RE: [Fed-Talk] Apple FIPS (revalidation) now in Review Pending
- Subject: RE: [Fed-Talk] Apple FIPS (revalidation) now in Review Pending
- From: "Kachman, Donald R. Jr (DJ) - (ESE)" <email@hidden>
- Date: Wed, 04 Jan 2012 13:22:51 -0500
Shawn,
Do you have any insight you can share as to the progress of getting iOS devices FIPS certified?
Best Regards,
DJ Kachman
CISSP CNSS/NSA
-----Original Message-----
From: fed-talk-bounces+donald.kachman=email@hidden [mailto:fed-talk-bounces+donald.kachman=email@hidden] On Behalf Of Shawn Geddis
Sent: Wednesday, January 04, 2012 1:19 PM
To: Link, Peter R.
Cc: email@hidden Talk
Subject: Re: [Fed-Talk] Apple FIPS (revalidation) now in Review Pending
On Jan 4, 2012, at 11:08 AM, Link, Peter R. wrote:
> http://csrc.nist.gov/groups/STM/cmvp/inprocess.html click on pdf link to see status of all submissions
>
> Finally, one of the three Apple cryptographic modules currently in process for FIPS 140-2 validation has reached the second step, Review Pending. The 10.7 update (Shawn will correct me if I'm wrong) has finished the Implementation Under Test stage and moved forward. The iPhone and iPad cryptographic modules are still in IUT and have been there for a long time.
>
> The regular Apple FIPS cryptographic module is simply a 10.7 update of the CDSA/CSP module previously approved for 10.6. This module does not include any of the new CommonCrypto code nor does it include anything related to FileVault-2. The revalidation for 10.7 will help those third-party vendors who still rely on CDSA technology. I'm not sure how it will help anyone justify the use of 10.7 on federal computers but at least the process is moving forward and is a step in the right direction.
>
> Peter Link
Peter,
It is not the "10.7 update", but rather the "re-validation of same CDSA/CSP cryptographic module" which was used by Mac OS X 10.6.
> I'm not sure how it will help anyone justify the use of 10.7 on federal computers but at least the process is moving forward and is a step in the right direction.
It reflects Apple's commitment to provide, where possible, FIPS Validated crypto for use by customers under this requirement. It is, unfortunately, not always feasible to have every version of every cryptographic module on every product validated. Due to the ongoing challenge between validation times/queues and product cycles, you will see more of a sine wave with respect to validations for various cryptographic modules.
Since ALL third-party products using the built-in cryptography are still using Sec* APIs based on CDSA or directly coding to CDSA's CSSM architecture with the initial release of OS X Lion, this was very important for you. This provides a smooth transition as they update their applications to leverage the new Crypto architecture.
You are correct that this particular validation does not cover any cryptographic module utilized by OS X Lion - such as for FileVault 2.
Revalidation of a previously validated cryptographic module does not require nearly the same level of effort as the original one does. This is fully in the hands of the CMVP folks and awaiting formal validation. Time to completion is subject to current backlog.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division