...

| Parameter | Description | Default Value |
|---|---|---|
| PIN RETRIES | The number of retries before the PIN object is blocked. SP800-73-4 Requirement: Issuer-defined | 6 |
| PIN RETRIES INTERMEDIATE | The number of retries remaining before the PIN object is blocked on the contactless interface only. SP800-73-4 Requirement: Issuer-defined | 1 |
| PUK RETRIES | The number of retries before the PUK object is blocked. SP800-73-4 Requirement: Issuer-defined | 6 |
| PUK RETRIES INTERMEDIATE | The number of retries before the PUK object is blocked on the contactless interface only. SP800-73-4 Requirement: Issuer-defined | 1 |
| PIN LENGTH MIN | The minimum length of the PIN value. The SP800-73-4 default is '6'. NOTE: Changing this value from its default will break PIV compliance. SP800-73-4 Requirement: Must be set to 6 | 6 |
| PIN LENGTH MAX | The maximum length of the PIN value. The SP800-73-4 default is '8'. NOTE: Changing this value from its default will break PIV compliance. SP800-73-4 Requirement: Must be set to 8 | 8 |
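
How the defaults above interact, as an added example (a host-side Python model, not OpenFIPS201 code). It assumes the contactless interface refuses VERIFY with status 6983 once the counter has fallen to PIN RETRIES INTERMEDIATE, and that a malformed PIN field is rejected with 6A80 without costing a retry. The class and function names and the sample PIN values are constructed.

```python
import hmac
from dataclasses import dataclass

SW_OK, SW_BLOCKED, SW_BAD_DATA = 0x9000, 0x6983, 0x6A80

@dataclass
class PinPolicy:
    retries: int = 6                # PIN RETRIES
    retries_intermediate: int = 1   # PIN RETRIES INTERMEDIATE
    length_min: int = 6             # PIN LENGTH MIN
    length_max: int = 8             # PIN LENGTH MAX

def pin_digits(field: bytes, policy: PinPolicy):
    """Return the digits of an 8-byte, 0xFF-padded PIN field, or None if malformed."""
    if len(field) != 8:
        return None
    digits = field.rstrip(b"\xff")
    if not policy.length_min <= len(digits) <= policy.length_max:
        return None
    if any(not 0x30 <= b <= 0x39 for b in digits):
        return None
    return digits

class PinObject:
    def __init__(self, reference: bytes, policy: PinPolicy):
        self.reference, self.policy = reference, policy
        self.remaining = policy.retries

    def verify(self, field: bytes, contactless: bool) -> int:
        # Assumption: contactless attempts stop once the counter has fallen to
        # the intermediate limit; the contact interface may run it down to 0.
        floor = self.policy.retries_intermediate if contactless else 0
        if self.remaining <= floor:
            return SW_BLOCKED
        digits = pin_digits(field, self.policy)
        if digits is None:
            return SW_BAD_DATA            # format error: counter untouched
        if hmac.compare_digest(digits, self.reference):
            self.remaining = self.policy.retries
            return SW_OK
        self.remaining -= 1
        return 0x63C0 | self.remaining    # 63CX: X retries left

def contactless_guessing_demo():
    """Constructed scenario: wrong guesses over contactless, then the holder on contact."""
    pin = PinObject(b"123456", PinPolicy())
    wrong, right = b"000000\xff\xff", b"123456\xff\xff"
    guesses = [pin.verify(wrong, contactless=True) for _ in range(7)]
    return guesses, pin.remaining, pin.verify(right, contactless=False)
```

With the defaults, five wrong contactless guesses leave one retry that only the contact interface can use, so the PIN cannot be fully blocked over contactless.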

4 Applet Architecture

...


Component

Description

OpenFIPS201 Facade

This is the derived implementation of the Javacard Applet class and provides the entry point for all communications to the applet.

It implements the following functionality:

  • Applet installation and memory allocation

  • Applet selection and deselection

  • APDU processing

  • GP Secure Channel processing

PIV

The implementation of all [SP800-73-4] commands and functionality.

PIV Object

The base class from which all PIV dynamic objects derive. It contains the identification and access control information associated with all PIV objects.

It defines the following attributes:

  • Object Identifier

  • Access Mode - Contact Interface

  • Access Mode - Contactless Interface

Info

This class is abstract and cannot be instantiated.

PIV Security Provider

This class is the entry point for all cryptographic operations. It performs the following:

  1. Manages the cryptographic key store.

  2. Permits querying of available keys.

  3. Maintains card verification data and state.

  4. Permits querying of PIV Object access conditions against the current verification and authentication state.

Key Object

The base class from which all PIV dynamic Keys derive. It extends PIV Object to include the following additional attributes:

  • Cryptographic Mechanism

  • Key Role

  • Key Attributes

Info

This class is abstract and cannot be instantiated.

PKI Key

The base class for asymmetric keys. It extends the Key Object to include additional functionality:

  • Signing operation

  • Key Agreement operation

  • Key Generation operation

Info

This class is abstract and cannot be instantiated.

RSA Key

A concrete implementation of the PKI Key class, which provides RSA cryptographic operations.

Info

This class implements the Lockable pattern.

ECC Key

A concrete implementation of the PKI Key class, which provides Elliptic Curve cryptographic operations.

Info

This class implements the Lockable pattern.

Symmetric Key

A concrete implementation of the Key Object class, which provides AES and TripleDES cryptographic operations.

Info

This class implements the Lockable pattern.

Data Object

Represents a single PIV Data Object, which is accessed via the GET DATA and PUT DATA commands.

TLV Reader

Implements ASN.1 BER and DER-TLV object validation and querying.

Info

This class is implemented as a Singleton and implements the Lockable pattern.

TLV Writer

Implements ASN.1 BER and DER-TLV object validation and querying.

Info

This class is implemented as a Singleton and implements the Lockable pattern.

Chain Buffer

Implements [ISO 7816] command chaining to a temporary command buffer so that other components need not consider the existence of chaining.

CMVPIN

Extends the Java Card PIN interface to implement access to the GlobalPlatform Global PIN in a consistent manner.
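
The behaviour the Chain Buffer row describes, as an added example (a Python model, not the applet's own code): chained APDUs are marked by CLA bit 0x10 per ISO 7816, and the buffer hands on one complete command. The class name, the capacity, the status words chosen for errors and the sample PUT DATA payload are assumptions of the example; only short APDUs carrying a data field are handled.

```python
CLA_CHAINING = 0x10   # ISO 7816-4: set on every command of a chain except the last
SW_OK, SW_WRONG_LENGTH, SW_LAST_EXPECTED = 0x9000, 0x6700, 0x6883

class ChainBuffer:
    """Collects the data fields of chained short APDUs into one command."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.reset()

    def reset(self):
        self.header = None          # (INS, P1, P2) of the chain in progress
        self.data = bytearray()

    def process(self, apdu: bytes):
        """Feed one APDU; return (status word, completed command or None)."""
        if len(apdu) < 5 or len(apdu) != 5 + apdu[4]:
            self.reset()
            return SW_WRONG_LENGTH, None
        cla, header, body = apdu[0], bytes(apdu[1:4]), apdu[5:]
        if self.header is not None and header != self.header:
            self.reset()            # a different command interrupted the chain
            return SW_LAST_EXPECTED, None
        if len(self.data) + len(body) > self.capacity:
            self.reset()            # never let a chain outgrow the buffer
            return SW_WRONG_LENGTH, None
        self.header = header
        self.data += body
        if cla & CLA_CHAINING:
            return SW_OK, None      # more to come; nothing dispatched yet
        command = (header, bytes(self.data))
        self.reset()
        return SW_OK, command

def chained(ins, p1, p2, payload, chunk):
    """Split a payload into chained APDUs (constructed test input)."""
    parts = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    return [bytes([0x10 if i < len(parts) - 1 else 0x00, ins, p1, p2, len(p)]) + p
            for i, p in enumerate(parts)]

def reassembly_demo():
    buf = ChainBuffer(capacity=64)
    payload = bytes(range(20))      # constructed PUT DATA body
    results = [buf.process(a) for a in chained(0xDB, 0x3F, 0xFF, payload, 8)]
    return results[-1] == (SW_OK, (b"\xdb\x3f\xff", payload)) and \
        all(r == (SW_OK, None) for r in results[:-1])
```

Resetting on every error path means a chain that was interrupted or that overflowed leaves no partial data behind for the next command to pick up.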

...

  • File System Descriptors

  • Data Objects

  • Key Objects

...

Info

For Data Objects

...

:

  • Memory is allocated on first-write. If memory allocation fails, the object remains uninitialised and unchanged.

...

  • Subsequent writes cause the initial object to be de-allocated and then a new object is allocated. This causes the Garbage Collection process to be requested if available.

Info

For Key Objects:

  • Allocation occurs either when the first key element is injected or when key generation is requested. In both cases, all memory relating to the Key Object is allocated to prevent the possibility of partial allocation causing undefined behaviour.

  • Memory is de-allocated when the key is explicitly cleared via caller request.

4.2.6 Defined Cryptographic Boundary

...

The classes that contain references to cryptographic primitive instances are:

  • PIV Security Provider

  • PIV Key Object - RSA

  • PIV Key Object - ECC

  • PIV Key Object - SymmetricCrypto

4.2.7 Optimised File Allocation Table

...