Download presentation
Presentation is loading. Please wait.
Published byKayli Southward Modified over 10 years ago
1
FIPS 201 Framework: Special Pubs 800-73,76,78 Jim Dray HSPD-12 Workshop May 4/5, 2005
2
Special Publication 800-73 PIV card application definition o NOT a general purpose card platform spec! Part 1: Common data model and migration Part 2: Transition card interfaces Part 3: End point specification
3
Part 1: Mandatory Data Objects PIV credential element objects o Card Capability Container: Discovery o Cardholder Unique Identifier: PACS 2.2 o PIV Authentication Key o Fingerprint Buffers (2) o Security Object
4
Part 1: Optional Data Objects Optional PIV credential element objects o Printed Information o Facial Image o Digital Signature Key o Key Management Key o Card Authentication Key
5
Part 1: Migration Issues Some agencies have smart card deployments Government Smart Card Interoperability Specification (NISTIR 6887) Migration path is based on continuity of the PIV data model Legacy agencies MAY use Part 2 transition specification
6
SP800-73 Part 2 Essentially a PIV profile of GSC-IS Maintains the GSC-IS dual card interfaces o File system o Virtual Machine Developed by the Government Smart Card Interagency Advisory Board Part 2 is informative
7
SP800-73 Part 3 Unified card command interface Compliant with existing international standards (ISO 7816) Technology neutrality: Implementable on any card platform Essential features for: o High degree of PIV card interoperability o Future-proofing PIV framework
8
Part 3: Data Model Data model is common to both Parts 2 and 3 Different identifiers (BER-TLV) used at the card edge in Part 3
9
Part 3: Standard Namespaces ASN.1 Object Identifiers in the PIV arc of the Computer Security Object Register at the Client Application Programming Interface PIV RID is the root of card Application Identifiers(AIDs) BER-TLV tags for data objects at the card interface
10
Part 3: PIV Card Application AID is A0 00 00 xx xx 00 00 10 00 01 00 Full PIV RID to be published by NIST Access Control Rules applied to PIV credential objects Provides a set of 8 ISO compliant card interface commands Restricted functionality in contactless mode
11
Part 3: Client Application Programming Interface Equivalent to GSC-IS Basic Services Interface Provides 9 higher level commands Implemented by middleware PIV middleware is MUCH simpler than GSC-IS middleware because card command mapping is not required
12
Part 3: Reference Implementation Part 3 compliant implementation PIV card application running in a card simulator Middleware Publicly available Basis for conformance tests Estimated completion date June 25
13
SP800-73 Summary PIV II card application and client application programming interface spec Informative Part 2 transition specification for migrating legacy GSC-IS deployments Normative Part 3 end point specification All agencies are to reach full deployment of Part 3 PIV cards by the end of their PIV II Phase, regardless of the migration path chosen.
14
Special Publication 800-78 Overview FIPS 201 relies on cryptography o To protect objects stored on the PIV card o To authenticate the PIV card or cardholder o To authenticate the source and integrity of status information
15
Cryptographic Strength Requirements SP 800-78 mandates a transition from 80 bit strength to 112 bits of strength by 1/1/2011 o Cryptographic keys that provide long term data protection transition by 1/1/2009 to provide two years forward security Elliptic Curve Cryptography is specified with a minimum of 112 bits of strength (224 bit keys) o Avoid transition issues
16
Cryptographic Objects Stored on the PIV Card FIPS 201 specified o Cryptographic keys o Digitally signed objects CHUID Biometrics X.509 Certificates SP 800-073 specified o Authentication/Integrity Object
17
Cryptographic keys Asymmetric private keys o PIV Authentication key (Mandatory) o Digital Signature key (Optional) o Key Management key (Optional) May support key transport or key agreement Card Management Key (Optional) o Symmetric key PIV Cardholder Authentication Key (Optional) o May be symmetric or asymmetric
18
Asymmetric Algorithms for Cryptographic Keys SP 800-78 limits asymmetric keys to RSA and ECC o RSA must be 1024/2048/3072 1024 bit keys phased out by 1/1/2011 Digital signature and key management keys transition by 1/1/2008 to provide for forward security Authentication keys transition by 1/1/2011 since forward security is not an issue o ECC must use a recommended curve from FIPS 186-2 224 through 283 bit keys No phase out specified
19
Symmetric Algorithms for Cryptographic Keys SP 800-78 limits symmetric keys to Triple DES (TDEA) and AES o TDEA must be two key or three key Two key TDEA phased out by 1/1/2011 o AES may be 128, 192, or 256 bit keys No phase out specified
20
Digitally Signed Objects Signatures may be generated using RSA or ECDSA o RSA may use PKCS #1 or PSS padding schemes o SHA-1, SHA-224, and SHA-256 hash algorithms SHA-1 phased out by 1/1/2011 Phase out depends on card expiration, not signature generation date
21
SP 800-73 Security Object ICAO Authentication/Integrity Object Digitally signed hash table o The table includes a message digest for each of the objects (CHUID, keys, etc.) stored on the card o Message digests are generated using SHA-1, SHA-224, or SHA-256 SHA-1 phased out by 1/1/2011 o Signature requirements from previous slide
22
Status Information FIPS 201 relies upon digitally signed X.509 CRLs and OCSP responses to distribute status information Signatures may be generated using RSA or ECDSA o RSA may use PKCS #1 or PSS padding schemes o SHA-1, SHA-224, and SHA-256 hash algorithms SHA-1 phased out by 1/1/2011 Phase out depends on signature generation date
23
Special Publication 800-76 Biometric Data Specification for Personal Identity Verification Major issue: Minutia vs. full image o File size o Interoperability o Privacy Still in draft form
24
Contact Information Curt Barker (william.barker@nist.gov): PIV Program Managerwilliam.barker@nist.gov Jim Dray (james.dray@nist.gov ): SP800-73james.dray@nist.gov Terry Schwarzhoff (teresa.schwarzhoff@nist.gov): NIST Smart Card Program Manager, Standards Leadteresa.schwarzhoff@nist.gov NIST PIV Website: http://csrc.nist.gov/piv-project
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.