FIPS 201 Framework: Special Pubs 80073,76,78 - PowerPoint PPT Presentation

About This Presentation
Title:

FIPS 201 Framework: Special Pubs 80073,76,78

Description:

Part 1: Migration Issues. Some agencies have smart card deployments. Government Smart Card Interoperability Specification (NISTIR 6887) ... – PowerPoint PPT presentation

Number of Views:52
Avg rating:3.0/5.0
Slides: 25
Provided by: Dod90
Category:

less

Transcript and Presenter's Notes

Title: FIPS 201 Framework: Special Pubs 80073,76,78


1
FIPS 201 FrameworkSpecial Pubs 800-73,76,78
  • Jim Dray
  • HSPD-12 Workshop
  • May 4/5, 2005

2
Special Publication 800-73
  • PIV card application definition
  • NOT a general purpose card platform spec!
  • Part 1 Common data model and migration
  • Part 2 Transition card interfaces
  • Part 3 End point specification

3
Part 1 Mandatory Data Objects
  • PIV credential element objects
  • Card Capability Container Discovery
  • Cardholder Unique Identifier PACS 2.2
  • PIV Authentication Key
  • Fingerprint Buffers (2)
  • Security Object

4
Part 1 Optional Data Objects
  • Optional PIV credential element objects
  • Printed Information
  • Facial Image
  • Digital Signature Key
  • Key Management Key
  • Card Authentication Key

5
Part 1 Migration Issues
  • Some agencies have smart card deployments
  • Government Smart Card Interoperability
    Specification (NISTIR 6887)
  • Migration path is based on continuity of the PIV
    data model
  • Legacy agencies MAY use Part 2 transition
    specification

6
SP800-73 Part 2
  • Essentially a PIV profile of GSC-IS
  • Maintains the GSC-IS dual card interfaces
  • File system
  • Virtual Machine
  • Developed by the Government Smart Card
    Interagency Advisory Board
  • Part 2 is informative

7
SP800-73 Part 3
  • Unified card command interface
  • Compliant with existing international standards
    (ISO 7816)
  • Technology neutrality Implementable on any card
    platform
  • Essential features for
  • High degree of PIV card interoperability
  • Future-proofing PIV framework

8
Part 3 Data Model
  • Data model is common to both Parts 2 and 3
  • Different identifiers (BER-TLV) used at the card
    edge in Part 3

9
Part 3 Standard Namespaces
  • ASN.1 Object Identifiers in the PIV arc of the
    Computer Security Object Register at the Client
    Application Programming Interface
  • PIV RID is the root of card Application
    Identifiers(AIDs)
  • BER-TLV tags for data objects at the card
    interface

10
Part 3 PIV Card Application
  • AID is A0 00 00 xx xx 00 00 10 00 01 00
  • Full PIV RID to be published by NIST
  • Access Control Rules applied to PIV credential
    objects
  • Provides a set of 8 ISO compliant card interface
    commands
  • Restricted functionality in contactless mode

11
Part 3 Client Application Programming Interface
  • Equivalent to GSC-IS Basic Services Interface
  • Provides 9 higher level commands
  • Implemented by middleware
  • PIV middleware is MUCH simpler than GSC-IS
    middleware because card command mapping is not
    required

12
Part 3 Reference Implementation
  • Part 3 compliant implementation
  • PIV card application running in a card simulator
  • Middleware
  • Publicly available
  • Basis for conformance tests
  • Estimated completion date June 25

13
SP800-73 Summary
  • PIV II card application and client application
    programming interface spec
  • Informative Part 2 transition specification for
    migrating legacy GSC-IS deployments
  • Normative Part 3 end point specification
  • All agencies are to reach full deployment of Part
    3 PIV cards by the end of their PIV II Phase,
    regardless of the migration path chosen.

14
Special Publication 800-78 Overview
  • FIPS 201 relies on cryptography
  • To protect objects stored on the PIV card
  • To authenticate the PIV card or cardholder
  • To authenticate the source and integrity of
    status information

15
Cryptographic Strength Requirements
  • SP 800-78 mandates a transition from 80 bit
    strength to 112 bits of strength by 1/1/2011
  • Cryptographic keys that provide long term data
    protection transition by 1/1/2009 to provide two
    years forward security
  • Elliptic Curve Cryptography is specified with a
    minimum of 112 bits of strength (224 bit keys)
  • Avoid transition issues

16
Cryptographic Objects Stored on the PIV Card
  • FIPS 201 specified
  • Cryptographic keys
  • Digitally signed objects
  • CHUID
  • Biometrics
  • X.509 Certificates
  • SP 800-073 specified
  • Authentication/Integrity Object

17
Cryptographic keys
  • Asymmetric private keys
  • PIV Authentication key (Mandatory)
  • Digital Signature key (Optional)
  • Key Management key (Optional)
  • May support key transport or key agreement
  • Card Management Key (Optional)
  • Symmetric key
  • PIV Cardholder Authentication Key (Optional)
  • May be symmetric or asymmetric

18
Asymmetric Algorithms for Cryptographic Keys
  • SP 800-78 limits asymmetric keys to RSA and ECC
  • RSA must be 1024/2048/3072
  • 1024 bit keys phased out by 1/1/2011
  • Digital signature and key management keys
    transition by 1/1/2008 to provide for forward
    security
  • Authentication keys transition by 1/1/2011 since
    forward security is not an issue
  • ECC must use a recommended curve from FIPS 186-2
  • 224 through 283 bit keys
  • No phase out specified

19
Symmetric Algorithms for Cryptographic Keys
  • SP 800-78 limits symmetric keys to Triple DES
    (TDEA) and AES
  • TDEA must be two key or three key
  • Two key TDEA phased out by 1/1/2011
  • AES may be 128, 192, or 256 bit keys
  • No phase out specified

20
Digitally Signed Objects
  • Signatures may be generated using RSA or ECDSA
  • RSA may use PKCS 1 or PSS padding schemes
  • SHA-1, SHA-224, and SHA-256 hash algorithms
  • SHA-1 phased out by 1/1/2011
  • Phase out depends on card expiration, not
    signature generation date

21
SP 800-73 Security Object
  • ICAO Authentication/Integrity Object
  • Digitally signed hash table
  • The table includes a message digest for each of
    the objects (CHUID, keys, etc.) stored on the
    card
  • Message digests are generated using SHA-1,
    SHA-224, or SHA-256
  • SHA-1 phased out by 1/1/2011
  • Signature requirements from previous slide

22
Status Information
  • FIPS 201 relies upon digitally signed X.509 CRLs
    and OCSP responses to distribute status
    information
  • Signatures may be generated using RSA or ECDSA
  • RSA may use PKCS 1 or PSS padding schemes
  • SHA-1, SHA-224, and SHA-256 hash algorithms
  • SHA-1 phased out by 1/1/2011
  • Phase out depends on signature generation date

23
Special Publication 800-76
  • Biometric Data Specification for Personal
    Identity Verification
  • Major issue Minutia vs. full image
  • File size
  • Interoperability
  • Privacy
  • Still in draft form

24
Contact Information
Curt Barker (william.barker_at_nist.gov) PIV
Program Manager Jim Dray (james.dray_at_nist.gov )
SP800-73 Terry Schwarzhoff (teresa.schwarzhoff_at_nis
t.gov) NIST Smart Card Program Manager,
Standards Lead NIST PIV Website
http//csrc.nist.gov/piv-project
Write a Comment
User Comments (0)
About PowerShow.com