Re: [Fed-Talk] FIPS question - Continued...
- Subject: Re: [Fed-Talk] FIPS question - Continued...
- From: "Lamb, John (NIH/NHLBI) [C]" <email@hidden>
- Date: Tue, 28 Aug 2012 16:44:05 -0400
Shawn,
Does the 10.8 crypto code significantly diverge from what was shipped in 10.7? Also - "There are many, many services and numerous Algorithms/ Modes that are compliant because of the FIPS 140-2 Level 1 Conformance Validation." Might any of those be security transforms that deal with PKI and asymmetric encryption? :)
--
John Lamb
Desktop Support Technician [Contractor]
Customer Support Branch
Center for Biomedical Informatics (CBI)
National Heart Lung and Blood Institute, NIH
10 Center Drive - Building 10 6C103
Bethesda, MD 20892-7994
Telephone (240) 751-6562 | Email: email@hidden |
NHLBI Computer Services: http://insider.nhlbi.nih.gov/computer
From: Shawn Geddis <email@hidden>
Date: Tuesday, August 28, 2012 3:35 PM
To: "email@hidden" <email@hidden>
Subject: Re: [Fed-Talk] FIPS question - Continued...
John, Peter:
Will try to clarify further based on your additional questions.
On Aug 28, 2012, at 12:13 PM, "Lamb, John (NIH/NHLBI) [C]" <email@hidden> wrote:
> Are we to take this to mean that once CoreCrypto Kernel for OS X 10.8 is validated and FileVault 2 can be considered "FIPS 140-2 Compliant" that this extends only to FileVault 2 in OS X 10.8, and does not retroactively apply to Mac OS X 10.7?
Correct!
Apple would be unable to claim FIPS 140-2 Compliance for the CoreCrypto Kernel module under OS X Lion v10.7, since that module never was nor will it be submitted for validation. We keep moving forward, so going backwards is not an option here.
Apple CANNOT claim that FileVault 2 under OS X Lion v10.7 is FIPS 140-2 Compliant. However, individual organizations could make their own decision.
> (Hence, on the level of abstraction our superiors care about, there will be two separate FileVault 2s; one compliant, one not.)
I would re-word that to say that it will only be under OS X Mountain Lion v10.8+ that Apple can assert a fully FIPS 140-2 Compliant crypto module is used by FileVault 2 (FDE). And yes, Apple could not assert the same for the crypto module used by FileVault 2 on OS X Lion v10.7. The reason I would suggest a re-wording of your sentence is that it reads like only FileVault 2 is covered. There are many, many services and numerous Algorithms/ Modes that are compliant because of the FIPS 140-2 Level 1 Conformance Validation.
A Side Note:
Just to be sure that everyone following this is well aware: The CoreCrypto Kernel module going through the validation process provides crypto to the Kernel for much more than just FileVault 2. I know this has been the line of discussion on this thread, but it can be easily misunderstood. The two modules: CoreCrypto Kernel & CoreCrypto are very much, but not entirely, the exact same source code - the key difference is that the CoreCrypto Kernel module runs in kernel space and the CoreCrypto module runs in User/Application space.
On Aug 28, 2012, at 12:17 PM, "Link, Peter R." <email@hidden> wrote:
> 1. Once the 10.8 FIPS patch has been installed, nothing has to be done when performing minor release updates.
Absolutely!
> 2. Given that 10.8 is always in FIPS mode (after patch), the only test we should have to perform for continuous monitoring of encryption modules covered by CoreCrypto and CoreCrypto Kernel would be the simple "/usr/libexec/cc_fips_test -v" command, which should be easy to include in any continuous testing process (SCAP ;-).
Be careful here. If you execute the above command as a standard user, with a capital "V", or anything else, it will say it failed. If you *properly* execute the command as noted in the KBase Article [ http://support.apple.com/kb/HT5396 ] it will indeed say that User Space is running in FIPS Mode.
$ sudo /usr/libexec/cc_fips_test -v
Password:
Running user space in FIPS MODE
FIPS USER Space POST: Integrity test success!
FIPS USER Space POST: AES GCM Test success!
FIPS USER Space POST: AES CBC Test success!
FIPS USER Space POST: AES AESNI ECB Test success!
FIPS USER Space POST: AES AESNI XTS Test success!
FIPS USER Space POST: TDES CBC Test success!
FIPS USER Space POST: SHA Test success!
FIPS USER Space POST: HMAC Test success!
FIPS USER Space POST: RSA Test success!
FIPS USER Space POST: ECDSA Test success!
FIPS USER Space POST: DRBG Test success!
FIPS USER Space POST Success!
By design, you should never have to check whether or not it is running in FIPS Mode because it always will -- System will shut down if CoreCrypto Kernel is ever found to fail for POST/Continual integrity tests and will fail appropriately for User Space/Applications if the CoreCrypto module is ever found to fail for POST/Continual integrity tests.
But if desired, your use of "$ sudo /usr/libexec/cc_fips_test -v" would definitely enable you to provide this confirmation programmatically on demand for User Space.
> 3. In 10.7, we still have to uninstall the FIPS mode software (or move the FIPS Launchd item aside) before performing ANY minor release updates (yes/no?).
For all updates to 10.7.1-10.7.4 that would absolutely be true.
> If these are correct, then I'm good. I would be interested in someone trying to put together a master chart of encryption algorithms used by various vendors (including Apple) to know who's using CDSA, CoreCrypto, or neither.
Peter: Knowing what algorithm is used is different than knowing which crypto module the Application / Service is using. You all could do what you need to do to help each other with this, but I know that it will be a daunting task to cover all Applications, Services, Tools, etc. using which modules on each platform. It would of course be most prudent for you to start with the most important Apps / Services / Protocols and begin there. Also keep in mind what I have been saying that there are also the challenges of knowing what Algorithms within each module you are using -- Some Algs may not have a corresponding Certificate from CAVP within a given module. What I am saying is that it is not just good enough to know what module is validated, but also the Algorithms in that module. This is much more complex than I would say most people on this list even imagine.
> This would help everyone in justifying OS X's FIPS 140-2 compliance status. (Something we could post on macosforge.com?)
MacOSForge.org is not a dumping ground! That is a location for *selected* Open Source Projects with community involvement. This is not an open source project, but rather all the source is made available to the community as open source. Very different.
FIPS 140-2 Level 1 Conformance Validation?
Several people have asked me why I keep referring in all of these messages to "FIPS 140-2 Level 1 Conformance Validation" when most people just say FIPS! Well, just saying FIPS is, in my humble opinion, extremely misleading considering that there are currently "17" FIPS Standards posted on the NIST FIPS Publications <http://csrc.nist.gov/publications/PubsFIPS.html> page alone. So, when you say or type FIPS, which one do you mean? Also, it clearly articulates that this is a "Level 1" Validation - of which there are 4 -- http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
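
The on-demand user-space check discussed in the thread (`sudo /usr/libexec/cc_fips_test -v`), wrapped so a monitoring job can gate on it. This is an added example, not part of the original messages or of Apple's tooling. The expected lines are copied from the output quoted above; the function names and the sample with a dropped line are constructed, and the check covers the user-space CoreCrypto module only.

```shell
#!/bin/sh
# Added example: gate a monitoring job on the output of `cc_fips_test -v`.
# Expected test names are copied from the OS X 10.8 output quoted in this thread.
EXPECTED_TESTS='Integrity test
AES GCM Test
AES CBC Test
AES AESNI ECB Test
AES AESNI XTS Test
TDES CBC Test
SHA Test
HMAC Test
RSA Test
ECDSA Test
DRBG Test'

# True if the captured output ($out) contains exactly this line.
has_line() { printf '%s\n' "$out" | grep -qxF -- "$1"; }

# Reads tool output on stdin, prints one finding per missing line, and
# returns 0 only when the banner, every POST test and the summary are present.
# Anything else (wrong user, wrong flag, partial output) counts as a failure.
check_fips_post() {
    out=$(tr -d '\r')
    rc=0
    has_line 'Running user space in FIPS MODE' || { echo 'MISSING: FIPS mode banner'; rc=1; }
    while IFS= read -r name; do
        has_line "FIPS USER Space POST: $name success!" || { echo "MISSING: $name"; rc=1; }
    done <<EOF
$EXPECTED_TESTS
EOF
    has_line 'FIPS USER Space POST Success!' || { echo 'MISSING: POST summary'; rc=1; }
    return "$rc"
}

# Sample input: the passing output from this thread, rebuilt from the list above.
sample_pass() {
    echo 'Running user space in FIPS MODE'
    printf '%s\n' "$EXPECTED_TESTS" | sed 's/.*/FIPS USER Space POST: & success!/'
    echo 'FIPS USER Space POST Success!'
}

# Constructed input: the same output with the RSA line dropped (not real tool output).
sample_missing_rsa() { sample_pass | grep -v 'RSA Test'; }

# On a 10.8 host (as root, lowercase -v, per the thread):
#   sudo /usr/libexec/cc_fips_test -v 2>&1 | check_fips_post || echo 'FIPS POST check failed'
```

Matching on exact expected lines means the check does not depend on how the tool words a failure, which the thread does not show.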