Apple has posted the Apple FIPS Cryptographic Module v1.1 and an associated "How to set up and maintain a FIPS-enabled OS X Lion system" kbase. FIPS 140-2 validation is a program run by NIST (National Institute of Standards and Technology) that tests a cryptographic module, not a whole operating system, against a published security standard and issues a certificate at one of four security levels. It appears from here that the CDSA module is validated at 140-2 Level 1. For those not versed in the dark details of FIPS certification, Wikipedia describes Level 1 as requiring only that "all components must be 'production-grade' and various egregious kinds of insecurity must be absent"; tamper evidence and physical security requirements only begin at Level 2.
The interesting piece in all this is in the "additional information" section of the "How to set up and maintain a FIPS-enabled OS X Lion system" kbase:
"OS X Lion security services are now built on a newer "Next Generation Cryptography" platform and have transitioned from the CDSA/CSP module previously validated on Mac OS X v10.6. However, Apple has re-validated the same CDSA/CSP module under OS X Lion to provide continued validation solely for third-party applications."
So Lion itself is not FIPS validated: Apple's own security services now run on the newer platform, which is not covered by the validation, while the CDSA/CSP module that does carry the certificate is kept around solely so that third-party applications calling it can still point at a validated module. An application that uses the newer APIs, or ships its own crypto library, gets nothing from this certificate. Clear?