| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/29/2027 |
| Caveat | Interim validation. When operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Apple, Inc. |
flowchart LR
%% Deterministic review-risk graph for Apple corecrypto Module v12 [Intel, Kernel, Software]
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status output<br/>Self-test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Apple corecrypto Module v12 [Intel, Kernel, Software]
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Status output<br/>Self-test<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3,C5,C6 clueLow;Apple Inc. Apple corecrypto Module v12 [Intel, Kernel, Software] Document Version: 1.0 January 15, 2025 Prepared by: www.acumensecurity.net This document may be reproduced and distributed only in its original entirely without revision.
| # | Section | Page |
|---|
8 Non-invasive Security Not Applicable
12 Mitigation of Other Attacks Not Applicable
Table 1
1 macOS Monterey MacBook Air Intel i5 (Amber AES-NI
2 macOS Monterey MacBook Air Intel i5 (Amber N/A
3 iMac Intel i5 (Comet AES-NI
4 macOS Monterey iMac Intel i5 (Comet N/A
5 macOS Monterey MacBook Air Intel i7 (Ice Lake) AES-NI
6 macOS Monterey MacBook Air Intel i7 (Ice Lake) N/A
7 macOS Monterey MacBook Pro Intel i7 (Coffee AES-NI
8 macOS Monterey MacBook Pro Intel i7 (Coffee N/A
9 macOS Monterey iMac Intel i7 (Comet AES-NI
10 macOS Monterey iMac Intel i7 (Comet N/A
11 macOS Monterey MacBook Pro Intel i9 (Coffee AES-NI
12 macOS Monterey MacBook Pro Intel i9 (Coffee N/A
13 macOS Monterey iMac Pro Xeon W Sky Lake AES-NI
14 macOS Monterey iMac Pro Xeon W Sky Lake N/A
15 macOS Monterey Mac Pro Xeon W Cascade AES-NI
16 macOS Monterey Mac Pro Xeon W Cascade N/A
Table 2
In addition to the platforms listed in Table 2, Apple Inc. has also tested the module on the following platforms and claims vendor affirmation on them (the processor and year per platform have also been specified): # Operating Hardware Platform System
1 macOS Monterey MacBook Pro i5 (Ice Lake) 2020
2 MacBook Pro i5 (Coffee Lake) 2020, 2019, 2018
3 macOS Monterey MacBook Pro i7 (Amber Lake) 2019, 2018
4 macOS Monterey MacBook Pro i7 (Coffee Lake) 2020, 2019, 2018
5 macOS Monterey MacBook Pro i7 (Ice Lake) 2020
6 macOS Monterey MacBook Pro i9 (Coffee Lake) 2019, 2018
7 macOS Monterey MacBook Air i5 (Ice Lake) 2020
8 macOS Monterey MacBook Air i7 (Ice Lake) 2020
9 macOS Monterey MacBook Air i5 (Amber Lake) 2019, 2018
10 macOS Monterey MacBook Air i7 (Amber Lake) 2018
11 macOS Monterey Mac mini i5 (Coffee Lake) 2018
12 macOS Monterey Mac mini i7 (Coffee Lake) 2018
13 macOS Monterey iMac i5 (Comet Lake) 2020
14 macOS Monterey iMac i7 (Comet Lake) 2020
15 macOS Monterey iMac i9 (Comet Lake) 2020
16 macOS Monterey iMac i5 (Coffee Lake) 2019
17 macOS Monterey iMac i7 (Coffee Lake) 2019
18 macOS Monterey iMac i9 (Coffee Lake) 2019
Table 3
The physical perimeter of the module which is also the Tested Operational Environment’s Physical Perimeter (TOEPP) is the physical perimeter of the macOS device that contains the module. Consequently, the embodiment of the module is a multi-chip standalone cryptographic module. (Figure 1) below depicts the following information:
is in the Approved mode of operation when the module utilizes the services that use the security functions listed in the table below. The module supports an Approved mode and a non-Approved mode of operation. The module does not support a degraded operation. The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 10 - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. Algorithm Description / Key Use / CAVP Cert and Mode/Method Size(s) / Key Function Standard Strength(s) A2858 (vng_asm) AES-128, A2853 (c_asm) CTR_DRBG Random AES-256 Key Length: 128, [SP800- Number Derivation 256 A2852 (c-aesni) 90Ar1] Generation Function Enabled A2859 (vng_aesni) SHA-1, A2855 (c_avx2) SHA2-224, A2854 (c_avx) HMAC_DRBG SHA2-256, Random Key Length: 112 [SP800- SHA2-384, Number bits or greater 90Ar1] SHA2-512 Generation A2856 (c_ssse3) No Prediction Resistance CBC CFB128 A2852 (c-aesni) CFB8 Symmetric Key Length: 128, CTR Encryption AES 192, 256 A2853 (c_asm) ECB and KW Decryption OFB Key Length: 128, A2850 192, 256 Symmetric CBC, (asm_aesni) XTS (128 and 256- Encryption AES ECB, A2851 bits key size and XTS (asm_x86) only) Decryption A2858 ECB, Symmetric (vng_asm) CCM, Key Length: 128, Encryption AES A2859 CTR, 192, 256 and (vng_aesni) GCM Decryption A2855 (c_avx2) Modulus: 2048, RSA Digital A2854 (c_avx) Key Generation 3072, 4096 [FIPS 186-4] Signature A2856 (c_ssse3) (ANSI X9.31) This document may be reproduced and distributed only in its original entirely without revision.
Algorithm Description / Key Use / CAVP Cert and Mode/Method Size(s) / Key Function Standard Strength(s)
SHA2-256, SHA2- Asymmetric Signature 284, SHA2-512), Key Generation 3072 (SHA2-224, Generation SHA2-256, SHA2(PKCS#1 v1.5) 284, SHA2-512), and (PKCS PSS) 4096 (SHA2-224, SHA2-256, SHA2284, SHA2-512) Modulus: 1024 (SHA-1 (legacy), SHA2-224, SHA2256, SHA2-284),
Signature (legacy), SHA2-224, Verification SHA2-256, SHA2284, SHA2-512), (PKCS#1 v1.5) 3072 (SHA-1 and (legacy), SHA2-224, (PKCS PSS) SHA2-256, SHA2284, SHA2-512),
(legacy), SHA2-224, SHA2-256, SHA2284, SHA2-512) Key Pair Generation (PKG): P-224, P-256, P384, P-512 Digital Public Key ECDSA Signature A2855 (c_avx2) Validation (PKV): ANSI SHA-1 (verification and A2854 (c_avx) X9.62 only, legacy), SHA2- Asymmetric A2856 (c_ssse3) Signature [FIPS 186-4] 224, SHA2-256, Key Generation SHA2-384, SHA2- Generation Signature Verification A2856 (c_ssse3) SHA-1, A2860(vng_Intel) SHS Message SHA2-224, N/A A2855 (c_avx2) [FIPS 180-4] Digest SHA2-256, A2854 (c_avx) SHA2-384, This document may be reproduced and distributed only in its original entirely without revision.
Algorithm Description / Key Use / CAVP Cert and Mode/Method Size(s) / Key Function Standard Strength(s) SHA2-512, SHA2-512/256 (except for A2860) SHA-1, SHA2-224, A2860 SHA2-256, 112 bits or greater (vng_Intel) HMAC SHA2-384, A2855 (c_avx2) [FIPS Keyed Hash SHA2-512 A2854 (c_avx) 198] SHA2-512/256 A2856 (c_ssse3) (except for A2860) KDF Mode: Counter and Feedback Supported Lengths: 8-4096 MAC Mode: Increment 8 HMAC-SHA-1, KBKDF HMAC-SHA2- Key A2856 (c_ssse3) [SP800- Fixed Data Order: 224, HMAC- Derivation 108] Before Fixed SHA2Data 256, HMACSHA2-384, Counter Length: 32 HMAC-SHA2-512 RSA Key Generation (ANSI X9.31), Modulus: 2048, Cryptographic Sections 4, 5.1, 3072, 4096 KeyGeneration Key Vendor Affirmed 6.2.2 and 6.2.3 (CKG) Generation per SP800-132r2 ECDSA Key Pair [SP800-133r2] Generation (PKG): P-224, P-256, P384, P-521 SP 800-38D KTS 128, 192, and 256- bit and SP 800AES-KW/A2852 keys providing 128, Key 38F; key AES KW AES-KW/A2853 192, or 256 bits of Wrapping wrapping per encryption strength IG D.G Table 4
The table below list non-Approved but Allowed security functions with no security claimed: Algorithm Caveat Use / Function MD5 no security claimed Message Digest (used as part of the TLS key establishment scheme only), Digest Size: 128-bit Table 5
ECDSA Key Pair Generation for compact point representation of points Integrated Encryption Scheme on elliptic Encryption / Decryption curves (ECIES) Blowfish Encryption / Decryption OMAC (One-Key CBC MAC) MAC generation Triple-DES (ECB, CBC) Encryption / Decryption Note The module itself does not enforce the limit of 216 encryptions with the same TripleDES key, as required by FIPS 140-3 IG C.G. Table 6
3. Cryptographic Module Interfaces
The module does not support a control output interface. The module is optimized for library use within the macOS kernel space and does not contain any terminating assertions or exceptions. It is implemented as a macOS dynamically loadable library. The dynamically loadable library is loaded into the macOS kernel and its cryptographic functions are made available to macOS kernel services only. Any internal error detected by the module is reflected back to the caller with an appropriate return code. The calling macOS kernel service must examine the return code and act accordingly. The module communicates any error status synchronously through the use of its documented return codes, thus indicating the module’s status. It is the responsibility of the caller to handle exceptional conditions in a FIPS 140-3 appropriate manner. Caller-induced or internal errors do not reveal any sensitive material to callers. Cryptographic bypass capability is not supported by the module. This document may be reproduced and distributed only in its original entirely without revision.
4. Roles, Services, and Authentication The module supports a single instance of one authorized role: The Crypto Officer. No support is provided for multiple concurrent operators or a Maintenance Operator. Role Service Input Output Crypto Officer (CO) AES Encryption / Input for Encryption: Output for Decryption key and plain text Encryption: cipher (Perform approved text security functions) Input for Decryption: key and cipher text Output for Decryption: plain tex AES Key Wrapping key encryption key wrapped key (Perform approved and key to be security functions) wrapped Secure Hash Message Hash value Generation (Perform approved security functions) HMAC generation HMAC key and keyed Hash value (Perform approved message security functions) RSA signature Input for SigGen: Output SigGen: generation and RSA private key and signature verification message (Perform approved Output for Sigver: security functions) Input for SigVer: RSA True or False public key and signature ECDSA signature Input for SigGen: Output for SigGen: generation and ECDSA private key signature verification and message (Perform approved Output for SigVer: security functions) Input for SigVer: True or False ECDSA public key and signature Random number Entropy input string, Random numbers generation nonce (Perform approved security functions) KBKDF key derivation key Derived key (Perform approved security functions) ECDSA (key pair random numbers generated private generation) and public key pair This document may be reproduced and distributed only in its original entirely without revision.
Role Service Input Output (Perform approved security functions) RSA (key pair random prime generated private generation) numbers and public key pair (Perform approved security functions) Release all resources handler of symmetric zeroised and released of symmetric crypto crypto function memory space function context context (Perform zeroisation) Release all resources handler of hash zeroised and released of hash context context memory space (Perform zeroisation) Release of all handler of key zeroised and released resources of key derivation memory space derivation function context (Perform zeroisation) Release of all handler of zeroised and released resources of asymmetric crypto memory space asymmetric crypto function context function context (Perform zeroisation) Self-test power Pass/Fail status (Perform self-tests) Show Status KPI invocation Operational/Error status Show Module Info KPI invocation Module Base Name + (Show module’s Module Version versioning Number information) Table 8
The module implements a dedicated KPI function to indicate if a requested service utilizes an approved security function. For services listed in Table 9 - Approved Services, the indicator function returns
Service Description Approved Keys Roles Access Indicator Security and/or rights Functions and SSP’s to certs Keys and/or SSP’s AES Input for Symmetric AES key Crypto W, E 1 Encryption / Encryption: Encryption and Officer Decryption key and plain Decryption (CO) (Perform text Output for approved Encryption: AES-CBC security cipher text (#A2852, functions) Input for #A2853, Decryption: #A2850, key and cipher #A2851) text Output for Decryption: AES-ECB plain text (#A2852, #A2853, #A2850, #A2851, #A2858, #A2859) AES-CFB128 (#A2852, #A2853) AES-CFB8 (#A2852, #A2853) AES-OFB (#A2852, #A2853) AES-CTR (#A2852, #A2853, #A2858, #A2859) AES-XTS (#A2850, #A2851) AES-GCM (#A2858, #A2859) This document may be reproduced and distributed only in its original entirely without revision.
AES-CCM (#A2858, #A2859) AES Key Input: key Key Wrapping AES key, key Crypto W, E, R 1 Wrapping encryption key KW to be Officer (Perform and key to be (#A2852, wrapped, (CO) approved wrapped #A2853) wrapped key security Output: functions) wrapped key Secure Input: Message Digest none Crypto N/A 1 Hash message Officer Generation Output: Hash SHA-1, (CO) (Perform value SHA2-224, approved SHA2-256, security SHA2-384, functions) SHA2-512, SHA2-512/256 (except for A2860) (#A2856, #A2860, #A2855, #A2854) HMAC Input: HMAC Keyed Hash HMAC key Crypto W, E 1 generation key and Officer (Perform message SHA-1, (CO) approved Output: keyed SHA2-224, security Hash value SHA2-256, functions) SHA2-384, SHA2-512 SHA2-512/256 (except for A2860) (#A2855, #A2856, #A2854, #A2860) RSA Input for SigGen, RSA key pair Crypto W, E 1 signature SigGen: RSA SigVer (including Officer generation private key intermediate (CO) and and message Signature keygen verification Output: Generation values) signature Modulus: 2048, This document may be reproduced and distributed only in its original entirely without revision.
(Perform Input for 3072, 4096 approved SigVer: RSA Signature security public key and Verification functions) signature Modulus: 1024, Output: True 2048, 3072, or False 4096 (#A2855, #A2856, #A2854) ECDSA Input for SigGen, ECDSA key Crypto W,E 1 signature SigGen: SigVer pair Officer generation ECDSA private (including (CO) and key and P-224, P-256, P- intermediate verification message 384, P-512 keygen (Perform Output: values) approved signature (#A2855, security Input for #A2856, functions) SigVer: ECDSA #A2854) public key and signature Output: True or False Random Input: Entropy Random number Entropy Input Crypto G, R, 1 number input string, generation String, Seed, Officer W, E generation nonce Output: CTR_DRBG DRBG V and (CO) (Perform Random (#A2853, DRBG Key, approved numbers #A2852, random security #A2858, numbers functions) #A2859) (DRBG Output) HMAC_DRBG (#A2855, #A2854, #A2856) CKG KBKDF Input: key Key Derivation KBKDF key Crypto W, G, 1 (Perform derivation key derivation Officer R, E approved Output: KDF Mode: key, KBKDF (CO) security derived key Counter and derived key functions) Feedback MAC Mode: HMAC-SHA-1, HMAC-SHA2224, HMACThis document may be reproduced and distributed only in its original entirely without revision.
SHA2- 256, HMAC-SHA2384, HMACSHA2-512 (#A2856) CKG ECDSA (key Input: random KeyGen ECDSA Key Crypto W, G, 1 pair numbers pair Officer R, E generation) Output: Key Generation (including (CO) (Perform generated Modulus: 2048, intermediate approved private and 3072, 4096 keygen security public key pair values) functions) (#A2855, #A2856, #A2854) CKG RSA (key Input: random KeyGen RSA Key Pair Crypto W, G, 1 pair prime numbers (including Officer R, E generation) Output: Key Generation intermediate (CO) (Perform generated Modulus: 2048, keygen approved private and 3072, 4096 values) security public key pair functions) (#A2855, #A2856, #A2854) CKG Release all Input: handler N/A AES Key Crypto Z 1 resources of of symmetric Officer symmetric crypto function (CO) crypto context function Output: context zeroised and (Perform released zeroisation) memory space Release all Input: handler N/A HMAC key Crypto Z 1 resources of of hash Officer hash context (CO) context Output: (Perform released zeroisation) memory space Release of Input: handler N/A KBKDF key Crypto Z 1 all of key derivation Officer resources of derivation key, KBKDF (CO) key function derived key This document may be reproduced and distributed only in its original entirely without revision.
derivation context function Output: context zeroised and (Perform released zeroisation) memory space Release of Input: handler N/A RSA/EC/DH Crypto Z 1 all of asymmetric keys Officer resources of crypto function (CO) asymmetric context crypto Output: function zeroised and context released (Perform memory space zeroisation) Self-test Input: power AES-CBC All SSPs Crypto E 1 (Perform Output: (#A2852, Officer self-tests) Pass/Fail #A2853, (CO) status #A2850, #A2851); AES-CCM (#A2858, #A2859); AES-GCM (#A2858, #A2859); AES-XTS (#A2850, #A2851); AES-ECB (#A2852, #A2853, #A2850, #A2851, #A2858, #A2859); AES-KW (#A2852, #A2853); CTR_DRBG (#A2858, #A2853, #A2852, #A2859); This document may be reproduced and distributed only in its original entirely without revision.
HMAC_DRBG (#A2855, #A2854, #A2856); HMAC (#A2860, #A2855, #A2854, #A2856); RSA Signature Generation (#A2855, # A2854, #A2856); RSA Signature Verification (#A2855, # A2854, #A2856); ECDSA Signature Generation (#A2855, # A2854, #A2856); ECDSA Signature Verification (#A2855, # A2854, #A2856); KBKDF (#A2856); SHA2-384 (#A2856 #A2860 #A2855 #A2854) Show Input: KPI N/A None Crypto N/A Status Status invocation Officer returned Output: (CO) This document may be reproduced and distributed only in its original entirely without revision.
Operational/Er ror status Show Input: KPI N/A None Crypto N/A Versioning Module Info invocation Officer informatio (Show Output: (CO) n returned module’s Module Base versioning Name + information) Module Version Number Table 9
Service Description Algorithms Accessed Role Indicator Encryption : cipher text Input for Decryption : key an decipher text Output for Decryption : plain text RSA Key Wrapping The CAST does not RSA encrypt/decrypt Crypto 0 perform the full Officer KTS, only the raw (CO) RSA encrypt/decrypt. Input: RSA public key and key to be wrapped Output: wrapped key RSA Signature ANSI X9.31 Key RSA KeyGen, SigGen, Crypto 0 Generation/Signature Pair Generation SigVer Officer Verification/Key-pair Key Size < 2048 (CO) Generation PKCS#1 v1.5 and PSS Signature Generation Key Size < 2048 PKCS#1 v1.5 and PSS Signature Verification key size < 1024 ECDSA PKG, PKV, ECDSA keys with ECDSA PKG, PKV, Crypto 0 Signature curve P-192 SigGen/SigVer Officer Generation/Signature (CO) Verification Ed25519 Key 256-bit key Ed25519 KeyGen Crypto 0 Generation, Signature Ed25519 SigGen Officer Generation/Signature Ed25519 SigVer (CO) Verification ANSI X9.63 Key SHA-1 hash-based SHA-1 Crypto 0 Derivation Officer (CO) SP800-56Cr1 Key SHA2-256 hash- SHA2-256 Crypto 0 Derivation (HKDF) based Officer (CO) RFC6637 Key SHA hash based SHA2-256, SHA2-512, Crypto 0 Derivation AES-128, AES-256 Officer (CO) OMAC Message One-Key CBC MAC OMAC Crypto 0 Authentication Code using 128-bit key Officer Generation and (CO) Verification This document may be reproduced and distributed only in its original entirely without revision.
Service Description Algorithms Accessed Role Indicator Message digest Input: message MD2, MD4, RIPEMD Crypto 0 generation Output: message Officer digest (CO) Ed25519 Key Ed25519 Crypto 0 Agreement Officer Input: peer public (CO) key, own private key Output: shared secret Integrated Encryption Encrypt: ECIES Crypto 0 Scheme on elliptic Input: peer public Officer curves (ECIES) key, plaintext (CO) Encryption/Decryption Output: public key, ciphertext (with authentication tag) Decrypt: Input: authentication tag, ciphertext, own private key Output: plaintext message or error Table 10
5. Software/Firmware Security Integrity Techniques The Apple corecrypto Module v12 [Intel, Kernel, Software] is in the form of binary executable code. A software integrity test is performed on the runtime image of the module. The HMAC-SHA2-256 implemented in the module is used as an approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e. the module is not operational. The Software Integrity Key (HMAC-SHA2-256 with 256 bits of security strength), a non-SSP, is stored in the module binary computed during build. On-Demand Integrity Test The integrity test is also performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. It can also be invoked by powering-off and reloading the module to meet the on-demand request for integrity test. In addition, the module provides the Self-Test service to perform self-tests, including integrity test and algorithm tests, on demand. Software Loading The module does not support loading of any additional software. This document may be reproduced and distributed only in its original entirely without revision.
7. Physical Security The ISO/IEC 19790 physical security requirements do not apply to the Apple corecrypto Module v12 [Intel, Kernel, Software] since it is a software module. This document may be reproduced and distributed only in its original entirely without revision.
8. Non-invasive Security Currently, the non-invasive security is not required by FIPS 140-3 (see NIST SP 800-140F). The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.
9. Sensitive Security Parameter Management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module: Key/SSP Strengt Security Gener- Impor Establis Storage Zero- Use & Name/ h Function ation t h- isation related Type and Cert. /Expor ment keys Number t AES Key Size: AES N/A Import N/A N/A: The Automati Symmetr CSP 128, Encryption from module c ic 192, 256 / and does not zeroisati Encryptio Decryption Export provide on when n and Strength: to persisten structure Decrypti 128, CBC calling t is on 192, 256 (#A2850, applicat keys/SSP deallocat #A2851) ion s storage ed or ECB when the (#A2850, system is #A2851, powered #A2858, down #A2859) XTS (#A2850, #A2851), CCM (#A2858, #A2859), CTR (#A2852, #A2853, #A2858, #A2859) KW #A2850 HMAC Min: 112 HMAC N/A Import N/A N/A: The Automati Keyed Key bits generation from module c Hash CSP SHA-1, and does not zeroisati SHA2- Export provide on when 224, to persisten structure SHA2-256, calling t is SHA2-384, applicat keys/SSP deallocat SHA2-512 ion s storage ed or SHA2- when the 512/256 system is #A2860 This document may be reproduced and distributed only in its original entirely without revision.
Key/SSP Strengt Security Gener- Impor Establis Storage Zero- Use & Name/ h Function ation t h- isation related Type and Cert. /Expor ment keys Number t #A2855 powered #A2854 down #A2856 ECDSA Curves: ECDSA The key Import N/A N/A: The Automati Digital Key Pair P-224, KeyGen pairs are from module c signature CSP P-256, generated and does not zeroisati P-384, #A2855 conforman Export provide on when P-521 #A2854 t to to persisten structure #A2856 SP800- calling t is Strength: 133r2 applicat keys/SSP deallocat 112, CKG (CKG) ion s storage ed or 128, using when the 192, FIPS186-4 Interme system is
256 Key dia te powered
Generatio keygen down n method, values and the are not random output. RSA Key Modulus: RSA value used Import N/A N/A: The Automati Digital Pair CSP 2048, KeyGen in the key from module c Signatur 3072, generation and does not zeroisati e
4096 #A2855 is Export provide on when
#A2854 generated to persisten structure Strength: #A2856 using calling t is 112, SP800- applicat keys/SSP deallocat 128, CKG 90Ar1 ion s storage ed or
152 DRBG when the
Interme system is dia te powered keygen down values are not output. Entropy 256 bits ENT (P) Obtained Import N/A N/A: The Automati Random Input from the from module c Number String ENT OS; does not zeroisati Generati CSP No provide on when on Export persisten structure t is keys/SSP deallocat s storage ed or when the system is This document may be reproduced and distributed only in its original entirely without revision.
Key/SSP Strengt Security Gener- Impor Establis Storage Zero- Use & Name/ h Function ation t h- isation related Type and Cert. /Expor ment keys Number t powered down Seed 256 bits CTR_DRB Derived N/A N/A N/A: The Automati Random CSP G from module c Number #A2853 entropy does not zeroisati Generati #A2852 input provide on when on #A2858 string as persisten structure #A2859 defined by t is SP800- keys/SSP deallocat HMAC_DR 90Ar1 s storage ed or BG when the #A2855 system is #A2854 powered #A2856 down DRBG 256 bits CTR_DRB Generated N/A N/A N/A: The Automati Random Output G internally module c Number CSP #A2853 using the does not zeroisati Generati #A2852 approved provide on when on #A2858 DRBG persisten structure #A2859 t is keys/SSP deallocat HMAC_DR s storage ed or BG when the #A2855 system is #A2854 powered #A2856 down CKG DRBG 256 bits CTR_DRB Generated N/A N/A N/A: The Automati Random Key CSP G internally module c Number #A2853 using the does not zeroisati Generati #A2852 approved provide on when on #A2858 DRBG persisten structure #A2859 t is keys/SSP deallocat HMAC_DR s storage ed or BG when the #A2855 system is #A2854 powered #A2856 down This document may be reproduced and distributed only in its original entirely without revision.
Key/SSP Strengt Security Gener- Impor Establis Storage Zero- Use & Name/ h Function ation t h- isation related Type and Cert. /Expor ment keys Number t DRBG V 256 bits CTR_DRB Generated N/A N/A N/A: The Automati Random CSP G internally module c Number #A2853 using the does not zeroisati Generati #A2852 approved provide on when on #A2858 DRBG persisten structure #A2859 t is keys/SSP deallocat HMAC_DR s storage ed or BG when the #A2855 system is #A2854 powered #A2856 down KBKDF Min: 112 KBKDF N/A Import N/A N/A: The Automati Key Key bits Key ed from module c Derivatio Derivatio Derivation calling does not zeroisati n n Key applicat provide on when CSP KDF ion, persisten structure Mode: No t is Counter Export keys/SSP deallocat and s storage ed or Feedback when the system is MAC powered Mode: down HMACSHA-1, HMACSHA2-224, HMACSHA2256, HMACSHA2-384, HMACSHA2-512 #A2856 KBKDF Min: 112 SP800-108 Internally No N/A N/A: The Automati Key Derived bits KDF generated Import; module c Derivatio Key CSP #A2856 via SP800- Export does not zeroisati n
CKG KBKDF key calling persisten structure derivation applicat t is algorithm ion keys/SSP deallocat s storage ed or This document may be reproduced and distributed only in its original entirely without revision.
Key/SSP Strengt Security Gener- Impor Establis Storage Zero- Use & Name/ h Function ation t h- isation related Type and Cert. /Expor ment keys Number t when the system is powered down Table 11
Keys/SSPs Establishment The module provides the following key/SSP establishment services in the Approved mode: • AES-Key Wrapping The module implements a Key Transport Scheme (KTS) using AES-KW compliant to [SP80038F]. The SSP establishment methodology provides between 128 and 256 bits of encryption strength. • KBKDF Key Derivation The KBKDF is compliant to [SP800-108]. The module implements both Counter and Feedback modes with HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, or HMACSHA2-512 as the PRF. Keys/SSPs Import/Export All keys and SSPs that are entered from, or output to module, are entered from or output to the invoking application running on the same device. Keys/SSPs entered into the module are electronically entered in plain text form. Keys/SSPs are output from the module in plain text form if required by the calling application. The module allows the output of plaintext CSPs (i.e., EC/RSA Key Pairs). To prevent inadvertent output of sensitive information, the module performs the following two independent internal actions:
Keys/SSPs Zeroization Keys and SSPs are zeroised when the appropriate context object is destroyed or when the system is powered down. Input and output interfaces are inhibited while zeroisation is performed. Public Material
10. Self-tests The module performs pre-operational self-tests automatically when the module is loaded into memory; the pre- operational self-tests triggered at power-on ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The ISO/IEC 19790 only requires that software/firmware integrity test(s) and the requisite cryptographic algorithm(s) be tested during power-up, but the Apple corecrypto Module v12 [Intel, Kernel, Software] runs all Cryptographic Algorithm Tests (CASTs) during power-up as well. The following tests are performed each time the Apple corecrypto Module v12 [Intel, Kernel, Software] starts. If any of the following tests fails the device (tested platform) fails to startup. To invoke the self-tests (pre-operational integrity test as well as CASTs) on demand (and periodically), the user may reboot the system. While the module is executing the self-tests, services are not available and input and output are inhibited. The self-tests are implemented for the following algorithms:
ECDSA P-224 SHA2-224 Sig Gen KAT ECDSA P-224 SHA2-224 Sig Ver KAT KBKDF counter KAT NIST SP 800-90B Repetitive Count Test (RCT) NIST SP 800-90B Adaptive Proportion Test (APT)
prohibited. The only method to clear the error state is to power cycle the device. The module will only enter into the operational state after successfully passing the preoperational software integrity test and the Conditional CASTs. The module returns the “FAILED: fipspost_post_integrity” error indicator in case of a software integrity test failure, “FAILED: <algorithm>” in case of a CAST failure. Public Material
11. Life-cycle Assurance Delivery and Operation The module is built into macOS Monterey 12 and delivered with macOS. There is no standalone delivery of the module as a software library. The vendor’s internal development process guarantees that the correct version of module goes with its intended macOS version. For additional assurance, the module is digitally signed by vendor and it is verified during the integration into macOS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-SHA2-256 based integrity check performed by the module itself as its pre-operational self-test. No additional maintenance requirements apply. Crypto Officer Guidance The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 10 - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. A Crypto Officer Role Guide is provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of macOS Monterey 12 systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation. A link to the Guide can be found on the Product security, validations, and guidance page. Public Material
12. Mitigation of Other Attacks The module does not claim mitigation of other attacks. Public Material