Personal Identity Verification (PIV) Interfaces, Cryptographic Algorithms, and Key Sizes: NIST Revises SP 800-73 and SP 800-78

In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) credentials, including those on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201.

SP 800-73-5: Parts 1–3
SP 800-73-5: Parts 1–3, Interfaces for Personal Identity Verification, describe the technical specifications for using PIV Cards. The three parts cover the PIV data model (Part 1), the card edge interface (Part 2), and the application programming interface (Part 3). Major changes to the documents include:

  • Removal of the previously deprecated CHUID authentication mechanism
  • Deprecation of the SYM-CAK and VIS authentication mechanisms
  • Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for facility access applications
  • Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
  • Addition of an optional Cardholder identifier in the PIV Authentication Certificate that ties a PIV credential holder to the PIV credential set issued to them during PIV eligibility
  • Restriction of the number of consecutive activation retries for each activation method (i.e., PIN and OCC attempts) to 10 or fewer
  • SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement

SP 800-78-5
SP 800-78-5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for the cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It has been modified to add algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing, including:

  • Deprecation of the 3TDEA algorithms with identifiers ‘00’ and ‘03’
  • Removal of the retired RNG from CAVP PIV component testing where applicable
  • Removal of retired FIPS 186-2 key generation from CAVP PIV component testing where applicable
  • Accommodation of the Secure Messaging Authentication key
  • Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031
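Two of the changes listed above lend themselves to a policy check that an issuer or relying-party integrator can run against a card's configured profile: the SP 800-73-5 cap of 10 or fewer consecutive activation retries per activation method (PIN and OCC), and the SP 800-78-5 deprecation of the 3TDEA algorithm identifiers ‘00’ and ‘03’. The following is an added example, not code from NIST or from either publication; the profile layout, the `ActivationMethod` class and the function names are assumptions, and the card profiles at the bottom are constructed sample data.

```python
"""Added example (not NIST's code): models the SP 800-73-5 activation retry
cap and the SP 800-78-5 3TDEA deprecation as simple, testable checks.
The profile shape and all names below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Iterable, List

MAX_ACTIVATION_RETRIES = 10        # SP 800-73-5: consecutive retries "10 or fewer"
DEPRECATED_ALG_IDS = {"00", "03"}  # SP 800-78-5: 3TDEA identifiers now deprecated


@dataclass
class ActivationMethod:
    """One activation method (PIN or OCC) with its consecutive-failure counter."""
    name: str
    retry_limit: int      # configured maximum consecutive failed attempts
    failures: int = 0     # consecutive failures so far
    blocked: bool = False

    def attempt(self, success: bool) -> str:
        """Apply one activation attempt; returns 'ok', 'fail' or 'blocked'.

        A successful attempt resets the consecutive-failure counter; once the
        configured limit is reached the method stays blocked until reset by
        the issuer's unblock procedure (not modelled here)."""
        if self.blocked:
            return "blocked"
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.retry_limit:
            self.blocked = True
            return "blocked"
        return "fail"


def check_retry_limits(methods: Iterable[ActivationMethod]) -> List[str]:
    """Flag any activation method configured above the SP 800-73-5 cap."""
    return [
        f"{m.name}: retry limit {m.retry_limit} exceeds {MAX_ACTIVATION_RETRIES}"
        for m in methods
        if m.retry_limit > MAX_ACTIVATION_RETRIES
    ]


def check_algorithms(alg_ids_in_use: Iterable[str]) -> List[str]:
    """Flag algorithm identifiers that SP 800-78-5 deprecates (still usable,
    but should be planned out of the credential set)."""
    return [
        f"algorithm id '{a}' is deprecated 3TDEA"
        for a in alg_ids_in_use
        if a in DEPRECATED_ALG_IDS
    ]


def audit_profile(methods: Iterable[ActivationMethod],
                  alg_ids_in_use: Iterable[str]) -> List[str]:
    """Combine both checks into one findings list for a card profile."""
    return check_retry_limits(methods) + check_algorithms(alg_ids_in_use)


if __name__ == "__main__":
    # Constructed sample profile: PIN limit too high, OCC fine, one 3TDEA key.
    sample_methods = [ActivationMethod("PIN", 15), ActivationMethod("OCC", 5)]
    sample_alg_ids = ["00", "07"]  # '00' is deprecated; '07' is a placeholder
    for finding in audit_profile(sample_methods, sample_alg_ids):
        print(finding)

    # Walk a compliant PIN counter to the block state.
    pin = ActivationMethod("PIN", MAX_ACTIVATION_RETRIES)
    for _ in range(MAX_ACTIVATION_RETRIES):
        state = pin.attempt(False)
    print("PIN state after 10 consecutive failures:", state)
```

The counter deliberately resets only on a successful attempt, which is what "consecutive" implies; a checker that counted total failures would lock compliant cards too early, and one that never blocked would allow unbounded guessing against the activation secret.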