PIV Cards Interoperability

The data objects and keys placed on a Personal Identity Verification Card during issuance use specific cryptographic algorithms selected from the acceptable algorithms. A Physical Access Control Systems application can interrogate the card to learn which algorithms are used.

To attain full interoperability, a relying Physical Access Control Systems application will need to support all acceptable algorithms, key lengths, and key material that could be presented, either by a Personal Identity Verification Card or by the Personal Identity Verification infrastructure.

The interoperability goal of Personal Identity Verification-enabled Physical Access Control Systems can be stated as follows:

  1. Any Personal Identity Verification Card can provide proof of identity to any electronic Physical Access Control Systems (access is granted only if the identity is so authorized).
  2. After a successful authentication, the authentication mechanism provides the cardholder’s authenticated identity, in the form of a Federal Agency Smart Credential Number (FASC-N) Identifier to the relying party.

To achieve interoperability, the Physical Access Control Systems should at least observe the following conditions:

  • If the Personal Identity Verification Authentication Key (PKI) authentication mechanism is performed by a Physical Access Control Systems application, the Physical Access Control Systems should support all of the asymmetric algorithms permitted for the Personal Identity Verification Authentication Key, i.e., RSA 1024, RSA 2048, and Elliptic Curve Digital Signature Algorithm (ECDSA) P-256; the Physical Access Control Systems should accept all valid Personal Identity Verification authentication certificates and require PIN (Personal Identification Number) entry.
  • If the Card Authentication Key (CAK) authentication mechanism is performed by the Physical Access Control Systems, the accepted algorithms are the same, but the Physical Access Control Systems will accept only Card Authentication Key certificates and will not require PIN entry.
  • If Cardholder Unique Identifier (CHUID) authentication with signature verification is performed, the Physical Access Control Systems should support all of the signature algorithms and key sizes permitted. If only CHUID authentication without signature verification of the CHUID is performed, no cryptographic operations take place, and no cryptographic requirement is placed on the Physical Access Control Systems.
  • PINs required for Personal Identity Verification authentication mechanisms are strings of eight or fewer decimal digits. For the Personal Identity Verification Authentication Key (PKI), BIO, and BIO-A authentication mechanisms, a PIN entry device must acquire the PIN from the cardholder and present it to the Personal Identity Verification Card to activate the card.
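To make the conditions above concrete, here is an added example (not from the article or from any PIV specification) that models them as a check over a constructed Physical Access Control Systems configuration and card presentation. The mechanism labels, class names, and the FASC-N value are assumptions made for illustration.

```python
# Added example: a model of the interoperability conditions listed above.
# Names, mechanism labels and sample data are constructed, not from any PIV standard.
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Asymmetric algorithms the text says a PACS must support for PIV Auth Key and CAK.
PIV_ASYMMETRIC_ALGORITHMS = {"RSA-1024", "RSA-2048", "ECDSA-P256"}
PIN_PATTERN = re.compile(r"[0-9]{1,8}")  # eight or fewer decimal digits

@dataclass
class PacsConfig:
    supported_algorithms: Set[str]  # algorithms the relying PACS can verify

@dataclass
class CardPresentation:
    mechanism: str                  # "PKI-AUTH", "CAK", "CHUID-SIGNED" or "CHUID"
    cert_type: Optional[str]        # "piv-auth", "cak", or None for CHUID-only
    algorithm: Optional[str]        # key/signature algorithm of the presented object
    fasc_n: str                     # constructed identifier returned on success
    pin: Optional[str] = None       # PIN as entered at the reader, if any

def fully_interoperable(pacs: PacsConfig) -> bool:
    """True when the PACS supports every algorithm a PIV card may present."""
    return PIV_ASYMMETRIC_ALGORITHMS <= pacs.supported_algorithms

def pin_is_well_formed(pin: Optional[str]) -> bool:
    # Format check only; the card itself verifies the PIN during activation.
    return pin is not None and PIN_PATTERN.fullmatch(pin) is not None

def authenticate(pacs: PacsConfig, card: CardPresentation) -> Tuple[bool, str]:
    """Return (ok, fasc_n or reason) under the conditions the text lists."""
    m = card.mechanism
    if m == "CHUID":
        return True, card.fasc_n  # no signature check, no cryptographic requirement
    if card.algorithm not in pacs.supported_algorithms:
        return False, f"PACS does not support {card.algorithm}"
    if m == "CHUID-SIGNED":
        return True, card.fasc_n
    if card.algorithm not in PIV_ASYMMETRIC_ALGORITHMS:
        return False, f"{card.algorithm} is not permitted for PIV Auth Key or CAK"
    if m == "PKI-AUTH":
        if card.cert_type != "piv-auth":
            return False, "PKI-AUTH accepts only PIV Authentication certificates"
        if not pin_is_well_formed(card.pin):
            return False, "PKI-AUTH requires a PIN of one to eight decimal digits"
        return True, card.fasc_n
    if m == "CAK":
        if card.cert_type != "cak":
            return False, "CAK accepts only Card Authentication certificates"
        return True, card.fasc_n  # CAK never requires PIN entry
    return False, f"unknown mechanism {m}"
```

A PACS lacking one of the three algorithms still authenticates cards whose keys it can verify, which is exactly the partial interoperability the article warns against.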

The Personal Identity Verification Implementation Maturity Model (PIMM) can be used to measure progress towards the interoperability goal. When Personal Identity Verification implementation is complete, all installed Physical Access Control Systems readers will be approved products on the General Services Administration (GSA) Homeland Security Presidential Directive 12 (HSPD-12) Evaluation Program Approved Products List, and each will be capable of one or more Personal Identity Verification authentication mechanisms. At that point, any Personal Identity Verification Card will be able to perform any authentication mechanism it has been issued to perform at any Physical Access Control Systems.

The ability of a Personal Identity Verification Card and cardholder to authenticate at a reader does not mean they will be granted access—it means only that the cardholder has been identified, with the assurance level of the authentication mechanism employed, to the reader. A cardholder must authenticate and be authorized to be granted access.

Recommendation: To obtain the full benefit of Personal Identity Verification interoperability, Homeland Security Presidential Directive 12 (HSPD-12) project managers should understand the requirements for support of multiple cryptographic algorithms and ensure that relying systems have, or can be upgraded to have, the capability to use all cryptographic algorithms that apply to the authentication mechanism(s) performed.



Responses to “PIV Cards Interoperability”

  1. omar says:

    Very interesting article. I wait to read more about this subject.

  2. Ken says:

    interesting post

  3. P. Silva says:

    a very good article about PIV Cards Interoperability

Copyright © 2008 Home Automation - JAEC - All the rights reserved