Appendix - Frequently Asked Questions
- Kim O'Sullivan
Contents
Â
- 1 Frequently Asked Questions
- 1.1 Q - What is FIPS PUB 201-2 and HSPD-12?
- 1.2 Q - What is the PIV Card Application ?
- 1.3 Q - What can I do with a PIV token ?
- 1.4 Q - What doesn't this implementation do?
- 1.5 Q - Why aren't individual object field values and lengths validated?
- 1.6 Q - Does this support PIV-I or CIV?
- 1.7 Q - Will OpenFIPS201 be formally accredited?
- 1.8 Q - Can I contribute to this project?
- 2 PIV Concepts
- 2.1 Roles
- 2.1.1 Card Issuer
- 2.1.2 Card Holder
- 2.1.3 Security Officer
- 2.1.4 Certificate Authority
- 2.2 Pin Always
- 2.1 Roles
Frequently Asked Questions
Q - What is FIPS PUB 201-2 and HSPD-12?
This answer is straight from the horses mouth:
On August 27, 2004, the President signed Homeland Security Presidential Directive 12 (HSPD-12), entitled "Policy for a Common Identification Standard for Federal Employees and Contractors." HSPD-12 required the development and implementation of a government-wide standard for secure and reliable forms of identification for Federal employees and contractors. As required by HSPD-12, the National Institute of Standards and Technology (NIST) developed Federal Information Processing Standard 201 (FIPS 201) titled "Personal Identity Verification (PIV) of Federal Employees and Contractors" in coordination with other government agencies and the private sector. Subsequently, NIST issued several special publications, in support of FIPS 201 to enable interoperable implementations.
This Standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and logical access to government information systems.
So HSPD-12 was the motivating policy which resulted in the creation of FIPS 201-2. While FIPS 201-2 lays out the overall architecture, requirements and procedures, it is more of an umbrella specification. The detailed technical specifications are described in a number of other documents, the most important of these is NIST SP800-73-4, which defines the data model, card application, security and off-card interface (middleware). This project implements the PIV Card Application portion of this document.
The following pages contain links to the standards behind FIPS201-2 and PIV:
NIST FIPS 201-2 - Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST SP 800-73-4 - Interfaces for Personal Identity Verification
NIST SP 800-78-4 - Cryptographic Algorithms and Key Sizes for Personal Identity Verification
Q - What is the PIV Card Application ?
The PIV Card Application is a contact and/or contactless ISO-7816 smart card applet, which provides a number of basic features:
It contains a file system that allows reading and writing of a number of Data Objects (DO’s). It controls access to each DO using access control conditions, which require some form of authentication by either the cardholder or the Card Management System.
It provides a number of verification mechanisms utilising PIN's, symmetric and asymmetric (PKI) algorithms to authenticate the cardholder
It allows card authentication processes, digital signatures to be generated and also participates in key establishment mechanisms for encryption in-flight or at-rest.
It provides a means to generate asymmetric keys on-card to provide high assurance, especially where digital signatures are involved
Q - What can I do with a PIV token ?
The PIV standard permits you to securely store PKI keys and use them with almost any PKI-compatible solution for Encryption, Digital Signatures, Authentication, Key Establishment, etc.
Authentication - Allows you to provide multi-factor login support to your Microsoft Windows, Apple OSX or Linux computer / network. In addition to this, it can also be used to authenticate to:
Remote Control tools such as SSH, Microsoft RDP, VMWare, and Citrix
Multi-Function Devices such as Konica Minolta and Citrix to support follow-me printing and scanning.
Encryption and Digital Signatures - Digitally protect documents and emails with PKI-compliant software such as Microsoft Office, Adobe Acrobat, Microsoft Outlook, and Mozilla Thunderbird.
Integrate with Physical Access Control (PACS) systems for boundary protection.
Q - What doesn't this implementation do?
As of the accreditation release, although the biometric data objects exist, there is no support for biometric On-Card Comparison. Other than that, all mandatory and optional PIV features are implemented.
Q - Why aren't individual object field values and lengths validated?
There are a number of reasons:
It isn't practical to validate every object within the applet itself without considerably increasing the code size, while the card management system seems the logical place to have much more robust data validation.
With many PIV middleware/clients out there requiring backwards compatibility and differing interpretations of object requirements, there isn't a simple one-size-fits-all validation for every installation.
Some objects are candidates for GZip compression, which would then necessitate on-card deflation to validate
Q - Does this support PIV-I or CIV?
Most likely! It seems that PIV-I and CIV are just relaxed versions for the current PIV data object, security and access mode requirements. The flexibility built-in to OpenFIPS201 means that it should be fairly easy to create adapted versions to suit non-federal requirements.
Q - Will OpenFIPS201 be formally accredited?
Yes! OpenFIPS201 is currently in the preliminary stages of accreditation for FIPS 140-3.
Q - Can I contribute to this project?
Yes! Contributions to OpenFIPS201 are welcome, whether they be in the form of code improvements, tests, security audits or even just bug/feature reports. As this project has been developed on behalf of the Commonwealth of Australia, there are some conditions applied:
Any contributions, submissions, suggested amendments or fixes will not be considered for adoption unless they are provided under the MIT license terms, or a similar permissive open source licence which does not place obligations or restrictions for use and modification of the licensed material.
Changes will only be accepted if they are of sufficient quality and our team reserves the right to reject any submissions that don't meet our quality control processes.
This project is intended for use in production and as such, changes that substantially deviate from the PIV standard may not be accepted (we want to keep the code-base clean). You are of course welcome to fork the project if you have grand ideas for a new direction!
Â
PIV Concepts
Roles
There are a number of roles in the PIV scheme which are described below and referred to throughout the rest of the OpenFIPS201 documentation:
Card Issuer
The card issuer is the entity responsible for the issuance and management of PIV cards in a scheme. They typically perform the following tasks:
Creation and configuration of PIV cards using the Token Management System (sometimes also called Card Management System)
Confirming the identity of the cardholder prior for the purposes of requesting digital certificates
Management of cardholder information (or at the very least that which is stored or physically printed on the card)
Management of keys, data objects and verification data such as PIN, PUK and biometric templates
Post-issuance management of the PIV card applet and data including re-issuance)
Card Holder
The card holder is the individual who is in physical possession of the card and whose identity is bound to keys, certificates and data on the card. They make use of the card functionality to perform cryptographic operations and (aside from changing the PIN value) typically have no ownership or management authority over the card. A cardholder is almost always an individual person (especially when digital signatures are involved), although in some cases it can refer to an organisation.
A cardholder verifies their authority to use the card by presenting the correct PIN for verification, which then permits the use of the private keys stored on the card.
Security Officer
The security officer is the role responsible for unlocking cards that have been blocked due to too many invalid PIN attempts being made. They are in possession of the PIN Unblocking Key (PUK), which when used with the PIV VERIFY card command will unlock and reset the cardholder PIN value. The ‘security officer’ role is often a system, rather than individuals and can include self-unlocking services where the PUK is remotely issued to the card.
Certificate Authority
The certificate authority is the trusted entity responsible for issuing all digital certificates stored on the card. Each private key must have an associated certificate which binds it to the named individual or organisation. They are also responsible for maintaining Certificate Revocation Lists to track invalidated key pairs (for instance, when a card is lost or the cardholder has left the organisation).
Â
The term ‘Role’ typically refers to any entity that is permitted to act a certain way in a system and typically does not refer to any particular individual or system. Roles are typically authorised to perform their functionality by means of cryptographic keys or knowledge of verification data (i.e. PIN / PUK), meaning that anyone with the ability authenticate correctly may perform all the functionals of that role.
Â
Pin Always
TBD describe PIN Always here
Â