
Apple operating system security certifications overview
Apple maintains U.S. Federal Information Processing Standard (FIPS) 140-2/-3 Conformance Validation Certificates for sepOS and T2 firmware, as well as other certifications. Apple starts with certification building blocks that apply broadly across multiple platforms where appropriate. One building block is the validation of corecrypto, which is used for software and hardware cryptographic module deployments within Apple-developed operating systems. A second building block is the certification of the Secure Enclave, which is embedded in many Apple devices. A third is the certification of the Secure Element (SE), found in Apple devices with Touch ID and devices with Face ID. These hardware certification building blocks form a foundation for broader platform security certifications.
Cryptographic algorithm validations
Validation of the implementation correctness of many cryptographic algorithms and related security functions is a prerequisite for FIPS 140-3 validation and supportive of other certifications. Validation is managed by the NIST Cryptographic Algorithm Validation Program (CAVP). Certificates of validation for Apple implementations can be found using the CAVP search facility.
Cryptographic module validations FIPS 140-2/3 (ISO/IEC 19790)
The cryptographic modules in Apple operating systems have been repeatedly validated by the Cryptographic Module Validation Program (CMVP) as being conformant with U.S. Federal Information Processing Standards (FIPS) 140-2 following each major release of the operating systems since 2012. After each major release, Apple submits all modules to the CMVP for full cryptographic validation. These validated modules provide cryptographic operations for Apple-provided services and are available for third-party apps to use.
Apple achieves Security Level 1 each year for the software-based modules “Corecrypto Module for Intel” and “Corecrypto Kernel Module for Intel” for macOS. For Apple silicon, the modules “Corecrypto Module for ARM” and “Corecrypto Kernel Module for ARM” are applicable to iOS, iPadOS, tvOS, watchOS and to the firmware in the embedded Apple T2 Security Chip in Mac computers.
In 2019, Apple achieved the first FIPS 140-2 Security Level 2 for the embedded hardware cryptographic module identified as “Apple Corecrypto Module: Secure Key Store,” enabling U.S. government-approved use of the keys generated and managed in the Secure Enclave. Apple continues to pursue validations for the hardware cryptographic module with each successive major operating system release.
FIPS 140-3 was approved by the U.S. Department of Commerce in 2019. The most notable change in this version of the standard is the specification of ISO/IEC standards—in particular, ISO/IEC 19790:2015 and the associated testing standard ISO/IEC 24759:2017. The CMVP has initiated a transition program and has indicated that starting in 2020, cryptographic modules will begin to be validated using FIPS 140-3 as a basis. Apple cryptographic modules will aim to meet and transition to the FIPS 140-3 standard as soon as practicable.
For cryptographic modules currently in the testing and validation processes, the CMVP maintains two separate lists that may contain information about proposed validations. For cryptographic modules under testing with an accredited laboratory, the Implementation Under Test List may list the module. After the laboratory has completed testing and recommends validation by the CMVP, the Apple cryptographic modules appear in the Modules in Process List. Currently, the laboratory testing is complete and is waiting for validation of the testing by the CMVP. Because the length of the evaluation process can vary, look at the above two process lists to determine the current status of Apple cryptographic modules between the date of a major operating system release and the issuance of the validation certificate by the CMVP.
Product certifications (Common Criteria ISO/IEC 15408)
Common Criteria (ISO/IEC 15408) is a standard that’s used by many organizations as a basis for performing security evaluations of IT products.
For certifications that may be mutually recognized under the international Common Criteria Recognition Arrangement (CCRA), see the Common Criteria Portal. The Common Criteria standard may also be used outside the CCRA by national and private validation schemes. In Europe, mutual recognition is governed under the SOG-IS agreement as well as the CCRA.
The goal, as stated by the Common Criteria community, is for an internationally approved set of security standards to provide a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product’s ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.
Through the CCRA, member countries have agreed to recognize the certification of Information Technology products with the same level of confidence. Evaluations required before certification are extensive and include:
Protection Profiles (PPs)
Security Targets (STs)
Security Functional Requirements (SFRs)
Security Assurance Requirements (SARs)
Evaluation Assurance Levels (EALs)
Protection Profiles (PPs) are documents that specify security requirements for a class of device types (such as Mobility) and are used to provide comparability between the evaluations of IT products within the same class. Membership of the CCRA, along with an increasing list of approved PPs, continues to grow on a yearly basis. This arrangement permits a product developer to pursue a single certification under any one of the certificate authorizing schemes and have it recognized by any of the certificate consuming signatories.
Security Targets (STs) define what will be evaluated when an IT product is being certified. The STs are translated into more specific Security Functional Requirements (SFRs), which are used to evaluate the STs in more detail.
The Common Criteria (CC) also includes Security Assurance Requirements. One commonly identified metric is the Evaluation Assurance Level (EAL). EALs group together frequently occurring sets of SARs and may be specified in PPs and STs to support comparability.
Many older PPs have been archived and are being replaced with targeted PPs, which are being developed and focus on specific solutions and environments. In a concerted effort to ensure continued mutual recognition across all CCRA members, international Technical Communities (iTCs) have been established to develop and maintain collaborative Protection Profiles (cPPs), which are developed from the start with involvement from CCRA signatory schemes. PPs targeted for user groups and mutual recognition arrangements other than the CCRA continue to be developed by appropriate stakeholders.
Apple began pursuing certifications under the updated CCRA with selected cPPs starting in early 2015. Since then, Apple has achieved Common Criteria certifications for each major iOS release and has expanded coverage to include the security assurance provided by new PPs.
Apple takes an active role within the technical communities focused on evaluating mobile security technologies. These include the iTCs responsible for developing and updating cPPs. Apple continues to evaluate and pursue certifications against current PPs and cPPs.
Apple platform certifications for the North America market are generally performed with the National Information Assurance Partnership (NIAP), which maintains a list of projects currently in evaluation but not yet certified.
In addition to the general platform certificates listed, other certificates have been issued in order to demonstrate specific security requirements for some markets.
For questions about Apple Security and Privacy Certifications, contact security-certifications@apple.com.