John,
from previous email from Shawn---
To restate quickly here for you again what I have noted a few times on the list before.....
** OSX **
Service | Crypto module | Will be covered by Apple's FIPS 140-2 Validation
• FileVault 2 | CoreCrypto Kernel | YES
• TLS/SSL | CoreCrypto | YES - *IF* using FIPS Approved Algorithms
• S/MIME | CoreCrypto | YES - *IF* using FIPS Approved Algorithms
• SSH (OpenSSH) | Uses OpenSSL | NO
• SSL (OpenSSL) | Uses its Own Crypto | NO
• Heimdal Kerberos | Uses its Own Crypto | NO
How about the SSL provided in OS X Server web server?
Apache uses OpenSSL --> No.
How about the SSL embedded in Safari and Mobile Safari?
There is no SSL embedded in Safari or Mobile Safari. That would indicate a misunderstanding of the architecture. Safari relies on built-in OS services such as SecureTransport / CFNetwork / etc. which all use the CoreCrypto module.
How about the device encryption on iOS devices?
Yes. CoreCrypto Kernel.
- Shawn
***from Peter
CoreCrypto is already being used by OSX. It is the default crypto module for most Apple applications. Third-party applications can still use other modules and have to get FIPS certification for those separately from what Apple is doing.
On Mar 5, 2013, at 9:06 AM, "Oliver, John N JR CTR SPAWARSYSCEN-PACIFIC, 53223" wrote:
Actually, I was thinking more along the lines of, when is CoreCrypto going to be the default out-of-the-box? When does the old OpenSSL go away?
-----Original Message-----
From: fed-talk-bounces+john.n.oliver.ctr=email@hidden [mailto:fed-talk-bounces+john.n.oliver.ctr=email@hidden] On Behalf Of Neely, Lee
Sent: Tuesday, March 05, 2013 8:32 AM
To: Link, Peter R.; Apple Fed-Talk
Subject: Re: [Fed-Talk] Apple CoreCrypto FIPS Status
John-
What you're really looking for is information on what needs to be configured (and how) to meet/pass. Apple has indicated they will publish information after the certification completes. I'm hoping (and I think Peter hints at it as well) the impact is nominal, or even trivial.
Lee
Lee Neely, CISSP, CCUV
Lawrence Livermore National Laboratory
Cyber Security Program
7000 East Ave L-315
Livermore, CA, 94551
Phone: +1 (925) 422-0140
Mobile: +1 (925) 321-0087
email@hidden
From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden] On Behalf Of Link, Peter R.
Sent: Tuesday, March 05, 2013 8:25 AM
To: Apple Fed-Talk
Subject: Re: [Fed-Talk] Apple CoreCrypto FIPS Status
too early, too many typos---
Depends on what you mean by deployment. The software is already there and the only "deployment" feature would be an upgraded FIPS application that would check that everything has started up properly, which generates a report you can use for any auditors. I don't believe Apple is adding any modules that don't already exist. The FIPS certification is simply that, a certification that the modules are working properly.
On Mar 5, 2013, at 7:48 AM, "Oliver, John N JR CTR SPAWARSYSCEN-PACIFIC, 53223" <email@hidden> wrote:
Do we have any idea what that means as far as a potential timetable to actual deployment?
-----Original Message-----
From: fed-talk-bounces+john.n.oliver.ctr=email@hidden <mailto:fed-talk-bounces+john.n.oliver.ctr=email@hidden> [mailto:fed-talk-bounces+john.n.oliver.ctr=email@hidden] On Behalf Of Rowe, Walter
Sent: Tuesday, March 05, 2013 6:10 AM
To: email@hidden
Subject: [Fed-Talk] Apple CoreCrypto FIPS Status
All four of Apple's CoreCrypto modules are in the "Coordination" phase according to the March 4th, 2013 CMVP report (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf).
* Apple iOS CoreCrypto Module
* Apple iOS CoreCrypto Kernel Module
* Apple OS X CoreCrypto Module
* Apple OS X CoreCrypto Kernel Module
Walter
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
email@hidden
301-975-2885
_______________________________________________
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden