Comment: Updating numbered headings

...

Element / Description

Never
    The object may not be read or used under any circumstances.
    Info: This is a special value that cannot be combined with any other value.

Pin
    The object may be accessed only after PIN authentication.

Pin Always
    The object may be accessed only IMMEDIATELY after PIN authentication in the current session.
    Info: It is acceptable to also set the Pin flag in addition to this, but it is not necessary, as Pin Always takes precedence.

Occ
    The object may be accessed only after a successful Biometric On-Card Comparison in the current session.

User Admin
    The object may be managed after the access conditions have been successfully met.
    Info: This has the effect of permitting the PUT DATA and GENERATE ASYMMETRIC KEYPAIR commands for these values. It does not permit extended administration commands such as PUT DATA ADMIN and CHANGE REFERENCE DATA ADMIN, which require a GlobalPlatform Secure Channel.

Always
    The object may be read or used without any authentication.
    Info: This is a special value that cannot be combined with any other value.

Note: When reading this field, take care to evaluate for the Always and Never special values first, as the Always value sets all lower 7 bits, which can look like other options are set.
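The following decoder is an added example (not the applet's own code) of reading the access-condition byte the way the Note advises: special values are tested before any individual flag, and Pin Always subsumes Pin. Only "Always = all lower 7 bits set" and "Never cannot be combined" come from this page; the individual bit positions and the encoding of Never are assumed placeholders.

```python
# Added example (not OpenFIPS201 applet code). From the page: Always sets all
# lower 7 bits, Never and Always cannot be combined with other flags, and
# Pin Always takes precedence over Pin. The individual bit positions below
# are ASSUMED placeholders for illustration.
FLAG_BITS = {
    "Pin": 0x01,          # assumed
    "Pin Always": 0x02,   # assumed
    "Occ": 0x04,          # assumed
    "User Admin": 0x08,   # assumed
}
ACCESS_NEVER = 0x00       # assumed encoding of the Never special value
ACCESS_ALWAYS = 0x7F      # all lower 7 bits set (from the page)
KNOWN_MASK = sum(FLAG_BITS.values())


def decode_naive(value: int) -> set:
    """The pitfall from the Note: test bits without handling Always first.
    For 0x7F this reports every flag instead of the single value Always."""
    return {name for name, bit in FLAG_BITS.items() if value & bit}


def decode_access_mode(value: int) -> set:
    """Return the effective access conditions encoded in one byte."""
    if not 0 <= value <= 0xFF:
        raise ValueError("access mode must be a single byte")
    # Special values first, exactly as the Note advises.
    if value == ACCESS_ALWAYS:
        return {"Always"}
    if value == ACCESS_NEVER:
        return {"Never"}
    if value & ~KNOWN_MASK & 0xFF:
        # Bit 8 or an unassigned lower bit: reject rather than guess.
        raise ValueError("unrecognised bits in access mode 0x%02X" % value)
    conditions = set()
    if value & FLAG_BITS["Pin Always"]:
        conditions.add("Pin Always")   # subsumes a Pin flag set alongside it
    elif value & FLAG_BITS["Pin"]:
        conditions.add("Pin")
    if value & FLAG_BITS["Occ"]:
        conditions.add("Occ")
    if value & FLAG_BITS["User Admin"]:
        conditions.add("User Admin")
    return conditions


if __name__ == "__main__":
    for mode in (0x7F, 0x00, 0x03, 0x0C):
        print("0x%02X -> naive %s, correct %s"
              % (mode, sorted(decode_naive(mode)), sorted(decode_access_mode(mode))))
```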

5.2 Key Object Parameters

Element / Description

Key Mechanism
    Type: Enumeration
    Describes which cryptographic primitive (mechanism) will be associated with this key.
    Info: See Enumeration - Key Mechanism below for details on populating this value.

Key Role
    Type: Enumeration
    Specifies what role(s) this key may perform for GENERAL AUTHENTICATE commands.
    Info: See Enumeration - Key Role below for details on populating this value.

Key Attribute
    Type: Enumeration
    Specifies what special attributes / options are flagged against this key.
    Info: See Enumeration - Key Attribute below for details on populating this value.

5.2.1 Enumeration - Key Mechanism

This defines the supported cryptographic primitives as specified by NIST SP 800-78-4.

Element / Description

TDEA192
    Triple-DES-ECB using 3-key length (192 bits)

RSA1024
    RSA Asymmetric Keypair, 1024-bit key length

RSA2048
    RSA Asymmetric Keypair, 2048-bit key length

AES128
    Advanced Encryption Standard, 128-bit key length

AES192
    Advanced Encryption Standard, 192-bit key length

AES256
    Advanced Encryption Standard, 256-bit key length

ECC256
    Elliptic Curve using curve NIST P-256

ECC384
    Elliptic Curve using curve NIST P-384

SMCS2
    Cipher Suite 2 - Used for Secure Messaging (PIV Opacity ZKM) based on curve NIST P-256, SHA-256 and AES 128-bit

SMCS7
    Cipher Suite 7 - Used for Secure Messaging (PIV Opacity ZKM) based on curve NIST P-384, SHA-384 and AES 256-bit

5.2.2 Enumeration - Key Role

Element / Description

Authenticate
    This key can be used for card (internal), host (external) or card/host (mutual) authentication.
      • For TDEA or AES key types, this role indicates the key may be used for authentication operations.
      • For RSA key types, this role is not supported.
      • For ECC key types, this role is not supported.
      • For SM key types, this role is not supported.

Key Establish
    This key can be used for key establishment schemes.
      • For TDEA or AES key types, this role is not supported.
      • For RSA key types, this role indicates the key may be used for RSA Key Transport.
      • For ECC key types, this role indicates the key may be used for Elliptic-Curve Diffie-Hellman agreement (ECDH).
      • For SM key types, this role indicates the key may be used for PIV Opacity Zero-Key Management (ZKM).

Sign
    This key can be used for digital signature mechanisms.
      • For TDEA or AES key types, this role is not currently supported.
      • For RSA key types, this role indicates the key may be used for RSA Digital Signatures against pre-formatted signature blocks.
      • For ECC key types, this role indicates the key may be used for Elliptic-Curve Digital Signature Algorithm (ECDSA) operations.
      • For SM key types, this role is not supported.

Verify
    Reserved for future use

Encrypt
    Reserved for future use

Decrypt
    Reserved for future use

5.2.3 Enumeration - Key Attributes

Element / Description

Permit Internal
    Symmetric Keys Only - Permits the PIV General Authenticate command to be used to request an INTERNAL authentication.
    Note: Great care should be taken before enabling this feature. Most environments should leave it switched off.

Permit External
    Symmetric Keys Only - Permits the PIV General Authenticate command to be used to request an EXTERNAL authentication.
    Note: Great care should be taken before enabling this feature. Most environments should leave it switched off.

Importable
    Permits the key value to be injected instead of generated on the card. If this is set to False, only the GENERATE ASYMMETRIC KEYPAIR command may be used to generate key pairs.
    Info: This flag is mandatory for all symmetric key types (TDEA or AES).

...