The National Institute of Standards and Technology (NIST) has updated its PIV standards to align them with the revision of Federal Information Processing Standard (FIPS) 201 published in January 2022.
FIPS 201 sets the standards for Personal Identity Verification (PIV) credentials, including PIV Cards. The FIPS changes prompted subsequent revisions to NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 to align with the new FIPS 201 requirements.
NIST SP 800-73-5: Parts 1–3 covers the technical specifications for using PIV Cards. These parts include the PIV data model (Part 1), the card edge interface (Part 2), and the application programming interface (Part 3). Significant changes in these documents are the removal of the previously deprecated Cardholder Unique Identifier (CHUID) authentication mechanism and the deprecation of the SYM-CAK and Visual (VIS) authentication mechanisms. CHUID is an older method of identifying someone by a unique number stored on their card; SYM-CAK is an authentication method that relies on a shared secret key; and VIS is a method that relies on visual inspection of the card.
An optional one-factor secure messaging authentication mechanism (SM-Auth) has been introduced for facility access applications. Additionally, the use of facial image biometrics has been expanded for general authentication via the BIO and BIO-A authentication mechanisms.
The revised SP 800-73-5 also now includes an optional Cardholder identifier in the PIV Authentication Certificate, which identifies a PIV credential holder within the set of PIV credentials issued to them during eligibility. It also limits the number of consecutive activation retries for both PIN and On-Card Comparison (OCC) attempts to 10 or fewer.
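The retry limit above is enforced by the card itself, but the rule is easy to get wrong in an issuer's personalization policy or in a host-side simulator, so here is a small model of it. This is an added example written for this article, not code from NIST or from SP 800-73-5; the PIN values are constructed, and the class name and `MAX_RETRY_LIMIT` constant are my own naming. It captures the two properties the standard imposes: an issuer may configure a limit no higher than 10, and the credential blocks once that many consecutive failures have occurred, with a success resetting the counter.

```python
"""Model of a PIV activation retry counter (constructed example, not NIST code).

SP 800-73-5 caps consecutive failed PIN / OCC activation attempts at 10 or
fewer. The real counter lives on the card; this host-side model shows the
policy rule (limit <= 10) and the block-after-N-failures behaviour.
"""
from dataclasses import dataclass, field
import hmac

MAX_RETRY_LIMIT = 10  # upper bound stated in SP 800-73-5 for PIN and OCC retries


@dataclass
class ActivationCounter:
    """One retry counter, e.g. for the PIV Card Application PIN or for OCC."""
    reference: bytes                 # stored PIN (or biometric template), constructed
    limit: int = MAX_RETRY_LIMIT     # issuer-configured retry limit
    remaining: int = field(init=False)

    def __post_init__(self) -> None:
        # An issuer may choose a stricter limit, never a looser one.
        if not 1 <= self.limit <= MAX_RETRY_LIMIT:
            raise ValueError(
                f"retry limit must be between 1 and {MAX_RETRY_LIMIT}, got {self.limit}"
            )
        self.remaining = self.limit

    @property
    def blocked(self) -> bool:
        """True once the consecutive-failure budget is exhausted."""
        return self.remaining == 0

    def verify(self, candidate: bytes) -> bool:
        """Attempt activation; a blocked counter rejects everything, even the right value."""
        if self.blocked:
            return False
        # Constant-time comparison so the check itself does not leak the PIN.
        if hmac.compare_digest(candidate, self.reference):
            self.remaining = self.limit  # success resets the consecutive-failure count
            return True
        self.remaining -= 1
        return False


def run_attempts(counter: ActivationCounter, attempts: list[bytes]) -> list[bool]:
    """Replay a sequence of activation attempts and return each outcome."""
    return [counter.verify(a) for a in attempts]


def is_compliant_limit(limit: int) -> bool:
    """Policy check an issuer can apply to a personalization profile."""
    return 1 <= limit <= MAX_RETRY_LIMIT


if __name__ == "__main__":
    pin = ActivationCounter(reference=b"123456", limit=3)
    print(run_attempts(pin, [b"000000", b"123456", b"000000", b"000000", b"000000", b"123456"]))
    print("blocked:", pin.blocked)
```

With a limit of 3, the replay above shows one failure, a success that resets the counter, three further failures that block the card, and then a correct PIN that is still rejected because the credential is blocked; `is_compliant_limit(11)` returns False, which is the configuration mistake the cap is meant to rule out.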
Notably, the PIV Middleware specification in Part 3 is now optional to implement, offering more flexibility in deployment.
NIST SP 800-78-5, which addresses Cryptographic Algorithms and Key Sizes for Personal Identity Verification, has also been updated. This publication defines the cryptographic capabilities required for PIV Cards and their supporting systems, in alignment with FIPS 201-3.
Key updates include the deprecation of certain Triple Data Encryption Algorithm (3TDEA) identifiers and the removal of the retired Random Number Generator (RNG) from Cryptographic Algorithm Validation Program (CAVP) PIV component testing. Similarly, the retired FIPS 186-2 key generation method has been removed from CAVP PIV component testing where applicable.
Additional updates to SP 800-78-5 include the accommodation of the Secure Messaging Authentication key, and updates to Section 3.1 and Table 1 to reflect the inclusion of higher-strength keys with at least 128-bit security, which will be required for authentication starting in 2031. These updates are meant to keep the cryptographic standards in step with advances in security technology and to provide robust protection for PIV credentials.
These revisions by NIST aim to enhance the security and interoperability of PIV credentials and the systems that use them. By aligning SP 800-73-5 and SP 800-78-5 with the updated FIPS 201, NIST is continuing to support the secure identification and authentication needs of federal agencies that rely on PIV credentials.
Source: NIST
July 24, 2024 – by Cass Kennedy and Alex Perala