Even the Federal Government Won't Buy Apple Products That Don't Meet Encryption Standards

There's been much fuss lately about the desire by the FBI to be able to break into any iPhone it needs to. But the FBI is just one government agency. The interesting backstory here is that the Federal Government, in general, won't buy products that don't meet certain cryptographic standards. It's called FIPS 140-2 certification, and Apple has just announced that the cryptographic modules in iOS 9 and OS X 10.11 have obtained that validation. It's delicious irony.

From Wikipedia: "The Federal Information Processing Standard (FIPS) Publication 140-2 ... is a U.S. government computer security standard used to accredit cryptographic modules.

Why is FIPS 140-2 important in this case? Symantec explains.

There are many reasons why a product requires FIPS 140-2 validation, and the compelling one is regulatory. FIPS 140-2 evaluation is required for sale of products implementing cryptography to the Federal Government. If you don't have a certificate or at least demonstrate a commitment to obtaining one, then there is a good chance that you won't be able to sell your product in this key market.

While Apple doesn't have a predominant position when it comes to the sale of computers to the Federal Government, it does sell a significant number of Macs—as well as iPhones. It's enough that it constitutes a small but important part of Apple's overall revenue.

Apple's FIPS 140-2 Certification Statement

Recently, Apple made the following announcement.

Apple is pleased to announce the FIPS 140-2 Level 1 Validations for the two Cryptographic Modules used by both iOS 9 & OS X El Capitan v10.11 were all completed! (3/29/16; 4/05/16)

Knowledge Base References

There are Apple Support Knowledge Base Articles for iOS and OS X resources relating to ALL Validations and Certifications including FIPS 140-2, Common Criteria Certification, [link added by author] Security Guidance Resources, and requesting Volatility Statements....

iOS product security: Validations and guidance

OS X: Security certifications and validations

This topic, including the Common Criteria Certification, is a vast, technical area, and there are many nuances and complications beyond the scope of this introductory article. For example, Apple's certification of what's called "cryptographic erase" comes into play for classified material (or even private data). Another is that the recent Apple certification is only for "Level 1" which does not cover tamper resistance (Level 3) or physical security around the cryptographic module (Level 4). What's interesting, however, is that:

1. Apple has been working to secure its systems and comply with the applicable government security and cryptographic standards for quite some time. For example, I wrote about it in 2010. "Apple Announces Common Criteria Certification for Snow Leopard."

2. Even as the Apple vs. FBI conflict raged on, Apple was about the formal business of certifying its products, as it always has, for the FIPS 140-2 standard in recognition of the government's (and other organization's) need for secure and auditable systems.

And so, even as one government agency charged with law enforcement is eager to have the ability to access secured iPhones, other government agencies, for many years, have demanded that if Apple is going to sell products to them, they must meet certain cryptographic standards.

The contrast and conflict between two seemingly opposed needs, even if not on a strictly equivalent technical level, is most interesting and is worth monitoring, especially in light of pending Congressional legislation.

Resources

1. Email: Security Certification at Apple

2. Apple list server for product security matters.