William-
I agree and think I make a slightly different point. I do believe that Safari uses FIPS Compliant encryption. I also believe it uses non-FIPS because it has to for compatibility, and we can’t switch that off. Remember, the certification lists non-approved security functions on the device: DES, MD5, CAST5, ECDSA, Blowfish, BitGen1/2/3, RC4, OMAC.
Lastly, we need Shawn to clarify.
Lee
From: William Cerniuk [mailto:email@hidden]
Sent: Friday, May 24, 2013 9:20 AM
To: Neely, Lee; Allan Marcus
Cc: email@hidden Talk
Subject: Re: [Fed-Talk] iOS 6, FIPS, and Data in transit?
I think Allan's question was "Mobile Safari's SSL FIPS validated". If I read in history on CoreCrypto Kernel via what Shawn wrote, any app that does not implement its own SSL/TLS but rather takes the much much much easier route of using the system SSL/TLS is all using the nice and tidy NIST certified FIPS 140-2 compliant cryptology now. That would be for Mail as well as Safari and include iCloud transmission as well.
Shawn can obviously speak to what Apple did or did not do in Mail and Safari, but after many conversations with Shawn, the odds of winning the lottery jackpot on a single ticket purchase are better than the odds of Apple not using its own CoreCrypto for its apps that do communications. :-)
On May 24, 2013, at 11:55 AM, "Neely, Lee" <email@hidden> wrote:
So, I’m saying we can force EAS into FIPS Compliant mode and the data connection will be FIPS Compliant.
The rub with web browsers is the security of the connection is dependent on the remote end and what it requires. If you implement a web server and don’t exclude the NULL Cypher, you can have non-encrypted SSL sessions. In fact, you can choose what encryption to enable in your web server. This means that the browser needs a wide range of algorithms for maximum compatibility. So while you could certify that FIPS compliant algorithms work as needed, I’m not sure how much good that provides when you have to also provide non-FIPS for compatibility. (Remember, Apple didn’t create a BlackBerry where we can force the issue with a security setting.)
Lee Neely, CISSP, CISM, CCUV
Lawrence Livermore National Laboratory
Phone: +1 (925) 422-0140
If using Apple Mail on an iOS device, say with Active Sync to an enterprise Exchange server, is the data in transit (e.g., the network connection to the exchange server) FIPS 140.2 L1 validated (assuming Apple gets both the FIPS validations it is seeking)?
Also, is Mobile Safari's SSL FIPS validated (or will be when the second validation comes through)?
Los Alamos National Laboratory
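
The compatibility problem Lee describes above, as an added example that is not part of the original thread: a simplified model of cipher-suite selection showing that a client carrying both approved and non-approved suites ends up on whichever one the server enables. The suite lists, host names and the rule treating RC4, MD5 and NULL suites as non-approved are constructed assumptions.

```python
# Added illustration: a simplified model of TLS cipher-suite selection.
# Suite names follow OpenSSL naming; all client/server lists are constructed.

# Assumption: a suite counts as non-approved if it uses RC4, MD5 or NULL
# encryption (RC4 and MD5 are on the list quoted in the thread, NULL is the
# unencrypted case Lee mentions).
NON_APPROVED_TOKENS = {"RC4", "MD5", "NULL"}


def is_approved(suite):
    """True when no component of the suite name is a non-approved algorithm."""
    return NON_APPROVED_TOKENS.isdisjoint(suite.split("-"))


def negotiate(client_offer, server_enabled):
    """Return the first client-preferred suite the server enables, else None.

    Simplification: real servers may apply their own preference order.
    """
    enabled = set(server_enabled)
    for suite in client_offer:
        if suite in enabled:
            return suite
    return None  # no shared suite: the handshake fails


def audit(client_offer, servers):
    """Map each server name to (negotiated suite, approved?) for this client."""
    report = {}
    for name, enabled in servers.items():
        suite = negotiate(client_offer, enabled)
        report[name] = (suite, suite is not None and is_approved(suite))
    return report


# Constructed sample data.
COMPAT_CLIENT = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5"]
STRICT_CLIENT = [s for s in COMPAT_CLIENT if is_approved(s)]
SERVERS = {
    "modern.example": ["AES256-SHA", "AES128-SHA", "RC4-SHA"],
    "legacy.example": ["RC4-SHA", "RC4-MD5"],
}

if __name__ == "__main__":
    for label, client in (("compat", COMPAT_CLIENT), ("strict", STRICT_CLIENT)):
        for server, (suite, ok) in audit(client, SERVERS).items():
            print(f"{label:6} -> {server:15} {suite or 'handshake fails':16} approved={ok}")
```

The strict client trades reachability for assurance: it never lands on a non-approved suite, but it cannot connect to the legacy host at all.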