FIPS 201 Framework: Special Pubs 800-73,76,78

Jim Dray

HSPD-12 Workshop

May 4/5, 2005


Special Publication 800-73

  • PIV card application definition

    • NOT a general purpose card platform spec!

  • Part 1: Common data model and migration

  • Part 2: Transition card interfaces

  • Part 3: End point specification


Part 1: Mandatory Data Objects

  • PIV credential element objects

    • Card Capability Container: Discovery

    • Cardholder Unique Identifier: PACS 2.2

    • PIV Authentication Key

    • Fingerprint Buffers (2)

    • Security Object


Part 1: Optional Data Objects

  • Optional PIV credential element objects

    • Printed Information

    • Facial Image

    • Digital Signature Key

    • Key Management Key

    • Card Authentication Key


Part 1: Migration Issues

  • Some agencies have smart card deployments

  • Government Smart Card Interoperability Specification (NISTIR 6887)

  • Migration path is based on continuity of the PIV data model

  • Legacy agencies MAY use Part 2 transition specification


SP800-73 Part 2

  • Essentially a PIV profile of GSC-IS

  • Maintains the GSC-IS dual card interfaces

    • File system

    • Virtual Machine

  • Developed by the Government Smart Card Interagency Advisory Board

  • Part 2 is informative


SP800-73 Part 3

  • Unified card command interface

  • Compliant with existing international standards (ISO 7816)

  • Technology neutrality: Implementable on any card platform

  • Essential features for:

    • High degree of PIV card interoperability

    • Future-proofing PIV framework


Part 3: Data Model

  • Data model is common to both Parts 2 and 3

  • Different identifiers (BER-TLV) used at the card edge in Part 3


Part 3: Standard Namespaces

  • ASN.1 Object Identifiers in the PIV arc of the Computer Security Object Register at the Client Application Programming Interface

  • PIV RID is the root of card Application Identifiers (AIDs)

  • BER-TLV tags for data objects at the card interface
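The two preceding slides say the Part 3 card edge identifies data objects by BER-TLV tags rather than by the OIDs used at the client API. The following is an added example (not from the presentation or from NIST's reference implementation) of a minimal BER-TLV reader of the kind a PIV middleware or conformance tool needs: it decodes multi-byte tags, short- and long-form lengths, and nested constructed objects, and rejects records whose declared length overruns the buffer. The sample record and its tag values are constructed for the example and are not the PIV tag assignments.

```python
"""Minimal BER-TLV reader (added example; ISO 7816-style encoding)."""
from typing import Dict, List, Optional, Tuple


def _read_tag(buf: bytes, i: int) -> Tuple[bytes, int]:
    """Return the raw tag bytes starting at buf[i] and the offset after them.

    If the low five bits of the first byte are all ones, the tag number
    continues in following bytes until one has its high bit clear.
    """
    start = i
    first = buf[i]
    i += 1
    if first & 0x1F == 0x1F:
        while True:
            if i >= len(buf):
                raise ValueError("truncated tag")
            cont = buf[i]
            i += 1
            if cont & 0x80 == 0:
                break
    return buf[start:i], i


def _read_length(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a definite BER length: short form, or long form 0x81..0x84."""
    if i >= len(buf):
        raise ValueError("truncated length")
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length not accepted")
    if i + n > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[i:i + n], "big"), i + n


def parse_ber_tlv(buf: bytes) -> List[Dict]:
    """Parse a sequence of TLV elements; constructed elements are recursed."""
    items: List[Dict] = []
    i = 0
    while i < len(buf):
        tag, i = _read_tag(buf, i)
        length, i = _read_length(buf, i)
        if i + length > len(buf):
            raise ValueError(f"length {length} for tag {tag.hex()} exceeds buffer")
        value = buf[i:i + length]
        i += length
        node: Dict = {"tag": tag.hex().upper(), "length": length}
        if tag[0] & 0x20:            # bit 6 of the first tag byte: constructed
            node["children"] = parse_ber_tlv(value)
        else:
            node["value"] = value
        items.append(node)
    return items


def find_tag(items: List[Dict], tag_hex: str) -> Optional[bytes]:
    """Depth-first lookup of a primitive element's value by tag (hex string)."""
    for node in items:
        if node["tag"] == tag_hex.upper() and "value" in node:
            return node["value"]
        if "children" in node:
            found = find_tag(node["children"], tag_hex)
            if found is not None:
                return found
    return None


def is_well_formed(buf: bytes) -> bool:
    """True if the whole buffer parses without truncation or overrun."""
    try:
        parse_ber_tlv(buf)
        return True
    except ValueError:
        return False


# Constructed sample record (tag values are invented for this example):
SAMPLE_RECORD = bytes.fromhex(
    "7F61"                    # constructed two-byte tag
    "810A"                    # long-form length: 10 bytes of content
    "5F01" "03" "414243"      # primitive two-byte tag, value "ABC"
    "50"   "02" "0001"        # primitive one-byte tag, value 00 01
)
# Constructed malformed record: declares 5 bytes of value but carries 1.
TRUNCATED_RECORD = bytes.fromhex("5F01 05 41")

if __name__ == "__main__":
    for node in parse_ber_tlv(SAMPLE_RECORD):
        print(node)
    print("well-formed:", is_well_formed(TRUNCATED_RECORD))
```

The length check before slicing is the part worth copying: a card-edge reader that trusts a declared length can be made to read past the end of a response, so treat every length as untrusted input.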


Part 3: PIV Card Application

  • AID is ‘A0 00 00 xx xx 00 00 10 00 01 00’

  • Full PIV RID to be published by NIST

  • Access Control Rules applied to PIV credential objects

  • Provides a set of 8 ISO compliant card interface commands

  • Restricted functionality in contactless mode


Part 3: Client Application Programming Interface

  • Equivalent to GSC-IS Basic Services Interface

  • Provides 9 higher level commands

  • Implemented by middleware

  • PIV middleware is MUCH simpler than GSC-IS middleware because card command mapping is not required


Part 3: Reference Implementation

  • Part 3 compliant implementation

  • PIV card application running in a card simulator

  • Middleware

  • Publicly available

  • Basis for conformance tests

  • Estimated completion date June 25


SP800-73 Summary

  • PIV II card application and client application programming interface spec

  • Informative Part 2 transition specification for migrating legacy GSC-IS deployments

  • Normative Part 3 end point specification

  • All agencies are to reach full deployment of Part 3 PIV cards by the end of their PIV II Phase, regardless of the migration path chosen.


Special Publication 800-78 Overview

  • FIPS 201 relies on cryptography

    • To protect objects stored on the PIV card

    • To authenticate the PIV card or cardholder

    • To authenticate the source and integrity of status information


Cryptographic Strength Requirements

  • SP 800-78 mandates a transition from 80 bit strength to 112 bits of strength by 1/1/2011

    • Cryptographic keys that provide long term data protection transition by 1/1/2009 to provide two years “forward security”

  • Elliptic Curve Cryptography is specified with a minimum of 112 bits of strength (224 bit keys)

    • Avoid transition issues


Cryptographic Objects Stored on the PIV Card

  • FIPS 201 specified

    • Cryptographic keys

    • Digitally signed objects

      • CHUID

      • Biometrics

      • X.509 Certificates

  • SP 800-73 specified

    • Authentication/Integrity Object


Cryptographic keys

  • Asymmetric private keys

    • PIV Authentication key (Mandatory)

    • Digital Signature key (Optional)

    • Key Management key (Optional)

      • May support key transport or key agreement

  • Card Management Key (Optional)

    • Symmetric key

  • PIV Cardholder Authentication Key (Optional)

    • May be symmetric or asymmetric


Asymmetric Algorithms for Cryptographic Keys

  • SP 800-78 limits asymmetric keys to RSA and ECC

    • RSA must be 1024/2048/3072

      • 1024 bit keys phased out by 1/1/2011

      • Digital signature and key management keys transition by 1/1/2008 to provide for forward security

      • Authentication keys transition by 1/1/2011 since forward security is not an issue

    • ECC must use a recommended curve from FIPS 186-2

      • 224 through 283 bit keys

      • No phase out specified


Symmetric Algorithms for Cryptographic Keys

  • SP 800-78 limits symmetric keys to Triple DES (TDEA) and AES

    • TDEA must be two key or three key

      • Two key TDEA phased out by 1/1/2011

    • AES may be 128, 192, or 256 bit keys

      • No phase out specified


Digitally Signed Objects

  • Signatures may be generated using RSA or ECDSA

    • RSA may use PKCS #1 or PSS padding schemes

    • SHA-1, SHA-224, and SHA-256 hash algorithms

      • SHA-1 phased out by 1/1/2011

  • Phase out depends on card expiration, not signature generation date


SP 800-73 Security Object

  • ICAO Authentication/Integrity Object

  • Digitally signed hash table

    • The table includes a message digest for each of the objects (CHUID, keys, etc.) stored on the card

    • Message digests are generated using SHA-1, SHA-224, or SHA-256

      • SHA-1 phased out by 1/1/2011

    • Signature requirements from previous slide
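The Security Object slide describes a signed table holding one message digest per object on the card. The added example below (not code from the presentation or from NIST) shows the integrity step a verifier performs once the signature over the table has been checked: recompute each digest with the hash algorithm the table names and report every object as ok, modified, missing, or unlisted. The object names and contents are constructed sample data, and the table is a plain dictionary rather than the card's encoded form.

```python
"""Security Object hash-table check (added example; sample data constructed)."""
import hashlib
import hmac
from typing import Callable, Dict

# Hash algorithms the slides permit for the Security Object digests.
HASH_FUNCTIONS: Dict[str, Callable] = {
    "SHA-1": hashlib.sha1,
    "SHA-224": hashlib.sha224,
    "SHA-256": hashlib.sha256,
}


def build_hash_table(objects: Dict[str, bytes], hash_alg: str) -> Dict[str, bytes]:
    """Issuer side: one digest per on-card object (the table is then signed)."""
    digest = HASH_FUNCTIONS[hash_alg]
    return {name: digest(data).digest() for name, data in objects.items()}


def verify_hash_table(table: Dict[str, bytes], hash_alg: str,
                      objects: Dict[str, bytes]) -> Dict[str, str]:
    """Verifier side, after the table's signature has been validated.

    Returns a status per object name:
      ok        digest matches
      modified  object present but digest differs
      missing   table lists it but the card did not return it
      unlisted  card returned it but the signed table does not cover it
    """
    if hash_alg not in HASH_FUNCTIONS:
        raise ValueError(f"hash algorithm {hash_alg!r} not permitted")
    digest = HASH_FUNCTIONS[hash_alg]
    statuses: Dict[str, str] = {}
    for name, expected in table.items():
        if name not in objects:
            statuses[name] = "missing"
        elif hmac.compare_digest(digest(objects[name]).digest(), expected):
            statuses[name] = "ok"
        else:
            statuses[name] = "modified"
    for name in objects:
        if name not in table:
            statuses[name] = "unlisted"
    return statuses


def card_is_intact(statuses: Dict[str, str]) -> bool:
    """A card passes only if every listed object is present and unchanged
    and nothing outside the signed table was returned."""
    return all(s == "ok" for s in statuses.values())


# Constructed sample objects standing in for the card's data objects.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "CHUID": b"constructed-chuid-bytes",
    "PIV Authentication Certificate": b"constructed-certificate-bytes",
    "Fingerprints": b"constructed-fingerprint-template",
}


def demo_tampered_card() -> Dict[str, str]:
    """Build a table for the genuine card, then check a card whose
    fingerprint object was replaced."""
    table = build_hash_table(SAMPLE_OBJECTS, "SHA-256")
    tampered = dict(SAMPLE_OBJECTS)
    tampered["Fingerprints"] = b"substituted-fingerprint-template"
    return verify_hash_table(table, "SHA-256", tampered)


if __name__ == "__main__":
    statuses = demo_tampered_card()
    print(statuses, "intact:", card_is_intact(statuses))
```

Reporting a per-object status rather than a single pass/fail is what makes the check useful operationally: "missing" points at a card read problem, "modified" at a tampered or re-personalized object, and "unlisted" at an object the issuer never vouched for.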


Status Information

  • FIPS 201 relies upon digitally signed X.509 CRLs and OCSP responses to distribute status information

  • Signatures may be generated using RSA or ECDSA

    • RSA may use PKCS #1 or PSS padding schemes

    • SHA-1, SHA-224, and SHA-256 hash algorithms

      • SHA-1 phased out by 1/1/2011

  • Phase out depends on signature generation date
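The SP 800-78 slides above (Cryptographic Strength Requirements, Asymmetric Algorithms, Symmetric Algorithms, Digitally Signed Objects, and Status Information) together define which algorithms and key sizes are acceptable and when each is phased out. The following added example (not the presentation's or NIST's code) encodes those rules as a small policy checker, including the distinction the last two slides draw: a signed object on the card is judged against the card's expiration date, while a CRL or OCSP signature is judged against its generation date. The key-use labels and the 112/168-bit encoding of two- and three-key TDEA are conventions chosen for the example, and the RSA-1024 signature/key-management date follows the Asymmetric Algorithms slide (1/1/2008).

```python
"""SP 800-78 phase-out policy checker (added example built from the slides)."""
from datetime import date
from typing import Optional, Union

PHASE_OUT_2008 = date(2008, 1, 1)   # RSA-1024 digital signature / key management keys
PHASE_OUT_2011 = date(2011, 1, 1)   # RSA-1024 auth keys, two-key TDEA, SHA-1

# Sentinel for combinations the specification does not allow at any date.
NOT_PERMITTED = object()
PhaseOut = Union[None, date, object]


def key_phase_out(alg: str, bits: int, key_use: str) -> PhaseOut:
    """Date after which the key is no longer acceptable, None if no phase-out
    is specified, or NOT_PERMITTED. key_use is one of the example's labels:
    'authentication', 'digital_signature', 'key_management', 'card_management'."""
    if alg == "RSA":
        if bits not in (1024, 2048, 3072):
            return NOT_PERMITTED
        if bits != 1024:
            return None
        if key_use in ("digital_signature", "key_management"):
            return PHASE_OUT_2008      # forward security for long-term data
        if key_use == "authentication":
            return PHASE_OUT_2011      # forward security not an issue
        return NOT_PERMITTED           # unknown use of a 1024-bit key: do not guess
    if alg == "ECC":
        # FIPS 186-2 recommended curves, 224 through 283 bits, no phase-out.
        return None if 224 <= bits <= 283 else NOT_PERMITTED
    if alg == "TDEA":
        if bits == 112:                # two-key TDEA (example's encoding)
            return PHASE_OUT_2011
        if bits == 168:                # three-key TDEA
            return None
        return NOT_PERMITTED
    if alg == "AES":
        return None if bits in (128, 192, 256) else NOT_PERMITTED
    return NOT_PERMITTED


def hash_phase_out(hash_alg: str) -> PhaseOut:
    """Hash algorithms allowed for signatures and their phase-out dates."""
    return {"SHA-1": PHASE_OUT_2011, "SHA-224": None, "SHA-256": None}.get(
        hash_alg, NOT_PERMITTED)


def _status(phase_out: PhaseOut, as_of: date) -> str:
    if phase_out is NOT_PERMITTED:
        return "not_permitted"
    if phase_out is None or as_of < phase_out:
        return "ok"
    return "phased_out"


def check_key(alg: str, bits: int, key_use: str, as_of: date) -> str:
    """'ok', 'phased_out' or 'not_permitted' for a key used on the given date."""
    return _status(key_phase_out(alg, bits, key_use), as_of)


def check_card_object_signature(hash_alg: str, card_expiration: date) -> str:
    """Objects stored on the card (CHUID, biometrics, certificates, Security
    Object): the phase-out is judged by card expiration, not signing date."""
    return _status(hash_phase_out(hash_alg), card_expiration)


def check_status_signature(hash_alg: str, signature_date: date) -> str:
    """CRLs and OCSP responses: the phase-out is judged by signature date."""
    return _status(hash_phase_out(hash_alg), signature_date)


if __name__ == "__main__":
    # A card issued in 2006 but expiring after 1/1/2011 cannot carry SHA-1 signed objects,
    # while a CRL signed in mid-2010 with SHA-1 is still acceptable.
    print(check_card_object_signature("SHA-1", date(2011, 6, 30)))   # phased_out
    print(check_status_signature("SHA-1", date(2010, 6, 1)))         # ok
    print(check_key("RSA", 1024, "digital_signature", date(2008, 1, 1)))  # phased_out
```

The practical consequence of the two evaluation dates is that an issuer choosing algorithms for a card must look at the card's whole validity period, whereas a validation service can switch signature algorithms at the phase-out date without invalidating earlier status responses.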


Special Publication 800-76

  • Biometric Data Specification for Personal Identity Verification

  • Major issue: Minutia vs. full image

    • File size

    • Interoperability

    • Privacy

  • Still in draft form


Contact Information

Curt Barker (william.barker@nist.gov): PIV Program Manager

Jim Dray (james.dray@nist.gov): SP800-73

Terry Schwarzhoff (teresa.schwarzhoff@nist.gov): NIST Smart Card Program Manager, Standards Lead

NIST PIV Website: http://csrc.nist.gov/piv-project