
Appendix - NIST Compliant Profile


2 Overview

The following scripts can be executed with your favourite smartcard utility to pre-personalise OpenFIPS201 so that it is fully compliant with the SP800-73-4 data object, configuration and key requirements.

All commands are ISO 7816 T=1 APDUs, written as hexadecimal bytes in the following format:

[CLA] [INS] [P1] [P2] [LC] [DATA]

Note that the LE byte is not present in any command, so each command ends after exactly LC data bytes.

All commands below must be executed under a GlobalPlatform Secure Channel session with the C_ENCRYPTION and C_MAC options set (SCP03).


3 Configuration Scripts

This script serves only as a reference for the NIST-compliant values and does not need to be sent if you don’t wish to change any values.

# UPDATE CONFIGURATION
00 DB 3F 00 5D 68 5B A0 24 80 01 FF 81 01 00 82 01 00 83 01 00 84 01 06 85 01 08 86 01 06 87 01 05 88 01 00 89 01 04 8A 01 00 8B 01 00 A1 12 80 01 FF 81 01 00 82 01 08 83 01 06 84 01 05 85 01 00 A2 03 80 01 00 A3 03 80 01 00 A4 15 80 01 00 81 01 00 82 01 00 83 01 00 84 01 FF 85 01 00 86 01 00
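Before sending the configuration script it is worth checking that the LC byte really matches the data that follows it and seeing how the data is nested. The following Python is an added example, not code from the OpenFIPS201 page or project: it parses a script in the page's "# comment / hex bytes" layout into APDU fields, rejects a command whose LC disagrees with its data (since no LE byte is ever present), and decodes the BER-TLV body generically so the tag 68 / A0..A4 tree can be reviewed. The meaning of the individual tags is not assumed; only the TLV structure is decoded.

```python
# Added example, not part of the OpenFIPS201 page or project: parse a
# pre-personalisation script line into its APDU fields, check that the LC byte
# matches the data that follows (the page states no LE byte is ever present),
# and decode the BER-TLV body so the configuration tree can be reviewed.
from dataclasses import dataclass

# The UPDATE CONFIGURATION script exactly as given on the page.
UPDATE_CONFIGURATION_SCRIPT = """
# UPDATE CONFIGURATION
00 DB 3F 00 5D 68 5B A0 24 80 01 FF 81 01 00 82 01 00 83 01 00 84 01 06 85 01 08 86 01 06 87 01 05 88 01 00 89 01 04 8A 01 00 8B 01 00 A1 12 80 01 FF 81 01 00 82 01 08 83 01 06 84 01 05 85 01 00 A2 03 80 01 00 A3 03 80 01 00 A4 15 80 01 00 81 01 00 82 01 00 83 01 00 84 01 FF 85 01 00 86 01 00
"""


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes


def parse_script(text):
    """Return a list of (comment, Apdu) from '# comment' / hex-byte lines."""
    result, comment = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            comment = line[1:].strip()
            continue
        raw = bytes.fromhex(line)
        if len(raw) < 5:
            raise ValueError("a command needs at least CLA INS P1 P2 LC")
        lc, data = raw[4], raw[5:]
        # No LE byte: the bytes after LC must be exactly LC long, no more, no less.
        if len(data) != lc:
            raise ValueError(f"LC is {lc:02X} but {len(data)} data bytes follow")
        result.append((comment, Apdu(raw[0], raw[1], raw[2], raw[3], data)))
    return result


def decode_tlv(data):
    """Decode BER-TLV into [(tag, value_or_children), ...]; constructed tags
    (bit 6 of the first tag byte set) are decoded recursively."""
    items, i = [], 0
    while i < len(data):
        first = data[i]
        tag, i = first, i + 1
        if first & 0x1F == 0x1F:            # multi-byte tag (e.g. 5F C1 xx)
            while True:
                tag, i = (tag << 8) | data[i], i + 1
                if not data[i - 1] & 0x80:
                    break
        length, i = data[i], i + 1
        if length & 0x80:                   # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"tag {tag:X} claims {length} bytes, input truncated")
        i += length
        items.append((tag, decode_tlv(value) if first & 0x20 else value))
    return items


def configuration_tree():
    """Parse the page's script and return the decoded TLV tree of its data."""
    comment, apdu = parse_script(UPDATE_CONFIGURATION_SCRIPT)[0]
    assert (apdu.ins, apdu.p1, apdu.p2) == (0xDB, 0x3F, 0x00), comment
    return decode_tlv(apdu.data)


def dump(items, indent=0):
    """Print the tree, one tag per line, nesting shown by indentation."""
    for tag, value in items:
        if isinstance(value, list):
            print(f"{'  ' * indent}{tag:02X} (constructed)")
            dump(value, indent + 1)
        else:
            print(f"{'  ' * indent}{tag:02X} = {value.hex().upper()}")


if __name__ == "__main__":
    dump(configuration_tree())
```

Running it prints tag 68 with its five constructed children A0 to A4 and every primitive tag beneath them; the same parser can be pointed at any other script on this page, and a hand-edited command with a stale LC byte is rejected before it reaches the card.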

4 PIN / PUK Scripts

The following scripts set the cardholder reference values to these defaults:

  • PIN - 123456

  • PUK - 12345678

This is great for testing, but typically not for production.

# CHANGE REFERENCE DATA - PIN (80) to 123456
00 24 FF 80 08 31 32 33 34 35 36 FF FF

# CHANGE REFERENCE DATA - PUK (81) to 12345678
00 24 FF 81 08 31 32 33 34 35 36 37 38
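The two commands above encode the PIN and PUK as ASCII digits padded to 8 bytes with FF. The Python below is an added example, not code from the OpenFIPS201 page or project: it builds CHANGE REFERENCE DATA commands for a chosen PIN or PUK in the page's format (P1 = FF as in the scripts above), enforces the SP800-73-4 length rules (PIN 6 to 8 digits padded to 8 bytes, PUK 8 bytes), recovers the value from an existing command, and flags the page's testing defaults so they can be caught before a production run. The key reference values 80 and 81 are taken from the page; the helper names are the example's own.

```python
# Added example, not part of the OpenFIPS201 page or project: build the
# CHANGE REFERENCE DATA (INS 24) APDUs used by the PIN / PUK scripts and
# verify them against the bytes shown on the page. Length rules follow
# SP800-73-4: the PIN is 6 to 8 ASCII digits padded to 8 bytes with FF, the PUK
# is 8 bytes. P1 = FF mirrors the page's pre-personalisation scripts.
PIN_REF, PUK_REF = 0x80, 0x81          # key references from the page
PADDED_LENGTH = 8
LENGTH_RULES = {PIN_REF: (6, 8), PUK_REF: (8, 8)}

# Defaults the page uses for testing; flagged so they do not reach production.
TEST_DEFAULTS = {PIN_REF: "123456", PUK_REF: "12345678"}


def encode_reference_data(key_ref, value):
    """ASCII digits padded with FF to 8 bytes, as the scripts show."""
    if key_ref not in LENGTH_RULES:
        raise ValueError(f"unsupported key reference {key_ref:02X}")
    if not (value.isascii() and value.isdigit()):
        raise ValueError("reference data must be ASCII digits")
    lo, hi = LENGTH_RULES[key_ref]
    if not lo <= len(value) <= hi:
        raise ValueError(f"key reference {key_ref:02X} needs {lo}-{hi} digits")
    return value.encode("ascii").ljust(PADDED_LENGTH, b"\xff")


def change_reference_data(key_ref, value):
    """CLA INS P1 P2 LC DATA with no LE, matching the page's command format."""
    data = encode_reference_data(key_ref, value)
    return bytes([0x00, 0x24, 0xFF, key_ref, len(data)]) + data


def decode_reference_data(apdu):
    """Recover (key_ref, value) from a CHANGE REFERENCE DATA command."""
    if apdu[:3] != b"\x00\x24\xff" or apdu[4] != len(apdu) - 5:
        raise ValueError("not a CHANGE REFERENCE DATA command in this profile's format")
    key_ref, data = apdu[3], apdu[5:]
    return key_ref, data.rstrip(b"\xff").decode("ascii")


def is_test_default(key_ref, value):
    """True when the value is one of the page's testing defaults."""
    return TEST_DEFAULTS.get(key_ref) == value


def fmt(apdu):
    """Render bytes in the page's spaced-hex style."""
    return " ".join(f"{b:02X}" for b in apdu)


if __name__ == "__main__":
    for ref, val in TEST_DEFAULTS.items():
        note = "  <- testing default, not for production" if is_test_default(ref, val) else ""
        print(fmt(change_reference_data(ref, val)) + note)
```

Generating the commands from a value, rather than hand-editing hex, keeps the LC byte and the FF padding consistent, and the default check gives a personalisation script a simple gate before it is run against production cards.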

5 Data Object Scripts

5.1 Mandatory


5.2 Optional


6 Key Object Scripts

6.1 TDEA-128 Mechanism

6.2 AES-128 Mechanism

6.3 AES-192 Mechanism

6.4 AES-256 Mechanism

6.5 RSA-1024 Mechanism

6.6 RSA-2048 Mechanism

6.7 ECC-256 Mechanism

6.8 ECC-384 Mechanism