FIPS 201 Framework: Special Pubs 800-73, 76, 78

Jim Dray

HSPD-12 Workshop

May 4/5, 2005

Special Publication 800-73
  • PIV card application definition
    • NOT a general purpose card platform spec!
  • Part 1: Common data model and migration
  • Part 2: Transition card interfaces
  • Part 3: End point specification
Part 1: Mandatory Data Objects
  • PIV credential element objects
    • Card Capability Container: Discovery
    • Cardholder Unique Identifier: PACS 2.2
    • PIV Authentication Key
    • Fingerprint Buffers (2)
    • Security Object
Part 1: Optional Data Objects
  • Optional PIV credential element objects
    • Printed Information
    • Facial Image
    • Digital Signature Key
    • Key Management Key
    • Card Authentication Key
Part 1: Migration Issues
  • Some agencies have smart card deployments
  • Government Smart Card Interoperability Specification (NISTIR 6887)
  • Migration path is based on continuity of the PIV data model
  • Legacy agencies MAY use Part 2 transition specification
SP800-73 Part 2
  • Essentially a PIV profile of GSC-IS
  • Maintains the GSC-IS dual card interfaces
    • File system
    • Virtual Machine
  • Developed by the Government Smart Card Interagency Advisory Board
  • Part 2 is informative
SP800-73 Part 3
  • Unified card command interface
  • Compliant with existing international standards (ISO 7816)
  • Technology neutrality: Implementable on any card platform
  • Essential features for:
    • High degree of PIV card interoperability
    • Future-proofing PIV framework
Part 3: Data Model
  • Data model is common to both Parts 2 and 3
  • Different identifiers (BER-TLV) used at the card edge in Part 3
Part 3: Standard Namespaces
  • ASN.1 Object Identifiers in the PIV arc of the Computer Security Object Register at the Client Application Programming Interface
  • PIV RID is the root of card Application Identifiers (AIDs)
  • BER-TLV tags for data objects at the card interface
Part 3: PIV Card Application
  • AID is ‘A0 00 00 xx xx 00 00 10 00 01 00’
  • Full PIV RID to be published by NIST
  • Access Control Rules applied to PIV credential objects
  • Provides a set of 8 ISO compliant card interface commands
  • Restricted functionality in contactless mode
Part 3: Client Application Programming Interface
  • Equivalent to GSC-IS Basic Services Interface
  • Provides 9 higher level commands
  • Implemented by middleware
  • PIV middleware is MUCH simpler than GSC-IS middleware because card command mapping is not required
Part 3: Reference Implementation
  • Part 3 compliant implementation
  • PIV card application running in a card simulator
  • Middleware
  • Publicly available
  • Basis for conformance tests
  • Estimated completion date June 25
SP800-73 Summary
  • PIV II card application and client application programming interface spec
  • Informative Part 2 transition specification for migrating legacy GSC-IS deployments
  • Normative Part 3 end point specification
  • All agencies are to reach full deployment of Part 3 PIV cards by the end of their PIV II Phase, regardless of the migration path chosen.
Special Publication 800-78 Overview
  • FIPS 201 relies on cryptography
    • To protect objects stored on the PIV card
    • To authenticate the PIV card or cardholder
    • To authenticate the source and integrity of status information
Cryptographic Strength Requirements
  • SP 800-78 mandates a transition from 80 bit strength to 112 bits of strength by 1/1/2011
    • Cryptographic keys that provide long term data protection transition by 1/1/2009 to provide two years “forward security”
  • Elliptic Curve Cryptography is specified with a minimum of 112 bits of strength (224 bit keys)
    • Avoid transition issues
Cryptographic Objects Stored on the PIV Card
  • FIPS 201 specified
    • Cryptographic keys
    • Digitally signed objects
      • CHUID
      • Biometrics
      • X.509 Certificates
  • SP 800-73 specified
    • Authentication/Integrity Object
Cryptographic keys
  • Asymmetric private keys
    • PIV Authentication key (Mandatory)
    • Digital Signature key (Optional)
    • Key Management key (Optional)
      • May support key transport or key agreement
  • Card Management Key (Optional)
    • Symmetric key
  • PIV Cardholder Authentication Key (Optional)
    • May be symmetric or asymmetric
Asymmetric Algorithms for Cryptographic Keys
  • SP 800-78 limits asymmetric keys to RSA and ECC
    • RSA must be 1024/2048/3072
      • 1024 bit keys phased out by 1/1/2011
      • Digital signature and key management keys transition by 1/1/2008 to provide for forward security
      • Authentication keys transition by 1/1/2011 since forward security is not an issue
    • ECC must use a recommended curve from FIPS 186-2
      • 224 through 283 bit keys
      • No phase out specified
Symmetric Algorithms for Cryptographic Keys
  • SP 800-78 limits symmetric keys to Triple DES (TDEA) and AES
    • TDEA must be two key or three key
      • Two key TDEA phased out by 1/1/2011
    • AES may be 128, 192, or 256 bit keys
      • No phase out specified
Digitally Signed Objects
  • Signatures may be generated using RSA or ECDSA
    • RSA may use PKCS #1 or PSS padding schemes
    • SHA-1, SHA-224, and SHA-256 hash algorithms
      • SHA-1 phased out by 1/1/2011
  • Phase out depends on card expiration, not signature generation date
SP 800-73 Security Object
  • ICAO Authentication/Integrity Object
  • Digitally signed hash table
    • The table includes a message digest for each of the objects (CHUID, keys, etc.) stored on the card
    • Message digests are generated using SHA-1, SHA-224, or SHA-256
      • SHA-1 phased out by 1/1/2011
    • Signature requirements from previous slide
Status Information
  • FIPS 201 relies upon digitally signed X.509 CRLs and OCSP responses to distribute status information
  • Signatures may be generated using RSA or ECDSA
    • RSA may use PKCS #1 or PSS padding schemes
    • SHA-1, SHA-224, and SHA-256 hash algorithms
      • SHA-1 phased out by 1/1/2011
  • Phase out depends on signature generation date
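The Security Object slide describes a digitally signed table of per-object message digests, and the two phase-out slides differ on which date the SHA-1 cut-off is measured against (card expiration for objects on the card, signature generation date for CRLs and OCSP responses). The following is an added example covering both, not code from the slides, SP 800-73's actual encoding, or NIST's reference implementation. It builds the digest table, checks the algorithm against the 1/1/2011 phase-out using whichever reference date the caller supplies, verifies the signature over the table, and then checks every object against its digest. Signing uses HMAC-SHA256 as a stand-in for the RSA or ECDSA signature the slides require, because the standard library has no asymmetric signing; the object contents, table format and key are constructed for the demo.

```python
# Security Object style integrity check (added example; not SP 800-73's encoding or
# NIST's code). HMAC-SHA256 stands in for the RSA/ECDSA signature the slides require.
import hashlib
import hmac
from datetime import date

# Phase-out date from the slides: SHA-1 is phased out by 1/1/2011.
SHA1_PHASE_OUT = date(2011, 1, 1)
PERMITTED_DIGESTS = ("sha1", "sha224", "sha256")


def digest_permitted(algo: str, reference_date: date) -> bool:
    """Apply the SHA-1 phase-out. Pass the card expiration date for objects stored
    on the card and the signature generation date for CRLs/OCSP responses; that is
    the distinction the two slides draw."""
    if algo not in PERMITTED_DIGESTS:
        return False
    if algo == "sha1" and reference_date >= SHA1_PHASE_OUT:
        return False
    return True


def build_hash_table(objects: dict, algo: str) -> dict:
    """One message digest per on-card object, keyed by object name."""
    return {name: hashlib.new(algo, data).digest() for name, data in objects.items()}


def encode_table(table: dict) -> bytes:
    """Canonical byte string for signing (constructed format, sorted so it is deterministic)."""
    return b"".join(
        name.encode() + b"=" + digest.hex().encode() + b"\n"
        for name, digest in sorted(table.items())
    )


def sign_table(table: dict, key: bytes) -> bytes:
    """Stand-in signature: HMAC over the canonical table encoding (demo key, not a card key)."""
    return hmac.new(key, encode_table(table), "sha256").digest()


def verify_security_object(objects, table, signature, key, algo, card_expiry):
    """Return (ok, reason). Order matters: algorithm policy first, then the signature
    over the table, then each object's digest against the table."""
    if not digest_permitted(algo, card_expiry):
        return False, f"{algo} not permitted for a card expiring {card_expiry}"
    if not hmac.compare_digest(sign_table(table, key), signature):
        return False, "signature over hash table does not verify"
    for name, data in objects.items():
        expected = table.get(name)
        if expected is None:
            return False, f"{name} has no entry in the hash table"
        if not hmac.compare_digest(hashlib.new(algo, data).digest(), expected):
            return False, f"{name} digest mismatch: object modified or replaced"
    return True, "ok"


# Constructed stand-ins for the signed objects the slides list.
CARD_OBJECTS = {
    "CHUID": b"constructed CHUID bytes",
    "PIV Authentication Certificate": b"constructed X.509 certificate bytes",
    "Fingerprints": b"constructed fingerprint template bytes",
}
DEMO_KEY = b"constructed-demo-signing-key"

if __name__ == "__main__":
    table = build_hash_table(CARD_OBJECTS, "sha256")
    sig = sign_table(table, DEMO_KEY)
    print(verify_security_object(CARD_OBJECTS, table, sig, DEMO_KEY, "sha256", date(2012, 6, 1)))
    tampered = dict(CARD_OBJECTS, CHUID=b"altered CHUID")
    print(verify_security_object(tampered, table, sig, DEMO_KEY, "sha256", date(2012, 6, 1)))
    print(verify_security_object(CARD_OBJECTS, table, sig, DEMO_KEY, "sha1", date(2011, 3, 1)))
```

Replacing a single object and recomputing its digest is not enough to pass, because the table itself is what the signature covers; a verifier that checks object digests but skips the table signature loses exactly that property.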
Special Publication 800-76
  • Biometric Data Specification for Personal Identity Verification
  • Major issue: Minutia vs. full image
    • File size
    • Interoperability
    • Privacy
  • Still in draft form
Contact Information

Curt Barker ([email protected]): PIV Program Manager

Jim Dray ([email protected]): SP800-73

Terry Schwarzhoff ([email protected]): NIST Smart Card Program Manager, Standards Lead

NIST PIV Website: http://csrc.nist.gov/piv-project