FIPS 201 CIV Profiles (ActivID Applets)

Enterprise - Crescendo C2300

Enterprise Profile with PIV and FIDO2 support for Crescendo C2300 with Applet v3 (SP800-73-4)

• Unique Identifier (stored in the card): 201100000000000000000141

• Cards with ActivID Applets v3.0 packages preloaded (SEOS, ASClib, ACA, HMAClib, PIVEXT and FIDO).

• Profile based on ActivID Applets 3.0.

• 5 2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature PIN Once, PIV Encryption, 2 Retired Key Management Keys) loaded by ActivID CMS

• PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object

• FIDO Applet (CTAP2 / U2F support) ^(*)

• PIN Shared between PIV and FIDO applet

• PIN Numeric Only

• In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

  • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

^(*) During a recycle operation (that is, card re-issuance), the FIDO credentials are reset. 

Supported Devices

Supported Pre-Issuance IDs

Crescendo C2300 (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0

HID_CRESC_2300_DEFAULT Description HID Crescendo 2300 (Dual Interface) Cards with Default Key and Applets 3.0 Pre-loaded Manufacturer Key Set VOP_ISK_AES_16_1_ENC VOP_ISK_AES_16_1_MAC VOP_ISK_AES_16_1_KEK Diversification NONE Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000085 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID VOP_ISK_AES_16 ContactLogicalDescription 0000000059 ContactlessRequirementID 0000000007 ContactlessKeyConfigID VOP_ISK_AES_16 ContactlessLogicalDescription 0000000059 HID_CRESC_2300_CUSTOM Description HID Crescendo 2300 FIPS (Dual Interface) Cards with CUSTOM Key and Applets 3.0 Pre-loaded Manufacturer Key Set KMC_CM_HIDCRESC_CUST_AES_16_1 Diversification GPSCP03 Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000085 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID 0000000118 ContactLogicalDescription 0000000059 ContactlessRequirementID 0000000007 ContactlessKeyConfigID 0000000118 ContactlessLogicalDescription 0000000059

Enterprise Contactless - Crescendo C2300

Enterprise Contactless Profile with PIV and FIDO2 support for Crescendo C2300 with Applet v3 (SP800-73-4)

• Unique Identifier (stored in the card): 201100000000000000000142

• Cards with ActivID Applets v3.0 packages preloaded (SEOS, ASClib, ACA, HMAClib, PIVEXT and FIDO).

• Profile based on ActivID Applets 3.0.

• 5 2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature PIN Once, PIV Encryption, 2 Retired Key Management Keys) loaded by ActivID CMS

• PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object

• All the objects are accessible through contactless interface.

• FIDO Applet (CTAP2 / U2F support) ^(*)

• PIN Shared between PIV and FIDO applet

• PIN Numeric Only

• In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

  • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

^(*) During a recycle operation (that is, card re-issuance), the FIDO credentials are reset.

Supported Devices

Supported Pre-Issuance IDs

Crescendo C2300 (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0

HID_CRESC_2300_DEFAULT Description HID Crescendo 2300 (Dual Interface) Cards with Default Key and Applets 3.0 Pre-loaded Manufacturer Key Set VOP_ISK_AES_16_1_ENC VOP_ISK_AES_16_1_MAC VOP_ISK_AES_16_1_KEK Diversification NONE Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000085 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID VOP_ISK_AES_16 ContactLogicalDescription 0000000059 ContactlessRequirementID 0000000007 ContactlessKeyConfigID VOP_ISK_AES_16 ContactlessLogicalDescription 0000000059 HID_CRESC_2300_CUSTOM Description HID Crescendo 2300 FIPS (Dual Interface) Cards with CUSTOM Key and Applets 3.0 Pre-loaded Manufacturer Key Set KMC_CM_HIDCRESC_CUST_AES_16_1 Diversification GPSCP03 Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000085 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID 0000000118 ContactLogicalDescription 0000000059 ContactlessRequirementID 0000000007 ContactlessKeyConfigID 0000000118 ContactlessLogicalDescription 0000000059

Enterprise Contactless - Crescendo C2300 (2)

Enterprise Contactless Profile with PIV and FIDO2 support with configurable shared PIN for Crescendo C2300

• Unique Identifier (stored in the card): 20110000000000000000014A

• Replaced by Enterprise - Crescendo profile.

• Cards with ActivID Applets v3.0.3 packages preloaded (SEOS, ASClib, ACA, HMAClib, PIVEXT and FIDO).

• Profile based on ActivID Applets 3.0.3.

• 5 2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature PIN Once, PIV Encryption, 2 Retired Key Management Keys) loaded by ActivID CMS

• PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object

• All the objects are accessible through contactless interface.

• FIDO Applet (CTAP2 / U2F support) ^(*)

• PIN can be shared between PIV and FIDO applet; PIV PIN can be numeric or alphanumeric.

• PIN Numeric Only

• In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

  • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

^(*) During a recycle operation (that is, card re-issuance), the FIDO credentials are reset.

Supported Devices	Supported Pre-Issuance IDs
Crescendo C2300 (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3	HID_CRESC_2300_DEFAULT_2 Description HID Crescendo 2300 (Dual Interface) Cards with Default Key and Applets 3.0.3 Pre-loaded Manufacturer Key Set VOP_ISK_AES_16_1_ENC VOP_ISK_AES_16_1_MAC VOP_ISK_AES_16_1_KEK Diversification NONE Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000085 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID VOP_ISK_AES_16 ContactLogicalDescription 0000000061 ContactlessRequirementID 0000000007 ContactlessKeyConfigID VOP_ISK_AES_16 ContactlessLogicalDescription 0000000061
Crescendo C2300 iCLASS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3	HID_CRESC_2300_ICLASS_DEFAULT Description HID Crescendo 2300 iCLASS Cards with Default Key and Applets 3.0.3 Pre-loaded Manufacturer Key Set VOP_ISK_AES_16_1_ENC VOP_ISK_AES_16_1_MAC VOP_ISK_AES_16_1_KEK Diversification NONE Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000087 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID VOP_ISK_AES_16 ContactLogicalDescription 0000000061 ContactlessRequirementID 0000000007 ContactlessKeyConfigID VOP_ISK_AES_16 ContactlessLogicalDescription 0000000061

Enterprise - Crescendo Key

Enterprise Profile with PIV, OATH and FIDO2 support with configurable shared PIN for Crescendo Key

• Unique Identifier (stored in the card): 20110000000000000000014E

• Replaced by Enterprise - Crescendo profile.

• USB Keys with token button with ActivID Applets v3.0 packages preloaded (SEOS, ASClib, ACA, HMAClib, PIVEXT, FIDO and OATH).

• Profile based on ActivID Applets 3.0.3.

• 5 2048-bit keys PIV PKI Objects (PIV Authentication, PIV Digital Signature PIN Once, PIV Encryption, 2 Retired Key Management Keys) loaded by ActivID CMS

• PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object

• FIDO Applet (CTAP2 / U2F support) ^(*)

• PIN can be shared between PIV and FIDO applet; PIV PIN can be numeric or alphanumeric.

• OATH HOTP and TOTP support

• In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

  • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

^(*) During a recycle operation (that is, card re-issuance), the FIDO credentials are reset.

Supported Devices

Supported Pre-Issuance IDs

Crescendo Key (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

HID_CRESC_KEY_DEFAULT_2 Description HID Crescendo Key with Default Key and Applets 3.0.3 Pre-loaded Manufacturer Key Set VOP_ISK_AES_16_1_ENC VOP_ISK_AES_16_1_MAC VOP_ISK_AES_16_1_KEK Diversification NONE Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000086 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID VOP_ISK_AES_16 ContactLogicalDescription 0000000062 ContactlessRequirementID 0000000007 ContactlessKeyConfigID VOP_ISK_AES_16 ContactlessLogicalDescription 0000000062

CIV - Crescendo C2300 FIPS

CIV profile for Crescendo C2300 FIPS with Applet v3 (SP800-73-4)

• Unique Identifier (stored in the card): 201100000000000000000147

• Replaced by PIV / CIV - Crescendo FIPS profile.

• Cards with ActivID Applets v3.0 packages preloaded (ASClib, ACA, HMAClib and PIVEXT).

• Profile based on ActivID Applets 3.0.

• 14 keys PIV PKI Objects (PIV Authentication, PIV Digital Signature PIN Always, PIV Key Management Key, PIV Card Authentication (RSA 2048, ECC 256 or ECC 384), and 10 Retired Key Management Keys) loaded by ActivID CMS

  Note: In the current version of ActivID CMS, ECC keys can only be used with Card Authentication applications for the Microsoft CA. In addition, ECC certificates only support the ECDSA_256 and ECDSA_384 algorithms.

• PIV EP Buffer Objects, except Iris object

• NIST SP 800-73-4 Support

• PIN Numeric Only

• In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

  • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

Supported Devices

Supported Pre-Issuance IDs

Crescendo C2300 FIPS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0

HID_CRESC_2300_FIPS_DEFAULT Description HID Crescendo 2300 FIPS (Dual Interface) Cards with Default Key and Applets 3.0 Pre-loaded Manufacturer Key Set VOP_ISK_AES_16_1_ENC VOP_ISK_AES_16_1_MAC VOP_ISK_AES_16_1_KEK Diversification NONE Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000084 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID VOP_ISK_AES_16 ContactLogicalDescription 0000000058 ContactlessRequirementID 0000000007 ContactlessKeyConfigID VOP_ISK_AES_16 ContactlessLogicalDescription 0000000058 HID_CRESC_2300_FIPS_CUSTOM Description HID Crescendo 2300 FIPS (Dual Interface) Cards with CUSTOM Key and Applets 3.0 Pre-loaded Manufacturer Key Set KMC_CM_HIDCRESC_CUST_AES_16_1 Diversification GPSCP03 Key Set Version / Index 0x01/0x00 Logical Scheme 2 ManufacturerID HID-01 CardProductID 0000000084 PhysicalDescriptionID 0000000005 PackageConfigID FREE ContactRequirementID 0000000007 ContactKeyConfigID 0000000118 ContactLogicalDescription 0000000058 ContactlessRequirementID 0000000007 ContactlessKeyConfigID 0000000118 ContactlessLogicalDescription 0000000058