[Fed-Talk] FIPS AES for WPA2. Possibility of supporting AES-GCM for EC Wifi? Re: Fed-talk Digest, Vol 10, Issue 2
[Fed-Talk] FIPS AES for WPA2. Possibility of supporting AES-GCM for EC Wifi? Re: Fed-talk Digest, Vol 10, Issue 2
- Subject: [Fed-Talk] FIPS AES for WPA2. Possibility of supporting AES-GCM for EC Wifi? Re: Fed-talk Digest, Vol 10, Issue 2
- From: Micah Wilson <email@hidden>
- Date: Mon, 07 Jan 2013 13:03:50 -0600
As a supplement to this question I am wondering if the Kernel support and subsequent validations cover the AES being used in the WPA2 key generation and if so if the connection to a FIPS validated WIFI infrastructure would be considered FIPS compliant?
Also wondering if Apple has plans for extending WPA2 to use AES-GCM for SuiteB support. I am seeing a lot of talk of Suiteb being used to support data classification above SBU using WIFI for devices that have no ethernet port (pads, phones, sensors, etc).
Micah Wilson
email@hidden
>
> On Jan 4, 2013, at 12:59 PM, "Kachman, Donald R. Jr (DJ) - (ESE)" <email@hidden> wrote:
>> Does anyone know what specific IOS version was submitted and currently in Phase 2? I would assume that any device that can load that IOS version would be covered, or are there specific hardware versions that have a necessary chip set?
>>
>> Best Regards,
>>
>> DJ- Donald R Kachman Jr
>> CISSP CNSS/NSA
>
>
> DJ,
>
> This question has been asked quite a number of times on this list.
>
>> FIPS 140-2 certification in progress
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
>
>
> Pointing out a few things first....
> • An OS is never validated against FIPS 140-2, but rather Cryptographic Module(s) are validated
> • Any Application or Service using a FIPS 140-2 Conformance Validated module can claim to be
> "FIPS 140-2 Compliant"
> • There are two Cryptographic Modules used by iOS directly - CoreCrypto / CoreCrypto Kernel
> • Both of these modules (CoreCrypto / CoreCrypto Kernel) were submitted for validation
> • CMVP backlog is hovering around 6+ months at this time - meaning no one is looking at submissions
> from Aug 2012 until Feb 2013.
>
> Here is a previous response I provided below...
>
>> The iOS CoreCrypto / CoreCrypto Kernel modules (yes there are two separate modules) under validation are already available starting in iOS 6 and cover ALL apple used and provided cryptography on the platform. Keep in mind that the modules also have Non-FIPS Approved algorithms/modes as well -- your applications or services would need to ensure they only used FIPS Algs/modes to claim FIPS 140-2 Compliance.
>>
>>
>> iPhone: iPhone 3GS and higher
>> iPad: iPad 2 and higher
>> iPod touch: iPod touch 4th gen. and higher
>>
>> You can see the "iOS 6 HW Compatibility list at the bottom of the "Whats-New" page: http://www.apple.com/ios/whats-new/
>>
>> Status of FIPS 140-2 Validation
>> With the up coming release of iOS 6, the new CoreCrypto Modules have been submitted for FIPS 140-2 Level 1 Conformance Validation. A followup announcement will be posted when the validations are complete and Apple has received the corresponding certificates from CMVP.
>>
>> Validation of the Cryptographic Algorithms under the CAVP is a prerequisite for CMVP module validation which was achieved by Apple on June 26, 2012 and June 29, 2012. All validated algorithms receiving certificates under the CAVP can be found at the links provided below. Multiple entries for each algorithm are listed and correspond to multiple platforms undergoing FIPS 140-2 validation. There are also variations on Software Non-Optimized, Software Optimized and Hardware Accelerated. Please see the Description/Notes section for each certificate for clarification of platform specific information.
>>
>> Operational Testing Environments
>> Apple iOS CoreCrypto Module v3.0 (platform: A4 w/ iOS 6 - User Space)
>> Apple iOS CoreCrypto Module v3.0 (platform: A5 w/ iOS 6 - User Space)
>> Apple iOS CoreCrypto Kernel Module v3.0 (platform: A4 w/ iOS 6 - Kernel Space)
>> Apple iOS CoreCrypto Kernel Module v3.0 (platform: A5 w/ iOS 6 - Kernel Space)
>>
>> CAVP Validated Algorithms:
>> ______________________________________________________________________
>> AES
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2102
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2101
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2100
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2099
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2077
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2076
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2075
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2074
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2073
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2072
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2071
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2070
>> ______________________________________________________________________
>> DRBG
>> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#225
>> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#224
>> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#223
>> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#222
>> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#210
>> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#209
>> ______________________________________________________________________
>> ECDSA
>> http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html#311
>> http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html#310
>> http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html#309
>> http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html#308
>> ______________________________________________________________________
>> HMAC
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1277
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1276
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1275
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1274
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1258
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1257
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1256
>> http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1255
>> ______________________________________________________________________
>> RSA
>> http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsaval.html#1077
>> http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsaval.html#1076
>> ______________________________________________________________________
>> SHS
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1826
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1825
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1824
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1823
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1806
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1805
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1804
>> http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1803
>> ______________________________________________________________________
>> TripleDES
>> http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html#1338
>> http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html#1337
>> http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html#1336
>> http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html#1335
>>
>>
>>
>>
>> FIPS 140-2 certification in progress
>> http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
>>
>> The following phases describe the FIPS 140-1 and FIPS 140-2 modules in process. The status of each cryptographic module in the process is identified in the list.
>>
>> • Implementation Under Test (IUT)
>> • There exists a viable contract between the vendor and CST laboratory for the testing of the
>> cryptographic module.
>> • The cryptographic module is resident at the CST laboratory.
>> • All of the required documentation is resident at the CST laboratory.
>> (Note: if the vendor requires the CST lab personnel to test the cryptographic module onsite,
>> all documents must be onsite with the module.)
>> If the module report was submitted to the CMVP but placed on HOLD by request from the CST Laboratory,
>> the status is reflected as IUT.
>>
>> • Review Pending
>> • Complete set of testing documents submitted to NIST and CSEC for review.
>> The set includes: draft certificate, summary module description, detailed test report, nonproprietary
>> security policy, web-site information. In addition, some CST labs include a separate physical testing report.
>> • Signed letter from laboratory stating recommendation for validation received by NIST and CSEC.
>>
>> • In Review
>> • NIST and CSEC reviewers assigned.
>> • NIST and CSEC perform a preliminary review of the test documents (if required). NIST and CSEC
>> perform a review of the test documents.
>> • Comments coordinated by NIST and CSEC reviewers and combined set of comments sent to the CST laboratory.
>>
>> • Coordination (this process may be iterative)
>> • Comments received by the CST laboratory from NIST and CSEC for resolution.
>> • Additional testing (if required).
>> • Additional documentation (if required).
>> • Comments resolution developed for resubmission to NIST and CSEC.
>> • Testing documents updated for resubmission to NIST and CSEC.
>> • Responses to comments and revised test documents submitted to NIST and CSEC.
>>
>> • Finalization
>> • Final resolution of validation review comments submitted to NIST and CSEC.
>> • Testing documents updated based on resolutions and submitted to NIST and CSEC.
>> • Certificate number assigned.
>> • Certificate printing and signature process initiated.
>
>
>
> - Shawn
> ________________________________________
> Shawn Geddis
> Security Consulting Engineer
> Apple Enterprise Division
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.apple.com/mailman/private/fed-talk/attachments/20130104/99c103d5/attachment-0001.html>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 4418 bytes
> Desc: not available
> URL: <https://lists.apple.com/mailman/private/fed-talk/attachments/20130104/99c103d5/attachment-0001.p7s>
>
> ------------------------------
>
> _______________________________________________
> Fed-talk mailing list
> email@hidden
> https://lists.apple.com/mailman/listinfo/fed-talk
>
> End of Fed-talk Digest, Vol 10, Issue 2
> ***************************************
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden