Guidelines for Derived Personal Identity Verification (PIV) Credentials

1 2 3 4 5 6 7 Draft NIST Special Publicatin 800-157 Guidelines fr Derived Persnal Identity Verificatin (PIV) Credentials 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 I N F O R M A T I O N Hildegard Ferrail David Cper Salvatre Francmacar Andrew Regenscheid Jasn Mhler Sarbari Gupta William Burr S E C U R I T Y 31

32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 Draft NIST Special Publicatin 800-157 Guidelines fr Derived Persnal Identity Verificatin (PIV) Credentials Hildegard Ferrail David Cper Salvatre Francmacar Andrew Regenscheid Cmputer Security Divisin Infrmatin Technlgy Labratry, NIST William Burr Dakta Cnsulting, Inc. Jasn Mhler Sarbari Gupta Electrsft Services, Inc. March 2014 U.S. Department f Cmmerce Penny Pritzker, Secretary Natinal Institute f Standards and Technlgy Patrick D. Gallagher, Under Secretary f Cmmerce fr Standards and Technlgy and Directr

71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 Authrity This publicatin has been develped by NIST t further its statutry respnsibilities under the Federal Infrmatin Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is respnsible fr develping infrmatin security standards and guidelines, including minimum requirements fr Federal infrmatin systems, but such standards and guidelines shall nt apply t natinal security systems withut the express apprval f apprpriate Federal fficials exercising plicy authrity ver such systems. This guideline is cnsistent with the requirements f the Office f Management and Budget (OMB) Circular A-130, Sectin 8b(3), Securing Agency Infrmatin Systems, as analyzed in Circular A- 130, Appendix IV: Analysis f Key Sectins. Supplemental infrmatin is prvided in Circular A-130, Appendix III, Security f Federal Autmated Infrmatin Resurces. Nthing in this publicatin shuld be taken t cntradict the standards and guidelines made mandatry and binding n Federal agencies by the Secretary f Cmmerce under statutry authrity. Nr shuld these guidelines be interpreted as altering r superseding the existing authrities f the Secretary f Cmmerce, Directr f the OMB, r any ther Federal fficial. This publicatin may be used by nngvernmental rganizatins n a vluntary basis and is nt subject t cpyright in the United States. Attributin wuld, hwever, be appreciated by NIST. Natinal Institute f Standards and Technlgy Special Publicatin 800-157 (Draft) Natl. Inst. Stand. Technl. Spec. Publ. 800-157, 29 pages (March 2014) CODEN: NSPUE2 Certain cmmercial entities, equipment, r materials may be identified in this dcument in rder t describe an experimental prcedure r cncept adequately. Such identificatin is nt intended t imply recmmendatin r endrsement by NIST, nr is it intended t imply that the entities, materials, r equipment are necessarily the best available fr the purpse. There may be references in this publicatin t ther publicatins currently under develpment by NIST in accrdance with its assigned statutry respnsibilities. The infrmatin in this publicatin, including cncepts and methdlgies, may be used by Federal agencies even befre the cmpletin f such cmpanin publicatins. Thus, until each publicatin is cmpleted, current requirements, guidelines, and prcedures, where they exist, remain perative. Fr planning and transitin purpses, Federal agencies may wish t clsely fllw the develpment f these new publicatins by NIST. Organizatins are encuraged t review all draft publicatins during public cmment perids and prvide feedback t NIST. All NIST publicatins, ther than the nes nted abve, are available at http://csrc.nist.gv/publicatins. Public cmment perid: March 7, 2014 thrugh April 21, 2014 Natinal Institute f Standards and Technlgy Attn: Cmputer Security Divisin, Infrmatin Technlgy Labratry 100 Bureau Drive (Mail Stp 8930), Gaithersburg, MD 20899-8930 Email: piv_cmments@nist.gv

109 110 111 112 113 114 115 116 117 118 Reprts n Cmputer Systems Technlgy The Infrmatin Technlgy Labratry (ITL) at the Natinal Institute f Standards and Technlgy (NIST) prmtes the U.S. ecnmy and public welfare by prviding technical leadership fr the Natin s measurement and standards infrastructure. ITL develps tests, test methds, reference data, prf f cncept implementatins, and technical analyses t advance the develpment and prductive use f infrmatin technlgy. ITL s respnsibilities include the develpment f management, administrative, technical, and physical standards and guidelines fr the cst-effective security and privacy f ther than natinal security-related infrmatin in Federal infrmatin systems. The Special Publicatin 800-series reprts n ITL s research, guidelines, and utreach effrts in infrmatin system security, and its cllabrative activities with industry, gvernment, and academic rganizatins. 119 120 121 122 123 124 125 126 Abstract This recmmendatin prvides technical guidelines fr the implementatin f standards-based, secure, reliable, interperable PKI-based identity credentials that are issued by Federal departments and agencies t individuals wh pssess and prve cntrl ver a valid PIV Card. The scpe f this dcument includes requirements fr initial issuance, maintenance and terminatin f these credentials, certificate plicies and cryptgraphic specificatins, technical specificatins fr permitted cryptgraphic tken types and the cmmand interfaces fr the remvable implementatins f such cryptgraphic tkens. 127 128 129 130 Keywrds authenticatin; credentials; derived PIV credentials; electrnic authenticatin; electrnic credentials; mbile devices; persnal identity verificatin; PIV 131 132 133 134 135 136 137 138 Acknwledgments The authrs, William Burr, David Cper, Hildegard Ferrail, Salvatre Francmacar and Andrew Regenscheid f the Natinal Institute f Standards and Technlgy (NIST), and Sarbari Gupta and Jasn Mhler f Electrsft, wish t thank their clleagues wh reviewed drafts f this dcument and cntributed t its technical cntent and develpment. Special thanks t the Federal Identity, Credential and Access Management (FICAM) Lgical Access Wrking Grup (LAWG) fr the review and cntributins t the dcument. 139 140 141 Trademark Infrmatin All registered trademarks r trademarks belng t their respective rganizatins. 142 143 ii

144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 Table f Cntents Executive Summary... iv 1. Intrductin... 5 1.1 BACKGROUND... 5 1.2 PURPOSE AND SCOPE... 6 1.3 AUDIENCE:... 7 1.4 DOCUMENT STRUCTURE... 7 1.5 KEY TERMINOLOGY... 8 2. Lifecycle Activities and Related Requirements... 9 2.1 INITIAL ISSUANCE... 9 2.2 MAINTENANCE... 9 2.3 TERMINATION... 10 2.4 LINKAGE WITH PIV CARD... 11 3. Technical Requirements... 12 3.1 CERTIFICATE POLICIES... 12 3.2 CRYPTOGRAPHIC SPECIFICATIONS... 12 3.3 CRYPTOGRAPHIC TOKEN TYPES... 12 3.3.1 Remvable (Nn-Embedded) Hardware Cryptgraphic Tkens... 13 3.3.2 Embedded Cryptgraphic Tkens... 15 3.4 ACTIVATION DATA... 15 3.4.1 Hardware Implementatins... 15 3.4.2 Sftware Implementatins... 16 Appendix A Digital Signature and Key Management Keys (Infrmative)... 17 Appendix B Data Mdel and Interfaces fr Remvable (Nn-Embedded) Hardware Cryptgraphic Tkens (Nrmative)... 18 B.1 PIV DERIVED APPLICATION DATA MODEL AND REPRESENTATION... 18 B.1.1 PIV Derived Applicatin Identifier... 18 B.1.2 PIV Derived Applicatin Data Mdel Elements... 18 B.1.3 PIV Derived Applicatin Data Objects Representatin... 20 B.1.4 PIV Derived Applicatin Data Types and their Representatin... 20 B.1.5 PIV Derived Authenticatin Mechanisms... 21 B.2 PIV DERIVED APPLICATION TOKEN COMMAND INTERFACE... 22 Appendix C Derived PIV Credentials in Relatin t OMB Memranda (Infrmative)... 23 Appendix D Glssary (Infrmative)... 24 Appendix E Acrnyms and Abbreviatins (Infrmative)... 25 Appendix F References (Infrmative)... 26 List f Tables Table B-1 Mapping f Data Objects... 20 Table B-2 Mapping f Key Types... 21 Table C-1 Tken types and Relatin t OMB s Electrnic Authenticatin Guidelines... 23 iii

186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 Executive Summary The deplyment f PIV Cards and their supprting infrastructure was initiated in 2004 by Hmeland Security Presidential Directive-12 (HSPD-12) with a directive t eliminate the wide variatins in the quality and security f authenticatin mechanisms used acrss Federal agencies. The mandate called fr a cmmn identificatin standard t prmte interperable authenticatin mechanisms at graduated levels f security based n the envirnment and the sensitivity f data. In respnse, the 2005 Federal Infrmatin Prcessing Standard (FIPS) 201 specified a cmmn set f credentials in a smart card frm factr, knwn as the Persnal Identity Verificatin (PIV) Card, which is currently used gvernment-wide, as intended, fr bth fr physical access t gvernment facilities and lgical access t Federal infrmatin systems. At the time that FIPS 201 was first published, lgical access was geared twards traditinal cmputing devices (i.e., desktp and laptp cmputers) where the PIV Card prvides cmmn authenticatin mechanisms thrugh integrated readers acrss the federal gvernment. With the emergence f a newer generatin f cmputing devices and in particular with mbile devices, 1 the use f PIV Cards has prved challenging. Mbile devices lack the integrated smart card readers fund in laptp and desktp cmputers and require separate card readers attached t devices t prvide authenticatin services frm the device. Fr sme department and agencies, the use f PIV Cards and separate card readers is a practical slutin fr authenticatin frm mbile devices. Other department and agencies may plan t take advantage f Near Field Cmmunicatin (NFC) t cmmunicate with the PIV Card frm NFC-enabled mbile devices. These slutins are summarized in Sectin 1.1, Backgrund, and prvide the cmplete picture f mbile device PIV-enablement. SP 800-157 des nt address use f the PIV Card with mbile devices, but instead prvides an alternative t the PIV Card in cases in which it wuld be impractical t use the PIV Card. Instead f the PIV Card, SP 800-157 prvides an alternative tken, which can be implemented and deplyed directly n mbile devices (such as smart phnes and tablets). The PIV credential assciated with this alternative tken is called a Derived PIV Credential. The use f a different type f tken greatly imprves the usability f electrnic authenticatin frm mbile devices t remte IT resurces. Derived PIV Credentials are based n the general cncept f derived credential in SP 800-63-2, which leverages identity prfing and vetting results f current and valid credentials. When applied t PIV, identity prfing and vetting prcesses d nt have t be repeated t issue a Derived PIV Credential. Instead, the user prves pssessin f a valid PIV Card t receive a Derived PIV Credential. T achieve interperability with the PIV infrastructure and its applicatins, a Derived PIV Credential is a PKI credential. 2 1 A mbile device, fr the purpse f this dcument is a prtable cmputing device that: (i) has a small frm factr such that it can easily be carried by a single individual; (ii) is designed t perate withut a physical cnnectin (e.g., wirelessly transmit r receive infrmatin); (iii) pssesses lcal, nn-remvable r remvable data strage; and (iv) includes a self-cntained pwer surce. Mbile devices may als include vice cmmunicatin capabilities, n-bard sensrs that allw the devices t capture infrmatin, and/r built-in features fr synchrnizing lcal data with remte lcatins. Examples include smart phnes, tablets, and e-readers. 2 While the PIV Card may be used as the basis fr issuing ther types f derived credentials, the issuance f these ther credentials is utside the scpe f this dcument. Only derived credentials issued in accrdance with this dcument are cnsidered t be PIV credentials. iv

219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 1. Intrductin FIPS 201 specifies a cmmn set f identity credentials fr the purpse f HSPD-12 in a smart card frm factr, knwn as the Persnal Identity Verificatin (PIV) Card. This publicatin is a cmpanin dcument t FIPS 201 that specifies use f an additinal cmmn identity credential, a Derived PIV Credential, which is issued by a Federal department r agency and may be used with mbile devices where the use f a PIV Card is nt practical. Cnsistent with the gals f HSPD-12, the Derived PIV Credential is designed t serve as a Federal gvernment-wide standard fr a secure and reliable identity credential that is interperable acrss agencies. 1.1 Backgrund FIPS 201 riginally required that all PIV credentials and assciated keys be stred in a PIV Card. While the use f the PIV Card fr electrnic authenticatin wrks well with traditinal desktp and laptp cmputers, it is nt ptimized fr mbile devices. In respnse t the grwing use f mbile devices within the Federal gvernment, FIPS 201 was revised t permit the issuance f an additinal, Derived PIV Credential, fr which the crrespnding private key is stred in a cryptgraphic mdule with an alternative frm factr t the PIV Card. Derived PIV Credentials leverage the current investment in the PIV infrastructure fr electrnic authenticatin and build upn the slid fundatin f well-vetted and trusted identity f the PIV cardhlder -- achieving substantial cst savings by leveraging the identityprfing results that were already perfrmed t issue PIV cards. This dcument prvides the technical guidelines fr the implementatin f Derived PIV Credentials. The use f a Derived PIV Credential is ne pssible way t PIV-enable a mbile device. In ther cases it may be practical t use the PIV Card itself with the mbile device, using either the PIV Card s cntact r cntactless interface, rather than issuing a Derived PIV Credential. Mbile devices are generally t small t integrate smart card readers int the device itself, requiring alternative appraches fr cmmunicating between the PIV Card and the mbile device. Sme f these appraches are pssible by tday s set f available prducts. Other, newer technlgies are addressed by new guidelines in the existing set f PIV Special Publicatins. The current slutin fr PIV enablement directly uses PIV Cards with mbile devices thrugh smart card readers. This has the advantage f aviding the additinal time and expense required t issue and manage Derived PIV Credentials. The apprach requires smart card readers that are separate frm, but attached t, the mbile device itself. These readers interface with the mbile device ver a wired interface (e.g., USB) r wireless interface. The use f PIV Cards with mbile devices is functinally similar t their use with laptp and desktp cmputers. It des nt invlve new r different requirements t cmmunicate with the PIV Card. Instead, the existing cntact interface specificatins f the PIV Card, as utlined in SP 800-73, frm the basis fr these type f readers t cmmunicate with the PIV Card. Newer technlgy culd take advantage f mbile devices that can directly cmmunicate with and use PIV Cards ver a wireless interface using Near Field Cmmunicatin (NFC). Similarly t the mbile devices and attached reader scenari, the use f NFC technlgy als avids the additinal time and expense required t issue and manage Derived PIV Credentials. NFC uses radi frequency t establish cmmunicatin between NFC-enabled devices. An NFC-enabled mbile device can interact with a PIV Card ver its cntactless antenna at a very clse range, allwing the mbile device t use the keys n the PIV Card withut a physical cnnectin. The user wuld need t hld r place the card next t the mbile device. Earlier PIV specificatins did nt allw the use f certain keys ver the cntactless interface, as existing technlgies and standards did nt supprt a secure channel between the smart card and the mbile device ver NFC. SP 800-73-4 will include a new capability t enable access t all nn- 5

264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 card-management functinalities f the PIV Card ver a secure wireless channel using the virtual cntact interface (VCI). 1.2 Purpse and Scpe This dcument prvides guidelines fr cases in which the use f PIV Cards with mbile devices, using either cntact card readers r NFC, is deemed impracticable. This guideline specifies the use f tkens with alternative frm factrs t the PIV Card that may be inserted int mbile devices, such as micrsd tkens, USB tkens, Universal Integrated Circuit Cards (UICC, the new generatin f SIM cards), r that are embedded in the mbile device. The embedded tkens may be either hardware r sftware cryptgraphic mdules. The use f tkens with alternative frm factrs greatly imprves the usability f electrnic authenticatin frm mbile devices t remte IT resurces, while at the same time maintaining the gals f HSPD-12 fr cmmn identificatin that is secure, reliable and interperable gvernmentwide. The scpe f the Derived PIV Credential is t prvide PIV-enabled authenticatin services n the mbile device t authenticate the credential hlder t remte systems as illustrated in Figure 1-1. T achieve interperability with the PIV infrastructure and its applicatins, public key infrastructure (PKI) technlgy has been selected as the basis fr the Derived PIV Credential. The PKI based Derived PIV Credentials specified in this dcument are issued at levels f assurance (LOA) 3 and 4. 3 281 282 Figure 1-1 Use f Derived PIV Credential 3 [M0404] prvides a fundatin fr fur levels f assurance (LOA) fr electrnic authenticatin. [SP800-63] prvides guidance and technical requirements fr electrnic authenticatin slutins at each f the fur levels f assurance. 6

283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 Derived PIV Credentials are based n the general cncept f derived credential in SP 800-63, which leverages identity prfing and vetting results f current and valid credentials. When applied t PIV, identity prfing and vetting prcesses d nt have t be repeated t issue a Derived PIV Credential. Instead, the user prves pssessin f a valid PIV Card t receive a Derived PIV Credential. The Derived PIV Credential is a PIV Derived Authenticatin certificate, which is an X.509 public key certificate that has been issued in accrdance with the requirements f this dcument and the X.509 Certificate Plicy fr the U.S. Federal PKI Cmmn Plicy Framewrk [COMMON]. While the PIV Card may be used as the basis fr issuing ther types f derived credentials, the issuance f these ther credentials is utside the scpe f this dcument. Only derived credentials issued in accrdance with this dcument are cnsidered t be Derived PIV credentials. The dcument prvides the technical guidelines n: Three primary lifecycle activities fr the Derived PIV Credential initial issuance, maintenance and terminatin and the requirements fr each activity t ensure security; and Technical requirements fr the Derived PIV Credential including certificate plicies, cryptgraphic specificatins, types f cryptgraphic implementatin that are permitted and mechanisms fr activatin and use f the credential. The publicatin als includes an infrmative annex that prvides recmmendatins fr the inclusin f digital signature and key management keys n mbile devices. 1.3 Audience: This dcument is targeted at sftware develpers and thers wh will be respnsible fr prcuring, designing, implementing, and managing deplyments f Derived PIV Credentials fr mbile devices. 1.4 Dcument Structure The structure f the rest f this dcument is as fllws: Sectin 2 describes Derived PIV Credential lifecycle activities and related requirements. This sectin is nrmative. Sectin 3 describes the technical requirements fr implementing Derived PIV Credentials. This sectin is nrmative. Appendix A cntains guidance n digital signature and key management keys. This appendix is infrmative. Appendix B prvides detailed interface requirements fr the remvable hardware implementatins. This appendix is nrmative fr implementatin f Derived PIV n remvable (nn-embedded) hardware cryptgraphic tkens. Appendix C summarizes the assciatin f the Derived PIV Credentials tken types with the electrnic authenticatin plicies in OMB memranda M-06-16 and M-07-16. This appendix is infrmative. Appendix D cntains a glssary defining selected terms frm this dcument. This appendix is infrmative. 7

320 321 322 323 324 325 326 327 328 Appendix E defines acrnyms and ther abbreviatins used in this dcument. This appendix is infrmative. Appendix F prvides a list f references fr this dcument. This appendix is infrmative. 1.5 Key Terminlgy Certain key PIV terms have assigned meanings within the cntext f this dcument. The term PIV Cardhlder refers t a persn wh pssesses a valid PIV Card, regardless f whether they have been issued a Derived PIV Credential. The term Applicant refers t a PIV Cardhlder wh is pending issuance f a Derived PIV Credential, and the term Subscriber refers t a PIV Cardhlder wh has already been issued a Derived PIV Credential. 8

329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 2. Lifecycle Activities and Related Requirements The lifecycle activities (phases) fr a Derived PIV Credential are initial issuance, maintenance, and terminatin. This sectin describes these lifecycle activities and prvides requirements and recmmendatins as apprpriate. Issuers f Derived PIV Credentials must dcument the prcess fr each f the lifecycle activities described belw. In accrdance with [HSPD-12], the reliability f the Derived PIV Credential issuer shall be established thrugh an fficial accreditatin prcess. The prcess, as utlined in [SP800-79], shall include an independent (third-party) assessment. 2.1 Initial Issuance The initial issuance activity deals with the identificatin f an Applicant and the issuance f the Derived PIV Credential and ther related data. A Derived PIV Credential shall be issued fllwing verificatin f the Applicant s identity using the PIV Authenticatin key n his r her existing PIV Card. The PIV Authenticatin certificate shall be validated as being active and nt revked prir t issuance f a Derived PIV Credential, and the Applicant must demnstrate pssessin and cntrl f the related PIV Card via the PKI-AUTH authenticatin mechanism as per sectin 6.2.3.1 f [FIPS 201]. The revcatin status f the Applicant s PIV Authenticatin certificate shall be rechecked seven (7) calendar days fllwing issuance f the Derived PIV Credential this step prtects against the use f a cmprmised PIV Card t btain a Derived PIV Credential. Derived PIV Credentials can be issued at identity assurance levels three r fur (LOA-3 r LOA-4). The credential resides n a hardware r sftware security tken as illustrated in Table C-1. An LOA-3 Derived PIV Credential may be issued remtely r in persn in accrdance with [SP800-63]. If the credential is issued ver an electrnic sessin, all cmmunicatins shall be authenticated and prtected frm mdificatin (e.g., using TLS), and encryptin shall be used, if necessary, t prtect the cnfidentiality f any private r secret data. Mrever, if the issuance prcess invlves tw r mre electrnic transactins, the Applicant must identify himself/herself in each new encunter by presenting a temprary secret that was issued in a previus transactin, as described in Sectin 5.3.1 f [SP800-63]. An LOA-4 Derived PIV Credential shall be issued in persn, in accrdance with [SP800-63], and the Applicant shall identify himself/herself using a bimetric sample that can be verified against the Applicant s PIV Card. If there are tw r mre transactins during the issuance prcess, the Applicant shall identify himself/herself using a bimetric sample that can either be verified against the PIV Card r against a bimetric that was recrded in a previus transactin. The issuer shall retain fr future reference the bimetric sample used t validate the Applicant. It may be nted that this guideline desn t preclude the issuance f multiple Derived PIV Credentials t the same Applicant n the basis f the same PIV Card. Issuing several Derived PIV Credentials t an individual, hwever, culd increase the risk that ne f the tkens will be lst/stlen withut the lss being reprted, r that the subscriber will inapprpriately prvide ne f the tkens t smene else. 2.2 Maintenance Derived PIV Credentials may require typical maintenance activities applicable t asymmetric cryptgraphic credentials these include rekey, mdificatin, and revcatin. These peratins may be perfrmed either remtely r in-persn and shall be perfrmed in accrdance with the certificate plicy 9

369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 under which the PIV Derived Authenticatin certificate is issued. When certificate re-key r mdificatin is perfrmed remtely fr an LOA-4 Derived PIV Credential, the fllwing shall apply: + Cmmunicatin between the issuer and the cryptgraphic mdule in which the PIV Derived Authenticatin private key is stred shall ccur nly ver mutually authenticated secure sessins between tested and validated cryptgraphic mdules. + Data transmitted between the issuer and the cryptgraphic mdule in which the PIV Derived Authenticatin private key is stred shall be encrypted and cntain data integrity checks. The initial issuance prcess shall be fllwed fr: 1) re-key f an expired r cmprmised Derived PIV credential r 2) re-key f a Derived PIV Credential at LOA-4 t a new hardware tken. If the tken crrespnding t the Derived PIV Credential is lst, stlen, damaged r cmprmised, the PIV Derived Authenticatin certificate shall be revked in accrdance with the underlying certificate plicy. 4 The Derived PIV Credential is unaffected by lss, theft r damage t the Subscriber s PIV Card. 5 The ability t use the Derived PIV Credential is especially useful in such circumstances because the PIV Card is unavailable, yet the Subscriber is able t use the Derived PIV Credential t gain lgical access t remte Federally cntrlled infrmatin systems frm his/her mbile device. Similarly, the Derived PIV Credential is unaffected by the revcatin f the PIV Authenticatin certificate. Sme maintenance activities fr the subscriber s PIV Card may trigger crrespnding maintenance activities fr the Derived PIV Credential. Fr example, if the subscriber s PIV Card is reissued as a result f the Subscriber s name change, a new PIV Derived Authenticatin certificate with the new name may als need t be issued. 2.3 Terminatin A Derived PIV Credential shall be terminated when the department r agency that issued the credential determines that the Subscriber is n lnger eligible t have a PIV Card (i.e., PIV Card is terminated 6 ). A Derived PIV Credential may als be terminated when the department r agency that issued the credential determines that the Subscriber n lnger requires a derived credential, even if the Subscriber s PIV Card is nt being terminated. The latter may happen, fr example, when the Subscriber s rle in the agency changes such that he/she n lnger has the need t access agency resurces frm a mbile device using a Derived PIV Credential. If the PIV Derived Authenticatin private key was created and stred n a hardware cryptgraphic tken that des nt permit the user t exprt the private key, then terminatin f the Derived PIV Credential may be perfrmed by either: 1) cllecting and either zerizing the private key r destrying the tken r 2) revking the PIV Derived Authenticatin certificate. In all ther cases, terminatin shall be perfrmed by revking the PIV Derived Authenticatin certificate. 4 Recvering frm a mbile device cmputer security incident [SP 800-61] may als require revking the PIV Derived Authenticatin certificate. 5 In the case f a lst r stlen PIV Card there is the risk that the PIV Card culd be used t btain a fraudulently issued Derived PIV Credential. If the issuer f the PIV Card als issues Derived PIV Credentials then when a PIV Card is reprted lst r stlen the issuer shuld investigate whether any fraudulent Derived PIV Credentials might have been issued. 6 [FIPS201] prvides a list f circumstances that require PIV Card terminatin. 10

403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 2.4 Linkage with PIV Card The issuer f the Derived PIV Credential shall implement a prcess that maintains a link between the Subscriber s PIV Card and the Derived PIV Credential t enable the issuer f the latter credential t track the status f the PIV Card in rder t perfrm timely maintenance and terminatin activities in respnse t changes in the status f the PIV Card. The issuer f the Derived PIV Credential shall nt slely rely n tracking the revcatin status f the PIV Authenticatin certificate as a means f tracking the terminatin status f the PIV Card. This is because there are scenaris where the card s PIV Authenticatin certificate is nt revked even thugh the PIV Card has been terminated. This may happen, fr example, when a terminated PIV Card is cllected and either zerized r destryed by an agency in this case, in accrdance with [FIPS201], the crrespnding PIV Authenticatin certificate des nt need t be revked. Additinal methds must be emplyed fr maintaining a linkage between the current PIV Card and the crrespnding Derived PIV Credential. Sme example mechanisms t maintain this linkage are listed belw hwever, any ther mechanism that meets the abve requirements is als acceptable. If the Derived PIV Credential is issued by the same agency that issued the Subscriber s PIV Card, the linkage between the tw credentials may be maintained thrugh the cmmn Identity Management System (IDMS) database implemented by the issuing agency. When the issuer f the Derived PIV Credential is different frm the PIV Card Issuer, the fllwing mechanisms may be applied: 422 423 424 425 426 427 428 429 The Backend Attribute Exchange [BAE] can be queried fr the terminatin status f the PIV Card, if an attribute prviding this infrmatin is defined and the issuer f the PIV Card maintains this attribute fr the Subscriber. The issuer f the PIV Card maintains a list f crrespnding Derived PIV Credential issuers and sends ntificatin t the latter set when the PIV Card is terminated. If a Unifrm Reliability and Revcatin Service (URRS) is implemented in accrdance with Sectin 3.7 f [NISTIR7817], the issuer f a Derived PIV Credential may btain terminatin status f the Subscriber s PIV Card thrugh the URRS. 430 431 432 The linkage between the Derived PIV Credential and the Subscriber s PIV Card shall be updated when the Subscriber btains a new PIV Card (e.g., the Subscriber btains a replacement PIV Card after cmprmise f the riginal PIV Card). 11

433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 3. Technical Requirements This sectin describes technical requirements related t Derived PIV Credentials and their tkens. 3.1 Certificate Plicies PIV Derived Authenticatin certificates shall be issued under either the id-fpki-cmmn-pivauthderived-hardware (LOA-4) r the id-fpki-cmmn-pivauth-derived (LOA-3) plicy f the X.509 Certificate Plicy fr the U.S. Federal PKI Cmmn Plicy Framewrk [COMMON]. A Derived PIV Credential shall be deemed t satisfy e-authenticatin LOA-4 if it is issued in cnfrmance with the idfpki-cmmn-pivauth-derived-hardware certificate plicy, and e-authenticatin LOA-3 if it is issued in cnfrmance with the id-fpki-cmmn-pivauth-derived certificate plicy. The PIV Derived Authenticatin certificate shall cmply with Wrksheet 10: PIV Derived Authenticatin Certificate Prfile in [PROF]. The expiratin date f the PIV Derived Authenticatin certificate is based n the certificate plicy f the issuer and need nt be related t the expiratin date f the PIV Authenticatin certificate r the expiratin f the PIV Card. 3.2 Cryptgraphic Specificatins The cryptgraphic algrithm and key size requirements fr the PIV Derived Authenticatin certificate and private key are the same as the requirements fr the PIV Authenticatin certificate and private key, as specified in [SP800-78]. Fr PIV Derived Authenticatin certificates issued under id-fpki-cmmn-pivauth-derived-hardware, the PIV Derived Authenticatin key pair shall be generated within a hardware cryptgraphic mdule that has been validated t [FIPS140] Level 2 r higher that prvides Level 3 physical security t prtect the PIV Derived Authenticatin private key while in strage and that des nt permit exprtatin f the private key. Fr PIV Derived Authenticatin certificates issued under id-fpki-cmmn-pivauth-derived, the PIV Derived Authenticatin key pair shall be generated within a cryptgraphic mdule that has been validated t [FIPS140] Level 1 r higher. 3.3 Cryptgraphic Tken Types The Derived PIV Credentials and their crrespnding private keys may be used in a variety f cryptgraphic tkens available fr use n mbile devices. These tkens may be hardware r sftwarenly implementatins. Hardware tkens may either be remvable r embedded within a mbile device. Three kinds f remvable hardware tkens are specified, each with well-defined physical and lgical interfaces, t facilitate tken prtability between mbile devices in a manner analgus t PIV Card interchangeability. Embedded hardware tkens are nt remvable frm the mbile device, and may be accessed by sftware using the native cryptgraphic interface f the mbile device; hwever, nthing here is intended t either require r prhibit emulatin f PIV Card r the remvable tken sftware interface. Similar rules apply t embedded sftware tkens; nthing here is intended t either require r prhibit the emulatin f the sftware interfaces t PIV Cards r ther remvable tkens. 12

471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 Althugh sftware tkens are cnsidered embedded tkens fr this reasn, as a practical matter it will ften be impssible t prevent users frm making cpies f sftware tkens r prting them t ther devices. The cryptgraphic tkens permitted fr Derived PIV Credentials are described in the subsectins belw. 3.3.1 Remvable (Nn-Embedded) Hardware Cryptgraphic Tkens This sectin prvides requirements fr implementatins where the PIV Derived Authenticatin private key resides in a hardware cryptgraphic mdule (r tken) that can be remved frm the mbile device. In such cases, a PIV Derived Applicatin, as defined in Appendix B, shall be implemented n the hardware cryptgraphic tken. When the remvable hardware cryptgraphic mdule supprts multiple security dmains 7 managed by independent issuers, the PIV Derived Applicatin shall be implemented in a security dmain that is separate frm ther security dmains, dedicated t the Derived PIV Credential, and under the explicit cntrl f the issuing agency. The permitted types f remvable hardware cryptgraphic tkens are described in the fllwing subsectins. Each tken type is a standards-based hardware frm-factr that supprts cmpatibility and prtability acrss a variety f mbile cmputing devices. In each case, the frm-factr supprts a secure element (SE), a tamper resistant cryptgraphic cmpnent that prvides security and cnfidentiality. The Applicatin Prtcl Data Units (APDUs) fr the PIV Derived Applicatin cmmand interface (as defined in Appendix B) are transprted t the secure element within each frm-factr ver a standardized transprt prtcl apprpriate fr that frm factr. Further details f the required transprt prtcls are prvided belw. As described in Appendix B, the PIV Derived Applicatin may include digital signature and key management private keys and their crrespnding certificates in additin t the Derived PIV Credential. 3.3.1.1 SD Card with Cryptgraphic Mdule A Secure Digital (SD) Card is a nn-vlatile memry card frmat fr use in prtable devices such as mbile phnes and tablet cmputers. The SD frmat is available in three different sizes the riginal size, the "mini" size, and the "micr" size. While any size is permissible fr Derived PIV Credential issuance, the micrsd frm factr is mre likely t be available fr use within a mbile device. A PIV Derived Applicatin may reside n SD Card implementatins that include an n-bard secure element r security system. An example f a security system is an implementatin f the smartsd standard, which describes a smart card element within an SD memry card. The secure element used fr the PIV Derived Applicatin shall supprt the Advanced Security SD (ASSD) Extensin Simplified Specificatin [ASSD-EXT] t interface with the card cmmands specified in Appendix B f this dcument. [ASSD-EXT] serves as an extensin t the SD Card Physical Layer Specificatin and prvides all f the definitins required t transprt security system specific cmmand 7 A security dmain is a prtected area n a smart card. T this security dmain are assigned applicatins, which can use cryptgraphic services it ffers. By default nly the security dmain f the card issuer exists n a card. If anther institutin wants its wn security dmain, e.g., fr having its wn secure applicatin envirnment r managing its wn applicatins, such a dmain can be created with the help f the card issuer. Institutins managing their wn applicatins are als referred t as applicatin prviders. A cntrlling authrity security dmain, that is ptinally present, ffers a cnfidential persnalizatin service t authenticated applicatin prviders. 13

505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 packets frm the ASSD enabled hst (such as a mbile device) t the ASSD-enabled secure element and vice versa. Fr use as a transprt mechanism fr APDUs, [ASSD-EXT] is cnstrained/prfiled as belw t prmte interperability between mbile devices and tken implementatins: The cmmands fr the PIV Derived Applicatin shall be transprted nly in ASSD mde. Only the [ASSD-EXT] cmmand transfer prtcl is supprted fr interperable use. The secure data transfer cmmands are nt relevant fr PIV Derived Applicatin use. A secure cmmands sequence cmpsed f a WRITE_SEC_CMD cmmand in cmd-mde shall always be fllwed by a READ_SEC_CMD cmmand t retrieve the respnse t the cmmand. The WRITE_SEC_CMD shall be implemented nly in blcking mde t ensure that there is n interleaving f cmmands. 3.3.1.2 UICC with Cryptgraphic Mdule The Universal Integrated Circuit Card (UICC) cnfiguratin is based n the GlbalPlatfrm Card Specificatin v2.2.1 [GP-SPEC]. The UICC cnfiguratin standardizes a minimum level f interperability fr mbile prducts that supprt remte applicatin management via ver-the-air (OTA) mechanisms. UICC represents a new generatin Subscriber Identity Mdule (SIM) card. The UICC includes strage and prcessing, as well as input/utput capabilities. Unlike the SIM card, the UICC can als supprt a variety f ther applicatins and services and multiple security dmains. [GP-A] defines a mechanism fr an applicatin prvider t manage (i.e., lad, install and persnalize) its applicatin in a cnfidential manner while using a third party cmmunicatin netwrk. The PIV Derived Applicatin shall be implemented in a security dmain that is separate frm ther security dmains, dedicated t the Derived PIV Credential, and under the explicit cntrl f the issuing agency. A UICC is a secure element, which may be capable f hsting a PIV Derived Applicatin. A UICC used t hst a Derived PIV Credential shall implement the GlbalPlatfrm Card Secure Element Cnfiguratin v1.0 [GP-SE]. 3.3.1.3 USB Tken with Cryptgraphic Mdule A Universal Serial Bus (USB) tken is a device that plugs int the USB prt n varius IT cmputing platfrms, including mbile devices. USB tkens typically include nbard strage and may als include cryptgraphic prcessing capabilities (e.g., cryptgraphic mechanisms t verify the identity f users). USB tken implementatins that cntain an integrated secure element (an Integrated Circuit Card r ICC) are suitable fr issuance f Derived PIV Credentials. Such implementatins are called Chip Card Interface Devices (CCID) and shall cmply with the Universal Serial Bus Device Class: Smart Card CCID Specificatin fr Integrated Circuit(s) Cards Interface Devices Specificatin [CCIDSPEC]. The APDUs fr the PIV Derived Applicatin (as specified in Appendix B) shall be transprted t the secure element using the Bulk-Out cmmand pipe and the respnses shall be received frm the secure element using the Bulk-In cmmand pipe. USB tkens with cryptgraphic mdules that supprt a PIV Derived Applicatin shall als be cmpliant 14

542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 with the specificatins in [SP800-96] fr APDU supprt fr cntact card readers. The requirements fr the Applicatin Prgramming Interface (API) fr PIV Derived Applicatin implementatins are beynd the scpe f this dcument. 3.3.2 Embedded Cryptgraphic Tkens A Derived PIV Credential and its assciated private key may be used in cryptgraphic mdules that are embedded within mbile devices. These mdules may either be in the frm f a hardware cryptgraphic mdule that is a cmpnent f the mbile device r in the frm f a sftware cryptgraphic mdule that runs n the device. The cryptgraphic mdule shall satisfy the requirements in Sectin 3.2 fr either certificates issued under id-fpki-cmmn-pivauth-derived-hardware r id-fpki-cmmn-pivauth-derived. As described in Appendix A, these same cryptgraphic mdules may als hld ther keys, such as digital signature and key management private keys and their crrespnding certificates. 3.4 Activatin Data The Subscriber shall be authenticated t the cryptgraphic tken befre the private key crrespnding t the Derived PIV Credential can be used. The subsectins belw include requirements n activatin data establishment and reset fr hardware as well as sftware implementatins f the Derived PIV Credential. 3.4.1 Hardware Implementatins When the private key crrespnding t the Derived PIV Credential is stred in a (remvable r embedded) hardware cryptgraphic mdule, Persnal Identificatin Number based (PIN-based) Subscriber activatin shall be implemented. The PIN shuld nt be easily guessable r therwise individually identifiable in nature (e.g., part f a Scial Security Number, phne number). The required PIN length shall be a minimum f six bytes. At LA-4, the hardware cryptgraphic mdule shall include a mechanism t blck use f the PIV Derived Authenticatin private key after a number f cnsecutive failed authenticatin attempts as stipulated by the department r agency. 8 When required, PIN reset may be perfrmed as described belw. The PIN may need t be reset if the Subscriber has frgtten the PIN r if PIN-lckut has ccurred fllwing repeated use f invalid PINs. PIN reset may be perfrmed at the issuer s facility, at an unattended kisk perated by the issuer, r remtely via a general cmputing platfrm. When PIN reset is perfrmed in-persn at the issuer's facility, r at an unattended kisk perated by the issuer, it shall be implemented thrugh ne f the fllwing prcesses: 571 572 573 574 575 576 577 The Subscriber s PIV Card shall be used t authenticate the Subscriber (via PIV-AUTH mechanism as per sectin 6.2.3.1 f [FIPS 201]) prir t PIN reset. The issuer shall verify that the Derived PIV Credential is fr the same Subscriber that authenticated using the PIV Card. A 1:1 bimetric match shall be perfrmed against the bimetric sample retained during initial issuance f the Derived PIV Credential. The issuer shall verify that the Derived PIV Credential is fr the same Subscriber fr whm the bimetric match was cmpleted. 8 Subscribers may change their PINs anytime by prviding the current PIN and the new PIN values. 15

578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 Fr remte PIN reset fr hardware cryptgraphic mdules the Subscriber s PIV Card shall be used t authenticate the Subscriber (via PIV-AUTH authenticatin mechanism as per Sectin 6.2.3.1 f [FIPS 201]) prir t PIN reset. If the reset ccurs ver a sessin that is separate frm the sessin ver which the PIV-AUTH authenticatin mechanism was cmpleted, strng linkage (e.g., using a temprary secret) must be established between the tw sessins. The issuer shall verify that the Derived PIV Credential is fr the same Subscriber that authenticated using the PIV Card. The remte PIN reset shall be cmpleted ver a prtected sessin (e.g., using TLS). 3.4.2 Sftware Implementatins Fr sftware implementatins (LOA-3) f Derived PIV Credentials, a passwrd-based mechanism shall be used t perfrm cryptgraphic peratins with the private key crrespnding t the Derived PIV Credential. The passwrd shall meet the requirements f an LOA-2 memrized secret tken as specified in Table 6, Tken Requirements per Assurance Level, in [SP800-63]. Fr sftware cryptgraphic mdules, passwrd reset is nt supprted. The initial issuance prcess shall be fllwed if the passwrd is frgtten. Lckut mechanisms fr repeated unsuccessful activatin attempts are nt required fr sftware cryptgraphic mdules. 594 16

595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 Appendix A Digital Signature and Key Management Keys (Infrmative) In additin t the PIV Authenticatin key, [FIPS 201] als requires each PIV Card t have a digital signature key and a key management key, unless the cardhlder des nt have a gvernment-issued email accunt at the time f credential issuance. A subscriber wh has been issued a PIV Derived Authenticatin certificate fr use with a mbile device may als have a need t use a digital signature and key management key with that mbile device. Fr mst Subscribers, it will be necessary fr the key management key n the mbile device t be the same key as the ne n the PIV Card. Neither [FIPS 201] nr [COMMON] precludes the key management private key frm being used n mre than ne device (e.g., the PIV Card and a smart phne) as lng as all f the requirements f the plicy under which the key management certificate was issued are satisfied. Nte that this means that in rder t be able t use a cpy f the key management private key in [FIPS140] Level 1 sftware cryptgraphic mdule the crrespnding certificate wuld have t be issued under a certificate plicy, such as id-fpki-cmmn-plicy, that des nt require the use f a [FIPS140] Level 2 hardware cryptgraphic mdule. This shuld be taken int accunt at the time that the key management certificate that will be placed n the PIV Card is issued. Key recvery mechanisms are encuraged fr key management keys issued t mbile devices. As the digital signature key n a PIV Card cannt be cpied, a mbile device will have t be issued a new digital signature private key and certificate. The issuance f this private key and certificate is cmpletely independent f the issuance f the PIV Card, althugh the issuer may chse t leverage the Applicant s PIV Card t identity prf the Applicant prir t issuing the digital signature certificate. As the certificate plicies assciated with digital signature certificates in [COMMON] (id-fpki-cmmn-plicy, id-fpkicmmn-hardware, and id-fpki-cmmn-high) are nt limited t use with PIV Cards, a certificate fr a digital signature certificate fr a mbile device may be issued under ne f these plicies, as lng as all f the requirements f the plicy are satisfied. 17

619 620 621 622 623 624 625 626 627 628 Appendix B Data Mdel and Interfaces fr Remvable (Nn-Embedded) Hardware Cryptgraphic Tkens (Nrmative) This appendix prvides data mdel and interface requirements fr the PIV Derived Applicatins implemented n remvable hardware cryptgraphic tkens. B.1 PIV Derived Applicatin Data Mdel and Representatin The data mdel and representatin requirements fr PIV Derived Applicatins are based n the requirements fr PIV Card Applicatins as described in [SP800-73Part1]. The specificatins fr the mandatry and ptinal data bjects listed belw are the same as the specificatins f the crrespnding data bjects n a PIV Card Applicatin as described in [SP800-73Part1], except fr the general difference that the cntactless interface is nt supprted by the PIV Derived Applicatin. 629 B.1.1 PIV Derived Applicatin Identifier 630 The Applicatin Identifier (AID) f the PIV Derived Applicatin shall be: 631 632 633 634 'A0 00 00 03 08 XX XX XX XX XX XX' [Nte: the specific value fr the AID will be included in the final versin f this dcument. It will be different frm the AID f the PIV Card Applicatin.] 635 636 637 The PIV Derived Applicatin can be selected as the current applicatin n the remvable hardware cryptgraphic tken by prviding the full AID listed abve r by prviding the right truncated versin, as fllws: 638 'A0 00 00 03 08 XX XX XX XX' 639 B.1.2 PIV Derived Applicatin Data Mdel Elements 640 641 642 643 644 645 646 647 648 649 650 651 652 653 The PIV Derived Applicatin shall cntain the fllwing mandatry interperable data bject: X.509 Certificate fr PIV Derived Authenticatin The read access cntrl rule fr X.509 PIV Derived Authenticatin Certificate and the PKI cryptgraphic functin access rule fr the crrespnding private key are as described fr the X.509 Certificate fr PIV Authenticatin in Sectin 3.1.3 f [SP 800-73Part1]. The ptinal data bjects are as fllws: X.509 Certificate fr Digital Signature The read access cntrl rule fr the X.509 Certificate fr Digital Signature and the PKI cryptgraphic functin access rule fr the crrespnding private key are as described in Sectin 3.2.1 f [SP800-73Part1]. X.509 Certificate fr Key Management The read access cntrl rule fr the X.509 Certificate fr Key Management and the PKI cryptgraphic functin access rule fr the crrespnding private key are as described in Sectin 3.3.2 f [SP800-73Part1]. Discvery Object The requirements fr the Discvery Object are as described in Sectin 3.3.2 f [SP800-73Part1] except fr the fllwing: 654 References t PIV Card Applicatin AID are replaced by PIV Derived Applicatin 18

655 656 657 658 659 660 AID. References t PIV Card Applicatin PIN are replaced by PIV Derived Applicatin PIN. The first byte f the PIN Usage Plicy shall be set t 0x40. (This means that the Glbal PIN des nt satisfy the access cntrl rules fr cmmand executin and data bject access within the PIV Derived Applicatin.) 661 662 663 664 665 666 Key Histry Object Up t 20 retired key management private keys may be stred in the PIV Derived Applicatin. The Key Histry Object shall be present in the PIV Derived Applicatin if the PIV Derived Applicatin cntains any retired key management private keys, but may be present even if n such keys are present in the PIV Derived Applicatin. The requirements fr the Key Histry bject are as described in Sectin 3.3.3 f [SP800-73Part1] except fr the fllwing: 667 668 669 670 671 672 673 674 References t keyswithoncardcerts shuld be interpreted as keys fr which the crrespnding certificate is ppulated within the PIV Derived Applicatin. References t keyswithoffcardcerts shuld be interpreted as keys fr which the crrespnding certificate is nt ppulated within the PIV Derived Applicatin. References t ffcardcerturl shuld be interpreted as a URL that pints t a file cntaining the certificates crrespnding t all f the retired key management private keys within the PIV Derived Applicatin including thse fr which the crrespnding certificate is stred within the PIV Derived Applicatin. 675 676 677 678 679 680 681 Retired X.509 Certificates fr Key Management The read access cntrl rules fr the Retired X.509 Certificates fr Key Management and PKI cryptgraphic functin access rules fr crrespnding private keys are as described in Sectin 3.3.4 f [SP800-73Part1]. Security Object The Security Object shall be present in the PIV Derived Applicatin if either the Discvery Object r the Key Histry Object is present, and shall be absent therwise. The requirements fr the Security Object are as described in Sectin 3.1.7 f [SP800-73Part1], except fr the fllwing: 682 683 684 685 686 687 688 689 The Security Object fr a PIV Derived Applicatin is signed using a private key whse crrespnding public key is cntained in a PIV cntent signing certificate that satisfies the requirements fr certificates used t verify signatures n Cardhlder Unique Identifiers (CHUID), as specified in Sectin 4.2.1 f [FIPS 201]. The signature field f the Security Object, tag 0xBB, shall include the Derived PIV Credential Issuer s certificate. All unsigned data bjects (i.e., the Discvery Object and the Key Histry Object) within the PIV Derived Applicatin shall be included in the Security Object. 690 691 B.1.2.1 PIV Derived Applicatin Data Object Cntainers and assciated Access Rules 692 Sectin 3.5 f [SP800-73Part1] prvides the cntainer IDs and Access Rules fr the mandatry and 19

693 694 695 696 697 698 699 700 701 702 703 ptinal data bjects fr a PIV Derived Applicatin with the fllwing mappings: PIV Derived Applicatin Data Object PIV Card Applicatin Data Object X.509 Certificate fr PIV Derived Authenticatin X.509 Certificate fr PIV Authenticatin Security Object Security Object X.509 Certificate fr Digital Signature X.509 Certificate fr Digital Signature X.509 Certificate fr Key Management X.509 Certificate fr Key Management Discvery Object Discvery Object Key Histry Object Key Histry Object Retired X.509 Certificate fr Key Management n Retired X.509 Certificate fr Key Management n Table B-1 Mapping f Data Objects The detailed data mdel specificatins fr each f the data bjects f the PIV Derived Applicatin are the same as the specificatins f the crrespnding data bjects (mapped per the table abve) f the PIV Card Applicatin as described in Appendix A f [SP800-73Part1], except fr the fllwing: References t cntactless interface are nt applicable. The PIV Derived Applicatin nly supprts a cntact interface. The Security Object fr the PIV Derived Applicatin is ptinal. It is required if either the ptinal Discvery Object r the ptinal Key Histry Object is present. 704 B.1.3 PIV Derived Applicatin Data Objects Representatin 705 706 707 708 The ASN.1 bject identifiers (OID) and basic encding rules tag length value (BER-TLV) tags fr the varius mandatry and ptinal data bjects within the PIV Derived Applicatin are the same as fr the crrespnding data bjects (mapped per the table abve) f the PIV Card Applicatin as described in Sectin 4 f [SP800-73Part1]. 709 B.1.4 PIV Derived Applicatin Data Types and their Representatin 710 711 This appendix prvides a descriptin f the data types used in the PIV Derived Applicatin Cmmand Interface. 712 B.1.4.2 PIV Derived Applicatin Key References 713 714 715 Key references are assigned t keys and PINs f the PIV Derived Applicatin. Table 6-1 f [SP800-78] and Table 4 f [SP800-73Part1] define the key reference values that shall be used n the PIV Derived Applicatin interfaces with the fllwing mappings: 716 PIV Derived Key Type Glbal PIN PIV Key Type Glbal PIN 20

717 718 719 720 PIV Derived Key Type PIV Key Type PIV Derived Applicatin PIN PIV Card Applicatin PIN PIV Unblcking Key PIN Unblcking Key PIV Derived Authenticatin Key PIV Authenticatin Key PIV Derived Tken Management Key Card Management Key Digital Signature Key Digital Signature Key Key Management Key Key Management Key Retired Key Management Key Retired Key Management Key Table B-2 Mapping f Key Types The key reference specificatins in Sectin 5.1 f [SP800-73Part1] are applicable t the crrespnding keys included in the PIV Derived Applicatin (mapped per the table abve) except fr the fllwing: References t PIV Card Applicatin are replaced by PIV Derived Applicatin 721 722 B.1.4.3 PIV Derived Applicatin Cryptgraphic Algrithm and Mechanism Identifiers 723 724 725 726 The algrithm identifiers fr the cryptgraphic algrithms that may be recgnized n the PIV Derived Applicatin interfaces are the asymmetric and symmetric identifiers specified in Table 6-2 f [SP 800-78]. The cryptgraphic mechanism identifiers that may be recgnized n the PIV Derived Applicatin interfaces are thse specified in Table 5 f [SP800-73Part1]. 727 B.1.4.4 PIV Derived Applicatin Status Wrds 728 729 The status wrds that may be returned n the PIV Derived Applicatin cmmand interface are as specified in Sectin 5.6 f [SP800-73Part1]. 730 B.1.5 PIV Derived Authenticatin Mechanisms 731 732 733 734 735 736 737 738 739 740 741 The PIV Derived Applicatin supprts the fllwing validatin steps: Credential Validatin (CredV) thrugh verificatin f the certificates retrieved frm the PIV Derived Applicatin and checking f the revcatin status f these certificates. PIV Derived Applicatin Hlder Validatin (HlderV) thrugh matching the PIN prvided by the tken hlder with the PIN within the PIV Derived Applicatin. The PIV Derived Applicatin facilitates a single authenticatin mechanism, which is a cryptgraphic challenge and respnse authenticatin prtcl using the PIV Derived Authenticatin private key as described in Appendix B.1.2 f [SP80073Part1] with the fllwing translatins: References t PIV Applicatin are replaced by PIV Derived Applicatin. References t PIV Auth Certificate are replaced by PIV Derived Authenticatin Certificate. References t PIV Card App ID are replaced with PIV Derived Applicatin ID. 21

742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 B.2 PIV Derived Applicatin Tken Cmmand Interface This appendix cntains the technical specificatins f the cmmand interface t the PIV Derived Applicatin surfaced by the card edge f the Integrated Circuit Card (ICC) that represents the remvable hardware cryptgraphic tken. The cmmand interface fr the PIV Derived Applicatin shall implement all f the card cmmands supprted by the PIV Card Applicatin as described in [SP800-73Part2], which include: SELECT GET DATA VERIFY CHANGE REFERENCE DATA RESET RETRY COUNTER GENERAL AUTHENTICATE PUT DATA GENERATE ASYMMETRIC KEY PAIR The specificatins fr the tken cmmand interface shall be the same as the specificatins fr the crrespnding card edge cmmands fr a PIV Card as described in [SP800-73Part2], except fr the fllwing deviatins: References t PIV Card Applicatin are replaced by PIV Derived Applicatin References t the cntactless interface are ignred References t PIV Data Objects are replaced by PIV Derived Data Objects References t PIV Authenticatin Key are replaced with PIV Derived Authenticatin Key In Appendix A: 764 765 766 767 References t PIV Card Applicatin Administratr are replaced by PIV Derived Applicatin Administratr References t Card Management Key are replaced by PIV Derived Tken management Key 768 769 770 771 The tken platfrm shall supprt a default selected applicatin. In ther wrds, there shall be a currently selected applicatin immediately after a cld r warm reset. This applicatin is the default selected applicatin. The default applicatin may be the PIV Derived Applicatin, r it may be anther applicatin. 22

772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 Appendix C Derived PIV Credentials in Relatin t OMB Memranda (Infrmative) This dcument prvides a spectrum f chices fr tw-factr remte authenticatin with a mbile device, all f which are subject t OMB guidance n remte electrnic authenticatin. Table C-1 summarizes the assciatin f Derived PIV Credentials tken types with the existing remte electrnic authenticatin plicies in OMB memranda M-06-16 [M0616] and M-07-16 [M0716]. Bth memranda specify a Cntrl Remte Access prvisin that calls fr tw-factr authenticatin where ne f the tw factrs is prvided by a device that is separate frm the device accessing the remte resurce. Increasingly, mbile devices are becming smaller and/r lighter. These cnstraints limit external prts and frce the integratin f authenticatin tkens and security features. As indicated by clumn 6 in Table C-1, 9 fur f the five tkens with Derived Credentials are integrated. Fr these tkens, future guidance will be made available by OMB t prvide an alternative t the remte authenticatin plicy in M-06-16 and M-07-16. With integrated tkens, authenticatin factrs are nt prvided by a separate tken and sensitive gvernment infrmatin may be at greater risk f lss. OMB s alternative guidance intends t als address these risks by pinting t NIST guidelines fr cmpensating cntrls (e.g., SP 800-53, SP 800-124, SP 800-164). Nte: T prvide a cmplete set f ptins fr PIV-enabled remte access with mbile devices, the PIV Card as tken type has been included. 790 Credential Type Tken Type PIV Assurance Level PIV Derived Authenticatin certificate PIV Card s PIV Authenticatin certificate credential Cmparable OMB E-Authenticatin Level M-06-16/M-07-16 fr Separate Tkens Target Guidance: Future Alternate OMB Guidance fr Integrated Tkens MicrSD Tken Very High 4 USB Security Tken Very High 4 Sftware Tken High 3 Embedded Hardware Tken Very High 4 UICC Tken Very High 4 PIV Card (via attached reader r NFC) Very High 4 Table C-1 Tken types and Relatin t OMB s Electrnic Authenticatin Guidelines 9 Draft NIST Interagency Reprt 7981 [NISTIR7981] summarizes the unique set f cnstraints fr mbile devices that necessitate alternative OMB guidance fr e-authenticatin fr mbile devices. 23

791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 Appendix D Glssary (Infrmative) Selected terms used in the guide are defined belw. Derived PIV Credential: An X.509 PIV Derived Authenticatin certificate, which is issued in accrdance with the requirements specified in this dcument where the PIV Authenticatin certificate n the applicant s PIV Card serves as the riginal credential. The Derived PIV Credential is an additinal cmmn identity credential under HSPD-12 and FIPS 201 that is issued by a Federal department r agency and used with mbile devices. Mbile Device: A prtable cmputing device that: (i) has a small frm factr such that it can easily be carried by a single individual; (ii) is designed t perate withut a physical cnnectin (e.g., wirelessly transmit r receive infrmatin); (iii) pssesses lcal, nn-remvable r remvable data strage; and (iv) includes a self-cntained pwer surce. Mbile devices may als include vice cmmunicatin capabilities, n-bard sensrs that allw the devices t capture infrmatin, and/r built-in features fr synchrnizing lcal data with remte lcatins. Examples include smart phnes, tablets, and e-readers. PIV Derived Applicatin: A standardized applicatin residing n a remvable, hardware cryptgraphic tken that hsts a Derived PIV Credential and assciated mandatry and ptinal elements. All ther significant technical terms used within this dcument are defined in ther key dcuments including [FIPS201], [SP800-63] and [SP 800-73]. 809 24

810 811 Appendix E Acrnyms and Abbreviatins (Infrmative) Selected acrnyms and abbreviatins used in the guide are defined belw. 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 AID APDU API ASN.1 ASSD BER CCID FIPS HSPD ICC IT ITL LOA NFC NIST IR NIST OID OMB OTA PCI PIN PIV PKI P.L. SD SE SIM SP TLS TLV UICC URL USB VCI Applicatin Identifier Applicatin Prtcl Data Unit Applicatin Prgramming Interface Abstract Syntax Ntatin One Advanced Security SD Basic Encding Rules Chip Card Interface Device Federal Infrmatin Prcessing Standard Hmeland Security Presidential Directive Integrated Circuit Card Infrmatin Technlgy Infrmatin Technlgy Labratry Level f Assurance Near Field Cmmunicatin Natinal Institute f Standards and Technlgy Interagency r Internal Reprts Natinal Institute f Standards and Technlgy Object Identifier Office f Management and Budget Over-the-Air PIV Card Issuer Persnal Identificatin Number Persnal Identity Verificatin Public Key Infrastructure Public Law Secure Digital Secure Element Subscriber Identity Mdule Special Publicatin Transprt Layer Security Tag-Length-Value Universal Integrated Circuit Card Unifrm Resurce Lcatr Universal Serial Bus Virtual Cntact Interface 25

849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 Appendix F References (Infrmative) This appendix prvides references fr the dcument. [ASSD-EXT] Advanced Security SD Extensin Simplified Specificatin Versin 2.00, May 2010. Available at https://www.sdcard.rg/dwnlads/pls/simplified_specs/archive/parta1_200.pdf. [BAE] Backend Attribute Exchange (BAE) v2.0 Overview, January 2012. Available at http://idmanagement.gv/sites/default/files/dcuments/bae_v2_overview_dcument_final_v1.0.0.pdf. [CCID] Universal Serial Bus Device Class: Smart Card CCID Specificatin fr Integrated Circuit(s) Cards Interface Devices, Revisin 1.1, April 2005. Available at http://www.usb.rg/develpers/devclass_dcs/dwg_smart-card_ccid_rev110.pdf. [COMMON] X.509 Certificate Plicy fr the U.S. Federal PKI Cmmn Plicy Framewrk, Versin 1.21, December 2012. Available at http://www.idmanagement.gv/dcuments/cmmn-plicyframewrk-certificate-plicy. [Nte: A change prpsal that wuld add the id-fpki-cmmn-pivauthderived and id-fpki-cmmn-pivauth-derived-hardware plicies t this certificate plicy has been submitted t the Federal PKI Plicy Authrity.] [FIPS140] FIPS Publicatin 140-2, Security Requirements fr Cryptgraphic Mdules, NIST, May 25, 2001, r as amended. Available at http://csrc.nist.gv/publicatins/fips/fips140-2/fips1402.pdf. [FIPS201] FIPS Publicatin 201-2, Persnal Identity Verificatin (PIV) f Federal Emplyees and Cntractrs, NIST, August 2013, r as amended. Available at http://nvlpubs.nist.gv/nistpubs/fips/nist.fips.201-2.pdf. [GP-A] Cnfidential Card Cntent Management GlbalPlatfrm Card Specificatin v2.2 - Amendment A v1.0.1, January 2011. Available at http://www.glbalplatfrm.rg/specificatinscard.asp. [GP-SPEC] GlbalPlatfrm Card Specificatin Versin 2.2.1, January 2011. Available at http://www.glbalplatfrm.rg/specificatinscard.asp. [GP-SE] GlbalPlatfrm Card Secure Element Cnfiguratin v1.0, Octber 2012. Available at http://www.glbalplatfrm.rg/specificatinscard.asp. [M0404] OMB Memrandum M-04-04, E-Authenticatin Guidance fr Federal Agencies, OMB, December 2003. [M0616] OMB Memrandum M-06-16, Prtectin f Sensitive Agency Infrmatin, OMB, December 2006. [M0716] OMB Memrandum M-07-16, Safeguarding Against and Respnding t the Breach f Persnally Identifiable Infrmatin, OMB, May 2007. [NISTIR7817] NIST Interagency Reprt 7817, A Credential Reliability and Revcatin Mdel fr Federated Identities, Nvember 2012. Available at http://csrc.nist.gv. [NISTIR7981] Draft NIST Interagency Reprt 7981, Mbile, PIV, and Authenticatin, March 2014. Available at http://csrc.nist.gv. 26

884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 [PROF] X.509 Certificate and Certificate Revcatin List (CRL) Prfile fr the Shared Service Prviders (SSP) Prgram, Versin 1.5, January 2008, r as amended. Available at http://csrc.nist.gv. [Nte: A change prpsal that wuld add Wrksheet 10 has been submitted t the Federal PKI Plicy Authrity.] [SP800-53] NIST Special Publicatin 800-53 Revisin 4, Security and Privacy Cntrls fr Federal Infrmatin Systems and Organizatins, NIST, April 2013, r as amended. Available at http://csrc.nist.gv. [SP800-61] NIST Special Publicatin 800-61 Revisin 2, Cmputer Security Incident Handling Guide, August 2012, r as amended. Available at http://csrc.nist.gv. [SP800-63] NIST Special Publicatin 800-63-2, Electrnic Authenticatin Guideline, NIST, August 2013, r as amended. Available at http://csrc.nist.gv. [SP800-73] Draft NIST Special Publicatin 800-73-4, Interfaces fr Persnal Identity Verificatin, NIST, May 2013, r as amended. Available at http://csrc.nist.gv. [SP800-78] Draft NIST Special Publicatin 800-78-4, Cryptgraphic Algrithms and Key Sizes fr Persnal Identity Verificatin, NIST, May 2013, r as amended. Available at http://csrc.nist.gv. [SP800-79] Draft NIST Special Publicatin 800-79-2, Guidelines fr the Authrizatin f Persnal Identity Verificatin Card Issuers and Derived PIV Credential Issuers, NIST, r as amended. Sn available at http://csrc.nist.gv. [SP800-124] NIST Special Publicatin 800-124 Revisin 1, Guidelines fr Managing the Security f Mbile Devices in the Enterprise, NIST, June 2013, r as amended. Available at http://csrc.nist.gv. [SP800-164] Draft NIST Special Publicatin 800-164, Guidelines n Hardware-Rted Security in Mbile Devices, NIST, Octber 2012, r as amended. Available at http://csrc.nist.gv. 27