Cryptography – General Physical Security Requirements
The following requirements shall apply to all physical embodiments:
- Documentation shall specify the physical embodiment and the security level for which the physical security mechanisms of a cryptographic module are implemented.
- Whenever zeroization is performed for physical security purposes, the zeroization shall occur in a sufficiently small time period so as to prevent the recovery of the sensitive data between the time of detection and the actual zeroization.
- If a module includes [..]
Cryptographic Module Specification
A cryptographic module shall be a set of hardware and software that implements cryptographic functions or processes, including cryptographic algorithms and, optionally, key generation, and is contained within a defined cryptographic boundary.
In an Approved mode of operation a cryptographic module shall implement at least one Approved or Allowed security function. Certain non-Approved security functions are allowed for use in an Approved mode of operation. Allowed security functions used in an [..]
Cryptography – Acronyms
The following acronyms and abbreviations are used throughout this standard:
CMS Configuration Management System
CSP Critical Security Parameter
DPA Differential Power Analysis
EDC Error Detection Code
EFP Environmental Failure Protection [..]
Cryptography – Security Levels
Security Level 1
Security Level 1 provides the lowest level of assurance. Basic security requirements are specified for a cryptographic module (e.g., at least one Approved security function must be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components.
Security Level 1 allows the software components of a cryptographic module to be executed on a general purpose computing system [..]
PIV Cards Interoperability
The data objects and keys placed on a PIV Card during issuance use specific cryptographic algorithms selected from the acceptable algorithms in [SP800-78]. A PACS application can interrogate the card to learn which algorithms are used.
To attain full interoperability, a relying PACS application will need to support all acceptable algorithms, key lengths, and key material that could be presented, either by a PIV Card [..]
PIV CARDS – Authentication Capability
Deployed PACS readers use proximity or magnetic stripe technology to interface with identity cards and use proprietary protocols to communicate data. Some of these proprietary protocols employ cryptography, but their use is limited to the local site.
Recommendation for the Use of PIV Credentials in PACScredentials that could be used for a new generation of identity management technology for building access. FIPS 201 and its supporting special publications define the credential [..]
PIV Cards | Counterfeiting | Skimming | Cloning | Social Engineering
Terminated PIV Cards
PIV Cards may be terminated for a number of reasons, including a lost or stolen card. A terminated PIV Card could continue to open doors with the CHUID authentication mechanism long after the card has been terminated.
The check for termination should be performed by a status check, using either the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRL), on a PIV authentication certificate. Credential validation is [..]
PIV Systems – Threat Environment
The PIV System is defined to enhance security and trust in identity credentials, but no practical system can guarantee perfect security. This section discusses known technical threats to PIV authentication mechanisms, especially the CHUID authentication mechanism.
Methods of attack are described in general terms, and this is not an exhaustive list of possible attacks. Attackers often succeed by exploiting overlooked or newly [..]
Mobile Malware | Wireless Protocol | Threats and Prevention
A simple defense against many forms of malware is to turn off Bluetooth, WiFi, infrared, and otherwireless interfaces until they are needed.
This is particularly important for Bluetooth devices due to the increased risk of encountering mobile malware in crowded settings, such as an airport, sports event, or concert, which offer a target-rich environment for an attack.
Being invisible prevents the device from being scanned and located, and its wireless interface used [..]
Handheld Device – Backup Data & Reduce Data Exposure
Backup Data
Using a handheld device as the sole repository for important information is an invitation for disaster. To protect valuable data residing on a handheld device, a restorable backup of the contents should be done regularly. Data may be synched with a desktop computer as a primary means of backup and also possible dual use. Data includes Personal Information Management data, electronic documents, including photos and music, applications, and network [..]