[Fed-Talk] [UPDATE][Announce] FIPS 140-2 Crypto Validations for ALL Apple Operating Systems; and SEP:SKS (HW) Module Validation
- Subject: [Fed-Talk] [UPDATE][Announce] FIPS 140-2 Crypto Validations for ALL Apple Operating Systems; and SEP:SKS (HW) Module Validation
- From: "Shawn A. Geddis" <email@hidden>
- Date: Wed, 01 Aug 2018 23:40:44 -0700
[UPDATE][Announce]
- FIPS 140-2 Crypto Validations for ALL Apple Operating Systems (iOS, tvOS,
watchOS, T2 Firmware, and macOS)
- SEP:SKS (HW) Module Validation in the Apple System-On-Chips (SoC) — A, S,
and T.
I had previously sent out an earlier version of this FIPS 140-2 Validations
Message, but now am drawing your attention to the completion of the SEP Secure
Key Store Module (Hardware) as well as new and updated Knowledge Base Articles
that cover all Product security certifications, validations, and guidance for
ALL Apple Operating Systems.
Apple: Knowledge Base References
There are Apple Support Knowledge Base Articles for each operating system, with
resources relating to ALL Validations and Certifications including FIPS 140-2,
Common Criteria Certification, Security Guidance Resources, and requesting
Volatility Statements. These articles contain mappings of each validated
version of the CoreCrypto Modules to the OS versions along with the CMVP
certificates, and the Crypto Officer Role Guide (CORG) provided by Apple — with
links to public postings.
** UPDATED ** KB ARTICLES
[1] Product security certifications, validations, and guidance for iOS
https://support.apple.com/HT202739
[2] Product security certifications, validations, and guidance for macOS
https://support.apple.com/HT201159
** NEW ** KB ARTICLES
[3] Product security certifications, validations, and guidance for watchOS
https://support.apple.com/HT208390
[4] Product security certifications, validations, and guidance for tvOS
https://support.apple.com/HT208389
[5] Product security certifications, validations, and guidance for T2 Firmware
https://support.apple.com/en-us/HT208675
For those wanting to go directly to the Knowledge Base Articles covering the
FIVE FIPS 140-2 Modules, here are the links.
Apple FIPS Cryptographic Modules v8.0 for ARM for iOS 11, tvOS 11, watchOS 4,
and T2 Firmware
https://support.apple.com/en-us/HT208677
Apple FIPS Cryptographic Modules v8.0 for Intel for macOS High Sierra 10.13
https://support.apple.com/en-us/HT208676
Apple FIPS Secure Enclave Processor Secure Key Store Cryptographic Module v1.0
https://support.apple.com/en-us/HT208678
Apple is already engaged in pursuing FIPS 140-2 Validation for the same FIVE
Modules used by the next major OS releases:
Apple FIPS Cryptographic Modules v9.0 for ARM for iOS 12, tvOS 12, watchOS 5,
and T2 Firmware
Apple FIPS Cryptographic Modules v9.0 for Intel for macOS Mojave 10.14
Apple FIPS Secure Enclave Processor Secure Key Store Cryptographic Module v9.0
(Level 2)
*** Previous Notice with updates follows ***
______________________________________________________________________
FIPS 140-2 Validation Interested Communities,
We have exciting news to share with you…
- Module Validations
- Expanded Coverage
- Module Identification Change
- Apple: Knowledge Base References
- NIST: Validation References
- Additional Helpful References
Review all resources for questions you may have related to the validations and
platform compliance. If you still have any questions related to security
certifications, please direct them to email@hidden.
Module Validations
Apple is pleased to announce that the FIPS 140-2 Level 1 Validations for the
User Space & Kernel Space Cryptographic Modules used by macOS High Sierra
v10.13, iOS 11, tvOS 11, watchOS 4 and even for the new T2 were all completed!
(3/09/18; 3/22/18).
Apple now has also achieved the first FIPS 140-2 Validation for the hardware
module (SEP:SKS). For more information, see the following Knowledge Base
Article:
Apple FIPS Secure Enclave Processor Secure Key Store Cryptographic Module v1.0
https://support.apple.com/en-us/HT208678
As has been the case for the last six years, Apple continues to commit to
submitting the cryptographic modules for FIPS 140-2 validation for each major
release of the operating systems and now with the SEP:SKS hardware module as
well.
Expanded Coverage
Note the significantly expanded coverage of operating systems this round with
macOS High Sierra v10.13, iOS 11, tvOS 11, watchOS 4 and for the new T2. This
indicates coverage for both the User Space and Kernel Space Modules for ALL of
Apple’s Operating Systems including coverage of the OS that drives the new T2
in the iMac Pro 2017.
And in addition to the expanded coverage from 2 modules on 2 operating systems
to 2 modules on 5 Operating Systems, Apple is pleased to announce the
validation of the first hardware module as well: Apple Secure Enclave Processor
Secure Key Store Module, v1.0. The SEP:SKS is the hardware protected key oracle
embedded in the Apple System-On-Chip (SoC) — A, S, and T.
This expanded coverage significantly enhances your opportunity to build and
rely on FIPS 140-2 Compliant solutions with FIPS 140-2 Validated Cryptography
across all of Apple’s Operating Systems and devices.
Module Identification Change
The module identification has been changed to support this expanded coverage,
including ALL Apple's Operating Systems and their related Cryptographic Module
identifiers.
ARM-based platforms
Operating System(s): iOS 11, tvOS 11, watchOS 4, and T2 Firmware
Module (User Space): #3148: Apple CoreCrypto Module v8.0 for ARM
Module (Kernel Space): #3147: Apple CoreCrypto Kernel Module v8.0 for ARM
Validation Certificate #3148
http://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3148
FIPS 140-2 Non-Proprietary Security Policy
http://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3148.pdf
Validation Certificate #3147
http://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3147
FIPS 140-2 Non-Proprietary Security Policy
http://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3147.pdf
Intel Processor-based platforms
Operating System(s): macOS High Sierra 10.13
Module (User Space): #3155: Apple CoreCrypto Module v8.0 for Intel
Module (Kernel Space): #3156: Apple CoreCrypto Kernel Module v8.0 for Intel
Validation Certificate #3155
http://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3155
FIPS 140-2 Non-Proprietary Security Policy
http://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3155.pdf
Validation Certificate #3156
http://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3156
FIPS 140-2 Non-Proprietary Security Policy
http://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3156.pdf
Apple Secure Enclave Processor (SEP)
Operating System(s): iOS 11, tvOS 11, watchOS 4, and T2 Firmware
Hardware Systems: SEP embedded in the A, S, and T SoCs
iPhone/iPad/iPod touch, Apple Watch Series, Apple TV 4K, and Intel-based iMac
Pro (2017)
Module (Hardware): #3223: Apple Secure Enclave Processor Secure Key Store
Module, v1.0
Validation Certificate #3223
http://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3223
FIPS 140-2 Non-Proprietary Security Policy
http://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3223.pdf
Note: With respect to the FIPS 140-2 Validation of the SEP:SKS module, all
three SoCs (A, S, and T) provide hardware equivalency. This validation
provides FIPS 140-2 Compliance for iPhone/iPad, Apple Watch, Apple TV 4K, and
for the new Intel-based iMac Pro (2017) through the use of the T2
(iBridge2,1).
Apple: Knowledge Base References
There are Apple Support Knowledge Base Articles for each operating system, with
resources relating to ALL Validations and Certifications including FIPS 140-2,
Common Criteria Certification, Security Guidance Resources, and requesting
Volatility Statements. These articles contain mappings of each validated
version of the CoreCrypto Modules to the OS versions along with the CMVP
certificates, and the Crypto Officer Role Guide (CORG) provided by Apple — with
links to public postings.
[1] Product security certifications, validations, and guidance for iOS
https://support.apple.com/HT202739
[2] Product security certifications, validations, and guidance for macOS
https://support.apple.com/HT201159
[3] Product security certifications, validations, and guidance for watchOS
https://support.apple.com/HT208390
[4] Product security certifications, validations, and guidance for tvOS
https://support.apple.com/HT208389
[5] Product security certifications, validations, and guidance for T2 Firmware
https://support.apple.com/HT208675
NIST: Validation References
The cryptographic modules provided by and used within each OS repeatedly go
through FIPS 140-2 Validation at CMVP — a joint framework run by both NIST (US)
and CSEC (CA). As is noted on the Apple KB Article pages for each OS, you can
verify the CAVP validated cryptography in algorithm/modes as well as the
overall Cryptographic Module Validation by CMVP against the US/CA government
requirements.
Validation of all of Apple's FIPS Validated Cryptographic Algorithms:
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation
Validation of all of Apple's FIPS Validated Cryptographic Modules:
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules
Search:
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules/Search
Search for Vendor: Apple to see and access the complete active list
NIST: Modules-In-Process
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List
NIST: Implementation Under Test (IUT)
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/IUT-List
Previous Apple Cryptographic Module Validations
Apple Inc.
iOS 10 & macOS Sierra v10.12:
2827 - Apple iOS CoreCrypto Module v7.0
http://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/2827
2828 - Apple iOS CoreCrypto Kernel Module v7.0
http://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/2828
2832 - Apple macOS CoreCrypto Module, v7.0
http://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/2832
2830 - Apple macOS CoreCrypto Kernel Module v7.0
http://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/2830
iOS 9 & OS X El Capitan v10.11:
2594 - Apple iOS CoreCrypto Module v6.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm#2594
2609 - Apple iOS CoreCrypto Kernel Module v6.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm#2609
2610 - Apple OS X CoreCrypto Module, v6.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm#2610
2597 - Apple OS X CoreCrypto Kernel Module v6.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm#2597
iOS 8 & OS X Yosemite v10.10:
2396 - Apple iOS CoreCrypto Module v5.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2015.htm#2396
2407 - Apple iOS CoreCrypto Kernel Module v5.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2015.htm#2407
2408 - Apple OS X CoreCrypto Module, v5.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2015.htm#2408
2411 - Apple OS X CoreCrypto Kernel Module v5.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2015.htm#2411
iOS 7 & OS X Mavericks v10.9:
2020 - Apple iOS CoreCrypto Module, v4.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2020
2021 - Apple iOS CoreCrypto Kernel Module, v4.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2021
2015 - Apple OS X CoreCrypto Module, v4.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2015
2016 - Apple OS X CoreCrypto Kernel Module, v4.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2016
iOS 6 & OS X Mountain Lion v10.8:
1963 - Apple iOS CoreCrypto Module, v3.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#1963
1944 - Apple iOS CoreCrypto Kernel Module, v3.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#1944
1964 - Apple OS X CoreCrypto Module, v3.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#1964
1956 - Apple OS X CoreCrypto Kernel Module, v3.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#1956
“Historical” (archived) Modules ( > 5 years since validation )
OS X Lion v10.7:
1701 - Apple FIPS Cryptographic Module, v1.1
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/1701
1514 - Apple FIPS Cryptographic Kernel Module, v1.1
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/1514
-------------------------------------------------------------------------------------------------------------------------------
Additional Helpful References:
for those unfamiliar or needing a refresher on current FIPS 140-2 Requirements
-------------------------------------------------------------------------------------------------------------------------------
FIPS - Federal Information Processing Standard
http://csrc.nist.gov/publications/PubsFIPS.html
http://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
FIPS 140-2 - Security Requirements for Cryptographic Modules
http://csrc.nist.gov/groups/STM/cmvp/standards.html
CMVP - Cryptographic Module Validation Program
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation
“Modules In Process”
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List
Module Validation List (completed)
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules
Module Validation List (Search by vendor)
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules/Search
(Search for Vendor: Apple) to see and access the complete list
CAVP - Cryptographic Algorithm Validation Program
(Each Algorithm validated receives a Certificate)
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation
Appreciation
Apple would like to acknowledge and express appreciation for the frequently
underappreciated work performed by the CAVP and CMVP (NIST/CSE) Validation
Staff who face a never-ending backlog of cryptographic algorithms and modules
everyone here uses on a daily basis. Through sincere willingness and efforts
towards process improvements, we are all working together towards shorter
processing times moving forward.
brought to you by the…
Apple Platform Security Certification Program
email@hidden