Re: [Fed-Talk] iOS 6, FIPS, and Data in transit?


  • Subject: Re: [Fed-Talk] iOS 6, FIPS, and Data in transit?
  • From: "Neely, Lee" <email@hidden>
  • Date: Fri, 24 May 2013 16:27:42 +0000
  • Thread-topic: [Fed-Talk] iOS 6, FIPS, and Data in transit?

William-

I agree and think I make a slightly different point.  I do believe that Safari uses FIPS Compliant encryption. I also believe it uses non-FIPS because it has to for compatibility, and we can’t switch that off. Remember, the certification lists non-approved security functions on the device: DES, MD5, CAST5, ECDSA, Blowfish, BitGen1/2/3, RC4, OMAC.

 

Lastly, we need Shawn to clarify.

 

Lee

 

From: William Cerniuk [mailto:email@hidden]
Sent: Friday, May 24, 2013 9:20 AM
To: Neely, Lee; Allan Marcus
Cc: email@hidden Talk
Subject: Re: [Fed-Talk] iOS 6, FIPS, and Data in transit?

 

I think Allan's question was "Mobile Safari's SSL FIPS validated". If I read in history on CoreCrypto Kernel via what Shawn wrote, any app that does not implement its own SSL/TLS but rather takes the much much much easier route of using the system SSL/TLS is all using the nice and tidy NIST certified FIPS 140-2 compliant cryptology now. That would be for Mail as well as Safari and include iCloud transmission as well.

 

Shawn can obviously speak to what Apple did or did not do in Mail and Safari but after many conversations with Shawn, the odds of winning the lottery jackpot on a single ticket purchase are better than the odds of Apple not using its own CoreCrypto for its apps that do communications. :-)

 

--

R/Wm.

On May 24, 2013, at 11:55 AM, "Neely, Lee" <email@hidden> wrote:



Allan-

EAS typically runs over SSL (Port 443); connection security is a function of the IIS Server, not EAS. There are registry settings to disable non-FIPS compliant algorithms in Exchange Server 2010 SP1.  http://blogs.technet.com/b/exchange/archive/2010/08/30/exchange-2010-sp1-and-support-for-fips-compliant-algorithms.aspx

 

The FIPS compliance/certification comes from the OS layer (CAPI) and its behaviors. http://technet.microsoft.com/en-us/library/cc750357.aspx

 

So, I’m saying we can force EAS into FIPS Compliant mode and the data connection will be FIPS Compliant.

 

The rub with web browsers is the security of the connection is dependent on the remote end and what it requires. If you implement a web server and don’t exclude the NULL Cypher, you can have non-encrypted SSL sessions.  In fact, you can choose what encryption to enable in your web server. This means that the browser needs a wide range of algorithms for maximum compatibility. So while you could certify that FIPS compliant algorithms work as needed, I’m not sure how much good that provides when you have to also provide non-FIPS for compatibility. (Remember, Apple didn’t create a BlackBerry where we can force the issue with a security setting.)

 

Lee

 

Lee Neely, CISSP, CISM, CCUV

 

Lawrence Livermore National Laboratory

Cyber Security Program

7000 East Ave L-315

Livermore, CA, 94551

 

Phone: +1 (925) 422-0140

email@hidden

From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden] On Behalf Of Marcus, Allan B
Sent: Friday, May 24, 2013 7:54 AM
To: email@hidden Talk
Subject: [Fed-Talk] iOS 6, FIPS, and Data in transit?

 

If using Apple Mail on an iOS device, say with Active Sync to an enterprise Exchange server, is the data in transit (e.g., the network connection to the exchange server) FIPS 140.2 L1 validated (assuming Apple gets both the FIPS validations it is seeking)?

 

Also, is Mobile Safari's SSL FIPS validated (or will be when the second validation comes through)?

 

-- 

Thanks,

 

Allan Marcus

Chief IT Architect

Los Alamos National Laboratory

505-667-5666

email@hidden

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
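
Added example, not part of the original thread: the quoted message notes that the server decides which ciphers are enabled, so this Python sketch audits a server's cipher suite list against the non-approved functions the post lists, plus the NULL cipher. The function names, the sample suite list and the cipher string are assumptions made for illustration; the denylist is the post's list, not a FIPS reference.

```python
import re
import ssl

# Non-approved functions exactly as the post lists them, plus NULL from the
# quoted message. Most never appear in TLS suite names; they are kept so the
# list matches the page. This is the post's list, not a FIPS reference.
NON_APPROVED = {"DES", "MD5", "CAST5", "ECDSA", "BLOWFISH", "RC4", "OMAC", "NULL"}


def flagged_algorithms(suite, denylist=NON_APPROVED):
    """Return the denylisted algorithm tokens found in one cipher suite name."""
    tokens = re.split(r"[-_]", suite.upper())
    hits = set()
    for i, tok in enumerate(tokens):
        # OpenSSL spells Triple DES as DES-CBC3; that is not single DES.
        if tok == "DES" and i + 1 < len(tokens) and tokens[i + 1] == "CBC3":
            continue
        if tok in denylist:
            hits.add(tok)
    return hits


def audit(suites, denylist=NON_APPROVED):
    """Map each offending suite name to the sorted tokens that flagged it."""
    report = {}
    for s in suites:
        hits = flagged_algorithms(s, denylist)
        if hits:
            report[s] = sorted(hits)
    return report


def enabled_suites(cipher_string):
    """Suites the local OpenSSL build would enable for a server cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: a permissive server list of the kind the message warns about.
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-MD5",
          "NULL-SHA", "TLS_RSA_WITH_DES_CBC_SHA"]

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(f"{name}: {', '.join(why)}")
    print(audit(enabled_suites("HIGH:!aNULL:!eNULL:!MD5:!RC4")))
```

Suites flagged only for ECDSA reflect the post's device-specific list; pass a different `denylist` to audit against another policy.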

 


  • Follow-Ups:
    • Re: [Fed-Talk] iOS 6, FIPS, and Data in transit?
      • From: "Link, Peter R." <email@hidden>
References: 
 >[Fed-Talk] iOS 6, FIPS, and Data in transit? (From: "Marcus, Allan B" <email@hidden>)
 >Re: [Fed-Talk] iOS 6, FIPS, and Data in transit? (From: "Neely, Lee" <email@hidden>)
 >Re: [Fed-Talk] iOS 6, FIPS, and Data in transit? (From: William Cerniuk <email@hidden>)
