Apple Inc. Apple OS X CoreCrypto Module, v3.0 FIPS 140-2 Non-Proprietary Security Policy Document Control Number FIPS_CORECRYPTO_OSX_US_SECPOL_01.05 Version 01.05 June, 2013 Prepared for: Apple Inc. 1 Infinite Loop Cupertino, CA 95014 www.apple.com Prepared by: atsec information security Corp. 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com ©2013 Apple Inc. This document may be reproduced and distributed only in its original entirety without revision Table of Contents 1 INTRODUCTION ............................................................................................................................................... 4 1.1 PURPOSE ............................................................................................................................................................ 4 1.2 DOCUMENT ORGANIZATION / COPYRIGHT ................................................................................................................. 4 1.3 EXTERNAL RESOURCES / REFERENCES ....................................................................................................................... 4 1.3.1 Additional References ............................................................................................................... 4 1.4 ACRONYMS ......................................................................................................................................................... 5 2 CRYPTOGRAPHIC MODULE SPECIFICATION ...................................................................................................... 8 2.1 MODULE DESCRIPTION .......................................................................................................................................... 8 2.1.1 Module Validation Level ........................................................................................................... 8 2.1.2 Module components................................................................................................................. 8 2.1.3 Tested Platforms ....................................................................................................................... 9 2.2 MODES OF OPERATION .......................................................................................................................................... 9 2.3 CRYPTOGRAPHIC MODULE BOUNDARY ................................................................................................................... 15 3 CRYPTOGRAPHIC MODULE PORTS AND INTERFACES .......................................................................................16 4 ROLES, SERVICES AND AUTHENTICATION ........................................................................................................17 4.1 ROLES .............................................................................................................................................................. 17 4.2 SERVICES .......................................................................................................................................................... 17 4.3 OPERATOR AUTHENTICATION ................................................................................................................................ 19 5 PHYSICAL SECURITY ........................................................................................................................................20 6 OPERATIONAL ENVIRONMENT........................................................................................................................21 6.1 APPLICABILITY.................................................................................................................................................... 21 6.2 POLICY ............................................................................................................................................................. 21 7 CRYPTOGRAPHIC KEY MANAGEMENT .............................................................................................................22 7.1 RANDOM NUMBER GENERATION........................................................................................................................... 22 7.2 KEY / CSP GENERATION ...................................................................................................................................... 22 7.3 KEY / CSP ESTABLISHMENT .................................................................................................................................. 22 7.4 KEY / CSP ENTRY AND OUTPUT ............................................................................................................................ 22 7.5 KEY / CSP STORAGE ........................................................................................................................................... 23 7.6 KEY / CSP ZEROIZATION ...................................................................................................................................... 23 8 ELECTROMAGNETIC INTERFERENCE/ELECTROMAGNETIC COMPATIBILITY (EMI/EMC) ....................................24 9 SELF-TESTS ......................................................................................................................................................25 9.1 POWER-UP TESTS .............................................................................................................................................. 25 9.1.1 Cryptographic Algorithm Tests ................................................................................................ 25 9.1.2 Software / Firmware Integrity Tests ....................................................................................... 26 9.1.3 Critical Function Tests ............................................................................................................. 26 9.2 CONDITIONAL TESTS ........................................................................................................................................... 26 9.2.1 Continuous Random Number Generator Test ........................................................................ 26 9.2.2 Pair-wise Consistency Test ...................................................................................................... 26 9.2.3 SP 800-90A Assurance Tests.................................................................................................... 26 9.2.4 Critical Function Test............................................................................................................... 26 10 DESIGN ASSURANCE ...................................................................................................................................27 10.1 CONFIGURATION MANAGEMENT ........................................................................................................................... 27 10.2 DELIVERY AND OPERATION ................................................................................................................................... 27 10.3 DEVELOPMENT .................................................................................................................................................. 27 10.4 GUIDANCE ........................................................................................................................................................ 27 10.4.1 Cryptographic Officer Guidance ............................................................................................. 27 10.4.2 User Guidance......................................................................................................................... 27 11 MITIGATION OF OTHER ATTACKS .................................................................................................................28 Last update: 2013-06-12 ©2013 Apple Inc. Version: 01.05 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 2 of 28 List of Tables Table 1: Module Validation Level.................................................................................................................... 8 Table 2: Tested Platforms ................................................................................................................................ 9 Table 3: Approved Security Functions .......................................................................................................... 12 Table 4: Non-Approved Functions ................................................................................................................ 14 Table 5: Roles ................................................................................................................................................ 17 Table 6: Services and Roles ........................................................................................................................... 19 Table 7: Cryptographic Algorithm Tests ........................................................................................................ 26 List of Figures Figure 1: Logical Block Diagram .................................................................................................................... 15 Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 3 of 28 1 Introduction 1.1 Purpose This document is a non-proprietary Security Policy for the Apple OS X CoreCrypto Module, v3.0. It describes the module and the FIPS 140-2 cryptographic services it provides. This document also defines the FIPS 140-2 security rules for operating the module. This document was prepared in partial fulfillment of the FIPS 140-2 requirements for cryptographic modules and is intended for security officers, developers, system administrators, and end-users. FIPS 140-2 details the requirements of the Governments of the U.S. and Canada for cryptographic modules, aimed at the objective of protecting sensitive but unclassified information. For more information on the FIPS 140-2 standard and validation program please refer to the NIST website at http://csrc.nist.gov/cryptval. Throughout the document “Apple OS X CoreCrypto Module, v3.0.” “cryptographic module”, “CoreCrypto” or “the module” are used interchangeably to refer to the Apple OS X CoreCrypto Module, v3.0. 1.2 Document Organization / Copyright This non-proprietary Security Policy document may be reproduced and distributed only in its original entirety without any revision, ©2013 Apple Inc. 1.3 External Resources / References The Apple website (http://www.apple.com) contains information on the full line of products from Apple Inc. For a detailed overview of the operating system OS X and its security properties refer to [OS X] and [SEC]. The Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/index.html) contains links to the FIPS 140-2 certificate and Apple, Inc. contact information. 1.3.1 Additional References FIPS 140-2 Federal Information Processing Standards Publication, “FIPS PUB 140-2 Security Requirements for Cryptographic Modules”, Issued May-25-2001, Effective 15-Nov- 2001, Location: http://csrc.nist.gov/groups/STM/cmvp/standards.html FIPS 180-3 Federal Information Processing Standards Publication 180-3, October 2008, Secure Hash Standard (SHS) FIPS 197 Federal Information Processing Standards Publication 197, November 26, 2001 Announcing the ADVANCED ENCRYPTION STANDARD (AES) PKCS7 RSA Laboratories, “PKCS#7 v1.5: Cryptographic Message Syntax Standard”, 1993. Location: http://www.rsa.com/rsalabs/node.asp?id=2129 PKCS3 RSA Laboratories, “PKCS#3 v1.4: Diffie-Hellman Key Agreement Standard”, 1993. Location: http://www.rsa.com/rsalabs/node.asp?id=2126 Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 4 of 28 IG NIST, “Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program”, June-29-2012 Location: http://csrc.nist.gov/groups/STM/cmvp/standards.html OS X OS X Technical Overview Location: https://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/OSX_T echnology_Overview/About/About.html SEC Security Overview Location: https://developer.apple.com/library/mac/navigation/#section=Topics&topic=Security SP800-57P1 NIST Special Publication 800-57, “Recommendation for Key Management – Part 1: General (Revised)”, March 2007 SP 800-90A NIST Special Publication 800-90, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised)”, March 2007 UG User Guide Location: https://developer.apple.com/library/mac/navigation/ 1.4 Acronyms Acronyms found in this document are defined as follows: AES Advanced Encryption Standard BS Block Size CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining mode of operation CFB Cipher Feedback mode of operation CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter mode of operation DES Data Encryption Standard DH Diffie-Hellman Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 5 of 28 DMA Direct Memory Access DRBG Deterministic Random Bit Generator DS Digest Size ECB Electronic Codebook mode of operation ECC Elliptic Curve Cryptography ECDH Diffie-Hellman based on ECC ECDSA DSA based on ECC E/D Encrypt/Decrypt EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FIPS PUB FIPS Publication GCM Galois/Counter Mode HMAC Hash-Based Message Authentication Code HW Hardware KAT Known Answer Test KEK Key Encryption Key KEXT Kernel extension KDF Key Derivation Function KO 1 TDES Keying Option 1: All three keys are independent API Kernel Programming Interface KS Key Size (Length) MAC Message Authentication Code NIST National Institute of Standards and Technology OFB Output Feedback (mode of operation) OS Operating System PBKDF Password-based Key Derivation Function PWCT Pair Wise Consistency Test Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 6 of 28 RNG Random Number Generator SHS Secure Hash Standard SW Software TDES Triple Data Encryption Standard TLS Transport Layer Security Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 7 of 28 2 Cryptographic Module Specification 2.1 Module Description The Apple OS X CoreCrypto Module, v3.0 is a software cryptographic module running on a multi- chip standalone general-purpose computing platform. The cryptographic services provided by the module are:  Data encryption / decryption  Random number generation  Generation of hash values  Key generation  Key wrapping  Signature generation / verification  Message authentication  Key derivation 2.1.1 Module Validation Level The module is intended to meet requirements of FIPS 140-2 security level 1 overall. The following table shows the security level for each of the eleven requirement areas of the validation. FIPS 140-2 Security Requirement Area Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks 1 Table 1: Module Validation Level 2.1.2 Module components In the following sections the components of the Apple OS X CoreCrypto Module, v3.0 are listed in detail. There are no components excluded from the validation testing. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 8 of 28 2.1.2.1 Software components CoreCrypto has an API layer that provides consistent interfaces to the supported algorithms. These implementations include proprietary optimizations of algorithms that are fitted into the CoreCrypto framework. 2.1.2.2 Hardware components There is an AES hardware accelerator component (AES-NI) shown in Figure 1, within the cryptographic module boundary. 2.1.3 Tested Platforms The module has been tested on the following platforms with and with AES-NI: Manufacturer Model Operating System Apple Inc. Mac mini with i5 CPU OS X 10.8 Apple Inc. iMac with i7 CPU OS X 10.8 Table 2: Tested Platforms 2.2 Modes of operation The Apple OS X CoreCrypto Module, v3.0 has an Approved and non-Approved modes of operation. The Approved mode of operation is configured in the system by default and cannot be changed. If the device boots up successfully then CoreCrypto framework has passed all self-tests and is operating in the Approved mode. Any calls to the non-Approved security functions listed in Table 4 will cause the module to assume the non-Approved mode of operation. As all keys and Critical Security Parameters (CSP) handled by the module are ephemeral and there are no keys and CSPs shared between any functions, the module transitions back into FIPS mode immediately when invoking one of the approved ciphers. A re-invocation of the self-tests or integrity tests is not required. Even when using this FIPS 140-2 non-approved mode, the module configuration ensures that the self-tests are always performed during initialization time of the module. The module contains multiple implementations of the same cipher as listed below. If multiple implementations of the same cipher are present, the module selects automatically which cipher is used based on internal heuristics. This includes the hardware-assisted AES (AES-NI) implementation. When using AES-GCM, the caller must use the module’s DRBG to generate at least 96 bits of random data that is used for the IV of AES-GCM. The caller is permitted to add additional deterministic data to that IV value in accordance with SP800-38D section 8.2.2. Users should consult SP 800-38D, especially section 8, for all of the details and requirements of using AES-GCM mode. The Approved security functions are listed in Table 3. Column four (Val. No.) lists the validation numbers obtained from NIST for successful validation testing of the implementation of the cryptographic algorithms on the platforms as shown in Table 2 under CAVP. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 9 of 28 Refer to http://csrc.nist.gov/groups/STM/cavp/index.html for the current standards, test requirements, and special abbreviations used in the following table. Approved Security Functions Cryptographic Standards Usage / Description Val. No. Function i5 i7 Triple-DES ANSIX9.52- TECB (e/d; KO 1) 1339 1340 1998, FIPS 46- TCBC (e/d; KO 1) 3, TCFB8 (e/d; KO 1) TCFB64 (e/d; KO 1) SP 800-67 TOFB (e/d; KO 1) SP 800-38A CTR (internal only) Appendix E AES FIPS 197 Generic-software implementation 2103 2104 2089 2093 (non-optimized): SP 800-38 A AES-CBC/ECB (e/d; 128, 192, 256) AES-CFB8/CFB128 (e/d; 128, 192, 256) AES-OFB (e/d; 128, 192, 256) AES-CTR (internal only; 128, 192, 256) SP 800-38 D GCM (KS: AES_128(e/d) Tag Length(s): 128, 120, 112, 104, 96, 64, 32); (KS: AES_192(e/d) Tag Length(s): 128, 120, 112, 104, 96, 64, 32); (KS: AES_256(e/d) Tag Length(s): 128, 120, 112, 104, 96, 64, 32) 2088 2092 Optimized-software implementation: AES-CBC/ECB (e/d; 128, 192, 256) AES-CFB8/CFB128 (e/d; 128, 192, 256) AES-OFB (e/d; 128, 192, 256) AES-CTR (internal only; 128, 192, 256) GCM SP 800-38 D (KS: AES_128(e/d) Tag Length(s): 128, 120, 112, 104, 96, 64, 32); (KS: AES_192(e/d) Tag Length(s): 128, 120, 112, 104, 96, 64, 32); (KS: AES_256(e/d) Tag Length(s): 128, 120, 112, 104, 96, 64, 32) AES-XTS (e/d; 128, 256) SP 800-38 E Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 10 of 28 Cryptographic Standards Usage / Description Val. No. Function i5 i7 2090 2094 Hardware implementation: AES-CBC/ECB (e/d; 128, 192, 2091 2095 256) AES-XTS (e/d; 128, 256) RSA FIPS 186-2 ALG[ANSI X9.31]: KEY(gen)(MOD: 1078 1079 ANSI X9.31 1024, 1536, 2048, 3072, 4096 PubKey Values: 3, 17, 65537) PKCS#1 v1.5 ALG[RSASSA-PKCS1-v1_5]: SIG(gen), SIG(ver): 1024, 1536, 2048, 3072, 4096, ECDSA FIPS 186-2 PKG: CURVES(P-256, P-384) 312 313 ANSI X9.62 PKV: CURVES(P-256, P-384) SIG(gen): CURVES(P-256, P-384) SIG(ver): CURVES(P-256, P-384 ) SHS FIPS 180-3 Generic-software implementation 1827 1828 (non-optimized): SHA-1 (BYTE-only) SHA-224 (BYTE-only) SHA-256 (BYTE-only) SHA-384 (BYTE-only) SHA-512 (BYTE-only) Optimized-software implementation: 1816 1818 SHA-1 (BYTE-only) 1817 1819 SHA-224 (BYTE-only) SHA-256 (BYTE-only) Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 11 of 28 Cryptographic Standards Usage / Description Val. No. Function i5 i7 HMAC FIPS 198 1278 1279 Generic-software implementation (non-optimized): HMAC-SHA-1 (KSBS) HMAC-SHA-224 (KSBS), HMAC-SHA-256 (KSBS), HMAC-SHA-384 (KSBS), HMAC-SHA-512 (KSBS), Optimized-software implementation: 1267 1269 1268 1270 HMAC-SHA-1 (KSBS) HMAC-SHA-224 (KSBS), HMAC-SHA-256 (KSBS) DRBG SP 800-90A 226 227 Generic-software implementation (non-optimized): CTR_DRBG [AES-128] Optimized-software implementation: 217 219 CTR_DRBG [AES-128] Hardware-based implementation (AES-NI instruction set): 218 220 CTR_DRBG [AES-128] PBKDF SP 800-132 Password based key derivation N/A N/A according to PKCS#5 using HMAC with SHA-1 or SHA-2 as pseudorandom function Table 3: Approved Security Functions CAVEAT: The module generates cryptographic keys whose strengths are modified by available entropy – 160-bits. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 12 of 28 Non-Approved Security Functions: Cryptographic Usage / Description Caveat Function RSA (encrypt, Key wrapping Non-Approved, but allowed: decrypt) RSAES-OAEP, RSAES-PKCS1-v1_5 RSA (Key wrapping; key establishment KS: Min 1024, Max 4096 methodology provides between 80 PKCS#1 v2.1 and 150 bits of encryption strength). RSA (sign, verify) ALG[ANSI X9.31]: SIG(gen), SIG(ver): Non-compliant 1024, 1536, 2048, 3072, 4096, SHS: SHA- 1, SHA-256, SHA-384, SHA-512 ALG[RSASSA-PKCS1-v1_5]: SIG(gen), - SIG(ver): 1024-4096 bits in multiple of 32 bits not listed in table 3 RSA (key pair ALG[ANSI X9.31]: KEY(gen)(MOD: multiple - generation) of 32 from 1024 - 4096 not listed in table 3; PublicKey Values: 65537 or larger) Diffie-Hellman Key agreement Non-Approved, but allowed: KS: Min 1024, Max 4096 Diffie-Hellman (key agreement; key establishment methodology provides ANSI X9.42, SP 800-56A between 80 and 150 bits of encryption strength). EC Diffie-Hellman Key agreement Non-Approved, but allowed: bit length of ECC subgroup order P-256, P- EC Diffie-Hellman (key agreement; key 384 establishment methodology provides ANSI X9.63, SP 800-56A 128 bits of encryption strength). DES e/d, KS: 56 bit CAST5 e/d, KS: 40 to 128 bits (but only in 8-bit increments). RC4 e/d KS: 8 to 4096 bits RC2 e/d KS: 8 to 1024 bits MD2 hashing, DS: 128 bit MD4 hashing, DS: 128 bit MD5 hashing, DS: 128 bit Non-Approved, but allowed: Used as part of the TLS key establishment scheme only RIPEMD hashing, DS: 128, 160, 256, 320 bits ECDSA PKG: CURVES(P-192, P-224, P-521) Non-compliant PKV: CURVES(P-192, P-224, P-512) SIG(gen): CURVES(P-192, P-224, P-521) SIG(ver): CURVES(P-192, P-224, P-521) Blowfish e/d BitGen1 proprietary mechanism for bit-generation BitGen2 proprietary mechanism for bit-generation BitGen3 proprietary mechanism for bit-generation OMAC (One-Key MAC generation CBC MAC) Table 4: Non-Approved Functions Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 13 of 28 The encryption strengths included in Table 4 for the key establishment methods are determined in accordance with FIPS 140-2 Implementation Guidance [IG] section 7.5 and NIST Special Publication 800-57 (Part1) [SP800-57P1]. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 14 of 28 2.3 Cryptographic Module Boundary The physical boundary of the module is the physical boundary of the OS X device that contains the module. Consequently, the embodiment of the module is a multi-chip standalone cryptographic module. The logical module boundary is depicted in the logical block diagram given in Figure 1. Figure 1: Logical Block Diagram Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 15 of 28 3 Cryptographic Module Ports and Interfaces The underlying logical interfaces of the module are the C language Application Programming Interfaces (APIs). In detail these interfaces are the following:  Data input and data output are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers. Hereafter, APIs and callable services will be referred to as “API”.  Control inputs which control the mode of the module are provided through dedicated parameters, as well as /var/db/FIPS/fips_data holding the HMAC check file.  Status output is provided in return codes and through messages. Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are documented also in the API documentation. The module is optimized for library use within the OS X user space and does not contain any terminating assertions or exceptions. It is implemented as an OS X dynamically loadable library. The dynamically loadable library is loaded into the OS X application and its cryptographic functions are made available. Any internal error detected by the module is reflected back to the caller with an appropriate return code. The calling OS X application must examine the return code and act accordingly. There are two notable exceptions: (i) ECDSA and RSA do not return a key if the pair- wise consistency test fails; (ii) the DRBG algorithm loops a few iterations internally if the continuous test fails, eventually recovering from the error or causing a shutdown if the problem persists. The function executing FIPS 140-2 module self-tests does not return an error code but causes the system to crash if any self-test fails – see Section 9. The module communicates any error status synchronously through the use of its documented return codes, thus indicating the module’s status. It is the responsibility of the caller to handle exceptional conditions in a FIPS 140-2 appropriate manner. Caller-induced or internal errors do not reveal any sensitive material to callers. Cryptographic bypass capability is not supported by the module. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 16 of 28 4 Roles, Services and Authentication This section defines the roles, services and authentication mechanisms and methods with respect to the applicable FIPS 140-2 requirements. 4.1 Roles The module supports a single instance of the two authorized roles: the Crypto Officer and the User. No support is provided for multiple concurrent operators or a Maintenance operator. Role General Responsibilities and Services (details see below) User Utilization of services of the module. Crypto Officer (CO) Utilization of services of the module. Table 5: Roles 4.2 Services The module provides services to authorized operators of either the User or Crypto Officer roles according to the applicable FIPS 140-2 security requirements. Table 6 contains the cryptographic functions employed by the module in the Approved mode. For each available service it lists, the associated role, the Critical Security Parameters (CSPs) and cryptographic keys involved, and the type(s) of access to the CSPs and cryptographic keys. CSPs contain security-related information (for example, secret and private cryptographic keys) whose disclosure or modification can compromise the main security objective of the module, namely the protection of sensitive information. The access types are denoted as follows:  ‘R’: the item is read or referenced by the service  ‘W’: the item is written or updated by the service  ‘Z’: the persistent item is zeroized by the service Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 17 of 28 Cryptographic Services Service Roles CSPs & crypto Access keys Type UC SO E R Triple-DES encryption and X X secret key R decryption AES encryption and X X secret key R decryption Secure Hash Generation X X none N/A HMAC generation X X secret R HMAC key ECDSA signature X X secret key R generation and verification W Z Random number X X Seed, Seed R generation Key, W Z random number AES key import X X secret key R Triple-DES key import X X secret key R HMAC key import X X HMAC key R RSA (key pair generation) X X Asymmetric key R pair W Z Diffie-Hellman Key XX Asymmetric R W agreement keys and secret session key EC Diffie-Hellman Key XX Asymmetric R W agreement keys and secret session key PBKDF Password-based XX Secret key, R key derivation password W Z Release all resources of X X AES/Triple-DES Z symmetric crypto function key context Release all resources of X X HMAC key Z hash context Release of all resources of X X Asymmetric Z Diffie-Hellman context for keys Diffie-Hellman and EC (RSA/ECDSA) Diffie-Hellman and secret session key (AES/Triple- DES) Release of all resources of X X RSA/ECDSA Z asymmetric crypto keys function context Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 18 of 28 Service Roles CSPs & crypto Access keys Type UC SO E R Self-test X X N/A N/A Software R integrity key (Public RSA key) Show Status X X None N/A Table 6: Services and Roles 4.3 Operator authentication Within the constraints of FIPS 140-2 level 1, the module does not implement an authentication mechanism for operator authentication. The assumption of a role is implicit in the action taken. The module relies upon the operating system for any operator authentication. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 19 of 28 5 Physical Security The Apple OS X CoreCrypto Module, v3.0 is intended to operate on a multi-chip standalone platform. The device is comprised of production grade components and a production grade enclosure. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 20 of 28 6 Operational Environment The following sections describe the operational environment of the Apple OS X CoreCrypto Module, v3.0. 6.1 Applicability The Apple OS X CoreCrypto Module, v3.0 operates in a modifiable operational environment per FIPS 140-2 level 1 specifications. It is part of OS X 10.8, a commercially available general-purpose operating system executing on the hardware specified in section 2.1.3. 6.2 Policy The operating system is restricted to a single operator (i.e. concurrent operators are explicitly excluded). When the operating system loads the module into memory, it invokes the FIPS Self-Test functionality, which in turn runs the mandatory FIPS 140-2 tests. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 21 of 28 7 Cryptographic Key Management The following section defines the key management features available through the Apple OS X CoreCrypto Module, v3.0. 7.1 Random Number Generation A FIPS 140-2 approved deterministic random bit generator based on a block cipher as specified in NIST SP 800-90A is used. It is a CTR_DRBG using AES-128 in counter mode. The deterministic random bit generator is seeded by /dev/random. The /dev/random generator is a true random number generator that obtains entropy from interrupts generated by the devices and sensors attached to the system and maintains an entropy pool. The TRNG feeds entropy from the pool into the DRBG on demand. The TRNG provides 160-bits of entropy. 7.2 Key / CSP Generation The following approved key generation methods are used by the module:  The Approved RNG specified in section 7.1 is used to generate cryptographic secret keys for symmetric key algorithms (AES, Triple-DES) and Message authentication (HMAC).  The module provides PBKDF-based key generation services in the Approved mode  The Approved DRBG specified in section 7.1 is used to generate secret asymmetric keys for the ECDSA and RSA algorithm. It is not possible for the module to output information during the key generating process. The RNG itself is single-threaded. The cryptographic strength of the 192 and 256 bit AES keys as well as the ECDSA keys for the curve P-384, as modified by the available entropy, is limited to 160-bits. 7.3 Key / CSP Establishment The module provides Diffie-Hellman- and EC Diffie-Hellman-based key establishment services in the Approved mode. The module provides key establishment services in the Approved mode through the PBKDFv2 algorithm. The PBKDFv2 function is provided as a service and returns the key derived from the provided password to the caller. The caller shall observe all requirements and should consider all recommendations specified in SP800-132 with respect to the strength of the generated key, including the quality of the password, the quality of the salt as well as the number of iterations. The implementation of the PBKDFv2 function requires the user to provide this information. 7.4 Key / CSP Entry and Output All keys are imported from, or output to, the invoking application running on the same device. All keys entered into the module are electronically entered in plain text form. Keys are output from the module in plain text form if required by the calling application. The same holds for the CSPs. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 22 of 28 7.5 Key / CSP Storage The Apple OS X CoreCrypto Module, v3.0 considers all keys in memory to be ephemeral. They are received for use or generated by the module only at the command of the calling application. The same holds for CSPs. The module protects all keys, secret or private, and CSPs through the memory protection mechanisms provided by the operating system. No process can read the memory of another process. 7.6 Key / CSP Zeroization Keys and CSPs are zerorized when the appropriate context object is destroyed or when the system is powered down. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 23 of 28 8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) The EMI/EMC properties of the CoreCrypto KEXT are not meaningful for the software library. The devices containing the software components of the module have their own overall EMI/EMC rating. The validation test environments have FCC Class B rating. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 24 of 28 9 Self-Tests FIPS 140-2 requires that the module perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality at start up. In addition, the random bit generator requires continuous verification. The FIPS Self-Tests application runs all required module self-tests. This application is invoked by the OS X boot process upon device startup. The execution of an independent application for invoking the self-tests in the libcorecrypto.dylib makes use of features of the OS X architecture: the module, implemented in libcorecrypto.dylib, is linked by libcommoncrypto.dylib which is linked by libSystem.dylib. The libSystem.dylib is a library that must be loaded into every application for operation. The operating system ensures that there is a strict CSP separation between the instances used by each application. All self-tests performed by the module are listed and described in this section. 9.1 Power-Up Tests The following tests are performed each time the Apple OS X CoreCrypto Module, v3.0 starts and must be completed successfully for the module to operate in the FIPS approved mode. If any of the following tests fails the device fails to boot. To invoke the self-tests on demand, the user may reboot the system. 9.1.1 Cryptographic Algorithm Tests Algorithm Modes Test Triple-DES CBC KAT (Known Answer Test) Generic-software implementation (non- CBC KAT optimized): Separate encryption /decryption AES-128, AES-192, AES-256 operations are performed Optimized-software implementation: CBC KAT AES-128, AES-192, AES-256 Separate encryption /decryption operations are performed Generic-software implementation (non- GCM KAT optimized): Separate encryption /decryption AES-128, AES-192, AES-256 operations are performed Optimized-software implementation: AES- GCM KAT 128, AES-192, AES-256 Separate encryption /decryption operations are performed Hardware implementations: CBC, ECB, XTS KAT AES-128, AES-192, AES-256 Separate encryption /decryption operations are performed DRBG N/A KAT Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 25 of 28 SHA-1, SHA-224, SHA-256, SHA-384, N/A KAT SHA-512 HMAC N/A KAT KAT, pair-wise consistency RSA SIG(ver), SIG(gen) checks Encrypt/decrypt ECDSA SIG(ver), SIG(gen) KAT, pair-wise consistency checks Table 7: Cryptographic Algorithm Tests 9.1.2 Software / Firmware Integrity Tests A software integrity test is performed on the runtime image of the Apple OS X CoreCrypto Module, v3.0. The CoreCrypto’s HMAC-SHA256 is used as an Approved algorithm for the integrity test. If the test fails, then the device powers itself off. 9.1.3 Critical Function Tests No other critical function test is performed on power up. 9.2 Conditional Tests The following sections describe the conditional tests supported by the Apple OS X CoreCrypto Module, v3.0. 9.2.1 Continuous Random Number Generator Test The Apple OS X CoreCrypto Module, v3.0 performs a continuous random number generator test, whenever CTR_DRBG is invoked. 9.2.2 Pair-wise Consistency Test The Apple OS X CoreCrypto Module, v3.0 does generate asymmetric keys and performs all required pair-wise consistency tests, the signature verification tests, with the newly generated key pairs. 9.2.3 SP 800-90A Assurance Tests The Apple OS X CoreCrypto Kernel Module performs a subset of the assurance tests as specified in section 11 of SP 800-90A, in particular it complies with the mandatory documentation requirements and performs know-answer tests and prediction resistance. 9.2.4 Critical Function Test No other critical function test is performed conditionally. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 26 of 28 10 Design Assurance 10.1 Configuration Management Apple manages and records source code and associated documentation files by using the revision control system called “Git”. The Apple module hardware data, which includes descriptions, parts data, part types, bills of materials, manufacturers, changes, history, and documentation are managed and recorded. Additionally, configuration management is provided for the module’s FIPS documentation. The following naming/numbering convention for documentation is applied. _____ Example: FIPS_CORECRYPTO_OSX_US_SECPOL_01.01 Document management utilities provide access control, versioning, and logging. Access to the Git repository (source tree) is granted or denied by the server administrator in accordance with company and team policy. 10.2 Delivery and Operation The CoreCrypto is built into OS X. For additional assurance, it is digitally signed. The Mountain Lion (10.8) operating system requires that the FIPS Administration installer (http://support.apple.com/kb/HT5396) be downloaded and installed for proper configuration of the Approved mode. 10.3 Development The Apple crypto module (like any other Apple software) undergoes frequent builds utilizing a“train”philosophy. Source code is submitted to the Build and Integration group (B & I). B & I builds, integrates and does basic sanity checking on the operating systems and apps that they produce. Copies of older versions are archived offsite in underground granite vaults. 10.4 Guidance The following guidance items are to be used for assistance in maintaining the module’s validated status while in use. 10.4.1 Cryptographic Officer Guidance The Approved mode of operation is configured in the system by default and cannot be changed. If the device boots up successfully then CoreCrypto has passed all self-tests and is operating in the Approved mode. 10.4.2 User Guidance The Approved mode of operation is configured in the system by default and cannot be changed. If the device boots up successfully then CoreCrypto has passed all self-tests and is operating in the Approved mode. Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 27 of 28 11 Mitigation of Other Attacks The module protects against the utilization of known Triple-DES weak keys. The following keys are not permitted: {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE}, {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1}, {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01}, {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E}, {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01}, {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E}, {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01}, {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1} Last update: 2013-06-05 ©2013 Apple Inc. Version: 01.04 Document Id: FIPS_CORECRYPTO_OSX_US_SECPOL_01.04 Page 28 of 28