SlideShare a Scribd company logo

NIST Guide to Cardholder Authentication for PIV Digital Signatures

R
RepentSinner

This document provides guidance for implementing authentication requirements for the digital signature key stored on Personal Identity Verification (PIV) cards. It clarifies that explicit user action, such as PIN entry, is required each time the digital signature key is used. The document outlines two architectures for PIV card usage and specifies minimum security objectives and controls for implementations that do and do not allow caching of the PIN. These controls are intended to ensure explicit user authorization of each digital signature operation.

1 of 9
Download to read offline
NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key W. Timothy Polk Hildegard Ferraiolo David Cooper This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.7863
NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key W. Timothy Polk Hildegard Ferraiolo David Cooper Computer Security Division Information Technology Laboratory This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.7863 June 2015 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director
ii National Institute of Standards and Technology Internal Report 7863 9 pages (June 2015) This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.7863 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications. Comments on this publication may be submitted to: National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 Email: piv_comments@nist.gov
iii Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. Abstract FIPS 201-2 requires explicit user action by the Personal Identity Verification (PIV) cardholder as a condition for use of the digital signature key stored on the card. This document clarifies the requirement for explicit user action to encourage the development of compliant applications and middleware that use the digital signature key. Keywords personal identification number; personal identity verification; PIN caching; PIV
iv Table of Contents 1. INTRODUCTION ...................................................................................................................................1 2. BACKGROUND .....................................................................................................................................1 3. ARCHITECTURES.................................................................................................................................2 4. MINIMUM SECURITY OBJECTIVES & CONTROLS.............................................................................2 4.1 Per-Transaction PIN Entry ..........................................................................................................2 4.2 Explicit User Action with PIN Caching ......................................................................................2 APPENDIX A— ACRONYMS.........................................................................................................................4 APPENDIX B— REFERENCES ......................................................................................................................4
NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 1 1. Introduction Federal Information Processing Standard (FIPS) 201 defines the Personal Identity Verification (PIV) Card and supporting process requirements. A private cryptographic key, the digital signature key (DSK), is specified for digitally signing messages and data. The DSK is generated on the card and is never exported; all operations with this private key are performed by the PIV Card. FIPS 201 requires authentication of the cardholder via “explicit user action” each time the DSK is used to perform a cryptographic operation. NIST Special Publication 800-73 specifies the “PIN ALWAYS” access condition for the DSK to ensure that the Personal Identification Number (PIN) is submitted to the card for each requested cryptographic operation. However, FIPS 201 does not mandate the use of card readers with integrated PIN entry pads. As a result, the PIV Card itself cannot differentiate between a freshly supplied PIN and a PIN cached by the calling application or system. This specification clarifies the requirement for “explicit user action” and specifies a range of implementation options that satisfy this requirement, in order to ensure a consistent and reliable level of security. 2. Background The digital signature key (DSK) is intended to sign data, such as electronic forms, documents or electronic mail. Operations using the DSK can be performed after the PIV Card has been activated. To protect the DSK against misuse after activation, each subsequent private key operation requires an explicit user action. The PIV Card incorporates a single mechanism for both authenticating the cardholder and expressing explicit user action: entry of the user PIN.1 The user PIN must be presented to the PIV Card to activate the card for privileged/protected operations or to perform a signing operation with the DSK. If the user is prompted for the PIN, and that value is presented to the PIV Card for each operation, the requirement for explicit user action is clearly satisfied. This ensures that the user is present and intended to generate a signature with the DSK each time a signature generation operation is performed. However, ensuring that the PIN is re-entered by the user for each signature operation requires system level controls outside the boundaries of the PIV Card. In addition, for some applications it is considered impractical to require the cardholder to enter the PIN for each signature. For example, users may be required by policy to sign every email message. When the user is sending a large number of email messages in a short period, repeatedly entering the PIN greatly decreases usability. In such cases, the application or middleware can be designed to retain (or cache) the smart card PIN and present it on behalf of the user. However, caching the PIN may allow the application or middleware to present the PIN without the cardholder’s knowledge. The following sections identify possible architectures for systems that use the DSK, and define the minimum security objectives and controls that constitute explicit user action for the PIN ALWAYS access condition of the DSK. 1 FIPS 201-2 introduces the option for PIV Cards to implement on-card fingerprint biometric comparison, in addition to the PIN, as a mechanism to authenticate the cardholder to the card; however, the recommendations in this document only apply to the PIN.
NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 2 3. Architectures There are two basic configurations for a PIV compliant system that leverages the DSK: (1) A computing system can be designed so that the PIN is never exposed to the operating system, middleware, or applications. The components of this system are the host computer with an external smart card reader with keypad, and the PIV Card. In this case, the PIN is submitted from the user “directly” to the PIV Card. The application or operating system cannot cache the PIN so enforcing the PIN ALWAYS requirement is sufficient to confirm explicit user action for each DSK private key operation. (2) A computing system can be designed so that the PIN is entered via the host computer’s keyboard. The components of this system are the host computer system with an internal or external smart card reader without keypad, and the PIV Card. In this case, the PIN is entered into the keyboard and is processed by the operating system, middleware, or application before submission to the PIV Card. In configuration (1), it is the external reader’s responsibility to ensure that the PIN is supplied to the PIV Card as a result of an explicit action. In configuration (2), the host system software, in combination, has the responsibility to ensure that the PIN is supplied to the PIV Card as a result of an explicit action. The following section specifies implementation guidelines for PIV system components. 4. Minimum Security Objectives & Controls This section specifies minimum security controls and objectives for system implementations that leverage the DSK to ensure that each presentation of the PIN represents an explicit user action. Section 4.1 describes functional requirements for systems that prohibit PIN caching. Section 4.2 specifies the minimum security objectives and controls for system implementations that support DSK PIN caching. 4.1 Per-Transaction PIN Entry Entering the PIN each time is the most direct and strongest mechanism to achieve explicit user action for the PIN ALWAYS access condition of the DSK. This can be achieved by any of the following methods: (1) PIN entry is performed exclusively using an external card reader with key pad,2 and the card reader itself does not cache the PIN; or (2) PIN entry is performed using the host system, and the operating system, middleware, and all applications are configured so that the PIN is never cached. In combination with the PIV Card’s native controls, both solutions confirm user action for each DSK private key operation simply by enforcing the PIN ALWAYS requirement. 4.2 Explicit User Action with PIN Caching If the PIN is cached by any component of the system, it is the system’s responsibility to ensure an explicit user action occurs before the PIN is presented to the PIV Card. Examples of affirmative action could include clicking “OK” in a pop-up box or by user selection of an appropriate menu option or commit button within the application. PIN caching implementations for the DSK should ensure that the following are satisfied: 2 Note that the card reader needs to intercept and discard any Application Protocol Data Units (APDUs) that contain the PIN originating from the host system.
NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 3 1. The PIN cache is limited to a single process or application instance. That is, a PIN presented by an email application to digitally sign email is not accessible to other applications resident on the host system, such as workflow or document signing applications. 2. The cached PIN is not presented to the smart card without an associated explicit user action. The explicit user action may be handled by either of the following methods: a. The component that confirms the explicit user action is the component that caches the PIN (e.g., the application or the middleware); or b. The programming interface between the component that confirms the explicit user action and the component that caches the PIN can convey the difference between a request associated with explicit user action and a request that was not associated with an explicit user action. 3. The PIN cache is cleared if any of the following conditions apply: a. The system is shut down or rebooted; b. The PIV Card is removed from the system; c. The associated process or application instance is terminated; or d. The PIN has not been presented to the PIV Card for more than N minutes. (In other words, more than N minutes have passed since the user performed an explicit action authorizing a signature.) The value of N is an agency (or Identity, Credential, and Access Management Subcommittee—ICAMSC) decision but should not exceed thirty minutes.
NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 4 Appendix A—Acronyms APDU Application Protocol Data Unit DSK Digital Signature Key FIPS Federal Information Processing Standard ICAMSC Identity, Credential, and Access Management Subcommittee ITL Information Technology Laboratory NIST National Institute of Standards and Technology NISTIR National Institute of Standards and Technology Internal Report PIN Personal Identification Number PIV Personal Identity Verification SP Special Publication Appendix B—References [FIPS201] Federal Information Processing Standard 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013. http://dx.doi.org/10.6028/NIST.FIPS.201-2 [SP800-73] NIST Special Publication 800-73-4, Interfaces for Personal Identity Verification, May 2015. http://dx.doi.org/10.6028/NIST.SP.800-73-4

Recommended

Document Verification through C-One E-Id - Copy
Document Verification through C-One E-Id - CopyDocument Verification through C-One E-Id - Copy
Document Verification through C-One E-Id - CopyRima Hajou
 
Iot security and Authentication solution
Iot security and Authentication solutionIot security and Authentication solution
Iot security and Authentication solutionPradeep Jeswani
 
Advanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMAdvanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMIRJET Journal
 
The Future of Authentication for IoT
The Future of Authentication for IoTThe Future of Authentication for IoT
The Future of Authentication for IoTFIDO Alliance
 
2FA OTP Token
2FA OTP Token2FA OTP Token
2FA OTP Token2FA, Inc.
 
IRJET - RFID based Automatic Entry Restricted Mechanism for Home Security
IRJET - RFID based Automatic Entry Restricted Mechanism for Home SecurityIRJET - RFID based Automatic Entry Restricted Mechanism for Home Security
IRJET - RFID based Automatic Entry Restricted Mechanism for Home SecurityIRJET Journal
 
IRJET- An Approach to Authenticating Devise in IoT using Blockchain
IRJET- An Approach to Authenticating Devise in IoT using BlockchainIRJET- An Approach to Authenticating Devise in IoT using Blockchain
IRJET- An Approach to Authenticating Devise in IoT using BlockchainIRJET Journal
 
An Online secure ePassport Protocol
An Online secure ePassport ProtocolAn Online secure ePassport Protocol
An Online secure ePassport ProtocolVijay Pasupathinathan, PhD
 

Recommended

Document Verification through C-One E-Id - Copy
Document Verification through C-One E-Id - CopyDocument Verification through C-One E-Id - Copy
Document Verification through C-One E-Id - CopyRima Hajou
 
Iot security and Authentication solution
Iot security and Authentication solutionIot security and Authentication solution
Iot security and Authentication solutionPradeep Jeswani
 
Advanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMAdvanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMIRJET Journal
 
The Future of Authentication for IoT
The Future of Authentication for IoTThe Future of Authentication for IoT
The Future of Authentication for IoTFIDO Alliance
 
2FA OTP Token
2FA OTP Token2FA OTP Token
2FA OTP Token2FA, Inc.
 
IRJET - RFID based Automatic Entry Restricted Mechanism for Home Security
IRJET - RFID based Automatic Entry Restricted Mechanism for Home SecurityIRJET - RFID based Automatic Entry Restricted Mechanism for Home Security
IRJET - RFID based Automatic Entry Restricted Mechanism for Home SecurityIRJET Journal
 
IRJET- An Approach to Authenticating Devise in IoT using Blockchain
IRJET- An Approach to Authenticating Devise in IoT using BlockchainIRJET- An Approach to Authenticating Devise in IoT using Blockchain
IRJET- An Approach to Authenticating Devise in IoT using BlockchainIRJET Journal
 
An Online secure ePassport Protocol
An Online secure ePassport ProtocolAn Online secure ePassport Protocol
An Online secure ePassport ProtocolVijay Pasupathinathan, PhD
 
Draft SP 800-157 - Derived PIV Credentials
Draft SP 800-157 - Derived PIV CredentialsDraft SP 800-157 - Derived PIV Credentials
Draft SP 800-157 - Derived PIV Credentialspuffyduffduff
 
Fu3111411144
Fu3111411144Fu3111411144
Fu3111411144IJERA Editor
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Alliance
 
IRJET - Securing Communication among IoT Devices using Blockchain Proxy
IRJET - Securing Communication among IoT Devices using Blockchain ProxyIRJET - Securing Communication among IoT Devices using Blockchain Proxy
IRJET - Securing Communication among IoT Devices using Blockchain ProxyIRJET Journal
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards.NET Crowd
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpickidsecconf
 
IRJET - BI: Blockchain in Insurance
IRJET - BI: Blockchain in InsuranceIRJET - BI: Blockchain in Insurance
IRJET - BI: Blockchain in InsuranceIRJET Journal
 
Formal Security Analysis of Australian ePassport Implementation
Formal Security Analysis of Australian ePassport ImplementationFormal Security Analysis of Australian ePassport Implementation
Formal Security Analysis of Australian ePassport ImplementationVijay Pasupathinathan, PhD
 
ePassport reloaded goes mobile
ePassport reloaded goes mobileePassport reloaded goes mobile
ePassport reloaded goes mobileJeroen van Beek
 
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...SyedImranAliKazmi1
 
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...IRJET Journal
 
A Meeting Master Picture for a Patent
A Meeting Master Picture for a PatentA Meeting Master Picture for a Patent
A Meeting Master Picture for a PatentClarity Thinker
 
Sdfgh
SdfghSdfgh
Sdfghmirzapur
 
Authenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressAuthenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressFIDO Alliance
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
 
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...IRJET Journal
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
predefense presentation
predefense presentationpredefense presentation
predefense presentationAlphonse Bisangabagabo
 
The State of FIDO
The State of FIDOThe State of FIDO
The State of FIDOFIDO Alliance
 
karsof systems e-visa
karsof systems e-visakarsof systems e-visa
karsof systems e-visaColin Valencia
 
Ars electronica asks faa to fly 200 quadcopters
Ars electronica asks faa to fly 200 quadcoptersArs electronica asks faa to fly 200 quadcopters
Ars electronica asks faa to fly 200 quadcoptersRepentSinner
 
2015 amendments to the manual for courts martial eo13696
2015 amendments to the manual for courts martial eo136962015 amendments to the manual for courts martial eo13696
2015 amendments to the manual for courts martial eo13696RepentSinner
 

More Related Content

What's hot

Draft SP 800-157 - Derived PIV Credentials
Draft SP 800-157 - Derived PIV CredentialsDraft SP 800-157 - Derived PIV Credentials
Draft SP 800-157 - Derived PIV Credentialspuffyduffduff
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Alliance
 
IRJET - Securing Communication among IoT Devices using Blockchain Proxy
IRJET - Securing Communication among IoT Devices using Blockchain ProxyIRJET - Securing Communication among IoT Devices using Blockchain Proxy
IRJET - Securing Communication among IoT Devices using Blockchain ProxyIRJET Journal
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards.NET Crowd
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpickidsecconf
 
IRJET - BI: Blockchain in Insurance
IRJET - BI: Blockchain in InsuranceIRJET - BI: Blockchain in Insurance
IRJET - BI: Blockchain in InsuranceIRJET Journal
 
Formal Security Analysis of Australian ePassport Implementation
Formal Security Analysis of Australian ePassport ImplementationFormal Security Analysis of Australian ePassport Implementation
Formal Security Analysis of Australian ePassport ImplementationVijay Pasupathinathan, PhD
 
ePassport reloaded goes mobile
ePassport reloaded goes mobileePassport reloaded goes mobile
ePassport reloaded goes mobileJeroen van Beek
 
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...SyedImranAliKazmi1
 
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...IRJET Journal
 
A Meeting Master Picture for a Patent
A Meeting Master Picture for a PatentA Meeting Master Picture for a Patent
A Meeting Master Picture for a PatentClarity Thinker
 
Authenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressAuthenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressFIDO Alliance
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
 
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...IRJET Journal
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 

What's hot (20)

Draft SP 800-157 - Derived PIV Credentials
Draft SP 800-157 - Derived PIV CredentialsDraft SP 800-157 - Derived PIV Credentials
Draft SP 800-157 - Derived PIV Credentials
 
Fu3111411144
Fu3111411144Fu3111411144
Fu3111411144
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical Overview
 
IRJET - Securing Communication among IoT Devices using Blockchain Proxy
IRJET - Securing Communication among IoT Devices using Blockchain ProxyIRJET - Securing Communication among IoT Devices using Blockchain Proxy
IRJET - Securing Communication among IoT Devices using Blockchain Proxy
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpick
 
IRJET - BI: Blockchain in Insurance
IRJET - BI: Blockchain in InsuranceIRJET - BI: Blockchain in Insurance
IRJET - BI: Blockchain in Insurance
 
Formal Security Analysis of Australian ePassport Implementation
Formal Security Analysis of Australian ePassport ImplementationFormal Security Analysis of Australian ePassport Implementation
Formal Security Analysis of Australian ePassport Implementation
 
ePassport reloaded goes mobile
ePassport reloaded goes mobileePassport reloaded goes mobile
ePassport reloaded goes mobile
 
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...
A lightweight and_robust_secure_key_establishment_protocol_for_internet_of_me...
 
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...
IRJET- Cloud Data Authentication for Health Monitoring System using IoT Techn...
 
A Meeting Master Picture for a Patent
A Meeting Master Picture for a PatentA Meeting Master Picture for a Patent
A Meeting Master Picture for a Patent
 
Sdfgh
SdfghSdfgh
Sdfgh
 
Authenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressAuthenticate 2021: Welcome Address
Authenticate 2021: Welcome Address
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guide
 
predefense presentation
predefense presentationpredefense presentation
predefense presentation
 
The State of FIDO
The State of FIDOThe State of FIDO
The State of FIDO
 
karsof systems e-visa
karsof systems e-visakarsof systems e-visa
karsof systems e-visa
 

Viewers also liked

Ars electronica asks faa to fly 200 quadcopters
Ars electronica asks faa to fly 200 quadcoptersArs electronica asks faa to fly 200 quadcopters
Ars electronica asks faa to fly 200 quadcoptersRepentSinner
 
2015 amendments to the manual for courts martial eo13696
2015 amendments to the manual for courts martial eo136962015 amendments to the manual for courts martial eo13696
2015 amendments to the manual for courts martial eo13696RepentSinner
 
Probabilistic mitigation of control channel jamming via random key distributi...
Probabilistic mitigation of control channel jamming via random key distributi...Probabilistic mitigation of control channel jamming via random key distributi...
Probabilistic mitigation of control channel jamming via random key distributi...RepentSinner
 
Common lines of flight towards the open city
Common lines of flight towards the open cityCommon lines of flight towards the open city
Common lines of flight towards the open cityRepentSinner
 
How to deal with cia isis army - cia.gov employees email addresses directory
How to deal with cia isis army - cia.gov employees email addresses directoryHow to deal with cia isis army - cia.gov employees email addresses directory
How to deal with cia isis army - cia.gov employees email addresses directoryRepentSinner
 
Hogans first-federal-complaint
Hogans first-federal-complaintHogans first-federal-complaint
Hogans first-federal-complaintRepentSinner
 
Expect declining living standards from decaying economic freedom
Expect declining living standards from decaying economic freedomExpect declining living standards from decaying economic freedom
Expect declining living standards from decaying economic freedomRepentSinner
 
Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...
Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...
Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...RepentSinner
 
Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...
Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...
Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...RepentSinner
 
Us government agencies ip rang
Us government agencies ip rangUs government agencies ip rang
Us government agencies ip rangRepentSinner
 
Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...
Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...
Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...RepentSinner
 
Gawkers foia-complaint
Gawkers foia-complaintGawkers foia-complaint
Gawkers foia-complaintRepentSinner
 
Dennis hastert judge asked recusal for conflict
Dennis hastert judge asked recusal for conflictDennis hastert judge asked recusal for conflict
Dennis hastert judge asked recusal for conflictRepentSinner
 

Viewers also liked (13)

Ars electronica asks faa to fly 200 quadcopters
Ars electronica asks faa to fly 200 quadcoptersArs electronica asks faa to fly 200 quadcopters
Ars electronica asks faa to fly 200 quadcopters
 
2015 amendments to the manual for courts martial eo13696
2015 amendments to the manual for courts martial eo136962015 amendments to the manual for courts martial eo13696
2015 amendments to the manual for courts martial eo13696
 
Probabilistic mitigation of control channel jamming via random key distributi...
Probabilistic mitigation of control channel jamming via random key distributi...Probabilistic mitigation of control channel jamming via random key distributi...
Probabilistic mitigation of control channel jamming via random key distributi...
 
Common lines of flight towards the open city
Common lines of flight towards the open cityCommon lines of flight towards the open city
Common lines of flight towards the open city
 
How to deal with cia isis army - cia.gov employees email addresses directory
How to deal with cia isis army - cia.gov employees email addresses directoryHow to deal with cia isis army - cia.gov employees email addresses directory
How to deal with cia isis army - cia.gov employees email addresses directory
 
Hogans first-federal-complaint
Hogans first-federal-complaintHogans first-federal-complaint
Hogans first-federal-complaint
 
Expect declining living standards from decaying economic freedom
Expect declining living standards from decaying economic freedomExpect declining living standards from decaying economic freedom
Expect declining living standards from decaying economic freedom
 
Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...
Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...
Bilderberg 2015 meeting participants list and photos telfs buchen, austria 11...
 
Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...
Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...
Report of the independent commission of inquiry on the 2014 gaza conflict ­ ...
 
Us government agencies ip rang
Us government agencies ip rangUs government agencies ip rang
Us government agencies ip rang
 
Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...
Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...
Do d doj-cia-nsa-odni inspectors general report on the president’s surveillan...
 
Gawkers foia-complaint
Gawkers foia-complaintGawkers foia-complaint
Gawkers foia-complaint
 
Dennis hastert judge asked recusal for conflict
Dennis hastert judge asked recusal for conflictDennis hastert judge asked recusal for conflict
Dennis hastert judge asked recusal for conflict
 

Similar to NIST Guide to Cardholder Authentication for PIV Digital Signatures

IRJET- Technical Review of different Methods for Multi Factor Authentication
IRJET- Technical Review of different Methods for Multi Factor AuthenticationIRJET- Technical Review of different Methods for Multi Factor Authentication
IRJET- Technical Review of different Methods for Multi Factor AuthenticationIRJET Journal
 
Sp800 63 v1-0_2
Sp800 63 v1-0_2Sp800 63 v1-0_2
Sp800 63 v1-0_2Hai Nguyen
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Editor IJARCET
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Editor IJARCET
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET Journal
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsUlf Mattsson
 
IRJET- Authentic and Anonymous Data Sharing with Enhanced Key Security
IRJET- Authentic and Anonymous Data Sharing with Enhanced Key SecurityIRJET- Authentic and Anonymous Data Sharing with Enhanced Key Security
IRJET- Authentic and Anonymous Data Sharing with Enhanced Key SecurityIRJET Journal
 
IRJET- Easykey - Multipurpose RFID Card based IoT System
IRJET- Easykey - Multipurpose RFID Card based IoT SystemIRJET- Easykey - Multipurpose RFID Card based IoT System
IRJET- Easykey - Multipurpose RFID Card based IoT SystemIRJET Journal
 
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationFIDO Alliance
 
Abstract ppt slides stalin babau m 116 f1a0471
Abstract ppt slides stalin babau m 116 f1a0471Abstract ppt slides stalin babau m 116 f1a0471
Abstract ppt slides stalin babau m 116 f1a0471STALIN BABU
 
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...IJNSA Journal
 
IRJET- Configurable Intelligent Secures - 3FA Smart Lock
IRJET- Configurable Intelligent Secures - 3FA Smart LockIRJET- Configurable Intelligent Secures - 3FA Smart Lock
IRJET- Configurable Intelligent Secures - 3FA Smart LockIRJET Journal
 
Overview fips2012 workshop presentations
Overview fips2012 workshop presentationsOverview fips2012 workshop presentations
Overview fips2012 workshop presentationspuffyduffduff
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...SafeNet
 
Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...
Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...
Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...IJRTEMJOURNAL
 
Digital Certificate Verification using Blockchain
Digital Certificate Verification using BlockchainDigital Certificate Verification using Blockchain
Digital Certificate Verification using BlockchainIRJET Journal
 

Similar to NIST Guide to Cardholder Authentication for PIV Digital Signatures (20)

IRJET- Technical Review of different Methods for Multi Factor Authentication
IRJET- Technical Review of different Methods for Multi Factor AuthenticationIRJET- Technical Review of different Methods for Multi Factor Authentication
IRJET- Technical Review of different Methods for Multi Factor Authentication
 
Bg24375379
Bg24375379Bg24375379
Bg24375379
 
Sp800 63 v1-0_2
Sp800 63 v1-0_2Sp800 63 v1-0_2
Sp800 63 v1-0_2
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor Authentication
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private clouds
 
IRJET- Authentic and Anonymous Data Sharing with Enhanced Key Security
IRJET- Authentic and Anonymous Data Sharing with Enhanced Key SecurityIRJET- Authentic and Anonymous Data Sharing with Enhanced Key Security
IRJET- Authentic and Anonymous Data Sharing with Enhanced Key Security
 
IRJET- Easykey - Multipurpose RFID Card based IoT System
IRJET- Easykey - Multipurpose RFID Card based IoT SystemIRJET- Easykey - Multipurpose RFID Card based IoT System
IRJET- Easykey - Multipurpose RFID Card based IoT System
 
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO Authentication
 
Abstract ppt slides stalin babau m 116 f1a0471
Abstract ppt slides stalin babau m 116 f1a0471Abstract ppt slides stalin babau m 116 f1a0471
Abstract ppt slides stalin babau m 116 f1a0471
 
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...
 
IRJET- Configurable Intelligent Secures - 3FA Smart Lock
IRJET- Configurable Intelligent Secures - 3FA Smart LockIRJET- Configurable Intelligent Secures - 3FA Smart Lock
IRJET- Configurable Intelligent Secures - 3FA Smart Lock
 
Overview fips2012 workshop presentations
Overview fips2012 workshop presentationsOverview fips2012 workshop presentations
Overview fips2012 workshop presentations
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
 
Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...
Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...
Improvement of a PIN-Entry Method Resilient to ShoulderSurfing and Recording ...
 
Digital Certificate Verification using Blockchain
Digital Certificate Verification using BlockchainDigital Certificate Verification using Blockchain
Digital Certificate Verification using Blockchain
 
Passwordless Mobile Banking.pdf
Passwordless Mobile Banking.pdfPasswordless Mobile Banking.pdf
Passwordless Mobile Banking.pdf
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 

NIST Guide to Cardholder Authentication for PIV Digital Signatures

  • 1. NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key W. Timothy Polk Hildegard Ferraiolo David Cooper This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.7863
  • 2. NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key W. Timothy Polk Hildegard Ferraiolo David Cooper Computer Security Division Information Technology Laboratory This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.7863 June 2015 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director
  • 3. ii National Institute of Standards and Technology Internal Report 7863 9 pages (June 2015) This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.7863 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications. Comments on this publication may be submitted to: National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 Email: piv_comments@nist.gov
  • 4. iii Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. Abstract FIPS 201-2 requires explicit user action by the Personal Identity Verification (PIV) cardholder as a condition for use of the digital signature key stored on the card. This document clarifies the requirement for explicit user action to encourage the development of compliant applications and middleware that use the digital signature key. Keywords personal identification number; personal identity verification; PIN caching; PIV
  • 5. iv Table of Contents 1. INTRODUCTION ...................................................................................................................................1 2. BACKGROUND .....................................................................................................................................1 3. ARCHITECTURES.................................................................................................................................2 4. MINIMUM SECURITY OBJECTIVES & CONTROLS.............................................................................2 4.1 Per-Transaction PIN Entry ..........................................................................................................2 4.2 Explicit User Action with PIN Caching ......................................................................................2 APPENDIX A— ACRONYMS.........................................................................................................................4 APPENDIX B— REFERENCES ......................................................................................................................4
  • 6. NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 1 1. Introduction Federal Information Processing Standard (FIPS) 201 defines the Personal Identity Verification (PIV) Card and supporting process requirements. A private cryptographic key, the digital signature key (DSK), is specified for digitally signing messages and data. The DSK is generated on the card and is never exported; all operations with this private key are performed by the PIV Card. FIPS 201 requires authentication of the cardholder via “explicit user action” each time the DSK is used to perform a cryptographic operation. NIST Special Publication 800-73 specifies the “PIN ALWAYS” access condition for the DSK to ensure that the Personal Identification Number (PIN) is submitted to the card for each requested cryptographic operation. However, FIPS 201 does not mandate the use of card readers with integrated PIN entry pads. As a result, the PIV Card itself cannot differentiate between a freshly supplied PIN and a PIN cached by the calling application or system. This specification clarifies the requirement for “explicit user action” and specifies a range of implementation options that satisfy this requirement, in order to ensure a consistent and reliable level of security. 2. Background The digital signature key (DSK) is intended to sign data, such as electronic forms, documents or electronic mail. Operations using the DSK can be performed after the PIV Card has been activated. To protect the DSK against misuse after activation, each subsequent private key operation requires an explicit user action. The PIV Card incorporates a single mechanism for both authenticating the cardholder and expressing explicit user action: entry of the user PIN.1 The user PIN must be presented to the PIV Card to activate the card for privileged/protected operations or to perform a signing operation with the DSK. If the user is prompted for the PIN, and that value is presented to the PIV Card for each operation, the requirement for explicit user action is clearly satisfied. This ensures that the user is present and intended to generate a signature with the DSK each time a signature generation operation is performed. However, ensuring that the PIN is re-entered by the user for each signature operation requires system level controls outside the boundaries of the PIV Card. In addition, for some applications it is considered impractical to require the cardholder to enter the PIN for each signature. For example, users may be required by policy to sign every email message. When the user is sending a large number of email messages in a short period, repeatedly entering the PIN greatly decreases usability. In such cases, the application or middleware can be designed to retain (or cache) the smart card PIN and present it on behalf of the user. However, caching the PIN may allow the application or middleware to present the PIN without the cardholder’s knowledge. The following sections identify possible architectures for systems that use the DSK, and define the minimum security objectives and controls that constitute explicit user action for the PIN ALWAYS access condition of the DSK. 1 FIPS 201-2 introduces the option for PIV Cards to implement on-card fingerprint biometric comparison, in addition to the PIN, as a mechanism to authenticate the cardholder to the card; however, the recommendations in this document only apply to the PIN.
  • 7. NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 2 3. Architectures There are two basic configurations for a PIV compliant system that leverages the DSK: (1) A computing system can be designed so that the PIN is never exposed to the operating system, middleware, or applications. The components of this system are the host computer with an external smart card reader with keypad, and the PIV Card. In this case, the PIN is submitted from the user “directly” to the PIV Card. The application or operating system cannot cache the PIN so enforcing the PIN ALWAYS requirement is sufficient to confirm explicit user action for each DSK private key operation. (2) A computing system can be designed so that the PIN is entered via the host computer’s keyboard. The components of this system are the host computer system with an internal or external smart card reader without keypad, and the PIV Card. In this case, the PIN is entered into the keyboard and is processed by the operating system, middleware, or application before submission to the PIV Card. In configuration (1), it is the external reader’s responsibility to ensure that the PIN is supplied to the PIV Card as a result of an explicit action. In configuration (2), the host system software, in combination, has the responsibility to ensure that the PIN is supplied to the PIV Card as a result of an explicit action. The following section specifies implementation guidelines for PIV system components. 4. Minimum Security Objectives & Controls This section specifies minimum security controls and objectives for system implementations that leverage the DSK to ensure that each presentation of the PIN represents an explicit user action. Section 4.1 describes functional requirements for systems that prohibit PIN caching. Section 4.2 specifies the minimum security objectives and controls for system implementations that support DSK PIN caching. 4.1 Per-Transaction PIN Entry Entering the PIN each time is the most direct and strongest mechanism to achieve explicit user action for the PIN ALWAYS access condition of the DSK. This can be achieved by any of the following methods: (1) PIN entry is performed exclusively using an external card reader with key pad,2 and the card reader itself does not cache the PIN; or (2) PIN entry is performed using the host system, and the operating system, middleware, and all applications are configured so that the PIN is never cached. In combination with the PIV Card’s native controls, both solutions confirm user action for each DSK private key operation simply by enforcing the PIN ALWAYS requirement. 4.2 Explicit User Action with PIN Caching If the PIN is cached by any component of the system, it is the system’s responsibility to ensure an explicit user action occurs before the PIN is presented to the PIV Card. Examples of affirmative action could include clicking “OK” in a pop-up box or by user selection of an appropriate menu option or commit button within the application. PIN caching implementations for the DSK should ensure that the following are satisfied: 2 Note that the card reader needs to intercept and discard any Application Protocol Data Units (APDUs) that contain the PIN originating from the host system.
  • 8. NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 3 1. The PIN cache is limited to a single process or application instance. That is, a PIN presented by an email application to digitally sign email is not accessible to other applications resident on the host system, such as workflow or document signing applications. 2. The cached PIN is not presented to the smart card without an associated explicit user action. The explicit user action may be handled by either of the following methods: a. The component that confirms the explicit user action is the component that caches the PIN (e.g., the application or the middleware); or b. The programming interface between the component that confirms the explicit user action and the component that caches the PIN can convey the difference between a request associated with explicit user action and a request that was not associated with an explicit user action. 3. The PIN cache is cleared if any of the following conditions apply: a. The system is shut down or rebooted; b. The PIV Card is removed from the system; c. The associated process or application instance is terminated; or d. The PIN has not been presented to the PIV Card for more than N minutes. (In other words, more than N minutes have passed since the user performed an explicit action authorizing a signature.) The value of N is an agency (or Identity, Credential, and Access Management Subcommittee—ICAMSC) decision but should not exceed thirty minutes.
  • 9. NISTIR 7863 Cardholder Authentication for the PIV Digital Signature Key 4 Appendix A—Acronyms APDU Application Protocol Data Unit DSK Digital Signature Key FIPS Federal Information Processing Standard ICAMSC Identity, Credential, and Access Management Subcommittee ITL Information Technology Laboratory NIST National Institute of Standards and Technology NISTIR National Institute of Standards and Technology Internal Report PIN Personal Identification Number PIV Personal Identity Verification SP Special Publication Appendix B—References [FIPS201] Federal Information Processing Standard 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013. http://dx.doi.org/10.6028/NIST.FIPS.201-2 [SP800-73] NIST Special Publication 800-73-4, Interfaces for Personal Identity Verification, May 2015. http://dx.doi.org/10.6028/NIST.SP.800-73-4