1 / 24

FIPS 201 Framework: Special Pubs 800-73,76,78

FIPS 201 Framework: Special Pubs 800-73,76,78. Jim Dray HSPD-12 Workshop May 4/5, 2005. Special Publication 800-73. PIV card application definition NOT a general purpose card platform spec! Part 1: Common data model and migration Part 2: Transition card interfaces

uttara
Download Presentation

FIPS 201 Framework: Special Pubs 800-73,76,78

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FIPS 201 Framework:Special Pubs 800-73,76,78 Jim Dray HSPD-12 Workshop May 4/5, 2005

  2. Special Publication 800-73 • PIV card application definition • NOT a general purpose card platform spec! • Part 1: Common data model and migration • Part 2: Transition card interfaces • Part 3: End point specification

  3. Part 1: Mandatory Data Objects • PIV credential element objects • Card Capability Container: Discovery • Cardholder Unique Identifier: PACS 2.2 • PIV Authentication Key • Fingerprint Buffers (2) • Security Object

  4. Part 1: Optional Data Objects • Optional PIV credential element objects • Printed Information • Facial Image • Digital Signature Key • Key Management Key • Card Authentication Key

  5. Part 1: Migration Issues • Some agencies have smart card deployments • Government Smart Card Interoperability Specification (NISTIR 6887) • Migration path is based on continuity of the PIV data model • Legacy agencies MAY use Part 2 transition specification

  6. SP800-73 Part 2 • Essentially a PIV profile of GSC-IS • Maintains the GSC-IS dual card interfaces • File system • Virtual Machine • Developed by the Government Smart Card Interagency Advisory Board • Part 2 is informative

  7. SP800-73 Part 3 • Unified card command interface • Compliant with existing international standards (ISO 7816) • Technology neutrality: Implementable on any card platform • Essential features for: • High degree of PIV card interoperability • Future-proofing PIV framework

  8. Part 3: Data Model • Data model is common to both Parts 2 and 3 • Different identifiers (BER-TLV) used at the card edge in Part 3

  9. Part 3: Standard Namespaces • ASN.1 Object Identifiers in the PIV arc of the Computer Security Object Register at the Client Application Programming Interface • PIV RID is the root of card Application Identifiers(AIDs) • BER-TLV tags for data objects at the card interface

  10. Part 3: PIV Card Application • AID is ‘A0 00 00 xx xx 00 00 10 00 01 00’ • Full PIV RID to be published by NIST • Access Control Rules applied to PIV credential objects • Provides a set of 8 ISO compliant card interface commands • Restricted functionality in contactless mode

  11. Part 3: Client Application Programming Interface • Equivalent to GSC-IS Basic Services Interface • Provides 9 higher level commands • Implemented by middleware • PIV middleware is MUCH simpler than GSC-IS middleware because card command mapping is not required

  12. Part 3: Reference Implementation • Part 3 compliant implementation • PIV card application running in a card simulator • Middleware • Publicly available • Basis for conformance tests • Estimated completion date June 25

  13. SP800-73 Summary • PIV II card application and client application programming interface spec • Informative Part 2 transition specification for migrating legacy GSC-IS deployments • Normative Part 3 end point specification • All agencies are to reach full deployment of Part 3 PIV cards by the end of their PIV II Phase, regardless of the migration path chosen.

  14. Special Publication 800-78 Overview • FIPS 201 relies on cryptography • To protect objects stored on the PIV card • To authenticate the PIV card or cardholder • To authenticate the source and integrity of status information

  15. Cryptographic Strength Requirements • SP 800-78 mandates a transition from 80 bit strength to 112 bits of strength by 1/1/2011 • Cryptographic keys that provide long term data protection transition by 1/1/2009 to provide two years “forward security” • Elliptic Curve Cryptography is specified with a minimum of 112 bits of strength (224 bit keys) • Avoid transition issues

  16. Cryptographic Objects Stored on the PIV Card • FIPS 201 specified • Cryptographic keys • Digitally signed objects • CHUID • Biometrics • X.509 Certificates • SP 800-073 specified • Authentication/Integrity Object

  17. Cryptographic keys • Asymmetric private keys • PIV Authentication key (Mandatory) • Digital Signature key (Optional) • Key Management key (Optional) • May support key transport or key agreement • Card Management Key (Optional) • Symmetric key • PIV Cardholder Authentication Key (Optional) • May be symmetric or asymmetric

  18. Asymmetric Algorithms for Cryptographic Keys • SP 800-78 limits asymmetric keys to RSA and ECC • RSA must be 1024/2048/3072 • 1024 bit keys phased out by 1/1/2011 • Digital signature and key management keys transition by 1/1/2008 to provide for forward security • Authentication keys transition by 1/1/2011 since forward security is not an issue • ECC must use a recommended curve from FIPS 186-2 • 224 through 283 bit keys • No phase out specified

  19. Symmetric Algorithms for Cryptographic Keys • SP 800-78 limits symmetric keys to Triple DES (TDEA) and AES • TDEA must be two key or three key • Two key TDEA phased out by 1/1/2011 • AES may be 128, 192, or 256 bit keys • No phase out specified

  20. Digitally Signed Objects • Signatures may be generated using RSA or ECDSA • RSA may use PKCS #1 or PSS padding schemes • SHA-1, SHA-224, and SHA-256 hash algorithms • SHA-1 phased out by 1/1/2011 • Phase out depends on card expiration, not signature generation date

  21. SP 800-73 Security Object • ICAO Authentication/Integrity Object • Digitally signed hash table • The table includes a message digest for each of the objects (CHUID, keys, etc.) stored on the card • Message digests are generated using SHA-1, SHA-224, or SHA-256 • SHA-1 phased out by 1/1/2011 • Signature requirements from previous slide

  22. Status Information • FIPS 201 relies upon digitally signed X.509 CRLs and OCSP responses to distribute status information • Signatures may be generated using RSA or ECDSA • RSA may use PKCS #1 or PSS padding schemes • SHA-1, SHA-224, and SHA-256 hash algorithms • SHA-1 phased out by 1/1/2011 • Phase out depends on signature generation date

  23. Special Publication 800-76 • Biometric Data Specification for Personal Identity Verification • Major issue: Minutia vs. full image • File size • Interoperability • Privacy • Still in draft form

  24. Contact Information Curt Barker (william.barker@nist.gov): PIV Program Manager Jim Dray (james.dray@nist.gov ): SP800-73 Terry Schwarzhoff (teresa.schwarzhoff@nist.gov): NIST Smart Card Program Manager, Standards Lead NIST PIV Website: http://csrc.nist.gov/piv-project

More Related