Title: FIPS 201 Framework: Special Pubs 80073,76,78
1FIPS 201 FrameworkSpecial Pubs 800-73,76,78
- Jim Dray
- HSPD-12 Workshop
- May 4/5, 2005
2Special Publication 800-73
- PIV card application definition
- NOT a general purpose card platform spec!
- Part 1 Common data model and migration
- Part 2 Transition card interfaces
- Part 3 End point specification
3Part 1 Mandatory Data Objects
- PIV credential element objects
- Card Capability Container Discovery
- Cardholder Unique Identifier PACS 2.2
- PIV Authentication Key
- Fingerprint Buffers (2)
- Security Object
4Part 1 Optional Data Objects
- Optional PIV credential element objects
- Printed Information
- Facial Image
- Digital Signature Key
- Key Management Key
- Card Authentication Key
5Part 1 Migration Issues
- Some agencies have smart card deployments
- Government Smart Card Interoperability
Specification (NISTIR 6887) - Migration path is based on continuity of the PIV
data model - Legacy agencies MAY use Part 2 transition
specification
6SP800-73 Part 2
- Essentially a PIV profile of GSC-IS
- Maintains the GSC-IS dual card interfaces
- File system
- Virtual Machine
- Developed by the Government Smart Card
Interagency Advisory Board - Part 2 is informative
7SP800-73 Part 3
- Unified card command interface
- Compliant with existing international standards
(ISO 7816) - Technology neutrality Implementable on any card
platform - Essential features for
- High degree of PIV card interoperability
- Future-proofing PIV framework
8Part 3 Data Model
- Data model is common to both Parts 2 and 3
- Different identifiers (BER-TLV) used at the card
edge in Part 3
9Part 3 Standard Namespaces
- ASN.1 Object Identifiers in the PIV arc of the
Computer Security Object Register at the Client
Application Programming Interface - PIV RID is the root of card Application
Identifiers(AIDs) - BER-TLV tags for data objects at the card
interface
10Part 3 PIV Card Application
- AID is A0 00 00 xx xx 00 00 10 00 01 00
- Full PIV RID to be published by NIST
- Access Control Rules applied to PIV credential
objects - Provides a set of 8 ISO compliant card interface
commands - Restricted functionality in contactless mode
11Part 3 Client Application Programming Interface
- Equivalent to GSC-IS Basic Services Interface
- Provides 9 higher level commands
- Implemented by middleware
- PIV middleware is MUCH simpler than GSC-IS
middleware because card command mapping is not
required
12Part 3 Reference Implementation
- Part 3 compliant implementation
- PIV card application running in a card simulator
- Middleware
- Publicly available
- Basis for conformance tests
- Estimated completion date June 25
13SP800-73 Summary
- PIV II card application and client application
programming interface spec - Informative Part 2 transition specification for
migrating legacy GSC-IS deployments - Normative Part 3 end point specification
- All agencies are to reach full deployment of Part
3 PIV cards by the end of their PIV II Phase,
regardless of the migration path chosen.
14Special Publication 800-78 Overview
- FIPS 201 relies on cryptography
- To protect objects stored on the PIV card
- To authenticate the PIV card or cardholder
- To authenticate the source and integrity of
status information
15Cryptographic Strength Requirements
- SP 800-78 mandates a transition from 80 bit
strength to 112 bits of strength by 1/1/2011 - Cryptographic keys that provide long term data
protection transition by 1/1/2009 to provide two
years forward security - Elliptic Curve Cryptography is specified with a
minimum of 112 bits of strength (224 bit keys) - Avoid transition issues
16Cryptographic Objects Stored on the PIV Card
- FIPS 201 specified
- Cryptographic keys
- Digitally signed objects
- CHUID
- Biometrics
- X.509 Certificates
- SP 800-073 specified
- Authentication/Integrity Object
17Cryptographic keys
- Asymmetric private keys
- PIV Authentication key (Mandatory)
- Digital Signature key (Optional)
- Key Management key (Optional)
- May support key transport or key agreement
- Card Management Key (Optional)
- Symmetric key
- PIV Cardholder Authentication Key (Optional)
- May be symmetric or asymmetric
18Asymmetric Algorithms for Cryptographic Keys
- SP 800-78 limits asymmetric keys to RSA and ECC
- RSA must be 1024/2048/3072
- 1024 bit keys phased out by 1/1/2011
- Digital signature and key management keys
transition by 1/1/2008 to provide for forward
security - Authentication keys transition by 1/1/2011 since
forward security is not an issue - ECC must use a recommended curve from FIPS 186-2
- 224 through 283 bit keys
- No phase out specified
19Symmetric Algorithms for Cryptographic Keys
- SP 800-78 limits symmetric keys to Triple DES
(TDEA) and AES - TDEA must be two key or three key
- Two key TDEA phased out by 1/1/2011
- AES may be 128, 192, or 256 bit keys
- No phase out specified
20Digitally Signed Objects
- Signatures may be generated using RSA or ECDSA
- RSA may use PKCS 1 or PSS padding schemes
- SHA-1, SHA-224, and SHA-256 hash algorithms
- SHA-1 phased out by 1/1/2011
- Phase out depends on card expiration, not
signature generation date
21SP 800-73 Security Object
- ICAO Authentication/Integrity Object
- Digitally signed hash table
- The table includes a message digest for each of
the objects (CHUID, keys, etc.) stored on the
card - Message digests are generated using SHA-1,
SHA-224, or SHA-256 - SHA-1 phased out by 1/1/2011
- Signature requirements from previous slide
22Status Information
- FIPS 201 relies upon digitally signed X.509 CRLs
and OCSP responses to distribute status
information - Signatures may be generated using RSA or ECDSA
- RSA may use PKCS 1 or PSS padding schemes
- SHA-1, SHA-224, and SHA-256 hash algorithms
- SHA-1 phased out by 1/1/2011
- Phase out depends on signature generation date
23Special Publication 800-76
- Biometric Data Specification for Personal
Identity Verification - Major issue Minutia vs. full image
- File size
- Interoperability
- Privacy
- Still in draft form
24Contact Information
Curt Barker (william.barker_at_nist.gov) PIV
Program Manager Jim Dray (james.dray_at_nist.gov )
SP800-73 Terry Schwarzhoff (teresa.schwarzhoff_at_nis
t.gov) NIST Smart Card Program Manager,
Standards Lead NIST PIV Website
http//csrc.nist.gov/piv-project