Module Name

Apple macOS CoreCrypto Module, v7.0

Standard

FIPS 140-2

Status

Active

Sunset Date

2/1/2022

Validation Dates

02/02/2017;03/11/2021

Overall Level

1

Caveat

When operated in FIPS mode. The module generates cryptographic keys whose strengths are modified by available entropy

Security Level Exceptions

• Physical Security: N/A

Module Type

Software

Embodiment

Multi-Chip Stand Alone

Description

The Apple macOS CoreCrypto Module is a software cryptographic module running on a multi-chip standalone mobile device and provides services intended to protect data in transit and at rest.

Tested Configuration(s)

• macOS Sierra v10.12.2 running on Mac mini with i5 CPU with PAA
• macOS Sierra v10.12.2 running on Mac mini with i5 CPU without PAA
• macOS Sierra v10.12.2 running on MacBook Pro with i7 CPU with PAA
• macOS Sierra v10.12.2 running on MacBook Pro with i7 CPU without PAA
• macOS Sierra v10.12.2 running on MacBook with Core M CPU with PAA
• macOS Sierra v10.12.2 running on MacBook with Core M CPU without PAA (single-user mode)
• macOS Sierra v10.12.2 running on MacPro with Xeon CPU with PAA
• macOS Sierra v10.12.2 running on MacPro with Xeon CPU without PAA

FIPS Algorithms

AES	Certs. #4191, #4192, #4193, #4194, #4195, #4196, #4197, #4198, #4207, #4208, #4209, #4210, #4211, #4212, #4213, #4214, #4215, #4216, #4217, #4218, #4219, #4220, #4221, #4222, #4223, #4224, #4225, #4226, #4227, #4228, #4229, #4230, #4270, #4271, #4272, #4273, #4274, #4275, #4276 and #4277
CVL	Certs. #972, #973, #974, #975, #976, #977, #978 and #979
DRBG	Certs. #1291, #1292, #1293, #1294, #1295, #1296, #1297, #1298, #1299, #1300, #1301, #1302, #1303, #1304, #1305, #1306, #1307, #1308, #1309, #1310, #1311, #1312, #1313 and #1314
ECDSA	Certs. #968, #969, #970, #971, #972, #973, #974 and #975
HMAC	Certs. #2746, #2747, #2748, #2749, #2750, #2751, #2752, #2753, #2754, #2755, #2756, #2757, #2758, #2759, #2760, #2761, #2762, #2763, #2764, #2765, #2766, #2767, #2768, #2769, #2796, #2797, #2798, #2799, #2800, #2801 and #2809
KTS	AES Certs. #4215, #4216, #4217, #4218, #4219, #4220, #4221, #4222, #4223, #4224, #4225, #4226, #4227, #4228, #4229, #4230, #4270, #4271, #4272, #4273, #4274, #4275, #4276 and #4277; key establishment methodology provides between 128 and 160 bits of encryption strength
KTS	vendor affirmed
PBKDF	vendor affirmed
RSA	Certs. #2275, #2276, #2277, #2278, #2279, #2280, #2281 and #2282
SHS	Certs. #3444, #3445, #3446, #3447, #3448, #3449, #3450, #3451, #3452, #3453, #3454, #3455, #3456, #3457, #3458, #3459, #3460, #3461, #3462, #3463, #3464, #3465, #3466, #3467, #3497, #3498, #3499, #3500, #3501, #3502 and #3510
Triple-DES	Certs. #2283, #2284, #2285, #2286, #2287, #2288, #2289 and #2290

Other Algorithms

Diffie-Hellman (key agreement; key establishment methodology provides 112 or 128 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 or 160 bits of encryption strength); NDRNG; RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength; non-compliant less than 112 bits of encryption strength); AES (non-compliant); ANSI X9.63 KDF; Blowfish; CAST5; DES; ECDSA (non-compliant); Ed25519; Hash_DRBG (non-compliant); Integrated Encryption Scheme on elliptic curves; KBKDF (non-compliant); MD2; MD4; MD5; OMAC (One-Key CBC MAC); RC2; RC4; RFC6637 KDF; RIPEMD; RSA (non-compliant); SP800-56C KDF (non-compliant); Triple-DES (non-compliant)

Software Versions

7.0