Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated NIST compliant configuration to disable pin complexity rules

1 Contents

Table of Contents
minLevel1
maxLevel7
excludeContents.*

...

2 Overview

The following scripts can be executed with your favourite smartcard utility to pre-personalise OpenFIPS201 to be fully compliant with the SP800-73-4 data object, configuration and key requirements.

...

Info

All commands below must be executed under a GlobalPlatform Secure Channel session with the C_ENCRYPTION and C_MAC options set (SCP03).

...

3 Configuration Scripts

This script serves only as a reference for the NIST compliant values and does not need to be sent if you don’t wish to change any values.

Code Block
# UPDATE CONFIGURATION
00 DB 3F 00 5D 68 5B A0 24 80 01 FF 81 01 00 82 01 00 83 01 00 84 01 06 85 01 08 86 01 06 87 01 
05 88 01 00 89 01 04 8A 01 0400 8B 01 0400 A1 12 80 01 FF 81 01 00 82 01 08 83 01 06 84 01 05 85 01 
00 A2 03 80 01 00 A3 03 80 01 00 A4 15 80 01 00 81 01 00 82 01 00 83 01 00 84 01 FF 85 01 00 86 
01 00

...

4 PIN / PUK Scripts

The following scripts will set the cardholder reference values to the following defaults:

...

Code Block
# CHANGE REFERENCE DATA - PIN (80) to 123456
00 24 FF 80 08 31 32 33 34 35 36 FF FF

# CHANGE REFERENCE DATA - PUK (81) to 12345678
00 24 FF 81 08 31 32 33 34 35 36 37 38

...

5 Data Object Scripts

...

5.1 Mandatory

Code Block
# CREATE DATA OBJECT - 5FC107 - Card Capability Container
00 DB 3F 00 0D 64 0B 8B 03 5F C1 07 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC102 - Cardholder Unique Identifier
00 DB 3F 00 0D 64 0B 8B 03 5F C1 02 8C 01 7F 8D 01 7F

# CREATE DATA OBJECT - 5FC105 - X509 Certificate for PIV Authentication
00 DB 3F 00 0D 64 0B 8B 03 5F C1 05 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC101 - X509 Certificate for Card Authentication
00 DB 3F 00 0D 64 0B 8B 03 5F C1 01 8C 01 7F 8D 01 7F

# CREATE DATA OBJECT - 5FC103 - Cardholder Fingerprints
00 DB 3F 00 0D 64 0B 8B 03 5F C1 03 8C 01 01 8D 01 00

# CREATE DATA OBJECT - 5FC108 - Cardholder Facial Image
00 DB 3F 00 0D 64 0B 8B 03 5F C1 08 8C 01 01 8D 01 00

# CREATE DATA OBJECT - 5FC106 - Security Object
00 DB 3F 00 0D 64 0B 8B 03 5F C1 06 8C 01 7F 8D 01 00


#
# Mandatory only for US-Government Issued PIV Credentials
#

# CREATE DATA OBJECT - 5FC10A - X509 Certificate for Digital Signature
00 DB 3F 00 0D 64 0B 8B 03 5F C1 0A 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC10B - X509 Certificate for Key Management
00 DB 3F 00 0D 64 0B 8B 03 5F C1 0B 8C 01 7F 8D 01 00

...

5.2 Optional

Code Block
# CREATE DATA OBJECT - 5FC109 - Printed Information
00 DB 3F 00 0D 64 0B 8B 03 5F C1 09 8C 01 01 8D 01 00

# CREATE DATA OBJECT - 5FC122 - Secure Messaging Signer
00 DB 3F 00 0D 64 0B 8B 03 5F C1 22 8C 01 7F 8D 01 7F

# CREATE DATA OBJECT - 7E - Discovery Object
00 DB 3F 00 0B 64 09 8B 01 7E 8C 01 7F 8D 01 7F

# CREATE DATA OBJECT - 5FC10C - Key History Object
00 DB 3F 00 0D 64 0B 8B 03 5F C1 0C 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC10D - Retired X509 Certificate for Key Management 1
00 DB 3F 00 0D 64 0B 8B 03 5F C1 0D 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC10E - Retired X509 Certificate for Key Management 2
00 DB 3F 00 0D 64 0B 8B 03 5F C1 0E 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC10F - Retired X509 Certificate for Key Management 3
00 DB 3F 00 0D 64 0B 8B 03 5F C1 0F 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC110 - Retired X509 Certificate for Key Management 4
00 DB 3F 00 0D 64 0B 8B 03 5F C1 10 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC111 - Retired X509 Certificate for Key Management 5
00 DB 3F 00 0D 64 0B 8B 03 5F C1 11 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC112 - Retired X509 Certificate for Key Management 6
00 DB 3F 00 0D 64 0B 8B 03 5F C1 12 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC113 - Retired X509 Certificate for Key Management 7
00 DB 3F 00 0D 64 0B 8B 03 5F C1 13 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC114 - Retired X509 Certificate for Key Management 8
00 DB 3F 00 0D 64 0B 8B 03 5F C1 14 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC115 - Retired X509 Certificate for Key Management 9
00 DB 3F 00 0D 64 0B 8B 03 5F C1 15 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC116 - Retired X509 Certificate for Key Management 10
00 DB 3F 00 0D 64 0B 8B 03 5F C1 16 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC117 - Retired X509 Certificate for Key Management 11
00 DB 3F 00 0D 64 0B 8B 03 5F C1 17 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC118 - Retired X509 Certificate for Key Management 12
00 DB 3F 00 0D 64 0B 8B 03 5F C1 18 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC119 - Retired X509 Certificate for Key Management 13
00 DB 3F 00 0D 64 0B 8B 03 5F C1 19 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC11A - Retired X509 Certificate for Key Management 14
00 DB 3F 00 0D 64 0B 8B 03 5F C1 1A 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC11B - Retired X509 Certificate for Key Management 15
00 DB 3F 00 0D 64 0B 8B 03 5F C1 1B 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC11C - Retired X509 Certificate for Key Management 16
00 DB 3F 00 0D 64 0B 8B 03 5F C1 1C 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC11D - Retired X509 Certificate for Key Management 17
00 DB 3F 00 0D 64 0B 8B 03 5F C1 1D 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC11E - Retired X509 Certificate for Key Management 18
00 DB 3F 00 0D 64 0B 8B 03 5F C1 1E 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC11F - Retired X509 Certificate for Key Management 19
00 DB 3F 00 0D 64 0B 8B 03 5F C1 1F 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC120 - Retired X509 Certificate for Key Management 20
00 DB 3F 00 0D 64 0B 8B 03 5F C1 20 8C 01 7F 8D 01 00

# CREATE DATA OBJECT - 5FC121 - Cardholder Iris Images
00 DB 3F 00 0D 64 0B 8B 03 5F C1 21 8C 01 01 8D 01 00

# CREATE DATA OBJECT - 7F61 - Biometric Information Templates Group Template
00 DB 3F 00 0C 64 0A 8B 02 7F 61 8C 01 7F 8D 01 7F

...

6 Key Object Scripts

...

6.1 TDEA-128 Mechanism

Code Block
# CREATE KEY - 9B - Application Administration Key (TDEA3KEY)
00 DB 3F 00 14 66 12 8B 01 9B 8C 01 7F 8D 01 00 8E 01 03 8F 01 01 90 01 11

# CREATE KEY - 9E - Card Authentication Key (TDEA3KEY)
00 DB 3F 00 14 66 12 8B 01 9E 8C 01 7F 8D 01 7F 8E 01 03 8F 01 01 90 01 10

...

6.2 AES-128 Mechanism

Code Block
# CREATE KEY - 9B - Application Administration Key (AES128)
00 DB 3F 00 14 66 12 8B 01 9B 8C 01 7F 8D 01 00 8E 01 08 8F 01 01 90 01 11

# CREATE KEY - 9E - Card Authentication Key (AES128)
00 DB 3F 00 14 66 12 8B 01 9E 8C 01 7F 8D 01 7F 8E 01 08 8F 01 01 90 01 10

...

6.3 AES-192 Mechanism

Code Block
# CREATE KEY - 9B - Application Administration Key (AES192)
00 DB 3F 00 14 66 12 8B 01 9B 8C 01 7F 8D 01 00 8E 01 0A 8F 01 01 90 01 11

# CREATE KEY - 9E - Card Authentication Key (AES192)
00 DB 3F 00 14 66 12 8B 01 9E 8C 01 7F 8D 01 7F 8E 01 0A 8F 01 01 90 01 10

...

6.4 AES-256 Mechanism

Code Block
# CREATE KEY - 9B - Application Administration Key (AES256)
00 DB 3F 00 14 66 12 8B 01 9B 8C 01 7F 8D 01 00 8E 01 0C 8F 01 01 90 01 11

# CREATE KEY - 9E - Card Authentication Key (AES256)
00 DB 3F 00 14 66 12 8B 01 9E 8C 01 7F 8D 01 7F 8E 01 0C 8F 01 01 90 01 10

...

6.5 RSA-1024 Mechanism

Code Block
TBD

...

6.6 RSA-2048 Mechanism

Code Block
# CREATE KEY - 9A - PIV Authentication Key (RSA2048)
00 DB 3F 00 14 66 12 8B 01 9A 8C 01 01 8D 01 00 8E 01 07 8F 01 04 90 01 10

# CREATE KEY - 9C - Digital Signature Key (RSA2048)
00 DB 3F 00 14 66 12 8B 01 9C 8C 01 02 8D 01 00 8E 01 07 8F 01 04 90 01 10

# CREATE KEY - 9D - Key Management Key (RSA2048)
00 DB 3F 00 14 66 12 8B 01 9D 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 9E - Card Authentication Key (RSA2048)
00 DB 3F 00 14 66 12 8B 01 9E 8C 01 7F 8D 01 7F 8E 01 07 8F 01 04 90 01 10

#
# RETIRED KEYS
#

# CREATE KEY - 82 - Retired Key Management Key 01 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 82 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 83 - Retired Key Management Key 02 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 83 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 84 - Retired Key Management Key 03 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 84 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 85 - Retired Key Management Key 04 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 85 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 86 - Retired Key Management Key 05 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 86 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 87 - Retired Key Management Key 06 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 87 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 88 - Retired Key Management Key 07 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 88 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 89 - Retired Key Management Key 08 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 89 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 8A - Retired Key Management Key 09 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 8A 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 8B - Retired Key Management Key 10 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 8B 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 8C - Retired Key Management Key 11 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 8C 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 8D - Retired Key Management Key 12 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 8D 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 8E - Retired Key Management Key 13 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 8E 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 8F - Retired Key Management Key 14 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 8F 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 90 - Retired Key Management Key 15 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 90 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 91 - Retired Key Management Key 16 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 91 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 92 - Retired Key Management Key 17 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 92 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 93 - Retired Key Management Key 18 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 93 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 94 - Retired Key Management Key 19 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 94 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

# CREATE KEY - 95 - Retired Key Management Key 20 (RSA2048)
00 DB 3F 00 14 66 12 8B 01 95 8C 01 01 8D 01 00 8E 01 07 8F 01 02 90 01 10

...

6.7 ECC-256 Mechanism

Code Block
# CREATE KEY - 9A - PIV Authentication Key (ECC256)
00 DB 3F 00 14 66 12 8B 01 9A 8C 01 01 8D 01 00 8E 01 11 8F 01 04 90 01 10

# CREATE KEY - 9C - Digital Signature Key (ECC256)
00 DB 3F 00 14 66 12 8B 01 9C 8C 01 02 8D 01 00 8E 01 11 8F 01 04 90 01 10

# CREATE KEY - 9D - Key Management Key (ECC256)
00 DB 3F 00 14 66 12 8B 01 9D 8C 01 01 8D 01 00 8E 01 11 8F 01 02 90 01 10

# CREATE KEY - 9E - Card Authentication Key (ECC256)
00 DB 3F 00 14 66 12 8B 01 9E 8C 01 7F 8D 01 7F 8E 01 11 8F 01 04 90 01 10

...

6.8 ECC-384 Mechanism

Code Block
# CREATE KEY - 9C - Digital Signature Key (ECC384)
00 DB 3F 00 14 66 12 8B 01 9C 8C 01 02 8D 01 00 8E 01 14 8F 01 04 90 01 10

# CREATE KEY - 9D - Key Management Key (ECC384)
00 DB 3F 00 14 66 12 8B 01 9D 8C 01 01 8D 01 00 8E 01 14 8F 01 02 90 01 10