I got a very interesting (and unexpected) email today. Apparently Apple is in the process of certifying Mac OS X to Federal Information Processing Standard 140, which is used to validate encryption and security technologies -- it's commonly associated with SSL/TLS hardware and software; I know OpenSSL was being validated against FIPS too, but haven't kept track of that progress. I had no idea Apple was working on this, but if and when it's completed, it should be a useful credential for Apple in security-sensitive environments. Note that I make no claims as to the meaning of FIPS certification, but it will be used as a simple checkbox for trustworthiness, so it can't hurt Apple to have this particular tick-mark.

From: "Shawn A. Geddis" <geddis@>
To: Fed Talk <fed-talk@lists.apple.com>
Date: Mon, 10 Sep 2007 04:57:51 -0400
Subject: [FIPS 140-2] Mac OS X - Implementation Under Test (IUT)

It's Official -- Mac OS X is now in "Pre-Validation" for FIPS 140-2 Level 1 (Software) Conformance Validation

Everyone has been eager to know the status of FIPS 140-2 Conformance Validation for Apple's Mac OS X and we are happy to finally announce that as of Friday September 7, 2007 the Apple Cryptographic Service Provider (CSP) Module is officially now in "Pre-Validation".

Listed on NIST (CMVP) Pre-Validation List

You will now find the Apple "Cryptographic Service Provider (CSP)" on line 5 of page 2 on the Pre-Validation List (PDF) posted on the NIST CMVP website. To view that list now or reference it in the future, use the following link to download the PDF document:

http://csrc.nist.gov/cryptval/140-1/140PreVal.pdf

What will be covered by this validation

A Cryptography Architecture is built into Mac OS X and is the foundation for services critical to the protection and privacy of data. The key Apple Cryptographic Services which will be covered by this validation are:

FileVault (Encrypted Container - User's Home Directory)

Encrypted Disk Images (Encrypted Container - Stored on any accessible media)

Keychains (Credential Storage)

The FIPS 140-2 Conformance Validation Process

For those who are not familiar with the process and requirements, they can be found on the NIST website at:

http://csrc.nist.gov/cryptval/140-1/preval.htm

  1. Implementation Under Test (IUT)
  2. Validation Review Pending
  3. Validation Review
  4. Validation Coordination
  5. Validation Finalization

When it will be done

Many have asked when Mac OS X's cryptographic algorithms and cryptography conformance validation against FIPS 140-2 Level 1 will be complete. Apple is unable to provide you with a more specific timeframe than the first half of 2008 due to the extensiveness of the process. Apple will make every effort to post status updates on the Federal website [ http://www.apple.com/itpro/federal/ ] as well as occasional updates posted to the Fed-Talk Mailing list [ http://lists.apple.com/mailman/listinfo/fed-talk ].

Meeting OMB Recommendations (M-06-16)

To assist Federal Agency IT Staff in understanding how Apple's Mac OS X Operating System can help them meet OMB guidelines, the Apple Enterprise Team had developed and presented the "Meeting OMB Encryption Guidelines with Mac OS X Today" briefing to a large Federal IT Staff on August 17, 2006. Many additional Federal Staff had indicated that they were unable to attend the all day briefing and technical discussion due to scheduling conflicts, but said they were extremely interested in getting access to the presentation.

"Meeting OMB Encryption Guidelines"

http://idisk.mac.com/geddis-Public/security/Meeting_OMB_Encryption_Guidelines.pdf

Background on FileVault

FileVault provides full 128-bit AES encryption of the User's Home Directory where the user has full, direct access to read and write their data. The underlying Encrypted Disk Image architecture also provides services to create, manage and store the encrypted containers on any accessible storage media. This storage includes external volumes such as thumb drives, CDs/DVDs, USB/FireWire HDs and even network accessible volumes.

Background on Apple's Cryptographic Architecture

The Cryptography and PKI Services within Mac OS X and Mac OS X Server are provided through the CDSA - Common Data Security Architecture. The CDSA architecture is the core part of Apple's Security framework which is available from The Open Group and available as open source for review, use and modification.

Open Group - CDSA: http://www.opengroup.org/security/l2-cdsa.htm

Apple source can be found at: http://developer.apple.com/opensource/security/

If you have any additional questions at this time regarding the FIPS 140-2 Level 1 Conformance Validation of Mac OS X, please contact me directly via email at: geddis@