Identity Proofing


FIPS 201 Framework:
Special Pubs 800-73, 76, 78
Jim Dray
HSPD-12 Workshop
May 4/5, 2005

Special Publication 800-73
• PIV card application definition
  o NOT a general purpose card platform spec!
• Part 1: Common data model and migration
• Part 2: Transition card interfaces
• Part 3: End point specification

Part 1: Mandatory Data Objects
• PIV credential element objects
  o Card Capability Container: Discovery
  o Cardholder Unique Identifier: PACS 2.2
  o PIV Authentication Key
  o Fingerprint Buffers (2)
  o Security Object

Part 1: Optional Data Objects
• Optional PIV credential element objects
  o Printed Information
  o Facial Image
  o Digital Signature Key
  o Key Management Key
  o Card Authentication Key

Part 1: Migration Issues
• Some agencies have smart card deployments
• Government Smart Card Interoperability Specification (NISTIR 6887)
• Migration path is based on continuity of the PIV data model
• Legacy agencies MAY use Part 2 transition specification

SP800-73 Part 2
• Essentially a PIV profile of GSC-IS
• Maintains the GSC-IS dual card interfaces
  o File system
  o Virtual Machine
• Developed by the Government Smart Card Interagency Advisory Board
• Part 2 is informative

SP800-73 Part 3
• Unified card command interface
• Compliant with existing international standards (ISO 7816)
• Technology neutrality: Implementable on any card platform
• Essential features for:
  o High degree of PIV card interoperability
  o Future-proofing PIV framework

Part 3: Data Model
• Data model is common to both Parts 2 and 3
• Different identifiers (BER-TLV) used at the card edge in Part 3

Part 3: Standard Namespaces
• ASN.1 Object Identifiers in the PIV arc of the Computer Security Object Register at the Client Application Programming Interface
• PIV RID is the root of card Application Identifiers (AIDs)
• BER-TLV tags for data objects at the card interface
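
The Part 3 slides say that data objects are addressed by BER-TLV tags at the card interface and that these identifiers differ from the ones used at the client API. The following is an added example, not code from the slides or from NIST's reference implementation: a small BER-TLV walker of the kind a PIV middleware or conformance tool needs in order to take a card response apart. It handles multi-byte tags, long-form lengths and nested (constructed) objects, and it rejects a declared length that runs past the buffer instead of silently truncating, which is the bug that turns a malformed card response into an over-read. The tag numbers in SAMPLE are constructed for illustration and are not the tag assignments of SP 800-73 Part 3.

```python
"""Walk BER-TLV data objects of the kind returned at the PIV card edge.

Added example, not code from the slides or from NIST's reference
implementation. The tag numbers in SAMPLE are constructed for illustration
and are not the tag assignments of SP 800-73 Part 3.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class TlvError(ValueError):
    """Malformed or truncated TLV; callers must treat the whole response as bad."""


@dataclass
class Tlv:
    tag: int                      # full tag as an integer, e.g. 0x53 or 0x7F61
    value: bytes                  # primitive content; empty for constructed tags
    constructed: bool = False
    children: list[Tlv] = field(default_factory=list)


def _read_tag(buf: bytes, pos: int) -> tuple[int, int, bool]:
    """ISO 7816 tag: bit 6 of the first byte marks 'constructed'; a low
    five bits of 0x1F means further tag bytes follow while bit 8 is set."""
    if pos >= len(buf):
        raise TlvError("truncated tag")
    first = buf[pos]
    tag, pos = first, pos + 1
    if first & 0x1F == 0x1F:
        while True:
            if pos >= len(buf):
                raise TlvError("truncated multi-byte tag")
            tag = (tag << 8) | buf[pos]
            pos += 1
            if not buf[pos - 1] & 0x80:
                break
    return tag, pos, bool(first & 0x20)


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Definite BER length only: one byte below 0x80, or 0x8N plus N bytes."""
    if pos >= len(buf):
        raise TlvError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise TlvError("indefinite or oversized length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse(buf: bytes) -> list[Tlv]:
    """Parse a concatenation of TLVs, descending into constructed tags."""
    out: list[Tlv] = []
    pos = 0
    while pos < len(buf):
        tag, pos, constructed = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if pos + length > len(buf):
            # A declared length beyond the buffer is the classic over-read;
            # reject instead of silently truncating.
            raise TlvError(f"tag {tag:#x}: length {length} exceeds buffer")
        value = buf[pos:pos + length]
        pos += length
        if constructed:
            out.append(Tlv(tag, b"", True, parse(value)))
        else:
            out.append(Tlv(tag, value))
    return out


def find(tlvs: list[Tlv], tag: int) -> Tlv | None:
    """Depth-first lookup of a tag anywhere in the tree."""
    for t in tlvs:
        if t.tag == tag:
            return t
        hit = find(t.children, tag)
        if hit is not None:
            return hit
    return None


def dump(tlvs: list[Tlv], depth: int = 0) -> list[str]:
    """Render the tree one line per object (handy when eyeballing card responses)."""
    lines = []
    for t in tlvs:
        if t.constructed:
            lines.append(f"{'  ' * depth}{t.tag:#x} (constructed)")
            lines.extend(dump(t.children, depth + 1))
        else:
            lines.append(f"{'  ' * depth}{t.tag:#x} {t.value.hex()}")
    return lines


# Constructed sample (illustrative tags): a two-byte constructed tag wrapping
# two primitives, then a primitive with a long-form length.
SAMPLE = bytes.fromhex(
    "7F6108"         # constructed tag 0x7F61, length 8
    "0102CAFE"       #   primitive tag 0x01, length 2
    "0202BEEF"       #   primitive tag 0x02, length 2
    "538103010203"   # primitive tag 0x53, long-form length (0x81 0x03), 3 bytes
)

if __name__ == "__main__":
    print("\n".join(dump(parse(SAMPLE))))
```

The same walker is what you point at a real GET DATA response once the Part 3 tag assignments are known; the point of raising TlvError on a bad length rather than clamping it is that middleware should never hand a partially parsed credential object up to the application.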

Part 3: PIV Card Application
• AID is ‘A0 00 00 xx xx 00 00 10 00 01 00’
• Full PIV RID to be published by NIST
• Access Control Rules applied to PIV credential objects
• Provides a set of 8 ISO compliant card interface commands
• Restricted functionality in contactless mode

Part 3: Client Application Programming Interface
• Equivalent to GSC-IS Basic Services Interface
• Provides 9 higher level commands
• Implemented by middleware
• PIV middleware is MUCH simpler than GSC-IS middleware because card command mapping is not required

Part 3: Reference Implementation
• Part 3 compliant implementation
• PIV card application running in a card simulator
• Middleware
• Publicly available
• Basis for conformance tests
• Estimated completion date June 25

SP800-73 Summary
• PIV II card application and client application programming interface spec
• Informative Part 2 transition specification for migrating legacy GSC-IS deployments
• Normative Part 3 end point specification
• All agencies are to reach full deployment of Part 3 PIV cards by the end of their PIV II Phase, regardless of the migration path chosen.

Special Publication 800-78 Overview
• FIPS 201 relies on cryptography
  o To protect objects stored on the PIV card
  o To authenticate the PIV card or cardholder
  o To authenticate the source and integrity of status information

Cryptographic Strength Requirements
• SP 800-78 mandates a transition from 80 bit strength to 112 bits of strength by 1/1/2011
  o Cryptographic keys that provide long term data protection transition by 1/1/2009 to provide two years “forward security”
• Elliptic Curve Cryptography is specified with a minimum of 112 bits of strength (224 bit keys)
  o Avoid transition issues

Cryptographic Objects Stored on the PIV Card
• FIPS 201 specified
  o Cryptographic keys
  o Digitally signed objects
    • CHUID
    • Biometrics
    • X.509 Certificates
• SP 800-73 specified
  o Authentication/Integrity Object

Cryptographic Keys
• Asymmetric private keys
  o PIV Authentication key (Mandatory)
  o Digital Signature key (Optional)
  o Key Management key (Optional)
    • May support key transport or key agreement
• Card Management Key (Optional)
  o Symmetric key
• PIV Card Authentication Key (Optional)
  o May be symmetric or asymmetric

Asymmetric Algorithms for Cryptographic Keys
• SP 800-78 limits asymmetric keys to RSA and ECC
  o RSA must be 1024/2048/3072
    • 1024 bit keys phased out by 1/1/2011
    • Digital signature and key management keys transition by 1/1/2008 to provide for forward security
    • Authentication keys transition by 1/1/2011 since forward security is not an issue
  o ECC must use a recommended curve from FIPS 186-2
    • 224 through 283 bit keys
    • No phase out specified

Symmetric Algorithms for Cryptographic Keys
• SP 800-78 limits symmetric keys to Triple DES (TDEA) and AES
  o TDEA must be two key or three key
    • Two key TDEA phased out by 1/1/2011
  o AES may be 128, 192, or 256 bit keys
    • No phase out specified

Digitally Signed Objects
• Signatures may be generated using RSA or ECDSA
  o RSA may use PKCS #1 or PSS padding schemes
  o SHA-1, SHA-224, and SHA-256 hash algorithms
    • SHA-1 phased out by 1/1/2011
• Phase out depends on card expiration, not signature generation date

SP 800-73 Security Object
• ICAO Authentication/Integrity Object
• Digitally signed hash table
  o The table includes a message digest for each of the objects (CHUID, keys, etc.) stored on the card
  o Message digests are generated using SHA-1, SHA-224, or SHA-256
    • SHA-1 phased out by 1/1/2011
  o Signature requirements from previous slide
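
The slide describes the Security Object as a signed table holding one message digest per object stored on the card. The following added example (not code from the slides or from the NIST reference implementation) builds such a table and verifies a card against it, in the order a verifier must use: check the issuer's signature over the table first, and only then compare each object's digest, because an unverified table proves nothing. The JSON table encoding, the HMAC-SHA256 that stands in for the issuer's RSA/ECDSA signature, and the card data and issuer key are all assumptions made so the example runs on the Python standard library alone.

```python
"""Build and verify a PIV-style Security Object: a signed table holding one
message digest per data object stored on the card.

Added example, not code from the slides or from NIST. The JSON table
encoding and the use of HMAC-SHA256 as a stand-in for the issuer's
RSA/ECDSA signature are assumptions so the example runs on the standard
library alone; the card data and issuer key are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

ALLOWED_HASHES = {"sha1", "sha224", "sha256"}   # the digests SP 800-78 permits here

# Constructed stand-ins for the objects a card might carry.
CARD_OBJECTS = {
    "CHUID": b"constructed CHUID bytes",
    "Fingerprints": b"constructed fingerprint template",
    "PIV Authentication Certificate": b"constructed X.509 DER",
}
ISSUER_KEY = b"constructed issuer key, not a real credential"


def digest_table(objects: dict[str, bytes], hash_alg: str) -> dict[str, str]:
    """One digest per object, keyed by object name, in a fixed order."""
    if hash_alg not in ALLOWED_HASHES:
        raise ValueError(f"{hash_alg} is not a permitted Security Object digest")
    return {name: hashlib.new(hash_alg, objects[name]).hexdigest()
            for name in sorted(objects)}


def _table_bytes(hash_alg: str, table: dict[str, str]) -> bytes:
    # Canonical encoding: the signature must cover exactly these bytes on both sides.
    return json.dumps({"hash": hash_alg, "digests": table},
                      sort_keys=True, separators=(",", ":")).encode()


def build_security_object(objects: dict[str, bytes], hash_alg: str, issuer_key: bytes) -> dict:
    """Issuer side: hash every object, then sign the table (HMAC stands in for RSA/ECDSA)."""
    table = digest_table(objects, hash_alg)
    sig = hmac.new(issuer_key, _table_bytes(hash_alg, table), "sha256").hexdigest()
    return {"hash": hash_alg, "digests": table, "signature": sig}


def verify_security_object(secobj: dict, objects: dict[str, bytes], issuer_key: bytes) -> list[str]:
    """Return the findings; an empty list means every object matches the signed table."""
    expected = hmac.new(issuer_key, _table_bytes(secobj["hash"], secobj["digests"]),
                        "sha256").hexdigest()
    if not hmac.compare_digest(expected, secobj["signature"]):
        # An unverified table proves nothing about the objects: stop here.
        return ["signature invalid"]
    if secobj["hash"] not in ALLOWED_HASHES:
        return [f"signed table uses unsupported digest {secobj['hash']}"]
    findings = []
    for name, digest in secobj["digests"].items():
        if name not in objects:
            findings.append(f"{name}: listed in Security Object but absent from card")
            continue
        actual = hashlib.new(secobj["hash"], objects[name]).hexdigest()
        if not hmac.compare_digest(actual, digest):
            findings.append(f"{name}: digest mismatch")
    # This example's policy: anything on the card the table does not cover is unprotected.
    for name in objects:
        if name not in secobj["digests"]:
            findings.append(f"{name}: present on card but not covered by Security Object")
    return findings


def demo() -> dict[str, list[str]]:
    """Three cards: intact, CHUID swapped, and CHUID swapped with a re-hashed (unsigned) table."""
    secobj = build_security_object(CARD_OBJECTS, "sha256", ISSUER_KEY)
    swapped = dict(CARD_OBJECTS, CHUID=b"attacker-substituted CHUID")
    forged = dict(secobj, digests=dict(secobj["digests"],
                                       CHUID=hashlib.sha256(swapped["CHUID"]).hexdigest()))
    return {
        "intact": verify_security_object(secobj, CARD_OBJECTS, ISSUER_KEY),
        "swapped": verify_security_object(secobj, swapped, ISSUER_KEY),
        "forged": verify_security_object(forged, swapped, ISSUER_KEY),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "OK")
```

The "forged" case is the one that matters for the design: an attacker who can rewrite the CHUID can also rewrite its digest in the table, so the table is worthless unless the issuer's signature over it is checked before any digest is trusted. With a real card, the HMAC call is replaced by RSA or ECDSA verification of the issuer's signature with the hash and key sizes the previous slides permit.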

Status Information
• FIPS 201 relies upon digitally signed X.509 CRLs and OCSP responses to distribute status information
• Signatures may be generated using RSA or ECDSA
  o RSA may use PKCS #1 or PSS padding schemes
  o SHA-1, SHA-224, and SHA-256 hash algorithms
    • SHA-1 phased out by 1/1/2011
• Phase out depends on signature generation date
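
The SP 800-78 slides state two different phase-out rules for the same algorithms: for objects signed onto the card, the cutoff is judged against the card's expiration date, while for CRLs and OCSP responses it is judged against the date the signature was generated. A card signed with SHA-1 in 2010 is therefore fine if it expires in December 2010 and not fine if it expires in 2012, whereas a SHA-1 CRL is judged only by its own signing date. The following added example (not code from the slides or from NIST) encodes those rules, together with the key-size transitions from the asymmetric and symmetric slides, as a checker a relying party could run. Dates and sizes are the ones the slides state; the function names and the (accepted, reason) return shape are this example's own. The slides give both 1/1/2009 and 1/1/2008 for the forward-security transition of digital signature and key management keys; the code uses 1/1/2008, the date on the RSA slide, which is an assumption.

```python
"""Check a credential against the SP 800-78 transition rules on these slides.

Added example, not code from the slides or from NIST. Dates and key sizes are
the ones the slides state; the function names and return shape are this
example's own. The slides give both 1/1/2009 and 1/1/2008 for the forward
security transition of signature and key management keys; this code uses
1/1/2008, the date on the RSA slide (an assumption).
"""
from __future__ import annotations

from datetime import date

PHASE_OUT = date(2011, 1, 1)          # 80-bit strength (RSA-1024, SHA-1, 2-key TDEA) ends
FORWARD_SECURITY = date(2008, 1, 1)   # RSA-1024 digital signature and key management keys
RSA_SIZES = {1024, 2048, 3072}
ECC_SIZES = range(224, 284)           # "224 through 283 bit keys"
HASHES = {"sha1", "sha224", "sha256"}
AES_SIZES = {128, 192, 256}


def _as_date(d) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def _weak_components(sig_alg: str, hash_alg: str, key_bits: int) -> list[str]:
    """Name the 80-bit parts of a signature suite, rejecting anything not listed at all."""
    weak = []
    if sig_alg == "rsa":
        if key_bits not in RSA_SIZES:
            raise ValueError(f"RSA-{key_bits} is not a permitted size")
        if key_bits == 1024:
            weak.append("RSA-1024")
    elif sig_alg == "ecdsa":
        if key_bits not in ECC_SIZES:
            raise ValueError(f"ECC-{key_bits} is outside the permitted curves")
    else:
        raise ValueError(f"{sig_alg} is not RSA or ECDSA")
    if hash_alg not in HASHES:
        raise ValueError(f"{hash_alg} is not a permitted hash")
    if hash_alg == "sha1":
        weak.append("SHA-1")
    return weak


def card_object_signature_ok(sig_alg, hash_alg, key_bits, card_expiry) -> tuple[bool, str]:
    """Objects signed onto the card (CHUID, biometrics, Security Object):
    the rule keys on the card's expiration date, not on when it was signed."""
    weak = _weak_components(sig_alg, hash_alg, key_bits)
    if weak and _as_date(card_expiry) >= PHASE_OUT:
        return False, f"card valid past {PHASE_OUT.isoformat()} but signed with {', '.join(weak)}"
    return True, "ok"


def status_signature_ok(sig_alg, hash_alg, key_bits, signed_on) -> tuple[bool, str]:
    """CRLs and OCSP responses: the rule keys on the signature generation date."""
    weak = _weak_components(sig_alg, hash_alg, key_bits)
    if weak and _as_date(signed_on) >= PHASE_OUT:
        return False, f"status signed {_as_date(signed_on).isoformat()} with {', '.join(weak)}"
    return True, "ok"


def key_ok(purpose: str, alg: str, key_bits, on_date) -> tuple[bool, str]:
    """Is a card key still usable on a given date?  purpose is one of
    'authentication', 'digital-signature', 'key-management', 'card-management'."""
    on = _as_date(on_date)
    if alg == "rsa":
        if key_bits not in RSA_SIZES:
            raise ValueError(f"RSA-{key_bits} is not a permitted size")
        if key_bits == 1024:
            # Authentication keys have no forward-security concern, so they get the later date.
            cutoff = PHASE_OUT if purpose == "authentication" else FORWARD_SECURITY
            if on >= cutoff:
                return False, f"RSA-1024 {purpose} key not allowed on or after {cutoff.isoformat()}"
        return True, "ok"
    if alg == "ecc":
        if key_bits not in ECC_SIZES:
            raise ValueError(f"ECC-{key_bits} is outside the permitted curves")
        return True, "ok"                      # no phase-out specified
    if alg == "tdea-2key":
        if on >= PHASE_OUT:
            return False, f"two-key TDEA not allowed on or after {PHASE_OUT.isoformat()}"
        return True, "ok"
    if alg == "tdea-3key":
        return True, "ok"
    if alg == "aes":
        if key_bits not in AES_SIZES:
            raise ValueError(f"AES-{key_bits} is not a permitted size")
        return True, "ok"
    raise ValueError(f"{alg} is not a permitted algorithm")
```

Note that anything outside the listed algorithms and sizes raises rather than returning a rejection: a policy checker that quietly returns False for an algorithm it does not know invites a deployment to treat "unknown" as "acceptable" once the error handling is wrong.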

Special Publication 800-76
• Biometric Data Specification for Personal Identity Verification
• Major issue: Minutia vs. full image
  o File size
  o Interoperability
  o Privacy
• Still in draft form

Contact Information
Curt Barker ([email protected]): PIV Program Manager
Jim Dray ([email protected]): SP800-73
Terry Schwarzhoff ([email protected]): NIST Smart Card Program Manager, Standards Lead
NIST PIV Website: http://csrc.nist.gov/piv-project