AIR FORCE FIPS-PUB-201-1 CHG NOTICE 1-2006 Personal Identity Verification (PIV) of Federal Employees and Contractors.pdf

1、 FIPS PUB 201-1 Change Notice 1FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Personal Identity Verification (PIV) of Federal Employees and Contractors Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8900 March

2、2006 U.S. DEPARTMENT OF COMMERCE Carlos M. Gutierrez, Secretary NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY William A. Jeffrey, Director Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND

3、CONTRACTORS Acknowledgements NIST would like to acknowledge the significant contributions of the Federal Identity Credentialing Committee (FICC) and the Smart Card Interagency Advisory Board (IAB) for providing valuable contributions to the development of technical frameworks on which this standard

4、is based. Special thanks to those who have participated in the workshops and provided valuable technical suggestions in shaping this standard. NIST also acknowledges the comments received from government and industry organizations during the preliminary draft review period. ii Provided by IHSNot for

5、 ResaleNo reproduction or networking permitted without license from IHS-,-,-PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS FOREWORD The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official

6、series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002. Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory,

7、National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900. Dr. Shashi Phoha, Director Information Technology Laboratory ABSTRACT This standard specifies the architecture and technical requirements for a common identification standard for Federal employe

8、es and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems. The

9、standard contains two major sections. Part one describes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of Homeland Security Presidential Directive 12, including personal identity proofing, registration, and issuance. Part

10、two provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The

11、physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in Special Publication 800-73, Interfaces for Persona

12、l Identity Verification. Similarly, the interfaces and data formats of biometric information are specified in Special Publication 800-76, Biometric Data Specification for Personal Identity Verification. This standard does not specify access control policies or requirements for Federal departments an

13、d agencies. Keywords: Architecture, authentication, authorization, biometrics, credential, cryptography, Federal Information Processing Standards (FIPS), HSPD 12, identification, identity, infrastructure, model, Personal Identity Verification, PIV, validation, verification. iii Provided by IHSNot fo

14、r ResaleNo reproduction or networking permitted without license from IHS-,-,-PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS Federal Information Processing Standards 201 2005 Announcing the Standard for Personal Identity Verification of Federal Employees and Contractors Fed

15、eral Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002. 1. Name of Standard. FIPS PUB 201: Personal

16、Identity Verification (PIV) of Federal Employees and Contractors. 2. Category of Standard. Information Security. 3. Explanation. Homeland Security Presidential Directive 12 (HSPD 12), dated August 27, 2004, entitled “Policy for a Common Identification Standard for Federal Employees and Contractors,”

17、 directed the promulgation of a Federal standard for secure and reliable forms of identification for Federal employees and contractors. It further specified secure and reliable identification that + Is issued based on sound criteria for verifying an individual employees identity + Is strongly resist

18、ant to identity fraud, tampering, counterfeiting, and terrorist exploitation + Can be rapidly authenticated electronically + Is issued only by providers whose reliability has been established by an official accreditation process. The directive stipulated that the standard include graduated criteria,

19、 from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. As promptly as possible, but in no case later than eight months after the date of promulgation, executive departments and agencies are required to implement the standard for

20、identification issued to Federal employees and contractors in gaining physical access to controlled facilities and logical access to controlled information systems. 4. Approving Authority. Secretary of Commerce. iv Provided by IHSNot for ResaleNo reproduction or networking permitted without license

21、from IHS-,-,-PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS 5. Maintenance Agency. Department of Commerce, NIST, Information Technology Laboratory (ITL). 6. Applicability. This standard is applicable to identification issued by Federal departments and agencies to Federal e

22、mployees and contractors (including contractor employees) for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems except for “national security systems” as defined by 44 U.S.C. 3542(b)(2). Except as provided in HSPD 12, nothing in

23、 this standard alters the ability of government entities to use the standard for additional applications. Special-Risk Security ProvisionThe U.S. Government has personnel, facilities, and other assets deployed and operating worldwide under a vast range of threats (e.g., terrorist, technical, intelli

24、gence), particularly heightened overseas. For those agencies with particularly sensitive OCONUS threats, the issuance, holding, and/or use of PIV credentials with full technical capabilities as described herein may result in unacceptably high risk. In such cases of extant risk (e.g., to facilities,

25、individuals, operations, the national interest, or the national security), by the presence and/or use of full-capability PIV credentials, the head of a Department or independent agency may issue a select number of maximum security credentials that do not contain (or otherwise do not fully support) t

26、he wireless and/or biometric capabilities otherwise required/referenced herein. To the greatest extent practicable, heads of Departments and independent agencies should minimize the issuance of such special-risk security credentials so as to support inter-agency interoperability and the Presidents p

27、olicy. Use of other risk-mitigating technical (e.g., high-assurance on-off switches for the wireless capability) and procedural mechanisms in such situations is preferable, and as such is also explicitly permitted and encouraged. As protective security technology advances, this need for this provisi

28、on will be re-assessed as the standard undergoes the normal review and update process. 7. Specifications. Federal Information Processing Standards (FIPS) 201 Personal Identity Verification (PIV) of Federal Employees and Contractors. 8. Implementations. The PIV standard consists of two partsPIV-I and

29、 PIV-II. PIV-I satisfies the control objectives and meets the security requirements of HSPD 12, while PIV-II meets the technical interoperability requirements of HSPD 12. PIV-II specifies implementation and use of identity credentials on integrated circuit cards for use in a Federal personal identit

30、y verification system. PIV Cards must be personalized with identity information for the individual to whom the card is issued, in order to perform identity verification both by humans and automated systems. Humans can use the physical card for visual comparisons, whereas automated systems can use th

31、e electronically stored data on the card to conduct automated identity verification. Federal departments and agencies may self-accredit, or use other accredited issuers, to issue identity credentials for Federal employees and contractors until a government-wide PIV-II accreditation process is establ

32、ished. The standard also covers security and interoperability requirements for PIV Cards. Funding permitting, NIST plans to develop a PIV Validation Program that will test implementations for conformance with this standard. Additional information on this program will be published at http:/csrc.nist.

33、gov/npivp/ as it becomes available. v Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS The respective numbers of agency-issued 1) general credentials and 2) Special-risk credent

34、ials (issued under the Special-Risk Security Provision) shall be subject to annual reporting to the Office of Management and Budget (OMB) under the annual reporting process in a manner prescribed by OMB. 9. Effective Date. This standard is effective immediately. Federal departments and agencies shal

35、l meet the requirements of PIV-I no later than October 27, 2005, in accordance with the timetable specified in HSPD 12. The OMB has advised NIST that it plans to issue guidance regarding the transition from PIV-I to PIV-II. It is anticipated that some Federal departments and agencies may begin with

36、PIV-II, which would eliminate the need for such a transition. 10. Qualifications. The security provided by the PIV system is dependent on many factors outside the scope of this standard. Upon adopting this standard, organizations must be aware that the overall security of the personal identification

37、 system relies on + Assurance provided by the issuer of an identity credential that the individual in possession of the credential has been correctly identified + Protection provided to an identity credential stored within the PIV Card and transmitted between the card and the PIV issuance and usage

38、infrastructure + Protection provided to the identity verification system infrastructure and components throughout the entire life cycle. Although it is the intent of this standard to specify mechanisms and support systems that provide high assurance personal identity verification, conformance to thi

39、s standard does not assure that a particular implementation is secure. It is the implementers responsibility to ensure that components, interfaces, communications, storage media, managerial processes, and services used within the identity verification system are designed and built in a secure manner

40、. Similarly, the use of a product that conforms to this standard does not guarantee the security of the overall system in which the product is used. The responsible authority in each department and agency shall ensure that an overall system provides the acceptable level of security. Because a standa

41、rd of this nature must be flexible enough to adapt to advancements and innovations in science and technology, the NIST will review this standard within five years to assess its adequacy. NIST plans to seek agency input in one year to see whether a full review of the standard is needed. 11. Waivers.

42、As per the Federal Information Security Management Act of 2002, waivers to Federal Information Processing Standards are not allowed. 12. Where to Obtain Copies. This publication is available through the Internet by accessing http:/csrc.nist.gov/publications/. vi Provided by IHSNot for ResaleNo repro

43、duction or networking permitted without license from IHS-,-,-PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS Table of Contents 1. Introduction .1 1.1 Purpose.1 1.2 Scope1 1.3 Document Organization 2 2. Common Identification, Security, and Privacy Requirements5 2.1 Control O

44、bjectives.5 2.2 PIV Identity Proofing and Registration Requirements.5 2.3 PIV Issuance and Maintenance Requirements.6 2.4 PIV Privacy Requirements 7 3. PIV System Overview10 3.1 Functional Components 10 3.1.1 PIV Front-End Subsystem .11 3.1.2 PIV Card Issuance and Management Subsystem.12 3.1.3 Acces

45、s Control Subsystem12 3.2 PIV Card Life Cycle Activities .13 4. PIV Front-End Subsystem15 4.1 Physical PIV Card Topology .15 4.1.1 Printed Material .15 4.1.2 Tamper Proofing and Resistance15 4.1.3 Physical Characteristics and Durability .16 4.1.4 Visual Card Topography17 4.1.5 Logical Credentials29

46、4.1.6 PIV Card Activation .29 4.2 Cardholder Unique Identifier (CHUID) 30 4.2.1 PIV CHUID Data Elements30 4.2.2 Asymmetric Signature Field in CHUID 30 4.3 Cryptographic Specifications 31 4.4 Biometric Data Specifications .33 4.4.1 Biometric Data Collection, Storage, and Usage 34 4.4.2 Biometric Data

47、 Representation and Protection .35 4.4.3 Biometric Data Content .36 4.5 Card Reader Specifications 36 4.5.1 Contact Reader Specifications 37 4.5.2 Contactless Reader Specifications37 4.5.3 PIN Input Device Specifications 37 5. PIV Card Issuance and Management Subsystem 38 5.1 Control Objectives and

48、Interoperability Requirements38 5.2 PIV Identity Proofing and Registration Requirements.38 5.3 PIV Issuance and Maintenance Requirements.39 5.3.1 PIV Card Issuance.39 5.3.2 PIV Card Maintenance 39 5.4 PIV Key Management Requirements41 5.4.1 Architecture .41 5.4.2 PKI Certificate41 vii Provided by IH

49、SNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS 5.4.3 X.509 CRL Contents43 5.4.4 Migration from Legacy PKIs 43 5.4.5 PKI Repository and OCSP Responder(s)43 5.5 PIV Privacy Requirements 44 6. PIV Card Holder Authentication.45 6.1 Identity Authentication Assurance Levels .45 6