FIPS 201 CIV Profiles (ActivID Applets)

CIV – AI 1024-2048 C1100

CIV profile for C1100

  • Unique Identifier (stored in the card): 2011FD000000000000000003

  • Based on ActivID Applet 2.7

  • Profile aligned with NIST SP 800-73-3, for Commercial Identity Verification (CIV) cards: the same card edge as PIV cards for US Government employees, but intended for the commercial world, with no trust relationship to the US Federal Bridge.

  • 6 PIV PKI Objects with 1024/2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 2 Retired Key Management Keys), loaded by ActivID CMS

  • PIV EP Buffer Objects, including Iris, Key History

  • Synchronous SKI Object: Download by the server

  • Offline / Online Unlock done via XAUTH

  • Compatible with Apple Mac TokenD

  • CHUID (Card Holder Unique Identifier), Printed Information and PKI AUTHENTICATE objects are mandatory. All other objects are optional.

Supported Devices

Supported Pre-Issuance IDs

HID Crescendo C1100 (JCOP v2.4.1 R3)

CIV – AI 1024-2048 C1100 (2)

CIV profile for C1100 with Asynchronous SKI

  • Unique Identifier (stored in the card): 201100000000000000000146

  • Based on ActivID Applet 2.7.

  • Profile aligned with NIST SP 800-73-3, for Commercial Identity Verification (CIV) cards: the same card edge as PIV cards for US Government employees, but intended for the commercial world, with no trust relationship to the US Federal Bridge.

  • 6 PIV PKI Objects with 1024/2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 2 Retired Key Management Keys), loaded by ActivID CMS

  • PIV EP Buffer Objects, including Iris, Key History

  • Asynchronous SKI Object: Download by the server

  • Offline / Online Unlock done via XAUTH

  • Compatible with Apple Mac TokenD

  • CHUID, Printed Information and PKI AUTHENTICATE objects are mandatory. All other objects are optional.

Supported Devices

Supported Pre-Issuance IDs

HID Crescendo C1100 (JCOP v2.4.1 R3)

CIV – AI 1024-2048 pivCLASS

CIV profile for pivCLASS.

  • Unique Identifier (stored in the card): 2011FD000000000000000006

  • Based on ActivID Applet 2.7.1.

  • Profile aligned with NIST SP 800-73-3, for Commercial Identity Verification (CIV) cards: the same card edge as PIV cards for US Government employees, but intended for the commercial world, with no trust relationship to the US Federal Bridge.

  • 20 PIV PKI Objects with 1024/2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 16 Retired Key Management Keys), loaded by ActivID CMS

  • PIV EP Buffer Objects, including Iris, Key History

  • Synchronous SKI Object: Download by the server

  • Offline / Online Unlock done via XAUTH

  • FIPS 140-2 L2 Compliant Profile

  • Compatible with Apple Mac TokenD

  • CHUID, Printed Information and PKI AUTHENTICATE objects are mandatory. All other objects are optional.

Supported Devices

Supported Pre-Issuance IDs

HID pivCLASS v1.0 (JCOP v2.4.2 R0)

CIV – AI 1024-2048 pivCLASS (2)

CIV profile for pivCLASS. More flexible card content with addition of client-managed certificates.

  • Unique Identifier (stored in the card): 20110000000000000000012C

  • Based on ActivID Applet 2.7.1.

  • Profile aligned with NIST SP 800-73-3, for Commercial Identity Verification (CIV) cards: the same card edge as PIV cards for US Government employees, but intended for the commercial world, with no trust relationship to the US Federal Bridge.

  • 12 PIV PKI Objects with 1024/2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 8 Retired Key Management Keys), loaded by ActivID CMS.

  • 4 PKI Objects with 1024/2048-bit keys, loaded by ActivID CMS – additional certificates for flexible usage (authentication, digital signature or encryption).

  • 4 PKI Objects with 1024/2048-bit keys, loaded by the end user (PIN protected) – additional certificates for flexible usage (authentication, digital signature or encryption).

  • PIV EP Buffer Objects, except Iris.

  • Synchronous SKI Object: Download by the server

  • Offline / Online Unlock done by XAUTH

  • Profile is not FIPS 140 compliant, because of the 4 PIN-protected PKI Objects loaded by the end user.

  • Compatible with Apple Mac TokenD

  • CHUID, Printed Information and PKI AUTHENTICATE objects are mandatory. All other objects are optional.

Supported Devices

Supported Pre-Issuance IDs

HID pivCLASS v1.0 (JCOP v2.4.2 R0)

CIV – AI 2048 Crescendo 144K FIPS

CIV profile, with extended PKI, for Crescendo 144K FIPS

  • Unique Identifier (stored in the card): 201100000000000000000130

  • Cards with ActivID Applets v2.7.3 packages preloaded (ASClib, ACA, GC/PKI, PIV and SMA V3).

  • Based on ActivID Applet 2.7.3.

  • Profile aligned with NIST SP 800-73-3, for Commercial Identity Verification (CIV) cards: the same card edge as PIV cards for US Government employees, but intended for the commercial world, with no trust relationship to the US Federal Bridge.

  • 4 PIV PKI Objects with 2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 5 Retired Key Management Keys), loaded by ActivID CMS

  • 7 PKI Objects with 2048-bit keys, loaded by ActivID CMS

  • PIV EP Buffer Objects, except Iris

  • PIV AUTHENTICATION, CHUID and Printed Information objects are mandatory. All other objects are optional.

  • In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

    • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK (16-byte AES keys)

    • MK_ID_ACE_UNLCK_1_TRIPLE (24-byte DES keys)

Note: This device profile does not provide One-Time Password capability compatible with current versions of HID authentication servers. Do not use an SKI application in your device policy. Contact HID Global for additional information.

Supported Devices

Supported Pre-Issuance IDs

Crescendo 144K FIPS (G&D SCE 7.0 144K) preloaded with ActivID Applet

CIV – AI 2048 Crescendo PIV

CIV profile, with extended PKI, for Crescendo PIV.

  • Unique Identifier (stored in the card): 201100000000000000000136

  • Cards with ActivID Applets v2.7.5 packages preloaded (ASClib, ACA, GC/PKI, PIV and SMA V3).

  • Based on ActivID Applet 2.7.5.

  • Profile aligned with NIST SP 800-73-3, for Commercial Identity Verification (CIV) cards: the same card edge as PIV cards for US Government employees, but intended for the commercial world, with no trust relationship to the US Federal Bridge.

  • 9 PIV PKI Objects with 2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 5 Retired Key Management Keys), loaded by ActivID CMS

  • 7 PKI Objects with 2048-bit keys, loaded by ActivID CMS

  • PIV EP Buffer Objects, except Iris

  • PIV AUTHENTICATION, CHUID and Printed Information objects are mandatory. All other objects are optional.

  • PIN: Numeric Only

  • In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

    • For the pre-issuance Card AES 128: MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK (16-byte AES keys)

    • For the pre-issuance Card AES 256: MK_CM_ACE_AES_32_OPSC_1_ENC, _MAC, _KEK (32-byte AES keys)

    • MK_ID_ACE_UNLCK_1_TRIPLE (24-byte DES keys)

Supported Devices

Supported Pre-Issuance IDs

Crescendo PIV (G&D SCE 7.0 144K) preloaded with ActivID Applet

Enterprise - Crescendo

Enterprise profile compatible with devices that contain the SEOS and FIDO applets.

  • Unique Identifier (stored in the card): 201100000000000000000151

  • Devices with ActivID Applets v3.0.3 packages preloaded (SEOS, ASClib, ACA, HMAClib, PIVEXT, OATH and FIDO).

  • Based on ActivID Applets 3.0.3.

  • 4 PIV PKI Objects with 2048-bit keys (PIV Authentication, PIV Digital Signature PIN Once, PIV Encryption, 1 Retired Key Management Key), loaded by ActivID CMS.

  • PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object

  • FIDO Applet (CTAP2 / U2F support) (*)

  • PIN can be shared between PIV and FIDO applet.

  • Minimum PIN length: 4 / Maximum PIN Length: 25

    Note: If the Maximum PIN Length is set to a value greater than 8, then the card will not be usable with the Microsoft PIV Minidriver, whatever the PIN-shared configuration, nor with FIDO when the PIN is shared between PIV and FIDO. To manage PINs with more than 8 characters, this profile requires ActivClient 7.4.1 (or higher) and HID Crescendo 2300 Mini Driver 1.2 (or higher).

  • PIN can be configured to be Alphanumeric or Numeric Only.

    Note: If the Maximum PIN Length is set to a value greater than 8, then the PIN cannot be configured as Numeric Only.

  • Contactless firewall can be enabled / disabled in the policy (when disabled, the PIV / OATH operations can be done with a contactless reader).

    Note: For Crescendo C2300 iCLASS CL cards, the contactless firewall must be disabled.

  • OATH HOTP, TOTP and OCRA support

  • In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

    • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

(*) During a recycle operation (that is, card re-issuance), the FIDO credentials are reset.

Supported Devices

Supported Pre-Issuance IDs

Crescendo C2300 FIPS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Crescendo Key (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Crescendo C2300 iCLASS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Enterprise - Crescendo (No FIDO)

Enterprise profile compatible with devices containing SEOS applet.

  • Unique Identifier (stored in the card): 201100000000000000000152

  • Devices with ActivID Applets v3.0.3 packages preloaded (SEOS, ASClib, ACA, HMAClib, PIVEXT and OATH).

  • Based on ActivID Applets 3.0.3.

  • 7 PIV PKI Objects with 2048-bit keys (PIV Authentication, PIV Digital Signature PIN Once, PIV Encryption, 4 Retired Key Management Keys), loaded by ActivID CMS.

  • PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object

  • Minimum PIN length: 4 / Maximum PIN Length: 25

    Note: If the Maximum PIN Length is set to a value greater than 8, then the card will not be usable with the Microsoft PIV Minidriver. To manage PINs with more than 8 characters, this profile requires ActivClient 7.4.1 (or higher) and HID Crescendo 2300 Mini Driver 1.2 (or higher).

  • PIN can be configured to be Alphanumeric or Numeric Only.

    Note: If the Maximum PIN Length is set to a value greater than 8, then the PIN cannot be configured as Numeric Only.

  • Contactless firewall can be enabled / disabled in the policy (when disabled, the PIV / OATH operations can be done with a contactless reader).

  • OATH HOTP, TOTP and OCRA support

  • In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

    • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

Note: Devices issued with this profile that are recycled cannot be issued with the other Enterprise - Crescendo profiles.

Supported Devices

Supported Pre-Issuance IDs

Crescendo C2300 FIPS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Crescendo Key (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Crescendo C2300 iCLASS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Enterprise - Crescendo (No SEOS)

Enterprise profile compatible with devices containing FIDO applet and no SEOS.

  • Unique Identifier (stored in the card): 20110000000000000000014F

  • Compatible with the HID Crescendo C2300 Mini Driver v1.2.

  • 10 PIV PKI Objects with 2048-bit keys (PIV Authentication, PIV Digital Signature PIN Once, PIV Encryption, 7 Retired Key Management Keys), loaded by ActivID CMS.

  • PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object.

  • FIDO Applet (CTAP2 / U2F support) (*)

  • PIN can be shared between PIV and FIDO applet.

  • Minimum PIN length: 4 / Maximum PIN Length: 25

    Note: If the Maximum PIN Length is set to a value greater than 8, then the card will not be usable with the Microsoft PIV Minidriver, whatever the PIN-shared configuration, nor with FIDO when the PIN is shared between PIV and FIDO. To manage PINs with more than 8 characters, this profile requires ActivClient 7.4.1 (or higher) and HID Crescendo 2300 Mini Driver 1.2 (or higher).

  • PIN can be configured to be Alphanumeric or Numeric Only.

    Note: If the Maximum PIN Length is set to a value greater than 8, then the PIN cannot be configured as Numeric Only.

  • Contactless firewall can be enabled / disabled in the policy (when disabled, the PIV / OATH operations can be done with a contactless reader).

  • OATH HOTP, TOTP and OCRA support

  • In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:

    • MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

(*) During a recycle operation (that is, card re-issuance), the FIDO credentials are reset.

Supported Devices

Supported Pre-Issuance IDs

Crescendo C2300 FIPS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Crescendo Key (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3

Crescendo C2300 iCLASS (JCOP 3 SecID P60 CS) preloaded with ActivID Applet 3.0.3