FIPS 201 PIV Profiles (Third-Party Applets, Face to Face)
| Device Profile Name | Profile Description | Unique Identifier | Supported Devices | Supported Pre-Issuance IDs | Comments |
|---|---|---|---|---|---|
| | PIV2 Profile with OT End-Point applets v2.3.2 (SP 800-73-3) | N/A | Oberthur ID-One PIV 2.3.2 on Cosmo v7 | 5_OCS_PIV_232_TEST_OPSC_1 | Card with Oberthur PIV applet v2.3.2 |
| | PIV2 Profile with OT End-Point applets v2.3.5 / 2.4.0 (SP 800-73-4) | N/A | Oberthur ID-One PIV 2.3.5 on Cosmo v8<br>Oberthur ID-One PIV 2.4.0 on Cosmo v8 | 5_OCS_PIV_235_TEST_OPSC_1<br>5_OCS_PIV_240_TEST_OPSC_1 | Card with Oberthur PIV applet v2.3.5 or v2.4.0 |
| PIV FIPS201 F2F Java Card - IDEMIA ID-One PIV 2.4.X - 2048 | PIV / CIV Profile with IDEMIA End-Point applets v2.4.1 and v2.4.2 (SP800-73-4) | N/A | Oberthur ID-One PIV 2.4.1 on Cosmo v8.1<br>Oberthur ID-One PIV 2.4.2 on Cosmo v8.2 | 5_IDEMIA_PIV_241_TEST_OPSC_1 | Card with IDEMIA PIV applet v2.4.1<br>Card with IDEMIA PIV applet v2.4.2 |

- For Gemalto PIV profile (that is, the card with Gemalto PIV applet v1.20), it is necessary to obtain a Gemalto PIV card with configuration “USG 010”.
- For Oberthur PIV profile, ActivID CMS 4.0 SP2 expects Cosmo card with BAP# 81758.
- For Oberthur PIV profiles with Oberthur PIV applet 2.3.2, use BAP #087282.
- For Oberthur PIV profiles with Oberthur PIV applet 2.3.5, use BAP #087420 / #087424 / #087465.
- For Oberthur PIV profiles with Oberthur PIV applet 2.4.0, use BAP #087434.
- For IDEMIA PIV profiles with IDEMIA PIV applet 2.4.1, use BAP #087484.
- For IDEMIA PIV profiles with IDEMIA PIV applet 2.4.2, use BAP #087584.

The profile supports SP 800-73-3 objects, including PIV Discovery, Iris, Key History and Key Management Key objects. It can accommodate 2048-bit PKI keys and the full set of PIV objects is loaded by ActivID CMS (PIV mandatory and optional objects).
The profile is only for Oberthur PIV cards with PIV applet v2.3.2.
A Hardware Security Module (HSM) securely stores secret key material. HSMs are similar to large-storage, multisession smart cards. However, unlike smart cards, they are used mainly on the server side of a system.
In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- MK_SD_ACE_AES_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

The profile supports SP 800-73-3 objects, including PIV Discovery, Iris, Key History and Key Management Key objects. It can accommodate 2048-bit PKI keys and the full set of PIV objects is loaded by ActivID CMS (PIV mandatory and optional objects).
The profile is only for Oberthur PIV cards with PIV applet v2.3.5 or v2.4.0.
In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- For the pre-issuance Card AES 128: MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)
- For the pre-issuance Card AES 256: MK_CM_ACE_AES_32_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_32 (32-byte AES keys)

The profile supports SP 800-73-4 objects, including PIV Discovery, Iris, Key History and Key Management Key objects.
The profile is only for IDEMIA PIV cards with PIV applet v2.4.1 or v2.4.2.
VCI application is available.
PIN is numeric only.
In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- For the pre-issuance Card AES 128: MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)
- For the pre-issuance Card AES 256: MK_CM_ACE_AES_32_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_32 (32-byte AES keys)