A certified AES and a non-certified AES cypher differ by diploma only, no? AES is AES, or it's not and it is something else...
On May 24, 2013, at 1:00 PM, "Marcus, Allan B" < email@hidden> wrote:
I think lee is saying that if the web server uses a non-FIPS cypher, then Safari will use that cypher for the SSL connection. If the web server is set to only allow "good" cyphers, then the Safari will use them.
My underlying goal with all this is to determine if one can use a iOS device out of the box, configured with an MDM. Specifically with Mail and active sync and safari for web. The STIG says that Safari encryption is not FIPS validated, so it cannot be
used for gov sensitive data. Will that change once the other FIPS module is validated?
--
Thanks,
Allan Marcus
Chief IT Architect
Los Alamos National Laboratory
505-667-5666
Lee,
There isn't any switching on or off of encryption algorithms used within iOS. Everything is always on. Certain algorithms, however, might not be validated by NIST, http://csrc.nist.gov/groups/STM/cavp/index.html.
It's the same way with OSX. The FIPS "application" simply validates everything is running properly, it doesn't magically turn anything on.
Windows does it differently. They have a setting to turn FIPS compliance on. This (might) enable non-compliant algorithms but to my knowledge, Apple doesn't actively use any. It has them available
(maybe) for third-party use.
On May 24, 2013, at 9:27 AM, "Neely, Lee" < email@hidden> wrote:
William-
I agree and think I make a slightly different point. I do believe that Safari uses FIPS Compliant encryption. I also believe it uses non-FIPS because it has to for compatibility,
and we can’t switch that off. Remember, the certification lists non-approved security functions on the device: DES, MD5, CAST5, ECDSA, Blowfish, BitGen1/2/3, RC4, OMAC.
Lastly, we need Shawn to clarify.
Lee
From: William Cerniuk [mailto:williamc@mac.com]
Sent: Friday, May 24, 2013 9:20 AM
To: Neely, Lee; Allan Marcus
Cc: email@hidden Talk
Subject: Re: [Fed-Talk] iOS 6, FIPS, and Data in transit?
I think Allan's question was "Mobile Safari's SSL FIPS validated". If I read in history on CoreCrypto Kernel via what Shawn wrote, any app that does not implement it's own SSL/TLS but rather takes the much much much easier route of using the system SSL/TLS
is all using the nice and tidy NIST certified FIPS 140-2 compliant cryptology now. That would be for Mail as well as Safari and include iCloud transmission as well.
Shawn can obviously speak to what Apple did or did not do in Mail and Safari but after many conversations with Shawn, the odds of winning the lottery jackpot on a single ticket purchase are better than the odds of Apple not using it's own CoreCrypto for it's
apps that do communications. :-)
On May 24, 2013, at 11:55 AM, "Neely, Lee" < email@hidden> wrote:
So, I’m saying we can force EAS into FIPS Compliant mode and the data connection will be FIPS Compliant.
The rub with web browsers is the security of the connection is dependent on the remote end and what it requires. If you implement a web server and don’t exclude the NULL
Cypher, you can have non-encrypted SSL sessions. In fact, you can choose what encryption to enable in your web server. This means that the browser needs a wide range of algorithms for maximum compatibility. So while you could certify that FIPS compliant algorithms
work as needed, I’m not sure how much good that provides when you have to also provide non-FIPS for compatibility. (Remember, Apple didn’t create a BlackBerry where we can force the issue with a security setting.)
Lee Neely, CISSP, CISM, CCUV
Lawrence Livermore National Laboratory
( Phone:
+1 (925) 422-0140
If using Apple Mail on an iOS device, say with Active Sync to an enterprise Exchange server, if the data in transit (e.g., the network connection to the exchange server) FIPS 140.2 L1 validated
(assuming Apple gets the both the FIPS validations it is seeking)?
Also, is Mobile Safari's SSL FIPS validated (or will be when the second validation comes through)?
Los Alamos National Laboratory
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list ( email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
|