How to set up and maintain a FIPS-enabled Mac OS X v10.6 Snow Leopard system
The FIPS validated cryptographic module that ships with Mac OS X v10.6 Snow Leopard requires an additional setup step to place the system into “FIPS Mode” for full compliance. The FIPS Administration Installer must be obtained and installed on the system by the System Administrator (Crypto Officer).
How to install the FIPS Administration Tools
The FIPS Administration Installer is available here. For complete instructions about FIPS Administration Installation and management, refer to the FIPS Administration Tools Crypto Officer Role Guide.
- Log in as an administrator on the target computer system where the tools will be installed.
- Double-click the FIPS Administration Installer package.
- Click Continue after reading the information on the Introduction page.
- Click Continue after reading the information on the Read Me page. You can also Print or Save the information on this page as needed.
- Click Continue after reading the Software License Agreement on the License page. You can also Print or Save the information on this page as needed.
- Click Agree if you agree with the terms of the software license. Otherwise click Disagree and the installer will exit.
- Select the Mac OS X volume to install the FIPS Administration Tools, then click Continue on the Destination Select page. The FIPS Administration Tools should only be installed on the startup (boot) volume.
- Click the Install button.
- Enter your administrator username and password.
- Click Continue Installation with the understanding that the computer must be restarted once the installation is complete.
- Click Restart.
To verify that the FIPS Administration Tools were installed successfully
The FIPS Administration Tools installation can be verified by ensuring the system is in “FIPS Mode”.
Verify the system is in FIPS Mode by executing the following in a Terminal window:
The result should be:
[FIPSPerformSelfTest][ModeStatus] FIPS Mode Status : ENABLED
There are two other places where you can manually verify that the FIPS Administration Tools were successfully installed:
- The first place to verify is in /System/Library/LaunchDaemons/ for the file named:
- The second place to verify is in the /usr/sbin/fips folder that is created during the installation. The Tools installed in that folder are:
- FIPSPerformSelfTest – (Power-On-Self-Test Tool)
- CryptoKAT – (CRYPTO Algorithm Known Answer Test Tool)
- postsig – (DSA/ECDSA Signature Test Tool)
About the FIPS 140-2 Validated Cryptographic Module in Mac OS X v10.6
Several security services in Snow Leopard are built on the Common Data Security Architecture (CDSA). The architecture is a set of layered security services in which the AppleCSP (Apple Cryptographic Service Provider) provides the cryptography for any Apple and third-party software products using CDSA.
For purposes of the FIPS 140-2 validation process, the AppleCSP and related components are collectively referred to as “Apple FIPS Cryptographic Module (Software Version: 1.0)”. This module has received FIPS 140-2 Level 1 Conformance Validation certificate #1514, and is posted to the CMVP webpage listing “Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules".
Background on NIST/CSEC CMVP and FIPS 140-2
The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
The main website for the NIST/CSEC CMVP is hosted by NIST, and contains complete details on the program, all the related standards and documents, as well as the official lists of FIPS 140-1 and FIPS 140-2 validated cryptographic modules.
FIPS 140-2 refers specifically to the security requirements for cryptographic modules. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. A complete description of each level can be found within the FIPS 140-2 publication found on the NIST website (FIPS PUB 140-2).
Cryptographic Modules validated as conforming to FIPS 140-2 are accepted by the Federal Agencies of both countries for the protection of sensitive information.