Introduction

OpenFIPS201 has been commissioned and funded by the Australian Department of Defence, to provide an open source implementation of the on-card application for the National Institute of Standards and Technology (NIST) Personal Identity Verification (PIV) standard specified by FIPS PUB 201 and SP800-73.

This project aims to be a complete, production ready and straight-forward implementation of the SP 800-73 Card Application specification. It has a number of key implementation philosophies that drive architecture and development:

1. To provide a production quality implementation that can be openly used, shared and reviewed by the wider industry, in keeping with Kerkchoff's Principle.

2. To serve as a commonly shared reference between departments and organisations that wish to interoperate using FIPS-201 for logical and physical access control, both within the context of government departments and the industry at large (i.e. Commercial Identity Verification, or CIV).

3. To provide an openly described solution to the gaps in the PIV standard, particularly with regards to card management functions and personalisation.

4. To provide a foundation for a fully accredited open source PIV implementation that will provide a high assurance alternative to commercial solutions on the market, operating on FIPS 140 accredited tokens with Javacard 3.0.4 and Global Platform 2.1.1 or above

5. To be accreditable against FIPS PUB 201 and SP 800-73 under the NIST NPIVP program.

Getting Started

1 - Want to know what OpenFIPS201 can do? Check out Applet Features.

2 - Next, make sure your target smart card platform meets the Applet Requirements.

3 - Next, grab a copy of the of OpenFIPS201:

• For those that just want to use the standard release, just download it from the Releases section on the right side of this page.

• If you want to build it yourself from source code, head on over to the Applet Development page.

• Once you have downloaded or built your CAP file, you are now ready to install.

4 - Install OpenFIPS201 using your favourite applet loader. Want options?

• Martin Paljak's GlobalPlatformPro

• GPShell (now maintained by Karsten Ohme)

• Javacos PyAPDUTool

• Most card manufacturers have their own Global Platform capable loader tools

5 - Build the PIV file system, key store and apply any configuration settings (see Applet Pre-Personalisation).

6 - Inject any initial key or PIN values (see Applet Security Personalisation).

7 - Finally, personalise your new PIV instance in two possible ways:

• OpenFIPS201 supports personalisation over a GP Secure Channel. We strongly recommend the latter for any new rollouts as this provides message encryption and authentication. All the standard PIV personalisation commands work without change.

• If your infrastructure cannot support this or you are dealing with legacy administration equipment, you can still personalise using the 9B key and your favourite PIV Middleware / Application. Want options?

  • Yubikey PIV Tool - https://developers.yubico.com/yubico-piv-tool

  • OpenSC PIV - https://github.com/OpenSC/OpenSC/wiki/US-PIV

  • Joyent Pivy - https://github.com/joyent/pivy

  • Charismathics CSSI - https://www.charismathics.com/cssi-smartcard-middleware (Commercial)

Releases

Documentation Links:

Useful Links

PIV Standards

• NIST FIPS 201-2

• NIST SP-800-73-4

• NIST SP-800-78-4

ASN.1 Tools

• ASN1.IO - ASN.1 Playground

• LAPO ASN.1 Decoder