Computer Security Resource Center

Two PIV Special Publications (SPs) have been released: (1) SP 800-73-4, Interfaces for Personal Identity Verification, and (2) SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification
June 01, 2015

#1: NIST is pleased to announce the release of Special Publication 800-73-4, Interfaces for Personal Identity Verification. This document has been updated to align with the final FIPS 201-2 and to reflect the disposition of comments that were received on the first and second drafts of SP 800-73-4, published in May 2013 and May 2014, respectively. The complete set of comments and dispositions is provided below.

High level changes from SP 800-73-3 to SP 800-73-4 include:

  • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
  • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
  • Inclusion of clarifying information about the virtual contact interface and the use of the pairing code;
  • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
  • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism;
  • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits;
  • Reduction, in collaboration with the FICAM FIPS 201 Test Program, of some of the PIV Card options where possible.


#2: NIST announces the release of Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to align with the updates in SP 800-73-4. It reflects the disposition of comments that were received on the first and second drafts of SP 800-78-4, which were published in May 2013 and May 2014, respectively. In particular, the following changes were introduced in SP 800-78-4:

  • Removal of information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past;
  • Addition of algorithm and key size requirements for the optional PIV Secure Messaging key;
  • Addition of requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing;
  • Clarification that RSA public keys may only have a public exponent of 65 537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65 537 and less than 2^256.)
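The two exponent rules in the last bullet (the strict rule for keys on a PIV Card, the lenient rule for client applications) as an added, self-contained check; this is example code written for this page, not NIST's or any vendor's code. It assumes the key is handed over as a DER-encoded PKCS#1 RSAPublicKey (SEQUENCE of two INTEGERs), and the modulus used as input is a constructed value, not a real key.

```python
# Added example: check an RSA public exponent against the SP 800-78-4 rules.
# Minimal DER walker for PKCS#1 RSAPublicKey; no third-party libraries.

REQUIRED_EXP = 65537      # the only exponent allowed on a PIV Card key
MAX_EXP = 1 << 256        # clients may accept odd e with 65537 <= e < 2^256


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_exponent(der):
    """Extract publicExponent from a DER-encoded PKCS#1 RSAPublicKey."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, _modulus, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(e_bytes, "big", signed=True)


def card_exponent_ok(e):
    """Card/issuer rule: the exponent must be exactly 65 537."""
    return e == REQUIRED_EXP


def client_exponent_ok(e):
    """Client rule: any odd exponent in [65 537, 2^256) is processable."""
    return e % 2 == 1 and REQUIRED_EXP <= e < MAX_EXP


def encode_rsa_public_key(n, e):
    """Build a DER RSAPublicKey; used here only to construct test input."""
    def integer(x):                         # leading 0x00 keeps the sign bit clear
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return bytes([0x02]) + _der_len(len(b)) + b
    body = integer(n) + integer(e)
    return bytes([0x30]) + _der_len(len(body)) + body


SAMPLE_N = (1 << 2047) + 12345              # constructed 2048-bit modulus, not a real key
```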

The complete set of comments and dispositions is provided below.

Created December 21, 2016, Updated April 25, 2017