makinako edited this page Oct 30, 2017 · 33 revisions

OpenFIPS201 License

OpenFIPS201 is an open-source implementation of the FIPS 201-2 Personal Identity Verification (PIV) standard. In particular, it implements the on-card PIV applet.

To learn more about PIV and this project, head on over to the Frequently Asked Questions.

Getting Started

The OpenFIPS201 release can be used as-is; however, if you want to customise the applet using the advanced compilation options, you will need to head over to Development first and build the applet from source code.

For those who just want to use the default options, the latest release can be downloaded here.

Once you have downloaded or generated a CAP file, you are ready to install it.

Installation

OpenFIPS201 (and PIV in general) places a number of minimum requirements on any smart card it is installed and used on. If the applet fails to load, the most likely cause is that the card does not meet one or more of these criteria.

The requirements are:

  1. Javacard 2.2.2 or above. Your JCRE/JVM must support the following implementations:
    • Cipher.ALG_AES_BLOCK_128_ECB_NOPAD
    • Cipher.ALG_RSA_NOPAD
    • Cipher.ALG_DES_ECB_NOPAD
    • RandomData.ALG_SECURE_RANDOM
    • OwnerPIN
  2. GlobalPlatform 2.1.1 or above
    • Support for Secure Channel Protocol authentication with encryption and integrity (CENC+CMAC)
    • Support for org.globalplatform.CVM
  3. A minimum of 12-15KB of EEPROM and 512 bytes of CLEAR_ON_RESET transient memory (RAM) (note that a full complement of PIV objects/keys can consume huge amounts of non-volatile memory).
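As an added example (not part of OpenFIPS201 itself), the following minimal diagnostic Java Card applet probes a card for the Java Card 2.2.2 and GlobalPlatform prerequisites listed above and returns the result as a two-byte bitmap, so that a load failure can be traced to a specific missing capability before OpenFIPS201 is installed. The package name, class name and INS value are placeholders; the SCP security level (CENC+CMAC) and the EEPROM budget are not probed here.

```java
package probe;

import javacard.framework.*;
import javacard.security.CryptoException;
import javacard.security.RandomData;
import javacardx.crypto.Cipher;
import org.globalplatform.GPSystem;

// Hypothetical diagnostic applet: answers INS 0x01 with a 2-byte bitmap of the
// OpenFIPS201 prerequisites this card satisfies. It holds no keys and no real PIN.
public class ReqProbe extends Applet {
    private static final byte INS_PROBE = (byte) 0x01;
    private static final short BIT_AES_ECB    = 0x0001; // Cipher.ALG_AES_BLOCK_128_ECB_NOPAD
    private static final short BIT_RSA_NOPAD  = 0x0002; // Cipher.ALG_RSA_NOPAD
    private static final short BIT_DES_ECB    = 0x0004; // Cipher.ALG_DES_ECB_NOPAD
    private static final short BIT_RNG        = 0x0008; // RandomData.ALG_SECURE_RANDOM
    private static final short BIT_OWNERPIN   = 0x0010; // OwnerPIN can be instantiated
    private static final short BIT_GLOBAL_PIN = 0x0020; // org.globalplatform.CVM (Global PIN)
    private static final short BIT_RAM_512    = 0x0040; // 512 bytes CLEAR_ON_RESET available

    private OwnerPIN pin;      // allocated lazily so a failure is reported, not fatal
    private byte[] scratch;    // 512-byte CLEAR_ON_RESET buffer, allocated lazily

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ReqProbe().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    // Cipher.getInstance throws CryptoException.NO_SUCH_ALGORITHM on an unsupported JCRE.
    private static boolean hasCipher(byte alg) {
        try { Cipher.getInstance(alg, false); return true; }
        catch (CryptoException e) { return false; }
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_PROBE) ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        short flags = 0;
        if (hasCipher(Cipher.ALG_AES_BLOCK_128_ECB_NOPAD)) flags |= BIT_AES_ECB;
        if (hasCipher(Cipher.ALG_RSA_NOPAD)) flags |= BIT_RSA_NOPAD;
        if (hasCipher(Cipher.ALG_DES_ECB_NOPAD)) flags |= BIT_DES_ECB;
        try { RandomData.getInstance(RandomData.ALG_SECURE_RANDOM); flags |= BIT_RNG; } catch (CryptoException e) {}
        try { if (pin == null) pin = new OwnerPIN((byte) 3, (byte) 8); flags |= BIT_OWNERPIN; } catch (Exception e) {}
        // GPSystem.getCVM returns null (or throws) when the Global PIN CVM is unavailable to this applet.
        try { if (GPSystem.getCVM(GPSystem.CVM_GLOBAL_PIN) != null) flags |= BIT_GLOBAL_PIN; } catch (Exception e) {}
        try { if (scratch == null) scratch = JCSystem.makeTransientByteArray((short) 512, JCSystem.CLEAR_ON_RESET);
              flags |= BIT_RAM_512; }
        catch (SystemException e) {} // NO_TRANSIENT_SPACE: below the OpenFIPS201 minimum
        Util.setShort(buf, (short) 0, flags);
        apdu.setOutgoingAndSend((short) 0, (short) 2);
    }
}
```

A response of 0x007F means every probed prerequisite is present; any cleared bit names the capability the card lacks.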

When loading the applet onto the card, the following notes apply:

  • As per the SP800-73-4 specification, OpenFIPS201 must be set as the default applet for interoperability
  • If the GLOBAL PIN functionality is enabled, the 'CVM MANAGEMENT' attribute must also be set or Global PIN updates will fail.
  • If OpenFIPS201 is to be managed by an entity other than the card manager, a Supplementary Security Domain should be created for the applet, with key values separate from those of the Issuer Security Domain.

Pre-Personalisation

To maintain a high level of flexibility, OpenFIPS201 deliberately does not define any Data Objects or Keys. Instead, it provides a simple pre-personalisation interface where these can be defined by the card/application management system.

Click here to see how to define the file system and key listing in your OpenFIPS201 applet. Also, a pre-defined script that complies with NIST SP800-73-4 is provided.

Personalisation

Although the PIV standard defines commands to write data objects, generate asymmetric keys and change PIN values, it does not define any administrative mechanism to inject key values manually. This is always necessary for symmetric keys (such as 9B and optionally 9E), but only required for asymmetric keys (9A, 9C, 9D, 9E and retired keys) if they have been generated off-card (i.e. inside an HSM).

OpenFIPS201 supports key injection to address this need, as well as securely configuring default PIN/PUK values.

Click here to see how to define the file system and key listing in your OpenFIPS201 applet.
