FIPS 140 refers to the certification of the cryptographic module. Basically the encryption functions operate correctly and feature a basic set of algorithms. The goal of the standard is to fight against the fake/poorly implemented encryption that was prevalent during the early days of commercial cryptography. A certified module means that when you ask it to encrypt something with AES 256, you have assurance that it really encrypted properly.
It doesn't vouch for the security or design of the rest of the device or platform. For that, you have Common Criteria. As an example, the security disaster that was Windows XP had a FIPS 140 certification, as has OS X for a while. The key being that the BlackBerry system is Common Criteria EAL 4+.
Usually there is little need to change the crypto library, CoreCrypto in Apple's case, so they are left unchanged for many versions to avoid the time and expense of recertification.
Not all of this is correct. FIPS 140-2 validation is for the crypto module but it includes how it operates on specific types of equipment. Apple had to specify the models of hardware it was tested on. Therefore, they received validation for both the iPhone and iPad versions. To update the author, Apple received validation on iOS7 in November (ref: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm). The actual encryption algorithms Apple uses are approved before their CoreCrypto modules are approved (a module is a collection of algorithms for a specific use on specific hardware).
As for the antiquated Common Criteria (CC), this was never for anyone other than the manufacturers to get government approval to sell their product. My information from various manufacturers is that CC is worthless and doesn't really demonstrate anything.
Your last paragraph is not true. CoreCrypto was new to iOS6 and required wholesale changes to Apple cryptographic modules. iOS7 had some more changes and still required re-validation. Apple choose not to get approval on every version because NIST and their test labs took so long to finish their work that they were usually at least one version behind before Apple was ready to release the latest version. Apple continuously refines their cryptographic modules.
As for Blackberry use by the President, this make sense. First, the Secret Service already has all the equipment in place and it works. I also bet the President is using an older model of phone because it still works and everyone else has it. The Blackberry is also the only mobile phone system that is current approved for classified conversations (last I was able to check). The iPhone and (ugh) Android phones have not received this approval. This is because Blackberry has a very good system (it's just their phones that are behind). This could change in the future but it will take effort on our government's part to fund the necessary work to provide a good iPhone system for classified conversations. I don't believe the latest Blackberry server options for iOS devices include enough to use iPhones as classified phones.
disclaimer: I just retired after working for a government contractor for a long time and the information I have stated comes from years of working to get Apple devices approved for operation at our facility. Of course, all it took was a few senior managers who wanted iPhones and iPads to force our Microsoft-centric IT staff to actually do something for Apple products.
Is this one of those "end of year" stories where we look back at the news from 5 years ago? I realize that it's good click-bait for political haters, but what else is this story meant to accomplish?
I'd say it's more about the security of the iPhone than Obama. Must be other people who are not allowed to use it as well... unless they are all named Obama.
Yeah it is - it's just the way they've written the article - neither Obama or Apple need to be in it. Otherwise it's about Obama can't have an iPhone because..... Intimating he wants one.
So does this article mean he wants an iPhone .....or just meaningless article - I mean it could have been Obama can't use an HTC on the equivalent HTC insider site.....or any other phone lol. Obama can't use a land line...,Obama can't use a pay phone. How about fisher price?
George took the fisher price phone when he moved out in 2009!
Having secure devices for usage in high security domain needs a lot of research and analysis of how the devices work. Blackberry was built with security in mind, it was their number one priority, so I'm not surprised that the iPhone, even with its security, is less secure for that use. The platform may also be harder to adapt to what they need.
At first I was kind of like this does not make sense the iphone has to be as good if not better then the BB. However, I suspect secure of the actual phone is not the issue.
I worked for a company who made Video conferencing equipment and the US government was one of our largest customers as one would expect. Our products had a feature which we refer to as the KGB Feature. It was a hidden feature which was only given to the our security minded government customers. What this thing did to the best of my understanding was to encrypted everything. Our product interface with a hardware box which encrypted all the communications from one of our systems to another system. When you made a video call the call would go into this box then this box would set up a secure connect to the other end then encrypt everything in real time. If someone was somehow sitting in the middle trying to listen or capture the communications they could not since it was all encrypted. The feature in our box allowed the connect to the KGB box and had special timing to allow the KGB box to do it thing and establish the connection.
I suspect that the BB has some sort of hardware/software feature they put on that allows all the communications between the president and others to be encrypted in real time. Not that could not do this with an iphone but it take lots of time to ensure it works properly. With our Video Conferencing products, it would take 6 months to a year for them to do all their testing before they were certify our hardware and software to be used in their secure communications next work. Once they had a working solution they never would upgrade that is for sure.
I set an iPad up for our Prime Minister (New Zealand) to use.
There was a ruckus when politicians complained that Parliamentary Services wouldn't allow iOS devices to connect to their Exchange server but a word from the PM meant PS had to look into it, finally allowing it after many reports were showing iOS to be one of the most secure platforms.
If he wanted iOS devices Obama could force the issue... unless it's true that the American president doesn't actually have any real power to do anything.
What an inflammatory piece of yellow journalism. Being able to pose with an iPhone does not make you tech savvy. Obama has demonstrated a remarkable ability to not grasp technology nor the business world.
HA, you think the business world is tech savvy? 17 years of working in corporate IT and I have yet to see any evidence that big business understand technology.
Hell, just look at all the negative reports about Apple to see how poorly the business world understands technology.
I set an iPad up for our Prime Minister (New Zealand) to use.
There was a ruckus when politicians complained that Parliamentary Services wouldn't allow iOS devices to connect to their Exchange server but a word from the PM meant PS had to look into it, finally allowing it after many reports were showing iOS to be one of the most secure platforms.
If he wanted iOS devices Obama could force the issue... unless it's true that the American president doesn't actually have any real power to do anything.
Finally getting his appointments passed after 6 years in office would support the *unless it's true that the American president doesn't actually have any real power to do anything.* Cheney/Bush had some power because they used the NSA for what it was intended; extortion and blackmail.
Not all of this is correct. FIPS 140-2 validation is for the crypto module but it includes how it operates on specific types of equipment. Apple had to specify the models of hardware it was tested on.
Your last paragraph is not true. CoreCrypto was new to iOS6 and required wholesale changes to Apple cryptographic modules. iOS7 had some more changes and still required re-validation. Apple choose not to get approval on every version because NIST and their test labs took so long to finish their work that they were usually at least one version behind before Apple was ready to release the latest version. Apple continuously refines their cryptographic modules.
Not all of this is correct. It is well known that Apple uses hardware acceleration on their cryptography. That's why there's a separate certification which is dependent on the hardware. Pure software-only solutions (see Apple FIPS Cryptographic Module) are tested on certain types of hardware but cover more than the one hardware configuration that they were tested on. The key for these implementations is their integrity self-tests.
Your last paragraph is also incorrect. Of course Apple has to recertify their crypto module when they make changes, but they have never made changes within a point release. See OpenSSL, a lot of Linux distros still use 0.9.8 because it was FIPS validated and changing to a newer version = more work = more cost.
why isn't he getting the latest BB device that looks and kind of functions like an iPhone? isn't that secure?
so the iPhone is not secure, but the iPad the president has, that runs the same iOS software as the iPhone, is secure enough that he's allowed to use..
There are a couple of secure iPad and iPhone apps used in the DoD and Federal Government -- Thursby PKard Reader and PKard Mail. PKard stands for Public Key card, which means a U.S. Government CAC or PIV card is leveraged for strong two factor authentication and FIPS 140-2 encryption.
The Executive Branch consists of more than the just the President and what goes for smart phones does not necessarily apply to tablets.
The article is quite correct in pointing to various layers of security and that certification can't follow product life cycles that are as fast as Apple's.
What an inflammatory piece of yellow journalism. Being able to pose with an iPhone does not make you tech savvy. Obama has demonstrated a remarkable ability to not grasp technology nor the business world.
Yes, as we know the real tech savvy ones are on androids.
He does not use a standard BB device. It was heavily modified, by an outside firm if I remember correctly and only resembles the original, just like the "Cadillac" that he rides in.
Comments
FIPS 140 refers to the certification of the cryptographic module. Basically the encryption functions operate correctly and feature a basic set of algorithms. The goal of the standard is to fight against the fake/poorly implemented encryption that was prevalent during the early days of commercial cryptography. A certified module means that when you ask it to encrypt something with AES 256, you have assurance that it really encrypted properly.
It doesn't vouch for the security or design of the rest of the device or platform. For that, you have Common Criteria. As an example, the security disaster that was Windows XP had a FIPS 140 certification, as has OS X for a while. The key being that the BlackBerry system is Common Criteria EAL 4+.
Usually there is little need to change the crypto library, CoreCrypto in Apple's case, so they are left unchanged for many versions to avoid the time and expense of recertification.
Not all of this is correct. FIPS 140-2 validation is for the crypto module but it includes how it operates on specific types of equipment. Apple had to specify the models of hardware it was tested on. Therefore, they received validation for both the iPhone and iPad versions. To update the author, Apple received validation on iOS7 in November (ref: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm). The actual encryption algorithms Apple uses are approved before their CoreCrypto modules are approved (a module is a collection of algorithms for a specific use on specific hardware).
As for the antiquated Common Criteria (CC), this was never for anyone other than the manufacturers to get government approval to sell their product. My information from various manufacturers is that CC is worthless and doesn't really demonstrate anything.
Your last paragraph is not true. CoreCrypto was new to iOS6 and required wholesale changes to Apple cryptographic modules. iOS7 had some more changes and still required re-validation. Apple choose not to get approval on every version because NIST and their test labs took so long to finish their work that they were usually at least one version behind before Apple was ready to release the latest version. Apple continuously refines their cryptographic modules.
As for Blackberry use by the President, this make sense. First, the Secret Service already has all the equipment in place and it works. I also bet the President is using an older model of phone because it still works and everyone else has it. The Blackberry is also the only mobile phone system that is current approved for classified conversations (last I was able to check). The iPhone and (ugh) Android phones have not received this approval. This is because Blackberry has a very good system (it's just their phones that are behind). This could change in the future but it will take effort on our government's part to fund the necessary work to provide a good iPhone system for classified conversations. I don't believe the latest Blackberry server options for iOS devices include enough to use iPhones as classified phones.
disclaimer: I just retired after working for a government contractor for a long time and the information I have stated comes from years of working to get Apple devices approved for operation at our facility. Of course, all it took was a few senior managers who wanted iPhones and iPads to force our Microsoft-centric IT staff to actually do something for Apple products.
Pesky NSA making O feel unsafe.
Yeah it is - it's just the way they've written the article - neither Obama or Apple need to be in it. Otherwise it's about Obama can't have an iPhone because..... Intimating he wants one.
What does Putin use?
He beams his thoughts directly into the heads of his subordinates.
So does this article mean he wants an iPhone .....or just meaningless article - I mean it could have been Obama can't use an HTC on the equivalent HTC insider site.....or any other phone lol. Obama can't use a land line...,Obama can't use a pay phone. How about fisher price?
George took the fisher price phone when he moved out in 2009!
(sorry, couldn't resist)
Henchmen.
At first I was kind of like this does not make sense the iphone has to be as good if not better then the BB. However, I suspect secure of the actual phone is not the issue.
I worked for a company who made Video conferencing equipment and the US government was one of our largest customers as one would expect. Our products had a feature which we refer to as the KGB Feature. It was a hidden feature which was only given to the our security minded government customers. What this thing did to the best of my understanding was to encrypted everything. Our product interface with a hardware box which encrypted all the communications from one of our systems to another system. When you made a video call the call would go into this box then this box would set up a secure connect to the other end then encrypt everything in real time. If someone was somehow sitting in the middle trying to listen or capture the communications they could not since it was all encrypted. The feature in our box allowed the connect to the KGB box and had special timing to allow the KGB box to do it thing and establish the connection.
I suspect that the BB has some sort of hardware/software feature they put on that allows all the communications between the president and others to be encrypted in real time. Not that could not do this with an iphone but it take lots of time to ensure it works properly. With our Video Conferencing products, it would take 6 months to a year for them to do all their testing before they were certify our hardware and software to be used in their secure communications next work. Once they had a working solution they never would upgrade that is for sure.
There was a ruckus when politicians complained that Parliamentary Services wouldn't allow iOS devices to connect to their Exchange server but a word from the PM meant PS had to look into it, finally allowing it after many reports were showing iOS to be one of the most secure platforms.
If he wanted iOS devices Obama could force the issue... unless it's true that the American president doesn't actually have any real power to do anything.
What an inflammatory piece of yellow journalism. Being able to pose with an iPhone does not make you tech savvy. Obama has demonstrated a remarkable ability to not grasp technology nor the business world.
HA, you think the business world is tech savvy? 17 years of working in corporate IT and I have yet to see any evidence that big business understand technology.
Hell, just look at all the negative reports about Apple to see how poorly the business world understands technology.
I set an iPad up for our Prime Minister (New Zealand) to use.
There was a ruckus when politicians complained that Parliamentary Services wouldn't allow iOS devices to connect to their Exchange server but a word from the PM meant PS had to look into it, finally allowing it after many reports were showing iOS to be one of the most secure platforms.
If he wanted iOS devices Obama could force the issue... unless it's true that the American president doesn't actually have any real power to do anything.
Finally getting his appointments passed after 6 years in office would support the *unless it's true that the American president doesn't actually have any real power to do anything.* Cheney/Bush had some power because they used the NSA for what it was intended; extortion and blackmail.
Not all of this is correct. FIPS 140-2 validation is for the crypto module but it includes how it operates on specific types of equipment. Apple had to specify the models of hardware it was tested on.
Your last paragraph is not true. CoreCrypto was new to iOS6 and required wholesale changes to Apple cryptographic modules. iOS7 had some more changes and still required re-validation. Apple choose not to get approval on every version because NIST and their test labs took so long to finish their work that they were usually at least one version behind before Apple was ready to release the latest version. Apple continuously refines their cryptographic modules.
Not all of this is correct. It is well known that Apple uses hardware acceleration on their cryptography. That's why there's a separate certification which is dependent on the hardware. Pure software-only solutions (see Apple FIPS Cryptographic Module) are tested on certain types of hardware but cover more than the one hardware configuration that they were tested on. The key for these implementations is their integrity self-tests.
Your last paragraph is also incorrect. Of course Apple has to recertify their crypto module when they make changes, but they have never made changes within a point release. See OpenSSL, a lot of Linux distros still use 0.9.8 because it was FIPS validated and changing to a newer version = more work = more cost.
why isn't he getting the latest BB device that looks and kind of functions like an iPhone? isn't that secure?
so the iPhone is not secure, but the iPad the president has, that runs the same iOS software as the iPhone, is secure enough that he's allowed to use..
Isn't that stupid?
The iPad doesn't need to be connected. Duh!
The Executive Branch consists of more than the just the President and what goes for smart phones does not necessarily apply to tablets.
The article is quite correct in pointing to various layers of security and that certification can't follow product life cycles that are as fast as Apple's.
What an inflammatory piece of yellow journalism. Being able to pose with an iPhone does not make you tech savvy. Obama has demonstrated a remarkable ability to not grasp technology nor the business world.
Yes, as we know the real tech savvy ones are on androids.
He does not use a standard BB device. It was heavily modified, by an outside firm if I remember correctly and only resembles the original, just like the "Cadillac" that he rides in.
You’re right. “Leader of the world” makes a lot more sense.