fips 201 fips 201 piv ii requirements ii requirements piv
play

FIPS 201 FIPS 201 PIV- -II Requirements II Requirements PIV - PowerPoint PPT Presentation

Oct 14, 2023 •98 likes •342 views

FIPS 201 FIPS 201 PIV- -II Requirements II Requirements PIV Ketan Mehta June 27, 2005 1 Agenda Identity Proofing Card Issuance and maintenance Logical Credentials Authentication Mechanism Card Topology 2 FIPS 201

  1. FIPS 201 FIPS 201 PIV- -II Requirements II Requirements PIV Ketan Mehta June 27, 2005 1

  2. Agenda � Identity Proofing � Card Issuance and maintenance � Logical Credentials � Authentication Mechanism � Card Topology 2

  3. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS PIV Identity Proofing and Registration Requirements PIV Identity Proofing and Registration Requirements � All PIV I control objectives must be met. � In addition, following biometrics information must be captured during the identity proofing and registration process. o A full set of fingerprints for law enforcement checks o An electronic facial image used for printing on the card o Two electronic fingerprint for storage on the card 3

  4. Agenda � Identity Proofing � Card Issuance and maintenance � Logical Credentials � Authentication Mechanism � Card Topology 4

  5. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Card Issuance and Maintenance Requirements Card Issuance and Maintenance Requirements Card Issuance � All PIV I requirements must be met. � Issue a card while a NACI is pending. � Revoke the credential if NACI is not completed and favorably adjudicated in six months. � Issuer shall perform 1:1 biometric match of the applicant against the biometric included in the PIV Card. 5

  6. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Card Issuance and Maintenance Requirements Card Issuance and Maintenance Requirements Card Renewal – replace the card when it expires � Card shall be valid no more than 5 years � No need to repeat the full registration procedure � NACI checks must be followed in accordance with OPM guidance � Expired card must be collected and destroyed � Same biometric data may be reused with the new PIV Card but digital signature must be recomputed with new FASC-N � Expiration date of the PIV authentication certificate and optional digital signature certificate cannot be later than the expiration date of the PIV Card 6

  7. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Card Issuance and Maintenance Requirements Card Issuance and Maintenance Requirements Card Reissuance – issue a new card if the old card has been compromised. � The entire registration and issuance process, including fingerprint and facial image capture, shall be conducted � Old PIV card is revoked � Certificate corresponding to PIV authentication key must be revoked � OCSP responders shall be updated 7

  8. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Card Issuance and Maintenance Requirements Card Issuance and Maintenance Requirements PIN Reset – unlock the card � Agencies determine the number of invalid PIN tries � Cardholder’s biometric match the stored biometric on the card 8

  9. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Card Issuance and Maintenance Requirements Card Issuance and Maintenance Requirements Card Termination – permanently destroy and invalidate the use of the card � Card is collected and destroyed � Card is revoked � Certificate corresponding to PIV authentication key must be revoked � OCSP responders shall be updated � Cardholder data is disposed of in accordance with the stated privacy and data retention policies of the department or agency. 9

  10. Agenda � Identity Proofing � Card Issuance and maintenance � Logical Credentials � Authentication Mechanism � Card Topology 10

  11. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Logical Credentials Logical Credentials Mandatory: Personal Identification Number (PIN) 1. Something the cardholder knows � Used to prove the identity of the cardholder to the card � � PIN should not be easily guessable or otherwise individually identifiable � Meet identity-based authentication requirements of FIPS 140-2 Level 2 11

  12. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Logical Credentials Logical Credentials Mandatory: Cardholder Unique Identifier (CHUID) 2. Something the cardholder possess � � Used to prove the identity of the cardholder to the external entity such as a host computer system � Includes Federal Agency Smart Credential Number (FASC- N) which uniquely identifies each card � Accessible from both contact and contactless interfaces – free read � Includes expiration date and an Asymmetric Signature field � Includes the X.509 certificate which can be used to verify the signature 12

  13. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Logical Credentials Logical Credentials Mandatory: PIV Authentication Key 3. � Something the cardholder possess Used to authenticate the card and prove the identity of � the cardholder to the external entity � Key shall be generated on the card and the private key exportation is not permitted � PIN must be supplied before the first use � Cryptographic operations performed only through contact interface All cryptographic operations using this key are � performed on-card 13

  14. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Logical Credentials Logical Credentials Mandatory: Two biometric fingerprints 4. Something that uniquely identifies the � cardholder � Used to prove the identity of the cardholder to the external entity Biometrics only available through contact interface � after a PIN is successfully verified. 14

  15. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Logical Credentials Logical Credentials Optional: � PIV Card Authentication Key � Used to authenticate the card � May employ symmetric or asymmetric key algorithms � Allow contactless access � Cryptographic operations may be performed without explicit user action (e.g., the PIN need not be supplied) � Digital Signature Key � Used to generate digital signatures � Key shall be generated on the card and the private key exportation is not permitted � Cryptographic operations must only be performed using the contact interface � Private key operations may not be performed without explicit user action 15

  16. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Logical Credentials Logical Credentials Optional: � Key Management Key � Key may be generated on the card or imported to the card � Must only be accessible through contact interface � Cryptographic operations may be performed without explicit user action (e.g., the PIN need not be supplied) � Key is sometimes called an encryption key or encipherment key � Card Management Key � Imported onto the card by the issuer � Is a symmetric key used for personalization or post-issuance activities � Must only be accessible through contact interface 16

  17. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Logical Credentials Logical Credentials Key Management � CA shall participate in the hierarchical PKI for the Common Policy managed by the Federal PKI. � Certificates shall be issued under the id-CommonHW and id-CommonAuth policy X.509 Certificate Requirements � CA shall maintain a LDAP directory server that holds the CRLs for the certificates it issues CA shall operate an OCSP server � � Authority Information Access (AIA) extensions shall include pointers to the appropriate OCSP status responders in addition to LDAP URIs. Certificate associated with PIV Authentication key shall not assert the nonRepudiation � bit in the keyUsage extension and must include the PIV Card’s FASC-N in the subject alternative name field. CAs that issue certificate corresponding to the PIV private keys shall issue CRLs every � 18 hours � PIV Authentication certificate contains FASC-N in the subject alternative name extension; hence, these certificates shall not be distributed publicly via LDAP or HTTP. 17

  18. Agenda � Identity Proofing � Card Issuance and maintenance � Logical Credentials � Authentication Mechanism � Card Topology 18

  19. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Authentication Mechanisms Authentication Mechanisms � Three Identity Authentication Assurance levels � Authentication using PIV Visual Credentials � Authentication using the PIV CHUID � Authentication using PIV Biometric � Authentication using PIV Asymmetric Cryptography (PKI) 19

  20. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS Graduated Assurance Levels for Identity Authentication Graduated Assurance Levels for Identity Authentication Authentication for Physical and Logical Access Authentication for Physical and Logical Access Applicable PIV Applicable PIV Applicable PIV Authentication Authentication Authentication Mechanism Mechanism Mechanism PIV Assurance Level Required by Application/Resource Physical Access Logical Access Logical Access Local Workstation Remote/Network Environment System Environment SOME confidence VIS, CHUID CHUID PKI HIGH confidence BIO BIO PKI VERY HIGH confidence BIO-A, PKI BIO-A, PKI PKI 20

  21. Agenda � Identity Proofing � Card Issuance and maintenance � Logical Credentials � Authentication Mechanism � Card Topology 21

  22. FIPS 201 REQUIREMENTS FIPS 201 REQUIREMENTS PIV Card Requirements PIV Card Requirements � Mandatory � Integrated Circuit to Store/Process Data � One Security Feature to Resist Tempering � Interfaces: � Contact ( ISO/IES 7816) � Contactless (ISO/IES 14443) � Optional � Magnetic Stripe � Bar Code � Linear 3 of 9 Bar Code 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FIPS 201 Cryptography FIPS 201 Cryptography Tim Polk tim.polk@nist.gov Nov 18, 2004

FIPS 201 Cryptography FIPS 201 Cryptography Tim Polk tim.polk@nist.gov Nov 18, 2004

FIPS 201 Cryptography FIPS 201 Cryptography Tim Polk tim.polk@nist.gov Nov 18, 2004 Cryptography in FIPS 201 Cryptography in FIPS 201 Digital signatures on logical credentials o CHUID, X.509 certificates, biometrics Cryptographic

272 views • 12 slides
Smart Card Alliance Comments: Draft FIPS 201-2 Draft FIPS 201-2 Usage: Authentication

Smart Card Alliance Comments: Draft FIPS 201-2 Draft FIPS 201-2 Usage: Authentication

Smart Card Alliance Comments: Draft FIPS 201-2 Draft FIPS 201-2 Usage: Authentication LaChelle LeVan Director, Strategic Alliances - Probaris NIST FIPS 201-2 Public Workshop NIST, Gaithersburg, MD April 18-19, 2011 Usage and

350 views • 11 slides
2005 Security Industry Association: FIPS 201 Topology Standards on Steroids: FIPS 201 Teresa

2005 Security Industry Association: FIPS 201 Topology Standards on Steroids: FIPS 201 Teresa

2005 Security Industry Association: FIPS 201 Topology Standards on Steroids: FIPS 201 Teresa Schwarzhoff, NIST June 2005 Topic: Standards, Standards, Standards U.S. Government - FIPS Homeland Security Presidential Directive 12

433 views • 32 slides
Present bufer fips in Xwayland GSOC 2017, landed in Xserver 1.20 Roman Gilg 1 / 9 Problem

Present bufer fips in Xwayland GSOC 2017, landed in Xserver 1.20 Roman Gilg 1 / 9 Problem

Present bufer fips in Xwayland GSOC 2017, landed in Xserver 1.20 Roman Gilg 1 / 9 Problem statement T earing with Xwayland clients trying to use Present extension. Additional copy from Pixmap. 2 / 9 Solution overview Idea: fip

111 views • 9 slides
1 Software Safety Specifying safety requirements Safety vs. Reliability Component

1 Software Safety Specifying safety requirements Safety vs. Reliability Component

User requirements CSE 403 Business Requirements Lecture 14 User User Use Cases Requirements Study Safety and Security Requirements Functional Requirements Requirements Documentation Non-functional Requirements Non-functionality

275 views • 3 slides
Software Requirements and Specification Requirements Process Requirements Process SE3821 - Jay

Software Requirements and Specification Requirements Process Requirements Process SE3821 - Jay

Software Requirements and Specification Requirements Process Requirements Process SE3821 - Jay Urbain 1 Requirements 2 Requirements No matter what product you are building, you still need to explore, understand, capture, and communicate

740 views • 27 slides
1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

REQUIREMENT SPECIFICATION The Basic Waterfall Model Today: Requirements Specification Requirements Requirements tell us what the system should do - specification not how it should do it. Analysis & Requirements are

363 views • 3 slides
Customer requirements Developer requirements Business requirements

Customer requirements Developer requirements Business requirements

Customer requirements Developer requirements Business requirements Specification ELICITATION PRACTICES Quality standards IEEE 830 Companies make up their own

320 views • 29 slides
1 Representations for requirements Unified Modeling Language UML (1997) Requirement

1 Representations for requirements Unified Modeling Language UML (1997) Requirement

Today CSE 403, Software Engineering Representation of requirements Lecture 4 Use of requirements Key parts of the discussion will (probably) be about process, not Documenting and Using artifacts Requirements Non-functional

358 views • 4 slides
1 Functional requirements: Michael Jackson s Design Functional requirements methodology

1 Functional requirements: Michael Jackson s Design Functional requirements methodology

Today s goals Requirements How can we document requirements? What are different ways of writing Use Cases? When do Use Cases (do not) fit for Use Cases capturing requirements? CS361 4-2 1 Announcements Homework 2 First

211 views • 6 slides
CS 5150 So(ware Engineering 6. Requirements Analysis William Y. Arms Requirements Requirements

CS 5150 So(ware Engineering 6. Requirements Analysis William Y. Arms Requirements Requirements

Cornell University Compu1ng and Informa1on Science CS 5150 So(ware Engineering 6. Requirements Analysis William Y. Arms Requirements Requirements describe the func1on of the system from the client's viewpoint. The requirements

438 views • 32 slides
Requirements Specifications and Requirements Attributes R. Kuehl/J. Scott Hawker p. 1 R I T

Requirements Specifications and Requirements Attributes R. Kuehl/J. Scott Hawker p. 1 R I T

Requirements Specifications and Requirements Attributes R. Kuehl/J. Scott Hawker p. 1 R I T Software Engineering Topics Documenting Requirements The Software Requirements Specification Guidelines for writing requirements

491 views • 15 slides
Requirements Specification & Quality Requirements Lectures 4b&5, DAT230, Requirements

Requirements Specification & Quality Requirements Lectures 4b&5, DAT230, Requirements

Requirements Specification & Quality Requirements Lectures 4b&5, DAT230, Requirements Engineering Robert Feldt, 2011-09-08 & 2011-09-13 tisdag den 13 september 2011 Schedule this week L6 is only virtual / video! Assignment 3

495 views • 38 slides
Voting Lecture 22 Requirements Requirements Integrity/End-to-End verifiability Requirements

Voting Lecture 22 Requirements Requirements Integrity/End-to-End verifiability Requirements

Voting Lecture 22 Requirements Requirements Integrity/End-to-End verifiability Requirements Integrity/End-to-End verifiability Collected as cast: Each voter should be convinced that their vote was collected correctly Requirements

1.43k views • 129 slides
Requirements Analysis Overview What is requirement ? Classification of requirements

Requirements Analysis Overview What is requirement ? Classification of requirements

1/31/17 Requirements Analysis Overview What is requirement ? Classification of requirements Iterative and evolutionary requirements analysis Use Cases Domain models N. Meng, B. Ryder 2 1

442 views • 28 slides
Notes On Requirements Development Requirements specification should be : Correct Complete

Notes On Requirements Development Requirements specification should be : Correct Complete

Notes On Requirements Development Requirements specification should be : Correct Complete Consistent Unambiguous Derived from functional decomposition ... therefore, traceable Verifiable Easily changed CSE, UTA 1 Notes On Requirements

1.78k views • 27 slides
DIGITAL CERTIFICATION PROGRAM Northumberland Centre for Individual Studies OUR DIGITAL JOURNEY

DIGITAL CERTIFICATION PROGRAM Northumberland Centre for Individual Studies OUR DIGITAL JOURNEY

DIGITAL CERTIFICATION PROGRAM Northumberland Centre for Individual Studies OUR DIGITAL JOURNEY Norm Clapp Angie Quinn Colline Bell SESSION SCHEDULE B RIEF P

428 views • 16 slides
A very brief overview of digital badges Markus Forsberg Collaboration Center Manager What is a

A very brief overview of digital badges Markus Forsberg Collaboration Center Manager What is a

A very brief overview of digital badges Markus Forsberg Collaboration Center Manager What is a digital badge? Generic term for digital certificate displayed in a badge format Basic idea from military and scouts for recognizing

1.37k views • 19 slides
FAC-C DS Certificate Program Informational Traci Walker // Joanie Newhart// July 18, 2018 Agenda

FAC-C DS Certificate Program Informational Traci Walker // Joanie Newhart// July 18, 2018 Agenda

FAC-C DS Certificate Program Informational Traci Walker // Joanie Newhart// July 18, 2018 Agenda Introduction & Overview Walk Through of Read-Only content Required Elements Guide Questions & Answers US Digital Service Mission

189 views • 16 slides
Beyond Bitcoin FIA Law & Compliance Division May 17, 2018 Katten Muchin Rosenman LLP Henry

Beyond Bitcoin FIA Law & Compliance Division May 17, 2018 Katten Muchin Rosenman LLP Henry

Beyond Bitcoin FIA Law & Compliance Division May 17, 2018 Katten Muchin Rosenman LLP Henry Bregstein Gary DeWaal Kevin M. Foley Christian T. Kemnitz Ayah K. Sultan Allison C. Yacker Types of Cryptocurrencies There are three

387 views • 37 slides
Diplomas certifjed on the blockchain Trusted certifjcation. Forever. CUTTING-EDGE INNOVATION

Diplomas certifjed on the blockchain Trusted certifjcation. Forever. CUTTING-EDGE INNOVATION

Diplomas certifjed on the blockchain Trusted certifjcation. Forever. CUTTING-EDGE INNOVATION FOR YOUR CERTIFICATES BCdiploma develops a turnkey application for higher education institutions and their graduates. BCdiploma dematerializes and

357 views • 11 slides
Revenue Management Association Fire Services Property Levy 19 APRIL 2018 Agenda 2017-18 Levy

Revenue Management Association Fire Services Property Levy 19 APRIL 2018 Agenda 2017-18 Levy

Revenue Management Association Fire Services Property Levy 19 APRIL 2018 Agenda 2017-18 Levy Cycle Update 2018-19 Levy Cycle FSPL funding 2018-19 FSPL Manual FSPL Digital Certificates FSPL Express Troubleshooting

402 views • 11 slides
Digital Identity - NemID Head of Division Charlotte Jacoby September 2016 1 THE DANISH AGENCY

Digital Identity - NemID Head of Division Charlotte Jacoby September 2016 1 THE DANISH AGENCY

St kryds ved Vis Digital Identity - NemID Head of Division Charlotte Jacoby September 2016 1 THE DANISH AGENCY FOR DIGITISATION Ministry of Finance Agency for the Modernisation of Agency for Digitisation Public Administration

339 views • 21 slides
ODEM makes education and employment more affordable, accessible, verifiable and transferable on a

ODEM makes education and employment more affordable, accessible, verifiable and transferable on a

ODEM makes education and employment more affordable, accessible, verifiable and transferable on a global scale. ODEMs Three Key Offerings: 1. Digital Verified Credentials Using Ethereum blockchain and IPFS, ODEM records and stores

535 views • 18 slides

More recommend