NIST Revises FIPS And PIV Technical Requirements.
The U.S. National Institute of Standards and Technology (NIST) has revised the technical requirements of Federal Information Processing Standard 201 (FIPS 201) for the Personal Identity Verification (PIV) credentials issued to U.S. federal employees and contractors.
The successive revisions to FIPS 201 since the PIV programme began in 2004 are designed to enhance both the security and interoperability of PIV credentials and the systems that use and support them. With the publication of NIST Special Publication (SP) 800-73-5 and SP 800-78-5, the fifth revisions of the two supporting specifications, NIST said these standards now better align with FIPS 201 and better support the secure identification and authentication needs of federal agencies that rely on PIV credentials for facility and other access.
According to NIST, the “updates are meant to ensure that the cryptographic standards keep pace with advancements in security technology and provide robust protection for PIV credentials.”
SP 800-73, Interfaces for Personal Identity Verification, contains the technical specifications for using PIV credentials: the PIV data model, the card edge interface (the command set a card accepts) and the application programming interface that client software uses.
FIPS 201 specifies the credentials that must be used by federal employees and contractors to access federal sites and is the standard that covers the activities involved in issuing a PIV card, such as identity proofing and enrolment, as well as the lifecycle activities for updating, using, and maintaining PIV cards.
The NIST standards inevitably have a flow-on effect on standards around the world, particularly for US-allied Five Eyes nations, including Australia and New Zealand.
The “significant” changes announced by NIST include the removal of the previously deprecated CHUID, SYM-CAK and VIS authentication mechanisms for PIV credentials. CHUID (Cardholder Unique Identifier) authentication relied on reading the card’s unique identifier data object; the object is signed by the issuer, but it can be read from the card without a PIN and so can be copied to a counterfeit card, which is why the mechanism was rated for little or no assurance. SYM-CAK is a challenge-response method based on a symmetric key shared between the card and the verifying system, and VIS relies on a visual check of the printed card.
An optional one-factor secure messaging authentication mechanism (SM-AUTH) has also been added for secure facility access applications, and the facial image biometric may now be used for general authentication with the BIO and BIO-A authentication mechanisms.
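The difference between presenting a static, signed identifier and answering a fresh challenge is the security-relevant point behind the removal of CHUID authentication. The following toy model, added here as an illustration and not code from NIST or from any PIV card or reader product, simulates in standard-library Python a reader that accepts a card on its signed CHUID object, one that runs a SYM-CAK-style challenge-response with a shared key, and one that runs an asymmetric challenge-response against an issuer-certified card key, then tries each against a counterfeit card built only from data the genuine card returns without a PIN. The card classes, the cardholder identifier string, the reader’s key database and the 512-bit textbook RSA (unpadded, toy sizes) are all constructed for the example and stand in for the real PIV data objects, certificates and algorithms.

```python
import hashlib
import hmac
import os
import random

random.seed(2024)  # deterministic toy keys; nonces still come from os.urandom

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin, enough for toy primes."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Textbook RSA ((n, e), (n, d)) at toy size; never use as-is."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, msg):  # unpadded hash-then-sign, illustration only
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

class PivCard:
    """Constructed stand-in for a genuine card: signed CHUID (readable without PIN),
    a symmetric CAK, and an asymmetric key whose public half the issuer has signed."""
    def __init__(self, cardholder_id, issuer_priv, sym_cak):
        self.chuid = cardholder_id.encode()
        self.chuid_sig = sign(issuer_priv, self.chuid)
        self.pub, self._priv = rsa_keygen()
        self.cert_sig = sign(issuer_priv, repr(self.pub).encode())  # mini "certificate"
        self._sym_cak = sym_cak
    def read_chuid(self):          # free read: no PIN, no proof of possession
        return self.chuid, self.chuid_sig
    def read_cert(self):           # also a free read
        return self.pub, self.cert_sig
    def sym_respond(self, nonce):
        return hmac.new(self._sym_cak, nonce, hashlib.sha256).digest()
    def pki_respond(self, nonce):
        return sign(self._priv, nonce)

class ClonedCard(PivCard):
    """Counterfeit built only from objects the genuine card hands out freely."""
    def __init__(self, genuine):   # deliberately no super(): there are no keys to copy
        self.chuid, self.chuid_sig = genuine.read_chuid()
        self.pub, self.cert_sig = genuine.read_cert()
    def sym_respond(self, nonce):
        return os.urandom(32)      # no shared key, so a guess
    def pki_respond(self, nonce):
        return 0                   # no private key, so no valid signature

def auth_chuid(card, issuer_pub):
    """Removed mechanism: the object is signed, but anything free-read can be copied."""
    chuid, sig = card.read_chuid()
    return verify(issuer_pub, chuid, sig)

def auth_sym_cak(card, key_db):
    """Removed mechanism: challenge-response, but the verifier must hold every card's key."""
    chuid, _ = card.read_chuid()
    nonce = os.urandom(16)
    expected = hmac.new(key_db[chuid], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.sym_respond(nonce))

def auth_pki_cak(card, issuer_pub):
    """Asymmetric challenge-response: certified public key, no card secret at the verifier."""
    pub, cert_sig = card.read_cert()
    if not verify(issuer_pub, repr(pub).encode(), cert_sig):
        return False
    nonce = os.urandom(16)
    return verify(pub, nonce, card.pki_respond(nonce))

def demo():
    """Return {mechanism: (genuine card accepted, cloned card accepted)}."""
    issuer_pub, issuer_priv = rsa_keygen()
    sym_cak = os.urandom(32)
    genuine = PivCard("hypothetical-cardholder-0001", issuer_priv, sym_cak)  # constructed id
    clone = ClonedCard(genuine)
    key_db = {genuine.chuid: sym_cak}  # reader-side shared-key store for SYM-CAK
    return {
        "CHUID": (auth_chuid(genuine, issuer_pub), auth_chuid(clone, issuer_pub)),
        "SYM-CAK": (auth_sym_cak(genuine, key_db), auth_sym_cak(clone, key_db)),
        "PKI-CAK": (auth_pki_cak(genuine, issuer_pub), auth_pki_cak(clone, issuer_pub)),
    }
```

Running demo() returns the acceptance result for the genuine and the cloned card under each mechanism: the clone passes the CHUID check, because a valid signature over a freely readable object only proves the issuer once signed it, and fails both challenge-response checks. The model also makes the operational difference between the two challenge-response styles visible: auth_sym_cak needs every card’s key in the reader’s key_db, so a compromised reader can impersonate any card it has served, whereas auth_pki_cak holds only the issuer’s public key.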
The revised SP 800-73-5 also adds an optional cardholder identifier to the PIV Authentication Certificate, which identifies the cardholder across the set of PIV credentials issued to them while eligible, and limits the number of consecutive activation attempts, for both the PIN and on-card biometric comparison, to ten or fewer.
The PIV Middleware specification has also been removed from SP 800-73. Under the new revision, conformant middleware is optional rather than required, which gives agencies and vendors much more flexibility in PIV deployment.
The revision to NIST SP 800-78-5, which defines the cryptographic capabilities required for PIV Cards and their supporting systems, updates the Cryptographic Algorithms and Key Sizes for PIV. The important changes include the deprecation of certain Triple DES (3TDEA) algorithm identifiers and the removal of the retired random number generator from Cryptographic Algorithm Validation Program (CAVP) PIV component testing.
The retired FIPS 186-2 key generation method has likewise been removed from CAVP PIV component testing wherever it applied, and the algorithm and key size requirements for CAVP validation testing have been modified: the 3TDEA algorithms with identifiers 00 and 03 are deprecated, the Secure Messaging Authentication key is accommodated, and higher strength keys with at least 128 bits of security are added, which will be required for authentication starting in 2031.
Around 5 million PIV cards have been issued to provide multifactor authentication access to federal IT resources and facilities. Each PIV card includes a photo of the cardholder and lists the sponsoring agency, the cardholder’s name, and an expiration date. Each card also has an embedded chip with certificates and keys to verify the authenticity of the card, which allows cardholders to access secured areas and information systems.
The U.S. Department of Homeland Security (DHS) has said that it considers PIV cards, which can remain active for up to 6 years, sensitive and high-value items with “grave potential for misuse if lost, stolen, or compromised.”