Re: [Fed-Talk] Re: CMV/CAVP Process Clarification
- Subject: Re: [Fed-Talk] Re: CMV/CAVP Process Clarification
- From: "Link, Peter R." <email@hidden>
- Date: Wed, 12 Oct 2011 06:39:51 -0700
Paul,
Thank you for your concern. We're pestering Shawn because he is the Apple contact for encryption. Filing a bug won't get approvals through NIST any faster. All we're asking for are explanations and status (more in-depth status than what we can get from NIST). We have received this information, especially when I offer (slightly) incorrect information and Shawn is gracious enough to politely correct me. We understand Apple is reengineering their encryption modules and, as of this week, know Apple is not going to submit some modules to NIST for FIPS 140-2 validation (including FileVault 2). This will have an impact on all government Mac users and we're going to have to find a way to deal with it.
As for two-factor authentication, there is a long history of requests made to Apple for this to work seamlessly with current systems and the result of submitting all those bug reports is Apple pushing this work out the door to http://smartcardservices.macosforge.org/, a site run by Shawn. I'm glad Shawn is running it but it also makes it look like Apple isn't wanting to keep this as one of its core services. I highly doubt Apple will go through the effort of creating tokens for every Mac/iPhone/iPad/iPod they sell. Yes, two-factor authentication is something that could dramatically help secure access to data but I'd rather give it a bit more time so we don't have to rely on Windows servers/infrastructure to manage this process.
On Oct 12, 2011, at 5:51 AM, Paul Suh wrote:
> Folks,
>
> Some insight from a developer --
>
> To speak bluntly, the CDSA APIs are seriously ugly, and the whole library is hugely over-engineered for a mobile platform such as iOS. There's a reason why CDSA is now deprecated. Apple needs to replace CDSA to move forward -- and there are a bunch of engineers working like beavers to make it happen. However, CDSA has a lot of functionality so replacing it takes time and I'm sure that we'd rather have correct, solid crypto than discover a major weakness down the line.
>
> I'm quite familiar with the whole train wreck/check the box/rear-end covering exercise that pretends that it is securing systems in the government today. I sympathize with people who have to implement this -- me being one of them on occasion. We gotta have the FIPS certification to implement Lion and iOS 5, but pestering Shawn on this list isn't going to make it come any faster. If you want to do something positive, file a bug in Radar. If the dupe count on a bug goes up, engineering management will give it a higher priority.
>
> [pipe dream]
> Just as Apple jump-started USB back in 1998 with the iMac, Apple could jump-start multi-factor authentication in the consumer space. Ship a quartet of USB authentication tokens with every Mac or a single token with every iOS device. Go into any Apple retail store, show a government photo ID, and get the cert on your token signed and validated. Integrate this into the OS/Safari so that it works easily with any web site, such as a bank or brokerage. Voila, a critical mass of people using 2-factor auth, so banks and other web sites start using it. With that in the core OS, CAC support is a trivial extension by changing a plist.
>
> Yeah, I know. Lots of legal liability issues, etc. But I can dream. :-)
> [/pipe dream]
>
>
> --Paul
>
>
> Paul Suh
> email@hidden
> (240) 672-4212
> http://ps-enable.com/
>
>
>
>
> On Oct 11, 2011, at 2:19 PM, Miller, Timothy J. wrote:
>
>> That's as may be, and in many ways you're preaching to the choir, but the
>> fact remains that FIPS 140 certification is required by Federal law in any
>> acquisition that uses cryptography outside of designated National Security
>> Systems.
>>
>> Re-certifying the 10.6 module is fine as far as it goes, but this is only
>> a stopgap measure. When 10.8 ships and that module will no longer even
>> install, where will we be?
>>
>> -- T
>>
>>
>> On 10/11/11 10:24 AM, "Shawn Geddis" <email@hidden> wrote:
>>
>>> On Oct 11, 2011, at 8:05 AM, Miller, Timothy J. wrote:
>>>
>>> On 10/9/11 10:32 PM, "Shawn Geddis" <email@hidden> wrote:
>>>
>>>
>>> The addition of "Apple FIPS Cryptographic Module" to the Modules in
>>> Process list [3] is a reflection of the "re-validation" of the CDSA/CSP
>>> module shipped in Mac OS X 10.6 and validated on March 9, 2011. OS X
>>> Lion (v10.7) does not use the CDSA/CSP module, but Apple is performing
>>> this re-validation to provide continued validation for all third-party
>>> applications using this module.
>>>
>>>
>>> Ok, great, but when will Lion's new architecture enter CMVP? You know
>>> how this works, Shawn--we can get exceptions in C&A only as long as we
>>> can file POA&Ms, emphasis on 'M' (milestones).
>>>
>>> -- T
>>>
>>>
>>>
>>>
>>>
>>> Tim,
>>>
>>>
>>> OS X Lion (v10.7) does not use the CDSA/CSP module, but Apple is
>>> performing this re-validation to provide continued validation for all
>>> third-party applications using this module.
>>>
>>>
>>>
>>> Sorry, I guess my statements have not been clear enough. The ONLY module
>>> used in OS X Lion that is undergoing FIPS 140-2 Conformance Validation is
>>> the CDSA/CSP module that was validated for Mac OS X 10.6 -- this is
>>> solely being re-validated for third-party applications that still use it.
>>>
>>> Cryptography on OS X and iOS are undergoing convergence, but they are in
>>> no way the same module(s) today. This convergence takes Engineering time
>>> and careful transitioning.
>>>
>>>
>>> /* Personal Comment */
>>> The FIPS 140 Conformance Validation Process needs a major overhaul if the
>>> US Federal Government is to maintain any chance of staying current with
>>> innovation. I believe FIPS 140-3 was initially targeted for 2007, but is
>>> still in DRAFT -- I believe that tells us all something very valuable.
>>> When a module submission sits in the queue for ~6 months and the products
>>> are changing ~12/15 months, it makes it impossible for any vendor to
>>> realistically achieve validation for each release. Significant Resources
>>> for NIST/CMVP and changes in the process are going to have to be realized
>>> before this can ever be truly effective for the US Federal Government.
>>>
>>> Please also keep in mind that FIPS 140 Validation in no way ensures a
>>> product is secure in any manner. It simply ensures that the
>>> cryptographic algorithms are properly implemented and the product does
>>> what the vendor claims it does according to guidelines set forth by NIST.
>>> Any Application/Service could inappropriately handle cryptographic data
>>> supplied by a FIPS 140-2 Validated module and in turn fail to protect the
>>> sensitive data as expected. FIPS 140-2 has become a box checking
>>> exercise by agencies with seemingly little thought to the actual
>>> implementations and protection of data.
>>> /* Personal Comment */
>>>
>>>
>>> - Shawn
>>> ________________________________________
>>> Shawn Geddis
>>> Security Consulting Engineer
>>> Apple Enterprise Division
>>>
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)