PIV Token Issuance PIV Token Issuance Ketan Mehta - - PowerPoint PPT Presentation

piv token issuance piv token issuance
SMART_READER_LITE
LIVE PREVIEW

PIV Token Issuance PIV Token Issuance Ketan Mehta - - PowerPoint PPT Presentation

Dec 21, 2023 180 likes •327 views

PIV Token Issuance PIV Token Issuance Ketan Mehta Mehta_Ketan@bah.com October 6, 2004 1 Agenda Agenda Definition and Purpose Issuance Process Token Issuance Authority Requirements Token Personalization Requirements

slide-1
SLIDE 1

1

PIV Token Issuance PIV Token Issuance

Ketan Mehta Mehta_Ketan@bah.com October 6, 2004

slide-2
SLIDE 2

2

Agenda Agenda

  • Definition and Purpose
  • Issuance Process
  • Token Issuance Authority Requirements
  • Token Personalization Requirements
  • Standards Compliance
slide-3
SLIDE 3

3

Definition and Purpose Definition and Purpose

  • Definition
  • The process of issuing identity credentials on a

token

  • Purpose
  • Provide an identity token to the applicant
  • Create and maintain a directory server that

reports on the status of the token

slide-4
SLIDE 4

4

PIV Token Issuance Process PIV Token Issuance Process

Verify Person Authentication & Data Update Verify/Edit User Data, Collect Fingerprint & Photo

Token Issuance Database

Query Database for Duplicate

1

Token Issuance Authority Verify Identity Update Database with a New Record

2

.

3 4

slide-5
SLIDE 5

5

PIV Token Issuance Process PIV Token Issuance Process

Generate Public/Private Key Pair

6

Begin Token Generation Process

User Selects PIN Print Token Initialize Token Install Demographic Data onto Token 5 Verify Person Authentication & Data Update Verify/Edit User Data, Collect Fingerprint & Photo

Token Issuance Database

Query Database for Duplicate

1

Token Issuance Authority Verify Identity Update Database with a New Record

2

.

3 4

slide-6
SLIDE 6

6

PIV Token Issuance Process PIV Token Issuance Process

CERT

CA Generate Public/Private Key Pair

6

CERT

8

Obtain Public Key Certs from CA Begin Token Generation Process

User Selects PIN Print Token Initialize Token Applets Install Demographic Data onto Token 5 7

Public Key sent to CA

Verify Person Authentication & Data Update Verify/Edit User Data, Collect Fingerprint & Photo

Token Issuance Database

Query Database for Duplicate

1

Token Issuance Authority Verify Identity Update Database with a New Record

2

.

3 4

PKI Repository

slide-7
SLIDE 7

7

PIV Token Issuance Process PIV Token Issuance Process

CERT

CA Generate Public/Private Key Pair

6

CERT

8

Obtain Public Key Certs from CA Install Public-Key Certificates and Private Key on Chip

CERT

9

Begin Token Generation Process

User Selects PIN Print Token Initialize Token Applets Install Demographic Data onto Token 5 7

Public Key sent to CA

Verify Person Authentication & Data Update Verify/Edit User Data, Collect Fingerprint & Photo

Token Issuance Database

Query Database for Duplicate

1

Token Issuance Authority Verify Identity Update Database with a New Record

2

.

3 4

PKI Repository

slide-8
SLIDE 8

8

PIV Token Issuance Process PIV Token Issuance Process

CERT

CA Issue Token

10

Generate Public/Private Key Pairs

6

CERT

8

Obtain Public Key Certs from CA Install Public-Key Certificates and Private Key on Chip

CERT

9

Begin Token Generation Process

User Selects PIN Print Token Initialize Token Applets Install Demographic Data onto Token 5 7

Public Key sent to CA

Verify Person Authentication & Data Update Verify/Edit User Data, Collect Fingerprint & Photo

Token Issuance Database

Query Database

1

Token Issuance Authority Verify Identity Update Database

3 2

.

4

Token Status Registry

Update Registry

11

PKI Repository

slide-9
SLIDE 9

9

Token Issuance Authority Requirements Token Issuance Authority Requirements

  • Issuance authority shall assure that PIV tokens cannot be cloned,

counterfeited, modified without authorization, probed to obtain cryptographic keys, and used to gain access by anyone other than the authorized applicant.

  • All applicants that are issued a PIV token must appear in person to obtain

credentials.

  • The PIV token personalization shall include printing of photograph, name and

information on the token as well as loading the relevant Token applications, biometrics, Personal Identification Number (PIN), PKI certificates, and symmetric keys.

  • Biometric characteristics captured during the PIV token personalization

include two index fingerprints and a digital photograph.

  • Issuance authority will maintain a LDAP directory server that reports on the

status of the token and may provide additional authentication services.

  • Issuance authority may acquire Certificate Authority services who shall

maintain and operate Certificate Revocation List and On-line Certificate Status Protocol.

slide-10
SLIDE 10

10

Token Issuance Authority Requirements Token Issuance Authority Requirements

  • Access to LDAP and OCSP servers will be authenticated and access to the

status information is at the agency discretion; agencies may choose to make the certificate or token status information publicly available to unauthenticated parties.

  • All certificates issued to support PIV token authentication shall be issued

under the id-CommonHW policy as defined in the X.509 Certificate Policy for the Common Policy Framework.

  • This standard mandates the inclusion of a 1024-bit RSA Identity

Authentication key within a PIV token. The associated certificate and all other certificates in the verification chain including the Root trust anchor must be included on the PIV token.

  • Digital signatures (optional feature) generated by infrastructure components

must be generated using 2048-bit RSA private keys.

slide-11
SLIDE 11

11

Token Personalization Requirements Token Personalization Requirements

  • Following authentication data is required on the token:
  • A Token holder unique identification string (CHUID)
  • Personal Identification Number (PIN)
  • Biometric templates
  • Symmetric keys
  • Asymmetric key pairs and associated certificates
  • Biometric match-on-card is NOT required
  • The token shall support contact (ISO 7816) and contactless (ISO 14443)
  • interfaces. The standard does not require dual interface readers; an agency can

choose contact readers for logical access application and contactless readers for physical access.

  • The assurance levels being considered require both symmetric and asymmetric

key challenge-response protocols. In addition to these operations, the agency may require Token holder to submit PIN.

  • The CHUID and biometric templates shall be stored in the root file system of

the Token. The CHUID must be openly readable.

slide-12
SLIDE 12

12

Standards Compliance Standards Compliance

  • The format of the CHUID shall be as defined in PACS
  • The format of biometric templates shall be as defined in CBEFF
  • The public key certificates stored on the PIV token shall conform to RFC 3280
  • The internal format of cryptographic keys stored on the Token is not specified

in this standard

  • The physical access control systems where the reader is not connected to

general purpose desktop computing system, the reader-to-host system interface is not specified in this standard.

  • The CHUID data element that contains the Token holder’s FASC-N identifier

is used for various symmetric key based challenge-response schemes that are specified within the PACS model.

slide-13
SLIDE 13

13

Questions Questions Comments Comments Discussion Discussion