makinako edited this page Sep 27, 2017 · 33 revisions

OpenFIPS201 License

An open source implementation of the card application for the NIST Personal Identity Verification standard as specified by FIPS PUB 201-2.

What is FIPS PUB 201-2

Straight from the horse's mouth:

This Standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and logical access to government information systems.

While FIPS PUB 201-2 lays out the overall architecture, requirements and procedures, it is more of an umbrella specification. The detailed technical specifications are described in a number of other documents, the most important of which is NIST SP800-73-4. This document defines the data model, card application, security and off-card interface (middleware).

This project implements the PIV Card Application portion of this document.

What is the PIV Card Application?

The PIV Card Application provides a number of features:

  • It contains a file system that allows reading and writing of a number of files (or Data Objects). It controls access to each Data Object using access control conditions, which require some form of authentication by either the cardholder or the Card Management System.
  • It provides a number of authentication mechanisms utilising PINs, symmetric and asymmetric (PKI) algorithms to authenticate the off-card entity.
  • It supports digital signature generation and key establishment mechanisms.
  • It provides a means to generate asymmetric keys on-card to provide high assurance, especially where digital signatures are involved.

What are the goals of this project?

This project aims to be a straightforward reference implementation of the card application as specified in NIST SP800-73-4.

Its development goals are:

  • Simplicity and Readability - The code is designed to be clean and as close an interpretation of the document as possible, using the document terms wherever possible.
  • Flexibility - The file system, access control rules and applet behaviour are all configured from a single class before compilation, allowing either strict compliance with PIV or additional data objects or security requirements (PIV-I or CIV, for example).
  • Backwards Compatible - The target JavaCard Runtime Environment (JCRE) is 2.2.2, allowing for compatibility with as many hardware platforms as possible.
  • Production Quality - The project aims to be of a quality that can be used directly in a production environment and (eventually) be submitted for certification.
  • Low Memory Footprint - Although the file system itself is capable of taking up enormous amounts of EEPROM, the applet itself is designed to reduce the EEPROM and RAM footprint. Data Object arrays are only allocated when first written to, and the APDU buffer is used where possible for intermediate operations.

Getting Started
