Thanks Peter.
Had not found that document. Appreciate the link.
On May 7, 2013, at 11:13 PM, "Link, Peter R." < email@hidden> wrote:
William,
from NIST website mentioned below:
***
-Operational Environment: Tested as meeting Level 1 with iOS 6.0 running on an iPhone4; iOS 6.0 running on an iPhone4S; iOS 6.0 running on an iPad (single-user mode)
-FIPS-approved algorithms: Triple-DES (Certs. #1335 and #1337); AES (Certs. #2070, #2071, #2099 and #2101); SHS (Certs. #1803, #1804, #1823 and #1825); ECDSA (Certs. #308 and #310); HMAC (Certs. #1255, #1256, #1274 and #1276); DRBG (Certs. #222 and #224); PBKDF (vendor affirmed)
-Other algorithms: ECDSA (Curves P-192, P-224 and P-521; non-compliant); DES; MD5; CAST5; Blowfish; BitGen1; BitGen2; BitGen3; RC4; OMAC (non-compliant)
Multi-chip standalone
"The Apple iOS CoreCrypto Kernel Module is a software cryptographic module running on a multi-chip standalone mobile device and provides services intended to protect data in transit and at rest."
***
To try and answer your SSN question, from what I can see, the CoreCrypto Kernel provides the encryption that protects data in transit and at rest. Of course, this only works if the application uses CoreCrypto, but it sounds like you're asking if all data is properly protected at rest and in transit, and from what the security policy states, I believe it does and it does it without you having to explicitly tell it to do it (does it by default).
I am sure Shawn will fix anything incorrect I've stated but there's a lot of information in the security policy document. When the other CoreCrypto module has been approved, we can see what the differences are and what each module addresses.
On May 7, 2013, at 6:22 PM, William Cerniuk < email@hidden> wrote:
Ok, so now that it is approved under the certificate number #1944, the real question is "what does this do for me".
While it has been said:
This stuff is easy to look up for yourselves
I disagree. From the customer perspective, it is near meaningless. "CoreCrypto Kernel Module" has been certified by NIST, yet the only tidbit of information on our threads here seems to be:
On Feb 13, 2013, at 11:31 AM, Shawn Geddis < email@hidden> wrote:
How about the device encryption on iOS devices?
Yes. CoreCrypto Kernel.
Which is a bit of a misnomer? I *suspect* it means the device storage subsystem encryption or 'whole disk encryption' in PC terms.
But even given that… with the encryption system changes and the app controlled encryption parameters.
So let's say I hypothetically receive an email in the native iOS Mail app on an iPad 3 running iOS 6.1.3 with a social security number in it. Is that social security number, as of cert 1944, protected to OMB specifications? Is it encrypted at rest in the storage system and was it encrypted in motion during the transmission all using the CoreCrypto Kernel Module or are we waiting for the non-kernel module or...
If it was all encrypted per OMB in transit and at rest using the certified CoreCrypto Kernel Module, what is the "CoreCrypto Module" going to do for me when it eventually passes?
--
R/Wm.
On May 6, 2013, at 9:51 AM, "Link, Peter R." < email@hidden> wrote:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm
Apple iOS CoreCrypto Kernel Module, v3.0
(Software Version: 3.0)
(When operated in FIPS mode. The module generates cryptographic keys whose strengths are modified by available entropy)
Validated to FIPS 140-2
--contains security policy and consolidated validation certificate
The updated modules in-progress pdf hasn't been posted as of 6:49am Pacific time.
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden