FIPS 201 PIV Profiles (Third-Party Applets, Face to Face)

Note:

For Gemalto PIV profile (that is, the card with Gemalto PIV applet v1.20), it is necessary to obtain a Gemalto PIV card with configuration “USG 010”.
For Oberthur PIV profile, ActivID CMS 4.0 SP2 expects Cosmo card with BAP# 81758.

PIV FIPS201 F2F Java Card – OT 2.3.2 – 2048

PIV2 Profile with OT End-Point applets v2.3.2 (SP 800-73-3)

Supports SP 800-73-3 objects, including PIV Discovery, Iris, Key History and Key Management Key objects. It can accommodate 2048-bit PKI keys and the full set of PIV objects is loaded by ActivID CMS (PIV mandatory and optional objects).
Only for Oberthur PIV cards with PIV applet v2.3.2.

Note: For Oberthur PIV profiles with Oberthur PIV applet 2.3.2, use BAP #087282.
In addition to the card pre-issuance keys, the following keys must be present in the HSM A Hardware Security Module (HSM) securely stores secret key material. They are similar to large-storage, multisession smart cards. However, unlike smart cards, they are used mainly on the server side of a system. for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- MK_SD_ACE_AES_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)

Supported Devices

Supported Pre-Issuance IDs

Oberthur ID-One PIV 2.3.2 on Cosmo v7

5_OCS_PIV_232_TEST_OPSC_1

Description	OT 7.0 128K FIPS PIV 2.3.2 Sample Stack with PIV TEST Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_TEST_OPSC_1_ENC KMC_CM_OCS_PIV_TEST_OPSC_1_MAC KMC_CM_OCS_PIV_TEST_OPSC_1_KEK
SD Manufacturer Key Set	KMC_SD_OCS_PIV_TEST_AES_OPSC_1_ENC KMC_SD_OCS_PIV_TEST_AES_OPSC_1_MAC KMC_SD_OCS_PIV_TEST_AES_OPSC_1_KEK
CM/SD Diversification	GP211
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_TRIPLE
Initial 9B Key AlgoID	03
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000061
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000052
ContactLogicalDescription	000000003A
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000052
ContactlessLogicalDescription	000000003A

5_OCS_PIV_232_PROD_OPSC_1

Description	OT 7.0 128K FIPS PIV 2.3.2 Sample Stack with PIV PROD Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_OPSC_1_ENC KMC_CM_OCS_PIV_PROD_OPSC_1_MAC KMC_CM_OCS_PIV_PROD_OPSC_1_KEK
SD Manufacturer Key Set	KMC_SD_OCS_PIV_PROD_AES_OPSC_1_ENC KMC_SD_OCS_PIV_PROD_AES_OPSC_1_MAC KMC_SD_OCS_PIV_PROD_AES_OPSC_1_KEK
CM/SD Diversification	GP211
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_TRIPLE
Initial 9B Key AlgoID	03
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000061
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000053
ContactLogicalDescription	000000003B
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000053
ContactlessLogicalDescription	000000003B

100_OCS_PIV_232_PROD_OPSC_1

Description	OT 7.0 128K FIPS PIV 2.3.2 Full Stack with PIV PROD Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_OPSC_1_ENC KMC_CM_OCS_PIV_PROD_OPSC_1_MAC KMC_CM_OCS_PIV_PROD_OPSC_1_KEK
SD Manufacturer Key Set	KMC_SD_OCS_PIV_PROD_AES_OPSC_1_ENC KMC_SD_OCS_PIV_PROD_AES_OPSC_1_MAC KMC_SD_OCS_PIV_PROD_AES_OPSC_1_KEK
CM/SD Diversification	GP211
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_TRIPLE
Initial 9B Key AlgoID	03
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000061
PhysicalDescriptionID	0000000005
PackageConfigID	0000000001
ContactRequirementID	0000000007
ContactKeyConfigID	0000000053
ContactLogicalDescription	000000003B
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000053
ContactlessLogicalDescription	000000003B

PIV FIPS201 F2F Java Card – OT 2.3.5 / 2.4.0 – 2048

PIV2 Profile with OT End-Point applets v2.3.5 / 2.4.0 (SP 800-73-4)

Supports SP 800-73-3 objects, including PIV Discovery, Iris, Key History and Key Management Key objects. It can accommodate 2048-bit PKI keys and the full set of PIV objects is loaded by ActivID CMS (PIV mandatory and optional objects).
Only for Oberthur PIV cards with PIV applet v2.3.5 or v2.4.0.
Note:
- For Oberthur PIV profiles with Oberthur PIV applet 2.3.5, use BAP #087420 / #087424 / #087465.
- For Oberthur PIV profiles with Oberthur PIV applet 2.4.0, use BAP #087434.
In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- For the pre-issuance Card AES 128: MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)
- For the pre-issuance Card AES 256: MK_CM_ACE_AES_32_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_32 (32-byte AES keys)

Supported Devices

Supported Pre-Issuance IDs

Oberthur ID-One PIV 2.3.5 on Cosmo v8

5_OCS_PIV_235_TEST_OPSC_1

Description	OT 8.0 FIPS PIV 2.3.5 Sample Stack with PIV TEST Key
Card specification	PIV 2.3.5 AES 256	PIV 2.3.5 AES 128
Key length supported	256-bit Keys	128-bit Keys
CM Manufacturer Key Set	KMC_CM_OCS_PIV_TEST_AES_32_1_ENC KMC_CM_OCS_PIV_TEST_AES_32_1_MAC KMC_CM_OCS_PIV_TEST_AES_32_1_KEK	KMC_CM_OCS_PIV_TEST_AES_16_1_ENC KMC_CM_OCS_PIV_TEST_AES_16_1_MAC KMC_CM_OCS_PIV_TEST_AES_16_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x00
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32	PIV_OCS_CARD_ADMIN_KEY_SB_AES_16
Initial 9B Key AlgoID	0C	08
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000081
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000110
ContactLogicalDescription	0000000052
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000110
ContactlessLogicalDescription	0000000052

5_OCS_PIV_235_PROD_OPSC_1

Description	OT 8.0 FIPS PIV 2.3.5 Sample Stack with PIV PROD Key
Card specification	PIV 2.3.5 AES 256	PIV 2.3.5 AES 128
Key length supported	256-bit Keys	128-bit Keys
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_AES_32_1_ENC KMC_CM_OCS_PIV_PROD_AES_32_1_MAC KMC_CM_OCS_PIV_PROD_AES_32_1_KEK	KMC_CM_OCS_PIV_PROD_AES_16_1_ENC KMC_CM_OCS_PIV_PROD_AES_16_1_MAC KMC_CM_OCS_PIV_PROD_AES_16_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32	PIV_OCS_CARD_ADMIN_KEY_SB_AES_16
Initial 9B Key AlgoID	0C	08
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000081
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000111
ContactLogicalDescription	0000000052
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000111
ContactlessLogicalDescription	0000000052

100_OCS_PIV_235_PROD_OPSC_1

Description	OT 8.0 FIPS PIV 2.3.5 Full Stack with PIV PROD Key
Card specification	PIV 2.3.5 AES 256	PIV 2.3.5 AES 128
Key length supported	256-bit Keys	128-bit Keys
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_AES_32_1_ENC KMC_CM_OCS_PIV_PROD_AES_32_1_MAC KMC_CM_OCS_PIV_PROD_AES_32_1_KEK	KMC_CM_OCS_PIV_PROD_AES_16_1_ENC KMC_CM_OCS_PIV_PROD_AES_16_1_MAC KMC_CM_OCS_PIV_PROD_AES_16_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32	PIV_OCS_CARD_ADMIN_KEY_SB_AES_16
Initial 9B Key AlgoID	0C	08
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000081
PhysicalDescriptionID	0000000005
PackageConfigID	0000000001
ContactRequirementID	0000000007
ContactKeyConfigID	0000000111
ContactLogicalDescription	0000000052
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000111
ContactlessLogicalDescription	0000000052

Oberthur ID-One PIV 2.4.0 on Cosmo v8

5_OCS_PIV_240_TEST_OPSC_1

Description	OT 8.0 FIPS 2.4.0 Sample Stack with PIV TEST Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_TEST_AES_32_1_ENC KMC_CM_OCS_PIV_TEST_AES_32_1_MAC KMC_CM_OCS_PIV_TEST_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x00
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000081
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000110
ContactLogicalDescription	0000000053
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000110
ContactlessLogicalDescription	0000000053

5_OCS_PIV_240_PROD_OPSC_1

Description	OT 8.0 FIPS PIV 2.4.0 Sample Stack with PIV PROD Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_AES_32_1_ENC KMC_CM_OCS_PIV_PROD_AES_32_1_MAC KMC_CM_OCS_PIV_PROD_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000081
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000111
ContactLogicalDescription	0000000053
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000111
ContactlessLogicalDescription	0000000053

100_OCS_PIV_240_PROD_OPSC_1

Description	OT 8.0 FIPS PIV 2.4.0 Full Stack with PIV PROD Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_AES_32_1_ENC KMC_CM_OCS_PIV_PROD_AES_32_1_MAC KMC_CM_OCS_PIV_PROD_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	Oberthur-01
CardProductID	0000000081
PhysicalDescriptionID	0000000005
PackageConfigID	0000000001
ContactRequirementID	0000000007
ContactKeyConfigID	0000000111
ContactLogicalDescription	0000000053
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000111
ContactlessLogicalDescription	0000000053

PIV FIPS201 F2F Java Card - IDEMIA ID-One PIV 2.4.X - 2048

PIV / CIV Profile with IDEMIA End-Point applets v2.4.1 and v2.4.2 (SP800-73-4)

24 keys PIV PKI Objects (PIV Authentication, PIV Digital Signature PIN Always, PIV Key Management Key, PIV Card Authentication (RSA 2048, ECC 256 or ECC 384), and 20 Retired Key Management Keys) loaded by ActivID CMS.

Note: ECC templates for encryption are not supported.
Supports SP 800-73-4 objects, including PIV Discovery, Iris, Key History and Key Management Key objects.
Only for IDEMIA PIV cards with PIV applet v2.4.1 or v2.4.2.
Note:
- For IDEMIA PIV profiles with IDEMIA PIV applet 2.4.1, use BAP #087484.
- For IDEMIA PIV profiles with IDEMIA PIV applet 2.4.2, use BAP #087584.
VCI application is available.
PIN is numeric only.
In addition to the card pre-issuance keys, the following keys must be present in the HSM for profile issuance. As these keys are post-issuance keys, they should be generated in the HSM:
- For the pre-issuance Card AES 128: MK_CM_ACE_AES_16_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_16 (16-byte AES keys)
- For the pre-issuance Card AES 256: MK_CM_ACE_AES_32_OPSC_1_ENC, _MAC, _KEK, PIV_CARD_ADMINISTRATOR_KEY_9B_AES_32 (32-byte AES keys)

Supported Devices

Supported Pre-Issuance IDs

Oberthur ID-One PIV 2.4.1 on Cosmo v8.1 (BAP 087484)

5_IDEMIA_PIV_241_TEST_OPSC_1

Description	IDEMIA v8.1 with ID-One PIV 2.4.1 Sample Stack with PIV TEST Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_TEST_AES_32_1_ENC KMC_CM_OCS_PIV_TEST_AES_32_1_MAC KMC_CM_OCS_PIV_TEST_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x00
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	IDEMIA-01
CardProductID	0000000083
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000110
ContactLogicalDescription	0000000056
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000110
ContactlessLogicalDescription	0000000056

5_IDEMIA_PIV_241_PROD_OPSC_1

Description	IDEMIA v8.1 with ID-One PIV 2.4.1 Sample Stack with PIV PROD Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_AES_32_1_ENC KMC_CM_OCS_PIV_PROD_AES_32_1_MAC KMC_CM_OCS_PIV_PROD_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	IDEMIA-01
CardProductID	0000000083
PhysicalDescriptionID	0000000005
PackageConfigID	0000000002
ContactRequirementID	0000000007
ContactKeyConfigID	0000000111
ContactLogicalDescription	0000000056
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000111
ContactlessLogicalDescription	0000000056

100_IDEMIA_PIV_241_PROD_OPSC_1

Description	IDEMIA v8.1 with ID-One PIV 2.4.1 Full Stack with PIV PROD Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_AES_32_1_ENC KMC_CM_OCS_PIV_PROD_AES_32_1_MAC KMC_CM_OCS_PIV_PROD_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	IDEMIA-01
CardProductID	0000000083
PhysicalDescriptionID	0000000005
PackageConfigID	0000000001
ContactRequirementID	0000000007
ContactKeyConfigID	0000000111
ContactLogicalDescription	0000000056
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000111
ContactlessLogicalDescription	0000000056

Oberthur ID-One PIV 2.4.2 on Cosmo v8.2 (BAP 087584)

IDEMIA_PIV_242_TEST_OPSC_1

Description	IDEMIA v8.2 with ID-One PIV 2.4.2 Sample Stack with PIV TEST Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_TEST_AES_32_1_ENC KMC_CM_OCS_PIV_TEST_AES_32_1_MAC KMC_CM_OCS_PIV_TEST_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x00
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	IDEMIA-01
CardProductID	0000000088
PhysicalDescriptionID	0000000005
PackageConfigID	FREE
ContactRequirementID	0000000007
ContactKeyConfigID	0000000110
ContactLogicalDescription	0000000056
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000110
ContactlessLogicalDescription	0000000056

IDEMIA_PIV_242_PROD_OPSC_1

Description	IDEMIA v8.2 with ID-One PIV 2.4.2 Sample Stack with PIV PROD Key
CM Manufacturer Key Set	KMC_CM_OCS_PIV_PROD_AES_32_1_ENC KMC_CM_OCS_PIV_PROD_AES_32_1_MAC KMC_CM_OCS_PIV_PROD_AES_32_1_KEK
CM Diversification	GPSCP03
Key Set Version / Index	0x01/0x0
Initial 9B key Label	PIV_OCS_CARD_ADMIN_KEY_SB_AES_32
Initial 9B Key AlgoID	0C
Logical Scheme	2
ManufacturerID	IDEMIA-01
CardProductID	0000000088
PhysicalDescriptionID	0000000005
PackageConfigID	FREE
ContactRequirementID	0000000007
ContactKeyConfigID	0000000111
ContactLogicalDescription	0000000056
ContactlessRequirementID	0000000007
ContactlessKeyConfigID	0000000111
ContactlessLogicalDescription	0000000056