PIV Toolkit Overview
This section provides Identity Proofing and Registration System (IDPRS) vendors and integrators an overview of the processes and ActivID CMS public interface usage patterns required to achieve device issuance in a FIPS 201-compliant manner. This documentation focuses on the interface between an Identity Management System (IDMS) and the ActivID CMS.
If you want to configure the PIV Toolkit, refer to Configuring ActivID CMS for PIV and CIV. If you do not have a PIV-compliant CA available, and you want to configure a PIV environment for testing purposes, then refer to Configuring Microsoft Certificate Authority for PIV and CIV Deployments.
Since ActivID CMS 4.3, PIV and PIV-I support has been natively integrated into the ActivID CMS installer; the PIV Toolkit is no longer released as a separate package. Configuration of the PIV Toolkit remains similar to that of previous versions.
This release also supports PIV and PIV-I configuration for Entrust®, Microsoft®, OpenTrust®, and Symantec® Certificate Authorities.
In addition, this release supports the issuance of CIV cards without requiring any integration with an IDMS: ActivID CMS automatically determines the data required to issue the cards, so System Integrators do not need to develop any specific integration. This document does not apply to such CIV deployments.
Related ActivID CMS Technical Publications
For additional information, refer to the following documentation:
About PIV and FIPS 201
FIPS 201 defines smart cards as the devices to be used to provide the appropriate security and rapid electronic authentication required by HSPD-12. FIPS 201-compliant smart cards contain multiple electronic credentials, including cryptographic keys, digital certificates, biometric templates, and other data. There are two parts to FIPS 201: PIV1 and PIV2.
- PIV1 describes the minimum requirements for a system that meets the specified control and security objectives, including the identity proofing process.
- PIV2 provides detailed technical specifications to support the control and security objectives in PIV1 and the details for technical interoperability of PIV cards with authentication, access control and management systems across the U.S. Federal Government.
The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-73. Credentials issued for HSPD-12 must be:
- Issued based on sound criteria for verifying an individual’s identity.
- Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
- Rapidly authenticated electronically.
- Issued only by providers whose reliability has been established by an official process.
In response to HSPD-12, standards organizations (including the Interagency Advisory Board (IAB) for Equipment Standardization and Interoperability, and the National Institute of Standards and Technology (NIST)) have defined the processes and specifications necessary to satisfy the security and interoperability requirements.
About Standard Updates
In 2013, NIST published FIPS 201-2, an update to the FIPS 201 standard.
This standard has been further refined by a number of Special Publications such as SP 800-73-4, released in 2015.
By default, ActivID CMS is configured to issue PIV cards that are compliant with all mandatory requirements of FIPS 201-2 and SP 800-73-4.
Specifically, the card UUID is now included, in addition to the FASC-N, in the CHUID and in the subject alternative name attribute for the PIV Authentication and Card Authentication certificates.
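As an added example (not ActivID CMS code) of what this FIPS 201-2 change means when an integrator verifies issued certificates: the script below builds a DER subjectAltName value containing a constructed FASC-N (otherName, OID 2.16.840.1.101.3.6.6 per SP 800-73-4) and a constructed card UUID (urn:uuid URI), then checks that both identifiers are present; a FASC-N-only SAN, as older cards carried, fails the check.

```python
import uuid
FASCN_OID = bytes.fromhex("6086480165030606")  # id-pivFASC-N 2.16.840.1.101.3.6.6, DER contents
TAG_OTHER_NAME, TAG_URI = 0xA0, 0x86  # GeneralName [0] constructed / [6] primitive
SAMPLE_FASCN = b"\xd4" + bytes(24)    # constructed 25-byte BCD placeholder, not real card data
SAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; the short length form is enough for the values built here."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _walk(data: bytes):
    """Yield (tag, value) for each top-level TLV in data (short and long length forms)."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n

def build_piv_san(fascn: bytes, card_uuid=None) -> bytes:
    """DER SAN value holding otherName{FASC-N} and, when card_uuid is given,
    the urn:uuid URI; omit the UUID to mimic a FIPS 201-1 (FASC-N only) card."""
    other = _tlv(0x06, FASCN_OID) + _tlv(0xA0, _tlv(0x04, fascn))
    names = _tlv(TAG_OTHER_NAME, other)
    if card_uuid is not None:
        names += _tlv(TAG_URI, f"urn:uuid:{card_uuid}".encode("ascii"))
    return _tlv(0x30, names)

def parse_piv_san(san: bytes) -> dict:
    """Return the FASC-N bytes and card UUID found in a DER SAN value."""
    found = {"fascn": None, "uuid": None}
    tag, seq = next(_walk(san))
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE")
    for gtag, gval in _walk(seq):
        if gtag == TAG_OTHER_NAME:
            (_, oid), (_, wrapped) = _walk(gval)  # wrapped = [0] EXPLICIT value
            if oid == FASCN_OID:
                found["fascn"] = next(_walk(wrapped))[1]  # the OCTET STRING body
        elif gtag == TAG_URI and gval.startswith(b"urn:uuid:"):
            found["uuid"] = uuid.UUID(gval[9:].decode("ascii"))
    return found

def is_fips_201_2_san(san: bytes) -> bool:
    """FIPS 201-2 requires both identifiers in the PIV Auth / Card Auth certificate SAN."""
    return all(v is not None for v in parse_piv_san(san).values())
```

On a real certificate, feed the raw value of the subjectAltName extension (OID 2.5.29.17) to parse_piv_san.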
To issue FIPS 201-2-compliant devices, you must:
- Make sure that you are using one of the supported card types.
- Install the new device profiles and create new card policies using the correct device profile (SP 800-73-3 compliant).
- Upgrade the Card Personalization Request used, using the new CPR 2.1.8 schema.
- Make sure that within the PIVEnrollment.properties configuration, Standard Revision is set to 800-73-3 (StandardRevision=800-73-3).
- Change the policy from the default “PIV” to “PIV-201-2” in the “%PROGRAMDATA%\HID Global\Credential Management System\Shared Files\PIVEnrollment.properties” file.
- Update the PIV CPR request XML file by changing the policy from “PIV” to “PIV-201-2”.
It is recommended that you use the CPR 2.1.8 schema to issue PIV cards in compliance with SP 800-73-3. This guide assumes that your system will be configured to comply with this new revision. However, ActivID CMS will continue to issue cards from a system configured with previous CPRs, in compliance with SP 800-73-1, until the CPR schema has been upgraded.
Additional External References
- FIPS 201-2 – Personal Identity Verification (PIV) of Federal Employees and Contractors:
- NIST SP 800-73-4 – Interfaces for Personal Identity Verification (4 parts):
  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
- Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems:
  https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/TIG_SCEPACS_v2.3.pdf
- NIST SP 800-76-2 – Biometric Specifications for Personal Identity Verification:
  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf