iOS 6 security gets FIPS 140-2 Level 1 certification
updated 02:33 pm EDT, Tue May 7, 2013
A cryptographic component in iOS 6 has received FIPS (Federal Information Processing Standard) 140-2 Level 1 security certification from the US National Institute of Standards and Technology, says TUAW. In particular, the NIST says that when running in FIPS mode, iOS 6's CoreCrypto Kernel Module 3.0 "generates cryptographic keys whose strengths are modified by available entropy." The module is identified as "a software cryptographic module running on a multi-chip standalone mobile device and provides services intended to protect data in transit and at rest."
Level 1 certification reflects a relatively low level of security, since there are no special physical measures involved. CoreCrypto was reportedly tested on an iPhone 4, iPhone 4S, and an iPad, but it's unconfirmed if the FIPS certification carries over to any device capable of running iOS 6.
The approval may be a significant step towards wider US government adoption of iOS devices. iOS 6 is already believed to be on the path to getting Department of Defense approval, which could eventually see it and/or Android replacing BlackBerry phones for some purposes.
Fresh-Faced Recruit
Joined: 03-24-09
Check out http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm for approved modules. It says it is approved for iOS6 on both iPhone and iPad. The remaining iOS CoreCrypto Module is still under the finalization step (same step for OSX CoreCrypto Kernel Module and OSX CoreCrypto Module). Once the basic CoreCrypto Module has received FIPS 140-2 approval, any application making use of the iOS cryptographic suite will be able to make use of the FIPS certification removing one more barrier to governmental use. Of course, these barriers are more political than technical and serve are a justification NOT to use a particular product more than they are used to justify using one. Apple does not pursue certification on every iOS or OSX version since it takes so long to go through the approval process. If a highly placed manager wants a particular product that doesn't have FIPS certification, there are always ways to get around this technicality.