri - 0668 - MITLL wrote:
>>
>>> AES-128 has not been broken, and is still approved to protect Classified information up to SECRET. If you crack it - don't forget to let NSA know. :)
>>>
>>> AES-256 is still approved to protect up to TOP SECRET (there were some attacks against AES-256, but they are not practical in any sense).
>>
>> Lest someone do something stupid, let me repeat myself: any *implementation* of a cryptographic module used to protect data classified at SECRET or higher must be approved by the NSA. An algorithm may be *acceptable*, but that's not the same as *approved.* Only implementations are approved.
>>
>> A fine point, but an important one.
>>
>> -- T
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
> Peter Link
> Cyber Security Analyst
> Cyber Security Program
> Lawrence Livermore National Laboratory
> PO Box 808, L-315
> Livermore, CA 94550
> email@hidden
>