| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim validation. When operated in approved mode |
| Vendor | Apple Inc. |
| Requirement area | Level |
|---|---|
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
flowchart LR
%% Deterministic review-risk graph for Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test<br/>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test<br/>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Apple Inc. Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Document Version 2.0 December 2024 Prepared by: Lightship Security Inc. 1101-150 Isabella Street, Ottawa, ON, K1S 1V7 www.lightshipsec.com This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Trademarks Apple's trademarks applicable to this document are listed in https://www.apple.com/legal/intellectualproperty/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Contents 1. 2. 3. 4. 5. 6. 4.1 4.2 5.1 5.2 6.1 7. 8. 9. 9.1 9.2 9.3 9.4 9.5 9.6 10.1 10.2 10.3 11.1 11.2 This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Tables This document may be reproduced and distributed only in its original entirety without revision.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]
| Name | Operating System | Hardware Platform | Processor | Paa Pai | |
|---|---|---|---|---|---|
| 1 | macOS Ventura v13 | MacBook Air (2022) | Intel i5 (Amber Lake) | PAA | 1 |
| 2 | macOS Ventura v13 | MacBook Air (2022) | Intel i7 (Ice Lake) | PAA | 2 |
| 3 | macOS Ventura v13 | MacBook Pro (2022) | Intel i7 (Coffee Lake) | PAA | 3 |
| 4 | macOS Ventura v13 | iMac (2022) | Intel i7 (Comet Lake) | PAA | 4 |
| 5 | macOS Ventura v13 | MacBook Pro (2022) | Intel i9 (Coffee Lake) | PAA | 5 |
| 6 | macOS Ventura v13 | iMac Pro (2022) | Xeon W SkyLake | PAA | 6 |
| 7 | macOS Ventura v13 | Mac Pro (2022) | Xeon W Cascade Lake | PAA | 7 |
| 8 | macOS Ventura v13 | Mac Pro (2022) | Intel i5 (Coffee Lake) | PAA | 8 |
| 9 | macOS Ventura v13 | MacBook Air (2022) | Intel i5 (Amber Lake) | No | 9 |
| 10 | macOS Ventura v13 | MacBook Air (2022) | Intel i7 (Ice Lake) | No | 10 |
| 11 | macOS Ventura v13 | MacBook Pro (2022) | Intel i7 (Coffee Lake) | No | 11 |
| 12 | macOS Ventura v13 | iMac (2022) | Intel i7 (Comet Lake) | No | 12 |
| 13 | macOS Ventura v13 | MacBook Pro (2022) | Intel i9 (Coffee Lake) | No | 13 |
| 14 | macOS Ventura v13 | iMac Pro (2022) | Xeon W SkyLake | No | 14 |
| 15 | macOS Ventura v13 | Mac Pro (2022) | Xeon W Cascade Lake | No | 15 |
| 16 | macOS Ventura v13 | Mac Pro (2022) | Intel i5 (Coffee Lake) | No | 16 |
| 1 | macOS Ventura v13 | MacBook Pro - i5 (Ice Lake), 2021, 2020 | 1 | ||
| 2 | macOS Ventura v13 | MacBook Pro - i5 (Coffee Lake), 2021, 2020, 2019, 2018 | 2 | ||
| 3 | macOS Ventura v13 | MacBook Pro - i7 (Amber Lake), 2021, 2019, 2018 | 3 | ||
| 4 | macOS Ventura v13 | MacBook Pro - i7 (Coffee Lake), 2021, 2020, 2019, 2018 | 4 | ||
| 5 | macOS Ventura v13 | MacBook Pro - i7 (Ice Lake), 2021, 2020 | 5 | ||
| 6 | macOS Ventura v13 | MacBook Pro - i9 (Coffee Lake), 2021, 2019, 2018 | 6 | ||
| 7 | macOS Ventura v13 | MacBook Air - i5 (Ice Lake), 2021, 2020 | 7 | ||
| 8 | macOS Ventura v13 | MacBook Air - i7 (Ice Lake), 2021, 2020 | 8 | ||
| 9 | macOS Ventura v13 | MacBook Air - i5 (Amber Lake), 2021, 2019, 2018 | 9 | ||
| 10 | macOS Ventura v13 | MacBook Air - i7 (Amber Lake), 2021, 2018 | 10 | ||
| 11 | macOS Ventura v13 | Mac mini - i5 (Coffee Lake), 2021, 2018 | 11 | ||
| 12 | macOS Ventura v13 | Mac mini - i7 (Coffee Lake), 2021, 2018 | 12 |
| Name | Operating System | Hardware Platform | Processor | Paa Pai | |
|---|---|---|---|---|---|
| 1 | macOS Ventura v13 | MacBook Air (2022) | Intel i5 (Amber Lake) | PAA | 1 |
| 2 | macOS Ventura v13 | MacBook Air (2022) | Intel i7 (Ice Lake) | PAA | 2 |
| 3 | macOS Ventura v13 | MacBook Pro (2022) | Intel i7 (Coffee Lake) | PAA | 3 |
| 4 | macOS Ventura v13 | iMac (2022) | Intel i7 (Comet Lake) | PAA | 4 |
| 5 | macOS Ventura v13 | MacBook Pro (2022) | Intel i9 (Coffee Lake) | PAA | 5 |
| 6 | macOS Ventura v13 | iMac Pro (2022) | Xeon W SkyLake | PAA | 6 |
| 7 | macOS Ventura v13 | Mac Pro (2022) | Xeon W Cascade Lake | PAA | 7 |
| 8 | macOS Ventura v13 | Mac Pro (2022) | Intel i5 (Coffee Lake) | PAA | 8 |
| 9 | macOS Ventura v13 | MacBook Air (2022) | Intel i5 (Amber Lake) | No | 9 |
| 10 | macOS Ventura v13 | MacBook Air (2022) | Intel i7 (Ice Lake) | No | 10 |
| 11 | macOS Ventura v13 | MacBook Pro (2022) | Intel i7 (Coffee Lake) | No | 11 |
| 12 | macOS Ventura v13 | iMac (2022) | Intel i7 (Comet Lake) | No | 12 |
| 13 | macOS Ventura v13 | MacBook Pro (2022) | Intel i9 (Coffee Lake) | No | 13 |
| 14 | macOS Ventura v13 | iMac Pro (2022) | Xeon W SkyLake | No | 14 |
| 15 | macOS Ventura v13 | Mac Pro (2022) | Xeon W Cascade Lake | No | 15 |
| 16 | macOS Ventura v13 | Mac Pro (2022) | Intel i5 (Coffee Lake) | No | 16 |
| 1 | macOS Ventura v13 | MacBook Pro - i5 (Ice Lake), 2021, 2020 | 1 | ||
| 2 | macOS Ventura v13 | MacBook Pro - i5 (Coffee Lake), 2021, 2020, 2019, 2018 | 2 | ||
| 3 | macOS Ventura v13 | MacBook Pro - i7 (Amber Lake), 2021, 2019, 2018 | 3 | ||
| 4 | macOS Ventura v13 | MacBook Pro - i7 (Coffee Lake), 2021, 2020, 2019, 2018 | 4 | ||
| 5 | macOS Ventura v13 | MacBook Pro - i7 (Ice Lake), 2021, 2020 | 5 | ||
| 6 | macOS Ventura v13 | MacBook Pro - i9 (Coffee Lake), 2021, 2019, 2018 | 6 | ||
| 7 | macOS Ventura v13 | MacBook Air - i5 (Ice Lake), 2021, 2020 | 7 | ||
| 8 | macOS Ventura v13 | MacBook Air - i7 (Ice Lake), 2021, 2020 | 8 | ||
| 9 | macOS Ventura v13 | MacBook Air - i5 (Amber Lake), 2021, 2019, 2018 | 9 | ||
| 10 | macOS Ventura v13 | MacBook Air - i7 (Amber Lake), 2021, 2018 | 10 | ||
| 11 | macOS Ventura v13 | Mac mini - i5 (Coffee Lake), 2021, 2018 | 11 | ||
| 12 | macOS Ventura v13 | Mac mini - i7 (Coffee Lake), 2021, 2018 | 12 |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 2. Cryptographic Module Specification The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] cryptographic module (hereafter referred to as "the Module") is a software module running on a multi-chip standalone general-purpose computing platform. The version of module is 13 written as v13.0. The module provides implementations of low-level cryptographic primitives to the Host OS's (macOS Ventura v13) Security Framework and CommonCrypto. The module has been tested by Lightship Security, Inc. CST lab on the following platforms with and without PAA: # Table 2
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES [FIPS 197] [SP 800-38A] | A3618 (asm_aesni) A3619 (asm_x86) A3620 (c_aesni) A3621 (c_asm) | CBC | 128, 192, 256 | Symmetric encryption and decryption |
| AES [FIPS 197] [SP 800-38C] | A3626 (vng_asm) A3627 (vng_aesni) | CCM | 128, 192, 256 | Authenticated encryption and decryption |
| AES [FIPS 197] [SP 800-38A] | A3620 (c_aesni) A3621 (c_asm) | CFB128 | 128, 192, 256 | Symmetric encryption and decryption |
| AES [FIPS 197] [SP 800-38A] | A3620 (c_aesni) A3621 (c_asm) | CFB8 | 128, 192, 256 | Symmetric encryption and decryption |
| AES [FIPS 197] [SP 800-38A] | A3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni) | CTR | 128, 192, 256 | Symmetric encryption and decryption |
| AES [FIPS 197] [SP 800-38A] | A3618 (asm_aesni) A3619 (asm_x86) A3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni) | ECB | 128, 192, 256 | Symmetric encryption and decryption |
| AES [FIPS 197] [SP 800-38D] | A3626 (vng_asm) A3627 (vng_aesni) | GCM | 128, 192, 256 | Authenticated encryption and decryption |
| AES | A3620 (c_aesni) | KW | 128, 192, 256 | Key wrapping |
| 13 | macOS Ventura v13 | iMac - i5 (Comet Lake), 2021, 2020 |
|---|---|---|
| 14 | macOS Ventura v13 | iMac - i7 (Comet Lake), 2021, 2020 |
| 15 | macOS Ventura v13 | iMac - i9 (Comet Lake), 2021, 2020 |
| 16 | macOS Ventura v13 | iMac - i5 (Coffee Lake), 2021, 2019 |
| 17 | macOS Ventura v13 | iMac - i7 (Coffee Lake), 2021, 2019 |
| 18 | macOS Ventura v13 | iMac - i9 (Coffee Lake), 2021, 2019 |
| 19 | macOS Ventura v13 | iMac - i9 (Comet Lake), 2022 |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Table 3
| Name | Key Size | Use Function | ||
|---|---|---|---|---|
| [FIPS 197] [SP 800-38F] | A3621 (c_asm) | |||
| AES [FIPS 197] [SP 800-38A] | 128, 192, 256 | OFB | A3620 (c_aesni) A3621 (c_asm) | Symmetric encryption and decryption |
| XTS-AES [FIPS 197] [SP 800-38E] | 128, 256 | XTS | A3618 (asm_aesni) A3619 (asm_x86) | Symmetric encryption and decryption on storage devices |
| CTR_DRBG [SP 800-90Ar1] | Key Length/ Key Strength: 128, 256 Derivation Function Enabled: Yes | AES-CTR | A3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni) | Random Number Generation |
| ECDSA [FIPS 186-4] | Curves: P-224, P-256, P- 384, P-521 Key Strength: from 112 to 256 | KeyGen, KeyVer, SigGen, SigVer | A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | Digital signatures and asymmetric key generation and verification |
| CKG | Key Pair Generation (CKG) using method in Sections 4 and 5.1 in [SP 800-133r2] | Vendor Affirmed | Cryptographic key generation | |
| HMAC [FIPS 198-1] | 112 bits or greater | HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 | A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) A3628 (vng_intel) | Message authentication |
| HMAC [FIPS 198-1] | 112 bits or greater | HMAC-SHA2-512/256 | A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | Message authentication |
| HMAC_DRBG [SP 800-90Ar1] | 112 bits or greater | SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 | A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | Random Number Generation |
| KBKDF1 [SP 800-108r1] | HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 | Counter (CTR) Feedback | A3624 (c_sse3) | Key-based key derivation |
| RSA [FIPS 186-4] | KeyGen: 2048, 3072, 4096 SigGen: 2048, 3072, 4096 SigVer: 1024 (legacy use), 2048, 3072, 4096 | KeyGen (ANSI X9.31), SigGen (PKCS#1 v1.5) and (PKCS PSS) SigVer (PKCS#1 v1.5) and (PKCS PSS) | A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | Digital signatures and asymmetric key generation and verification |
| SHS [FIPS 180-4] | 112 bits or greater | SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 | A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) A3628 (vng_intel) | Message digest |
| SHS [FIPS 180-4] | 112 bits or greater | SHA2-512/256 | A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | Message digest |
| Triple-DES | Keying Option: 1 | ECB | A3625 (c_ltc) | Symmetric decryption |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] KBKDF: Supported Lengths: 8 to 4096 in increments of 8. Fixed Data Order: Before Fixed Data. When using HMAC as the PRF. This document may be reproduced and distributed only in its original entirety without revision.
| Name | Use Function |
|---|---|
| RSA | ANSI X9.31 Key Pair Generation Key Size < 2048 PKCS#1 v1.5 and PSS Signature Generation Key Size < 2048 PKCS#1 v1.5 and PSS Signature Verification Key Size< 1024 |
| RSA | Key Encapsulation: OAEP, PKCS#1 v1.5 and PSS schemes |
| X25519 | Key Agreement Key Generation |
| Ed25519 | Key Generation Signature Generation Signature Verification |
| ANSI X9.63 KDF | Hash based Key Derivation Function |
| RFC6637 | Key Derivation Function |
| HKDF [SP 800-56C] | Key Derivation Function |
| DES | Encryption / Decryption, Key Size: 56-bits |
| CAST5 | Encryption / Decryption, Key Sizes: 40 to 128-bits in 8-bit increments |
| RC4 | Encryption / Decryption, Key Sizes: 8 to 4096-bits |
| RC2 | Encryption / Decryption Key Sizes 8 to 1024-bits |
| MD2 | Message Digest, Digest size 128-bit |
| MD4 | Message Digest, Digest size 128-bit |
| MD5 | Message Digest, Digest size 128-bit |
| RIPEMD | Message Digest, Digest size 160-bits |
| ECDSA | Key-pair generation: Curve P-192 Public key validation: Curve P-192 Signature Generation: Curve P-192 Signature Verification: Curve P-192 Key Pair Generation for compact point representation of points |
| Integrated Encryption Scheme on elliptic curves (ECIES) | Encryption / Decryption |
| Blowfish | Encryption / Decryption |
| OMAC (One-Key CBC MAC) | MAC generation |
| Triple-DES [SP 800-67r2]2 | CBC, ECB: Encryption/Decryption Note: The module does not enforce the limit of 216 encryptions with the same Triple-DES key, as required by FIPS 140-3 IG C.G. |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Table 4
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] executes within the kernel space of the computing platforms and operating systems listed in Table 2
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | Data inputs are provided in the variables passed in the KPI and callable service invocations, generally through caller-supplied buffers |
| N/A | N/A | Data Output | Data outputs are provided in the variables passed in the KPI and callable service invocations, generally through caller-supplied buffers |
| N/A | N/A | Control Input | Control inputs which control the mode of the module are provided through dedicated parameters, namely the kernel module plist whose information is supplied to the module by the kernel module loader. |
| N/A | N/A | Control Output | Not Applicable4 |
| N/A | N/A | Status Output | Status output is provided in return codes and through messages. Documentation for each KPI lists possible return codes. A complete list of all return codes returned by the C language KPIs within the module is provided in the header files and the KPI documentation. Messages are also documented in the KPI documentation. |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 3. Cryptographic Module Interfaces As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. interfaces are described in the table below. N/A N/A N/A N/A N/A Table 6
| Name | Roles | Input | Output |
|---|---|---|---|
| Symmetric encryption | Crypto-Officer (CO) | AES Key Plain text data | Cipher text |
| Symmetric decryption | Crypto-Officer (CO) | AES Key Cipher text data | Plain text |
| Key wrapping | Crypto-Officer (CO) | Key-encryption-key Key to be wrapped | Wrapped key |
| Key unwrapping | Crypto-Officer (CO) | Key-encryption-key Wrapped key | Unwrapped key |
| Secure Hashing | Crypto-Officer (CO) | Message | Message digest |
| Message Authentication Code (MAC) Generation | Crypto-Officer (CO) | message, MAC key, MAC algorithm | Message Authentication Code |
| Message Authentication Code (MAC) Verification | Crypto-Officer (CO) | MAC, message, HMAC key, MAC algorithm | pass/fail result |
| Generate asymmetric key pair | Crypto-Officer (CO) | Random numbers, domain parameters | Public/private key pair |
| Generate digital signature | Crypto-Officer (CO) | private key, message, hash function | Digital signature |
| Verify digital signature | Crypto-Officer (CO) | public key | True or False |
| Generate random number | Crypto-Officer (CO) | entropy, seed, V and key values | random bit-string |
| Derive key via KBKDF | Crypto-Officer (CO) | KBKDF Key Derivation Key | Derived key |
| Zeroise symmetric keys | Crypto-Officer (CO) | Handler of symmetric crypto function context | Released memory space |
| Zeroise asymmetric keys | Crypto-Officer (CO) | Handler of asymmetric crypto function context | Released memory space |
| Zeroise hash | Crypto-Officer (CO) | Handler of hash context | Released memory space |
| Self-test | Crypto-Officer (CO) | Instantiation | Status |
| Show status | Crypto-Officer (CO) | KPI invocation | Operational / error status |
| Show module info | Crypto-Officer (CO) | KPI invocation | Module base name Module version |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 4. Roles, Services and Authentication The Module supports a single instance of one authorized role, designated as the Crypto-Officer. No support is provided for multiple concurrent operators or a Maintenance Operator. The table below lists the services available to the Crypto-Officer: Table 7
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| ECDSA key pair generation | Generate a public/private key pair | CO | ECDSA key pair | ECDSA5 CKG | GR | 1 |
| ECDSA signature generation | Generate a digital signature | CO | ECDSA private key | ECDSA | RE | 1 |
| ECDSA signature verification | Verify a digital signature | CO | ECDSA public key | ECDSA | RWE | 1 |
| Derive key via KBKDF | Derive keys | CO | KBKDF Key derivation key KBKDF Derived key | KBKDF | WE GRE | 1 |
| Key wrapping | Perform key wrapping | CO | AES Key-encrypting key | AES-KW | WE | 1 |
| Key unwrapping | Perform key unwrapping | CO | AES Key-encrypting key | AES-KW | WE | 1 |
| Hashing | Compute a message digest | CO | N/A | SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 | N/A | 1 |
| MAC Generation | Compute a message authentication code | CO | HMAC key | HMAC | WE | 1 |
| MAC Verification | Verify a message authentication code | CO | HMAC key | HMAC | WE | 1 |
| RSA key pair generation | Generate a public/private key pair | CO | RSA key pair | RSA6 CKG | GR | 1 |
| RSA signature generation | Generate a digital signature | CO | RSA private key | RSA | RE | 1 |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 4.2 Services The module implements a dedicated KPI function to indicate if a requested service utilizes an approved security function. For services listed in Table 8 – Approved services, the indicator function returns
| Name | Mode Method | Use Function | ||||
|---|---|---|---|---|---|---|
| RSA public key | RSA | RSA signature verification | Verify a digital signature | CO | RWE | 1 |
| DRBG entropy input DRBG seed DRBG 'V' value DRBG 'Key' value | CTR_DRBG | Random number generation | Generate a random number | CO | Input: WE Seed: GE V: GE Key: GE | 1 |
| N/A | N/A | Self-test | Perform pre- operational and algorithm self-test | CO | N/A | 1 |
| N/A | N/A | Show status | Return module status | CO | N/A | N/A |
| N/A | N/A | Show module info | Return module name and versioning information | CO | N/A | N/A |
| AES Key AES GCM key AES XTS key | AES-CBC AES-CCM AES-CFB128 AES-CFB8 AES-CTR AES-ECB AES-OFB AES-GCM XTS-AES | Symmetric encryption | Encrypt plaintext data | CO | WE | 1 |
| AES Key AES GCM key AES XTS key | AES-CBC AES-CCM AES-CFB128 AES-CFB8 AES-CTR AES-ECB AES-OFB AES-GCM XTS-AES | Symmetric decryption | Decrypt ciphertext data | CO | WE | 1 |
| AES Key AES GCM key AES XTS key AES Key-encrypting key KBKDF Key derivation key KBKDF Derived key | N/A | Zeroise symmetric keys | Release all resources of symmetric crypto function context | CO | Z | 1 |
| RSA key pair ECDSA key pair | N/A | Zeroise asymmetric keys | Release of all resources of asymmetric crypto function context | CO | Z | 1 |
| HMAC key | N/A | Zeroise hash | Release all resources of hash context | CO | Z | 1 |
| Name | Description | Roles | Approved Functions | Indicator |
|---|---|---|---|---|
| Key Encapsulation | Perform key wrapping | CO | RSA encrypt | 0 |
| Key Decapsulation | Perform key unwrapping | CO | RSA decrypt | 0 |
| EdDSA/X25519 key pair generation | Generate a public/private key pair Curve: Ed25519 and Curve25519 | CO | EdDSA KeyGen X25519 KeyGen | 0 |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Z N/A Z N/A Z Table 8
| Name | Key Size | Use Function | ||
|---|---|---|---|---|
| EdDSA SigGen | Generate a digital signature Curve: Ed25519 | EdDSA signature generation | CO | 0 |
| EdDSA SigVer | Verify a digital signature Curve: Ed25519 | EdDSA signature verification | CO | 0 |
| X25519 Key agreement | Perform key agreement | X25519 key agreement | CO | 0 |
| ECDSA | Generate a public/private key pair Curve: P-192 | ECDSA key pair generation | CO | 0 |
| ECDSA | Generate a digital signature Curve: P-192 | ECDSA signature generation | CO | 0 |
| ECDSA | Verify a digital signature Curve: P-192 | ECDSA Signature verification | CO | 0 |
| ANSI X9.31 | Generate a public/private key pair Key size < 2048 | RSA key pair generation | CO | 0 |
| PKCS#1 v1.5 PSS | Generate a digital signature Key size < 2048 | RSA signature generation | CO | 0 |
| PKCS#1 v1.5 PSS | Verify a digital signature Key size < 1024 | RSA Signature verification | CO | 0 |
| SHA-1 | Hash-based key derivation Per: ANSI X9.63 | Key Derivation | CO | 0 |
| SHA-256 | Hash-based key derivation Per: SP 800-56C HKDF | Key Derivation | CO | 0 |
| SHA-256, SHA-512, AES-128, AES-256 | Hash-based key derivation Per: RFC6637 | Key Derivation | CO | 0 |
| OMAC | Compute a message authentication code | Generate MAC | CO | 0 |
| MD2, MD4, MD5, RIPEMD | Compute a message digest | Hashing | CO | 0 |
| Triple-DES, Blowfish, CAST5, DES, ECIES, RC2, RC4 | Perform symmetric data encryption | Symmetric encryption | CO | 0 |
| Triple-DES, Blowfish, CAST5, DES, ECIES, RC2, RC4 | Perform symmetric data decryption | Symmetric decryption | CO | 0 |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Table 9
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 5. Software/Firmware Security 5.1 Integrity Techniques The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1], which is made up of a single component, is provided in the form of binary executable code. A software integrity test is performed on the runtime image of the module. The HMAC-SHA2-256 implemented in the module is used as an approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided and data output is prohibited. In this state the module is not operational. 5.2 On Demand Integrity Test Integrity tests are performed as part of the Pre-Operational Self-Tests. The software integrity test is automatically executed at power-on. It can also be invoked by self-test service or powering-off and reloading the module. This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 7. Physical Security The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 8. Non-invasive Security Currently, the ISO/IEC 19790:2012 non-invasive security area is not required by FIPS 140-3 (see NIST SP 800-140F). The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirety without revision.
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation |
|---|---|---|---|---|---|---|---|---|
| AES key | 128 to 256 bits | AES (CBC, CCM, CFB, CTR, ECB, KW, OFB modes) A3618 (asm_aesni) A3619 (asm_x86) A3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni) | N/A | N/A | N/A. The module does not provide persistent keys/SSPs storage. | Symmetric Encryption and Decryption | Imported from kernel No export | Automatic zeroisation when structure is deallocated or when the system is powered down |
| AES Key- encrypting key | 128 to 256 bits | AES-KW A3620 (c_aesni) A3621 (c_asm) | N/A | N/A | Key Wrapping and Unwrapping (KTS) | Imported from kernel No export | ||
| AES GCM key | 128 to 256 bits | AES (GCM mode) A3626 (vng_asm) A3627 (vng_aesni) | N/A | N/A | Symmetric Encryption and Decryption | Imported from kernel No export | ||
| AES XTS key | 128 and 256 bits | XTS-AES A3618 (asm_aesni) A3619 (asm_x86) | N/A | N/A | Symmetric Encryption and Decryption | Imported from kernel No export | ||
| HMAC key | >=112 bits | HMAC-SHA-1 HMAC-SHA-2 A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) A3628 (vng_intel) | N/A | N/A | Generate and Verify MAC | Imported from kernel No export | ||
| ECDSA public key | 112 to 256 bits | ECDSA A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | The key pairs are generated conformant to [SP 800- 133r2] Section 4 (CKG) using FIPS186-4 Key Generation method, and the random value used in the key generation is generated using [SP 800-90Ar1] DRBG | N/A | Signature verification | Imported from or exported to kernel | ||
| ECDSA private key | N/A | Signature generation | Exported to kernel Intermediate keygen values are not output | |||||
| RSA public key | 112 to 256 bits | RSA A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | The key pairs are generated conformant to [SP 800- 133r2] Section 4 (CKG) using FIPS186-4 Key Generation | N/A | Signature verification | Imported from or exported to kernel | ||
| RSA private key | N/A | Signature generation | Exported to kernel. Intermediate keygen values are not output |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 9. Sensitive Security Parameter Management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module: N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A This document may be reproduced and distributed only in its original entirety without revision.
| Name | Key Size | Use Function | ||||
|---|---|---|---|---|---|---|
| Random Number Generation | 256 bits | Entropy Input String | N/A | Imported from entropy source | N/A | Random Number Generation |
| CTR_DRBG A3620 (c_aesni) A3621 (c_asm) A3627 (vng_aesni) HMAC_DRBG A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) | 256 bits | DRBG Seed, internal state: V value and Key | Internally generated as defined by [SP 800- 90Ar1] | N/A | N/A | Random Number Generation |
| KBKDF A3624 (c_sse3) | Min: 112 bits | KBKDF Key derivation key | N/A | Imported from calling application No export | N/A | Key Derivation |
| KBKDF A3624 (c_sse3) | Min: 112 bits | KBKDF Derived key | Generated via KBKDF | No import Exported to calling application | N/A | Key Derivation |
| Entropy source | Minimum number of | Details | |
|---|---|---|---|
| bits of entropy | |||
| ESV Cert #E14 (physical source) ESV Cert #E110 (non-physical source) | 256 | The seed is provided by post-processed entropy data from two entropy sources. The entropy sources are located within the physical perimeter of the module but outside the |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] N/A N/A N/A N/A N/A N/A N/A Table 10
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] cryptographic boundary of the module. Table 11
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 9.6 Key / SSP Zeroisation Keys and SSPs are zeroised when the appropriate context object is destroyed or when the system is powered down. Input and output interfaces are inhibited while zeroisation is performed. This document may be reproduced and distributed only in its original entirety without revision.
| Name | Use Function | ||
|---|---|---|---|
| Algorithm(s) | Algorithm(s) | Notes | |
| HMAC-SHA256 | CAST (KAT) performed prior to module’s integrity test during POSTs | ||
| AES implementations selected by the module for the | Separate encryption / decryption operations are performed |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 10. Self-tests This section specifies the pre-operational and conditional self-tests performed by the module. The preoperational and conditional self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The module does not implement a bypass mode nor security functions critical to the secure operation of the cryptographic module and thus, does not implement either a pre-operational bypass test or pre-operational critical functions test. While the module is executing the self-tests, services are not available and input and output are inhibited. If the module fails pre-operational or conditional self-tests fail, it will report an error message indicating the cause of the failure and enters the Error State (See section 10.3). The module permits operators to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by rebooting the system (i.e., power-cycling).
The module performs a pre-operational software integrity test automatically when the module is loaded into memory (i.e., at power on) before the module transitions to the operational state. A software integrity test is performed on the runtime image of the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] with HMAC-SHA2-256 used to perform the approved integrity technique. Prior to using HMAC-SHA-256, Conditional Cryptographic Algorithm Self-Test (CAST) is performed. If the CAST on the HMAC-SHA-256 is successful, the HMAC value of the runtime image is recalculated and compared with the stored HMAC value pre-computed at compilation time.
Conditional self-tests are to be performed by a cryptographic module when the conditions specified for the following tests occur: Cryptographic Algorithm Self-Test, Pair-Wise Consistency Test. The module does not implement any functions requiring a Software/Firmware Load Test, Manual Entry Test, Conditional Bypass Test nor Conditional Critical Functions Test; therefore, these tests are not performed by The following sub-sections describe the conditional tests supported by the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]. 10.2.1. Conditional Cryptographic Algorithm Self-Tests In addition to the pre-operational software integrity test described in Section 10.1, the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] also runs the Conditional Cryptographic Algorithm Self-Tests (CAST) for all cryptographic functions of each approved cryptographic algorithm implemented by the module during power-up as well. All CASTs are performed prior to the first operational use of the cryptographic algorithm. These tests are detailed in Table 12
| Name | Use Function |
|---|---|
| corresponding environment AES-CCM, AES-GCM, AES-XTS, AES-CBC, AES-ECB, AES-KW using 128-bit key | |
| CTR_DRBG and HMAC_DRBG | Each DRBG mode tested separately KAT and Health test per NIST [SP 800-90Ar1] Section 11.3 |
| HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512 | KAT |
| SHA-1, SHA2-256, SHA2-512 | Covered by high level HMAC self-test |
| RSA, 2048-bit modulus with SHA-256 | Separate Signature generation/ verification KAT are performed |
| ECDSA, P-256 curve with SHA-256 | Signature generation/verification are performed |
| KBKDF (counter and feedback modes) | KAT |
| Cause of Error | Error indicator | ||
|---|---|---|---|
| Failed Pre-operational Software Integrity Test | print statement “FAILED: fipspost_post_integrity” to stdout | ||
| Failed Conditional CAST | print statement “FAILED: <event>” to stdout (<event> refers to any of the cryptographic functions listed in Table 12 – Conditional Cryptographic Algorithm Self-tests.) | ||
| Failed Conditional PCT | Error code “CCEC_GENERATE_KEY_CONSISTENCY” returned for ECDSA Error code “CCRSA_GENERATE_KEY_CONSISTENCY” returned for RSA |
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] does generate RSA and ECDSA asymmetric keys and performs the required RSA and ECDSA pair-wise consistency tests on the newly generated key pairs.
If any of the self-tests described in Sections 10.1, 10.2.1 or 10.2.2 fail, the module reports the cause of the error and enters an error state. In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to power cycle the device which results in the module being reloaded into memory and reperforming the pre-operational software integrity test and the Conditional CASTs. The module will only enter into the operational state after successfully passing the preoperational software integrity test and the CASTs. The table below shows the different causes that lead to the Error State and the status indicators reported. Table 13
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 11. Life-cycle Assurance
The module is built into macOS Ventura v13 and delivered with device. There is no standalone delivery of the module as a software library. The vendor's internal development process guarantees that the correct version of module goes with its intended macOS version. For additional assurance, the module is digitally signed by vendor and it is verified during the integration into macOS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-SHA2-256 based integrity check performed by the module itself as part of its pre-operational self-tests.
The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 9 – Non-approved services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E14_PublicUse.pdf The ESV Public Use Document (PUD) reference for non-physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E110_PublicUse.pdf Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation. The Crypto Officer shall consider the following requirements and restrictions when using the module: o AES-GCM IV is constructed in compliance with IG C.H scenario
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 12. Mitigation of Attacks The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CAST Cryptographic Algorithm Self-Test CAST5 A symmetric-key 64-bit block cipher with 128-bit key CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDSA Elliptic Curve Digital Signature Algorithm ESVP Entropy Source Validation Program FIPS Federal Information Processing Standards GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KBKDF Key Based Key Derivation Function KDF Key Derivation Function KEXT Kernel Extension KW AES Key Wrap MAC Message Authentication Code KPI Kernel Programming Interface NIST National Institute of Standards and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pairwise Consistency Test PKG Key-Pair Generation PKV Public Key Validation PRF Pseudo-Random Function PSS Probabilistic Signature Scheme PUD Public Use Document (ESVP) RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard TOEPP Tested Operational Environment Physical Perimeter This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] XTS XEX Tweakable Block Ciphertext Stealing This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS140-3_MM CMVP FIPS 140-3 Draft Management Manual https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/Draft%20FIPS-140-3CMVP%20Management%20Manual%2009-18-2020.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140B CMVP Security Policy Requirements https://csrc.nist.gov/publications/detail/sp/800-140b/final SP 800-140C CMVP Approved Security Functions https://csrc.nist.gov/publications/detail/sp/800-140c/final SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods https://csrc.nist.gov/publications/detail/sp/800-140d/final SP 800-140E CMVP Approved Authentication Mechanisms https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics https://csrc.nist.gov/publications/detail/sp/800-140f/final FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP 800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-57r5 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf SP 800-67r1 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP 800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) October 2009 http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP 800-131Ar2 NIST Special Publication 800-131A - Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP 800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf This document may be reproduced and distributed only in its original entirety without revision.
Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] MACOS macOS Technical Overview https://developer.apple.com/macos/ SEC Apple Platform Security Guide https://support.apple.com/guide/security/welcome/web macOS Product security certifications for macOS https://support.apple.com/HT201159 This document may be reproduced and distributed only in its original entirety without revision.