FileVault 2 encryption (Previously [Fed-Talk] Re: CMV/CAVP Process Clarification (Previously [Fed-Talk] NIST Cert for iPhone and iPad Crypto))
- Subject: FileVault 2 encryption (Previously [Fed-Talk] Re: CMV/CAVP Process Clarification (Previously [Fed-Talk] NIST Cert for iPhone and iPad Crypto))
- From: "Link, Peter R." <email@hidden>
- Date: Tue, 11 Oct 2011 06:39:56 -0700
- Acceptlanguage: en-US
- Thread-topic: FileVault 2 encryption (Previously [Fed-Talk] Re: CMV/CAVP Process Clarification (Previously [Fed-Talk] NIST Cert for iPhone and iPad Crypto))
Shawn,
I'd like to second this request and ask for a detailed explanation of the algorithms used for FileVault 2. We received an exception from our DAA for the original FileVault because it was in process. I would like to put together paperwork for another exception for the much more secure FileVault 2, but it would be better if I were able to cite specific encryption algorithms and their (hopefully) validated status as a starting point. A statement from Apple on where FV2 fits into the FIPS validation process would also be nice. We're not asking Apple to divulge secrets, just to give us some information to make our DAA feel comfortable enough to accept the risk. Of course, I'd also like to better understand which algorithms Apple software is using, as well as which non-Apple applications are still using the CDSA/CSP module. This is where it gets really complex and where we'll need Apple's assistance in preparing an exception document.
If you can make this happen, I'd also like to know if there's any way to add an acceptance banner either before the initial unlocking (single sign-on) logon or on the same screen as the unlocking (with the ability to cancel, which shuts down the Mac). Of course, Recovery Key protection is something that will cause all sorts of problems for enterprise and government users, since I doubt anyone will be able to allow Apple to store this key. I know the answer to my next question, but I'll ask it anyway. Any chance of adding this capability to Lion Server (or any other locally-managed system)?
Stuff I've found so far:
- http://support.apple.com/kb/HT4790 (good support article)
- http://csrc.nist.gov/groups/STM/cavp/#08 (closest I could find to XTS-AES 128, but not sure if these are approved or still in review)
On Oct 11, 2011, at 5:05 AM, Miller, Timothy J. wrote:
> On 10/9/11 10:32 PM, "Shawn Geddis" <email@hidden> wrote:
>
>> The addition of "Apple FIPS Cryptographic Module" to the Modules in
>> Process list [3] is a reflection of the "re-validation" of the CDSA/CSP
>> module shipped in Mac OS X 10.6 and validated on March 9, 2011. OS X
>> Lion (v10.7) does not use the CDSA/CSP module, but Apple is performing
>> this re-validation to provide continued validation for all third-party
>> applications using this module.
>
> Ok, great, but when will Lion's new architecture enter CMVP? You know how
> this works, Shawn--we can get exceptions in C&A only as long as we can
> file POA&Ms, emphasis on 'M' (milestones).
>
> -- T
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden