![]() The table below shows the 2020–2022 cryptographic modules that are currently being tested by the laboratory for conformance with FIPS 140-3. They are listed on the Modules in Process List. MacOS 11 Big Sur user space, kernel space, and secure key store have completed laboratory testing and have been recommended by the laboratory to the CMVP for validation. They are listed on the Implementation Under Test List and, when testing is complete, on the Modules in Process List. MacOS 12 Monterey user space, kernel space, and secure key store are undergoing laboratory testing. MacOS 13 Ventura user space, kernel space, and secure key store are undergoing laboratory testing. For more information, see the apple_ssh_and_fips man page in macOS 12.0.1 or later. Administrators can also create their own files. MacOS then uses these files to limit the ciphers available to OpenSSH to only those which have been validated by NIST and ensures that the OpenSSH client uses the platform-provided, validated cryptographic module. The installer places two files on the Mac:įips_ssh_config: Placed in /private/etc/ssh/ssh_config.d/įips_sshd_config: Placed in /private/etc/ssh/sshd_config.d/ OpenSSH can be configured to use FIPS 140-3 validated modules for select FIPS 140-3 algorithms.Organizations can run a signed and notarized installer that is available from Apple with the password FIPS140Mode. For information about T2 chip certifications see Apple T2 Security Chip security certifications. I do not rule out that a FIPS 140-2 validation of that applet could be obtained, such that it would then be correct to tell that the RSA key pair was generated in a FIPS 140-2 validated environment.Note: Apple T2 Security chips are included in many Intel-based Mac computers. However a (less trivial) Java Card applet could " securely generate RSA key pair (with) access to private exponent in order to process it further" (as asked), for some definition of process like encryption of the private key under a master public key (a form of key escrow). " firmware loaded into this module (.) requires a separate FIPS 140-2 validation" where my reading is that this sentence applies to Java Card applets.accordingly the FIPS 140-2 level 3 certificate does not cover " operation environment"." The module is a limited operational environment under the FIPS 140-2 definitions".That's not enough to pretend that the key was generated in a FIPS 140-2 compliant environment, because the security policy mentions Such key would be for a FIPS-approved algorithm (certs# 1506-1507), and generated according to FIPS 186-4, as attested by a FIPS 140-2 level 3 certificate. A trivial Java Card applet runnign in that Smart Card's Java Card Virtual Machine can generate such RSA key, and export the private key, in clear if you want that. Here is the one on top of the list at time of writing. Several recent Java Card Smart Cards can internally generate RSA-2048 key pairs per FIPS 186-4, with security policy and FIPS 140-2 level 3 certificate to attest that. ![]() FIPS 140-2 specifies conditions applicable to the environment of RSA (and other) key generation, and refers to FIPS 186-4 for the generation itself.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |