FIPS 201 PIV Profiles (ActivID Applets, Face to Face Issuance)

Device Profile Name	Profile Description	Unique Identifier (stored in the card)	Supported Devices	Supported Pre-Issuance IDs	Comments
PIV FIPS201 F2F Java Card – AI 1024-2048 (3)	Standard PIV+ Profile with ActivID Applet v2.6.2b	2011000000000000000000EF	G&D SmartCafe Expert v3.2 144K preloaded with ActivID Applet G&D SmartCafe Expert v5.0 144K preloaded with ActivID Applet Gemalto TOP DL GX4 FIPS preloaded with ActivID Applet Oberthur ID-One Cosmo v7.0-n 128K preloaded with ActivID Applet Oberthur ID-One Cosmo v5.5 128K	GND_144K_GDA_PIV_TEST_OPSC_1 GND_144K_GDA_PIV_PROD_OPSC_1 GND_144K_SCE50_GDA_PIV_TEST_OPSC_1 GND_144K_SCE50_GDA_PIV_PROD_OPSC_1 GEM_GCX4_144K_V1_PIV_TEST_OPSC_2 GEM_GCX4_144K_V1_PIV_PROD_OPSC_2 OCS70_128K_OCS_PIV_TEST_OPSC_1 OCS70_128K_OCS_PIV_PROD_OPSC_1 OCS55_128K_OCS_PIV_TEST_OPSC_1 OCS55_128K_OCS_PIV_PROD_OPSC_1	Based on ActivID Applet v2.6.2b, support for additional certificates compared to previous profiles
PIV FIPS201 F2F Java Card – AI 1024-2048 (4)	Standard PIV+ Profile with ActivID Applet v2.6.2b	2011000000000000000000F8	G&D SmartCafe Expert v3.2 72K preloaded with ActivID Applet G&D SmartCafe Expert v3.2 80K preloaded with ActivID Applet NXP JCOP31 v2.4.1 preloaded with ActivID Applet HID Crescendo C1100 (JCOP v2.4.1 R3) preloaded with ActivID Applet (requires custom order)	GND_72K_GDA_PIV_TEST_OPSC_1 GND_72K_GDA_PIV_PROD_OPSC_1 GND_80K_GDA_PIV_TEST_OPSC_1 GND_80K_GDA_PIV_PROD_OPSC_1 NXP_JCOP_31_NXP_PIV_TEST_OPSC_1 NXP_JCOP_31_NXP_PIV_PROD_OPSC_1 NXP_JCOP_31_NXP_PIV_TEST_OPSC_1 NXP_JCOP_31_NXP_PIV_PROD_OPSC_1	Compared to profile (3), this profile only supports 72K-80K cards and exposes 8 PKI slots Based on ActivID Applet v2.6.2b
PIV FIPS201 F2F Java Card – AI 1024-2048 (6)	Standard PIV+ Profile with ActivID Applet v2.6.2b	201100000000000000000107	G&D SmartCafe Expert v3.2 72K preloaded with ActivID Applet G&D SmartCafe Expert v3.2 80K preloaded with ActivID Applet G&D SmartCafe Expert v5.0 80K preloaded with ActivID Applet G&D Mobile Security Card (secure microSD) preloaded with ActivID Applet Gemalto TOP DL GX4 FIPS preloaded with ActivID Applet NXP JCOP31 v2.4.1 preloaded with ActivID Applet HID Crescendo C1100 (JCOP v2.4.1 R3) preloaded with ActivID Applet (requires custom order)	GND_72K_GDA_PIV_TEST_OPSC_1 GND_72K_GDA_PIV_PROD_OPSC_1 GND_80K_GDA_PIV_TEST_OPSC_1 GND_80K_GDA_PIV_PROD_OPSC_1 GND_80K_SCE50_GDA_PIV_TEST_OPSC_1 GND_80K_SCE50_GDA_PIV_PROD_OPSC_1 GEM_GCX4_144K_V1_PIV_TEST_OPSC_2 GEM_GCX4_144K_V1_PIV_PROD_OPSC_2 NXP_JCOP_31_NXP_PIV_TEST_OPSC_1 NXP_JCOP_31_NXP_PIV_PROD_OPSC_1 NXP_JCOP_31_NXP_PIV_TEST_OPSC_1 NXP_JCOP_31_NXP_PIV_PROD_OPSC_1	Compared to profile (4), this profile sets all objects as optional. It is compatible with Apple Mac TokenD, and supports new cards Based on ActivID Applet v2.6.2b
PIV FIPS201 F2F Java Card – AI 1024-2048 (7)	Standard PIV+ Profile (800-73-3) with ActivID Applet v2.7	20110000000000000000010D	Oberthur ID-On Cosmo v7.0-n 128K preloaded with ActivID Applet G&D SmartCafe Expert v3.2 144K preloaded with ActivID Applet G&D SmartCafe Expert v5.0 144K preloaded with ActivID Applet Gemalto TOP DL GX4 FIPS preloaded with ActivID Applet HID pivCLASS (JCOP v2.4.2 R0 preloaded with ActivID Applet)	OCS70_128K_OCS_PIV_TEST_OPSC_1_APP27 OCS70_128K_OCS_PIV_PROD_OPSC_1_APP27 GND_144K_SCE32_GDA_PIV_TEST_OPSC_1_APP27 GND_144K_SCE32_GDA_PIV_PROD_OPSC_1_APP27 GND_144K_SCE50_GDA_PIV_TEST_OPSC_1_APP27 GND_144K_SCE50_GDA_PIV_PROD_OPSC_1_APP27 GEM_GCX4_144K_V1_PIV_TEST_OPSC_2_APP27 GEM_GCX4_144K_V1_PIV_PROD_OPSC_2_APP27 HID_CRESC_JCOP_242_PIV_TEST_OPSC_1_APP27 HID_CRESC_JCOP_242_PIV_PROD_OPSC_1_APP27	Profile supporting SP 800-73-3 Based on ActivID Applet v2.7
PIV FIPS201 F2F Java Card – AI 1024-2048 (8)	Standard PIV+ Profile (800-73-3) with ActivID Applet v2.7.1	201100000000000000000116	HID pivCLASS (JCOP v2.4.2 R0 preloaded with ActivID Applet)	HID_CRESC_JCOP_242_PIV_TEST_OPSC_1_APP271 HID_CRESC_JCOP_242_PIV_PROD_OPSC_1_APP271	Profile supporting SP 800-73-3 FIPS140-2 L2 Compliant Based on ActivID Applet v2.7.1
PIV FIPS201 F2F Java Card – AI 1024-2048 (9)	Standard PIV+ Profile (800-73-3) with ActivID Applet v2.7.1 with 4 PKI PIN	201100000000000000000124	HID pivCLASS (JCOP v2.4.2 R0 preloaded with ActivID Applet)	HID_CRESC_JCOP_242_PIV_TEST_OPSC_1_APP271 HID_CRESC_JCOP_242_PIV_PROD_OPSC_1_APP271	Similar to (8) but with 4 PIN-protected PKI. Not FIPS 140 compliant. Based on ActivID Applet v2.7.1
PIV FIPS201 F2F Java Card – AI 1024-2048 (10)	Standard PIV+ Profile (800-73-3) with ActivID Applet v2.7.1	2011FD000000000000000001	HID pivCLASS (JCOP v2.4.2 R0 preloaded with ActivID Applet)	HID_CRESC_JCOP_242_PIV_TEST_OPSC_1_APP271 HID_CRESC_JCOP_242_PIV_PROD_OPSC_1_APP271	Similar to (8) with improved Win 8/10 compatibility Based on ActivID Applet v2.7.1
PIV FIPS201 F2F Java Card – AI 1024-2048 – C1100	PIV profile for C1100	2011FD000000000000000002	HID Crescendo C1100 (JCOP v2.4.1 R3)	HID_CRESC_C1100_GEN_TEST_OPSC_1 HID_CRESC_C1100_GEN_PROD_OPSC_1	Based on ActivID Applet 2.7. Aligned with SP 800-73-3, but no FIPS 140 compliance, no contactless interface
PIV FIPS201 F2F Java Card – AI 2048 Crescendo 144K FIPS	PIV profile, with extended PKI, for Crescendo 144K FIPS	201100000000000000000131	Crescendo 144K FIPS (G&D SCE 7.0 144K) preloaded with ActivID Applet	HID_CRESC_144K_FIPS_DEFAULT HID_CRESC_144K_FIPS_CUSTOM	Cards with ActivID Applets v2.7.3 packages preloaded (ASClib, ACA, GC/PKI, PIV and SMA V3). Profile based on ActivID Applet 2.7.3.
PIV FIPS201 F2F Java Card – AI 2048 Crescendo PIV	PIV profile, with extended PKI, for Crescendo PIV	201100000000000000000135	Crescendo PIV (G&D SCE 7.0 144K) preloaded with ActivID Applet 2.7.5	HID_CRESC_PIV_DEFAULT HID_CRESC_PIV_CUSTOM	Cards with ActivID Applets v2.7.5 packages preloaded (ASClib, ACA, GC/PKI, PIV and SMA V3). Profile based on ActivID Applet 2.7.5.
PIV / CIV - Crescendo FIPS	PIV / CIV profile for Crescendo 2300 FIPS and Crescendo Key FIPS	201100000000000000000150	Crescendo C2300 FIPS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0 Crescendo Key FIPS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0	HID_CRESC_2300_FIPS_DEFAULT HID_CRESC_2300_FIPS_CUSTOM HID_CRESC_KEY_FIPS_DEFAULT	Devices with ActivID Applets v3.0 packages preloaded (ASClib, ACA, HMAClib and PIVEXT). Profile based on ActivID Applets 3.0.

Note:

For ActivID PIV+ profiles (preloaded with ActivID Applet packages v2.6.2a), the following default configurations are supported by ActivID CMS:
- Oberthur: BAP #85034
- Gemalto: C1022470
- G&D SmartCafe v3.2 144K: CONFIGURATION3

For ActivID PIV+ profiles (preloaded with ActivID Applet packages v2.6.2b), the following default configuration is supported by ActivID CMS:
- G&D SmartCafe v3.2 144K with ActivID Applet v2.6.2b [CONFIGURATION4]
- G&D SmartCafe v5.0 144K with ActivID Applet v2.6.2b [CONFIGURATION40]
- For the other configuration (non-PIV), this card is requested in [CONFIGURATION1]
- G&D Smart Café Expert v3.2 80K is delivered in [CONFIGURATION25]

PIV FIPS201 F2F Java Card – AI 1024-2048 (9)

NOT recommended for PIV deployments with FIPS 140 requirements
NIST SP 800-73-3 Support
16 1024/2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 12 Retired Key Management Keys) loaded by ActivID CMS
4 1024/2048-bit keys PKI objects loaded by client
PIV EP Buffer Objects, including Iris, Key History
Synchronous SKI Object: Download by the server
Offline / Online Unlock done via XAUTH
Profile is not FIPS 140 compliant due to the 4 PIN protected PKI
Compatible with Apple Mac TokenD
All PIV objects configured as optional

PIV FIPS201 F2F Java Card – AI 1024-2048 (10)

NIST SP 800-73-3 Support
20 1024/2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 16 Retired Key Management Keys) loaded by ActivID CMS
PIV EP Buffer Objects, including Iris, Key History
Synchronous SKI Object: Download by the server
Offline / Online Unlock done via XAUTH
FIPS 140-2 L2 Compliant Profile
Compatible with Apple Mac TokenD
All PIV objects configured as optional
For pivCLASS, improved compatibility with Microsoft PIV mini driver on Windows 8 and 10

PIV FIPS201 F2F Java Card – AI 1024-2048 – C1100

Profile for Crescendo C1100 aligned with NIST SP 800-73-3, but no FIPS 140 certification and no contactless interface
NIST SP 800-73-3 Support
6 1024/2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 2 Retired Key Management Keys) loaded by ActivID CMS
6 1024/2048-bit keys PKI Objects loaded by ActivID CMS
PIV EP Buffer Objects, including Iris, Key History
Synchronous SKI Object: Download by the server
Offline / Online Unlock done via XAUTH
FIPS 140-2 L2 Compliant Profile
Compatible with Apple Mac TokenD
All PIV objects configured as optional

PIV FIPS201 F2F Java Card – AI 2048 Crescendo 144K FIPS

9 2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 5 Retired Key Management Keys) loaded by ActivID CMS
7 2048-bit keys PKI Objects loaded by ActivID CMS
PIV EP Buffer Objects, except Iris
PIV AUTHENTICATION, CHUID Card Holder Unique Identifier, and Security Object are mandatory. All other objects are optional.
Printed Information buffer is optional but is recommended and required for compatibility with the Mac TokenD / PIV Mini Driver.
In addition to the card pre-issuance keys, the following keys must be present in the HSM A Hardware Security Module (HSM) securely stores secret key material. They are similar to large-storage, multisession smart cards. However, unlike smart cards, they are used mainly on the server side of a system. for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK (16-byte AES keys)
- MK_ID_ACE_UNLCK_1_TRIPLE (24-byte DES keys)

Note: This device profile does not provide One-Time Password capability compatible with current versions of HID authentication servers. Do not use an SKI application in your device policy. Contact HID Global for additional information.

PIV FIPS201 F2F Java Card – AI 2048 Crescendo PIV

9 2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 5 Retired Key Management Keys) loaded by ActivID CMS
7 2048-bit keys PKI Objects loaded by ActivID CMS
PIV EP Buffer Objects, except Iris
PIV AUTHENTICATION, CHUID, and Security Object are mandatory. All other objects are optional.
Printed Information buffer is optional but is recommended and required for compatibility with the MAC Tokend / PIV Mini Driver.
PIN Numeric Only
In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK (16-byte AES keys)
- MK_ID_ACE_UNLCK_1_TRIPLE (24-byte DES keys)

PIV / CIV - Crescendo FIPS

14 keys PIV PKI Objects (PIV Authentication, PIV Digital Signature PIN Always, PIV Key Management Key, PIV Card Authentication (RSA 2048, ECC 256 or ECC 384), and 10 Retired Key Management Keys) loaded by ActivID CMS

Note: In the current version of ActivID CMS, ECC keys can only be used with Card Authentication applications for the Microsoft CA. In addition, ECC certificates only support the ECDSA_256 and ECDSA_384 algorithms.
PIV EP Buffer Objects, except Iris object
NIST SP 800-73-4 Support
Minimum PIN Length 6 / Maximum PIN Length 8
PIN Numeric Only
In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)