Cryptography – SSP Entry and Output
SSPs may be entered into or output from a module. If SSPs are entered into or output from a module, the entry or output of SSPs is performed using manual (e.g., entered via a keyboard or output via a visual display) or electronic (e.g., via a smart card/tokens, PC card, other electronic key loading device, or the module operating system) methods or some combination thereof.
Documentation shall specify the SSP entry and [..]
Cryptography – Environmental Failure Testing Procedures
EFT shall involve a combination of analysis, simulation, and testing of a cryptographic module to provide reasonable assurance that environmental conditions or fluctuations (accidental or induced) outside the module’s normal operating ranges for temperature and voltage will not compromise the security of the module.
EFT shall demonstrate that, if the operating temperature or voltage falls outside the normal operating range of the cryptographic module resulting in a failure, at no time [..]
Single-Chip Cryptographic Modules
The following requirements are specific to single-chip cryptographic modules.
SECURITY LEVEL 1
There are no additional Security Level 1 requirements for single-chip cryptographic modules.
SECURITY LEVEL 2
In addition to the requirements for Security Level 1, the following requirements shall apply to single-chip cryptographic modules for Security Level 2.
- The cryptographic module shall be covered with a tamper-evident coating (e.g., a tamper-evident passivation material or a tamper-evident material covering the passivation) or contained in a tamper-evident [..]
Cryptography – General Physical Security Requirements
The following requirements shall apply to all physical embodiments:
- Documentation shall specify the physical embodiment and the security level for which the physical security mechanisms of a cryptographic module are implemented.
- Whenever zeroization is performed for physical security purposes, the zeroization shall occur in a sufficiently small time period so as to prevent the recovery of the sensitive data between the time of detection and the actual zeroization.
- If a module includes [..]
Cryptographic Module Specification
A cryptographic module shall be a set of hardware and software that implements cryptographic functions or processes, including cryptographic algorithms and, optionally, key generation, and is contained within a defined cryptographic boundary.
In an Approved mode of operation a cryptographic module shall implement at least one Approved or Allowed security function. Certain non-Approved security functions are allowed for use in an Approved mode of operation. Allowed security functions used in an [..]
Cryptography – Acronyms
The following acronyms and abbreviations are used throughout this standard:
CMS Configuration Management System
CSP Critical Security Parameter
DPA Differential Power Analysis
EDC Error Detection Code
EFP Environmental Failure Protection [..]
Cryptography – Security Levels
Security Level 1
Security Level 1 provides the lowest level of assurance. Basic security requirements are specified for a cryptographic module (e.g., at least one Approved security function must be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components.
Security Level 1 allows the software components of a cryptographic module to be executed on a general purpose computing system [..]
PIV Cards Interoperability
The data objects and keys placed on a PIV Card during issuance use specific cryptographic algorithms selected from the acceptable algorithms in [SP800-78]. A PACS application can interrogate the card to learn which algorithms are used.
To attain full interoperability, a relying PACS application will need to support all acceptable algorithms, key lengths, and key material that could be presented, either by a PIV Card [..]
PIV CARDS – Authentication Capability
Deployed PACS readers use proximity or magnetic stripe technology to interface with identity cards and use proprietary protocols to communicate data. Some of these proprietary protocols employ cryptography, but their use is limited to the local site.
Recommendation for the Use of PIV Credentials in PACS credentials that could be used for a new generation of identity management technology for building access. FIPS 201 and its supporting special publications define the credential [..]
PIV Cards | Counterfeiting | Skimming | Cloning | Social Engineering
Terminated PIV Cards
PIV Cards may be terminated for a number of reasons, including a lost or stolen card. A terminated PIV Card could continue to open doors with the CHUID authentication mechanism long after the card has been terminated.
The check for termination should be performed by a status check, using either the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRL), on a PIV authentication certificate. Credential validation is [..]