I'm starting to dive into a customer requirement that we use FIPS 140-2 for data at rest and data in transit. From my (limited) reading so far, it sounds like iOS 7 and up have FIPS support built in. I've also seen articles on the subject (iOS with FIPS) point to building OpenSSL and including that in your project to get FIPS support. I'm not sure why OpenSSL is necessary if FIPS is already included in iOS 7+. Am I missing something?
Why use OpenSSL for FIPS 140-2 vs relying on CoreCrypto on iOS?
825 views. Asked by Chris Williams. There are 3 answers.
At the time of this writing OpenSSL FIPS is pretty much broken for newer Apple devices and versions of iOS past 6, because getting it to compile requires heavy modification of the build process, which is absolutely disallowed for FIPS compliance. You get a library, but not FIPS compliance unless you re-certify. Try stepping through the documented build process to observe the minefield. Community contributions to help resolve the issues have not been incorporated. It is also not very secure because it isn't responsively updated for threats. Heartbleed will be with us for years, but CommonCrypto turns on a dime in comparison, being re-certified as needed and updated along with other OS updates. Use Apple CommonCrypto.
One of the many threads about why it is broken: https://groups.google.com/forum/#!topic/mailing.openssl.users/V_HITNhWaDA
A related (not duplicate) question by me. The only answer breaks FIPS compliance. Unknown cpu type when compiling OpenSSL FIPS Capable libraries for arm64 or arm7s
Why use OpenSSL for FIPS 140-2 vs relying on CoreCrypto on iOS?
OpenSSL is available on a wider array of iOS platforms. For example, OpenSSL includes iOS 5 through iOS 7 using the A4 through A6 processors. There are more iOS validations, but they have not been given to the public under Certificate 1747. For example, the foundation already has an iOS 8 validation in progress.
In addition, OpenSSL is available on non-Apple platforms. The latter is appealing because it means the same code base can be used on multiple platforms, including Windows, Linux and Android.
Apple got its first validation in May 2013, which meant there was nothing available from Apple from 2010 to summer of 2013. That was a big void. Apple still only provides a validated module up to iOS 7.
And during the time of missing vendor support, Apple made it appear they had a validated module through their marketing literature. (Apple had a "Module In Progress", which is different than a "Validated Module". And it took them years to get it validated, which was kind of unheard of).
As someone who follows these things, Apple's tactics from 2010 through 2013 were clearly meant to confuse those who were looking for FIPS 140 validated modules. (I wrote to the CMVP about Apple's despicable practices. The CMVP will request a Cease and Desist order for vendors like Apple. Apple is not the only vendor to confuse and lie to folks - CipherCloud did it too).
Unless you need some functionality that is in OpenSSL that is not in Common Crypto, use Common Crypto.
The reason that Apple no longer supplies OpenSSL is due to many instances where SSL is not backward compatible and an Apple-supplied current version may not be compatible with an app that was built with an earlier version.
Further, Common Crypto uses the built-in hardware crypto and OpenSSL may not.