About Apple security certifications
Apple maintains a security certifications program in order to meet global requirements for security assurance.
The approach starts with certification building blocks that apply broadly across multiple platforms where appropriate. One building block is the validation of corecrypto, which is used for software and hardware cryptographic module deployments within Apple developed operating systems. A second building block is the certification of the Secure Enclave, which is embedded in many Apple devices. A third is the certification of the Secure Element (SE), found in Apple devices with Face ID and Touch ID. These hardware certification building blocks form a foundation for broader platform security certifications.
Apple builds on these certifications of core security functionality to provide the foundation for further certifications for operating systems, applications and security-related features such as strong authentication.
Cryptographic algorithm validations
Validation of the implementation correctness of many cryptographic algorithms and related security functions is a prerequisite for FIPS 140-3 validation and supportive of other certifications. Validation is managed by the National Institute of Standards and Technology (NIST) Cryptographic Algorithm Validation Program (CAVP). Certificates of validation for Apple implementations can be found using the CAVP search facility. For more information, see the Cryptographic Algorithm Validation Program (CAVP) website.
Cryptographic module validations: FIPS 140-2/3 (ISO/IEC 19790)
Apple’s cryptographic modules have been repeatedly validated by the Cryptographic Module Validation Program (CMVP) as being conformant with U.S. Federal Information Processing Standard for cryptographic modules (FIPS 140-2) following each major release of the operating systems since 2012. After each major release, Apple submits the modules to the CMVP for validation of conformance with the standard. As well as being used by Apple operating systems and apps, these modules provide cryptographic functionality for Apple-provided services and are available for third-party apps to use.
Apple achieves Security Level 1 each year for the software-based modules “Corecrypto Module for Intel” and “Corecrypto Kernel Module for Intel” for macOS. For Apple silicon, the modules “Corecrypto Module for ARM” and “Corecrypto Kernel Module for ARM” are applicable to iOS, iPadOS, tvOS, watchOS and to the firmware in the embedded Apple T2 Security Chip in Mac computers.
In 2019, Apple achieved the first FIPS 140-2 Security Level 2 for the embedded hardware cryptographic module identified as “Apple Corecrypto Module: Secure Key Store,” enabling US government approved use of the keys generated and managed in the Secure Enclave. Apple continues to pursue validations for the hardware cryptographic module with each successive major operating system release.
FIPS 140-3 was approved by the U.S. Department of Commerce in 2019. The most notable change in this version of the standard is the specification of ISO/IEC standards—in particular, ISO/IEC 19790:2015 and the associated testing standard ISO/IEC 24759:2017. The CMVP has initiated a transition program and has indicated that starting in 2020, cryptographic modules will begin to be validated using FIPS 140-3 as a basis. Apple cryptographic modules will aim to meet and transition to the FIPS 140-3 standard as soon as practicable.
For cryptographic modules currently in the testing and validation processes, the CMVP maintains two separate lists that may contain information about proposed validations. For cryptographic modules under testing with an accredited laboratory, the Implementation Under Test List may list the module. After the laboratory has completed testing and recommends validation by the CMVP, the Apple cryptographic modules appear in the Modules in Process List. Currently, the laboratory testing is complete and is waiting for validation of the testing by the CMVP. Because the length of the evaluation process can vary, look at the above two process lists to determine the current status of Apple cryptographic modules between the date of a major operating system release and the issuance of the validation certificate by the CMVP.
Product certifications: Common Criteria (ISO/IEC 15408)
Common Criteria (ISO/IEC 15408) is a standard that’s used by many organizations as a basis for performing security evaluations of IT products.
For certifications that may be mutually recognized under the international Common Criteria Recognition Arrangement (CCRA), see the Common Criteria portal. The Common Criteria standard may also be used outside the CCRA by national and private validation schemes. In Europe, mutual recognition is governed under the SOG-IS agreement as well as the CCRA.
The goal, as stated by the Common Criteria community, is for an internationally approved set of security standards to provide a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product’s ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.
Through the CCRA, member countries have agreed to recognize the certification of Information Technology products with the same level of confidence. Evaluations required before certification are extensive and include:
Protection Profiles (PPs)
Security Targets (STs)
Security Functional Requirements (SFRs)
Security Assurance Requirements (SARs)
Evaluation Assurance Levels (EALs)
Protection Profiles (PPs) are documents that specify security requirements for a class of device types (such as Mobility) and are used to provide comparability between the evaluations of IT products within the same class. Membership of the CCRA, along with an increasing list of approved PPs, continues to grow on a yearly basis. This arrangement permits a product developer to pursue a single certification under any one of the certificate authorizing schemes and have it recognized by any of the certificate consuming signatories.
Security Targets (STs) define what will be evaluated when an IT product is being certified. The STs are translated to more specific Security Functional Requirements (SFRs), used for evaluating the STs in more detail.
The Common Criteria (CC) also includes Security Assurance Requirements. One commonly identified metric is the Evaluation Assurance Level (EAL). EALs group together frequently occurring sets of SARs and may be specified in PPs and STs to support comparability.
Many older PPs have been archived and are being replaced with targeted PPs, which are being developed and focus on specific solutions and environments. In a concerted effort to ensure continued mutual recognition across all CCRA members, international Technical Communities (iTCs) have been established to develop and maintain collaborative Protection Profiles (cPPs), which are developed from the start with involvement from CCRA signatory schemes. PPs targeted for user groups and mutual recognition arrangements other than the CCRA continue to be developed by appropriate stakeholders.
Apple began pursuing certifications under the updated CCRA, with selected cPPs starting in early 2015. Since then, Apple has achieved Common Criteria certifications for iOS, iPadOS, and macOS, as well as for some key Apple apps. It’s also expanded coverage to include the security assurance provided by new PPs.
Apple also takes an active role within the technical communities that are developing and updating PPs and cPPs.
For questions about Apple Security and Privacy Certifications, contact security-certifications@apple.com.