- CSRC Home
- Projects / Research
- news & events
Beginning in 2016, the CMVP enforced RNG transition, requiring new modules to implement the SP 800-90A DRBGs, and requiring vendors to update previously validated modules to remain on the active validation list. NPIVP, which relies on the CMVP for cryptographic module testing, also enforced this transition, and is requiring the use of validated DRBGs in PIV cards.
However, feedback from agencies has indicated that vendors are not yet able to migrate to SP 800-90A DRBG PIV cards. As a result, the legacy RNG PIV cards will continue to be issued and used until DRBG PIV cards are available with compatible card management software.
To support the migration of PIV cards to DRBGs, the PIV Validation Program proposes a one-year conditional transition plan ending by June 30, 2017, that allows the continued issuance and use of previously validated PIV cards using legacy RNGs that do not pose an immediate security risk.
According to this transition plan, agencies may continue to procure and issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2023.
SUNSET of RNG
To comply with NIST SP 800-131A, “Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths,” the CMVP has removed cryptographic modules implementing RNG from the FIPS 140-2 validation list as of 1/1/16. These modules have moved to the legacy/historic validation list as they are no longer suited for government procurement. According to CMVP’s announcement, affected modules can be re-introduced into the FIPS 140-2 validation list by 6/30/16 after corrective actions have been taken to replace RNG from affected the modules. More information from CMVP about updating the module in an efficiently manner is provided at http://csrc.nist.gov/groups/STM/cmvp/notices.html.
The sunset of RNG affects PIV Card Applications’ cryptographic modules residing on PIV Cards’ ICC. To reflect the sunset, the NPIVP will mark all PIV Card Applications with affected modules as LEGACY in the PIV Card Application validation list. This change will be effective 2/12/16.
Once corrective actions have been taken to relist the module on the CMVP’s FIPS 140-2 validation list, the NPVIP will lift the LEGACY designation from the PIV Card Application validation list. If the module does not reappear in the CMVP’s FIPS 140-2 validation list by 06/30/16, NPIVP has no other choice but to remove affected PIV Card Applications from the validation list on 07/01/16 and place them in the removed products list. This will signify that procurement of these implementations are not appropriate for government.
The NIST PIV Validation Program (NPIVP) has updated its PIV Middleware and PIV Card Application Validation lists to reflect the FIPS 201-2 implementation schedule. This schedule requires that beginning 09/05/14, new and replacement cards issued by Department and Agencies have to conform to FIPS 201-2 when on-boarding or when replacing PIV Cards as they expire over the next 5 years.
The impact for the NPIVP Validation Program is that some cards with FIPS 201-1 conformant PIV Card Applications have to be removed from the validation list. Only a few cards on the validated list are affected. This is due to the fact that to meet the FIPS 201-2 compliance requirements all that is required is that some of the previously optional PIV Card credentials under FIPS 201-1 must be present in FIPS 201-2 (as they are now mandatory). The Removed Products List (RPL) is now available. The effect on validated PIV Middleware, is broader. PIV Middleware is required to support all functionality (function calls/credentials) of a fully loaded PIV Card. Since SP 800-73-1 and SP 800-73-2 PIV Middleware do NOT support new FIPS 201-2-functionality, they have to be placed on the RPL. The PIV Middleware RPL is also available. Note: The PIV Middleware listed in the SP 800-73-3 PIV Middleware Validation list remains valid and will not be removed. These implementations support the optional credentials/functionality, which now are mandatory under FIPS 201-2.
Finally, the NPIVP validation Authority also removed validated PIV Card Applications that remain in a ‘pending’ state for FIPS 140-2 lasting 3 years or longer. These card applications never received FIPS 140-2 validation, and thus are not allowed to be used by USG.
As of 11/29/2010, NPIVP hereby authorizes all NPIVP Test Facilities to commence certification of PIV cards for conformance to NIST SP 800-73-3 specifications. However certifications of PIV cards for conformance to NIST SP 800-73-2 that are currently under testing will be accepted till December 31, 2010.Effective January 1, 2011, NPIVP will not be accepting test reports from laboratories for NIST SP 800-73-2 cards. From that date, PIV Card Application products claiming conformance to SP 800-73-3 specifications alone will be accepted for validation and issuance of certificates. NIST will be shortly making an announcement regarding the acceptance of test reports for NIST SP 800-73-3 PIV Middleware. If you need any clarifications please do not hesitate to contact us at firstname.lastname@example.org. Thanks for your cooperation.
Effective July 11, 2009, NPIVP will not be accepting test reports from laboratories submitting test evidence for PIV Card Application and PIV Middlware based on SP 800-73-1 specifications. Test Results for PIV Middleware or PIV Card Application products claiming conformance to SP 800-73-2 specifications alone will be accepted for validation and issuance of certificates. If you need any clarifications please do not hesitate to contact us at email@example.com. Thanks for your cooperation.
Effective January 1, 2009, NPIVP will not accept test reports from laboratories submitting test evidence for RSA-1024-based DSK and/or KMK, since these keys do not comply with the cryptographic timelines established in SP 800-78-1, Table 3-1.
Beginning January 1, 2009, PIV Card Applications implementing the PIV Digital Signature Key (DSK) and/or the PIV Key Management Key (KMK) are required to support cryptographic keys that provide a minimum of 112 bits of security strength. RSA 1024-based DSK and KMK provide only 80 bit security strength. These keys, as per SP 800-78-1, Table 3-1, are to be discontinued by the end of 2008. As a result, the validation listing on NPIVPs validation web page will be revised to mark RSA 1024-based DSK and KMK that are no longer valid with respect to the scope of the validation, since they do not comply with the cryptographic timelines established in SP 800-78-1, Table 3-1.
Effective January 1, 2009, affected PIV card application validation entry will appears as follows:
Optional PIV Data Object Implemented:
1) Card Holder Facial Image
2) Card Holder Printed Information
3) X.509 Certificate for Digital Signature
4) X.509 Certificate for PIV Key Management
5) X.509 Certificate for Card Authentication
As of January 1, 2009, PIV card applications implementing the PIV Digital Signature Key (DSK) and/or the PIV Key Management Key (KMK) are required to support cryptographic keys that provide a minimum of 112 bits of security strength. The private key (corresponding to the X.509 certificate in gray font) provides only 80 bit security strength. This key is no longer valid, since it does not comply with the cryptographic timelines established in SP 800-78-1, Table 3-1 and is therefore out of the scope of the validation.
All current NPIVP test facilities are now fully accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) to conduct PIV card application and PIV middleware testing.
As a reminder, NVLAP has announced the addition of the PIV Test Methods to the NVLAP Cryptographic Module Testing LAP (CMT LAP) on 4/26/06.
Due to numerous inquiries about the READ BINARY command, the NIST would like to clarify its use on the contact and contacless cards chip of the PIV card. View Full Report
The NIST has initiated the PIV Biometric Product Testing Resource Center to inform the biometric vendor community of existing product testing procedures.