opensc-0.11.13-3.fc14.i686.rpm

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>
      UnitedStatesPIV – OpenSC
    </title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div id="content" class="wiki">
      <div class="wikipage searchable">
        
          <h1 id="USPIV">US PIV</h1>
<p>
The <a class="ext-link" href="http://www.nist.gov/" shape="rect"><span class="icon"> </span>National Institute of Standards and Technology</a> (NIST), U.S. Department of Commerce, has defined a
smart card application. Although not a "national ID card", it is expected to be used widely in the
U.S. federal government and by its contractors. Cards with this application are commonly referred to as PIV cards.
</p>
<p>
NIST Special Publication 800-73-2 (see below) and related
documents define PIV. Part 2 of 800-73-2 defines the APDU commands accepted
by the PIV application on the card. The standard does not define all the commands needed to
administer a card, leaving that to the card vendors and card administration software vendors.
</p>
<p>
The non-administrative commands are standardized, so any vendor's card with the PIV application
should interoperate with any vendor's client software. The
<a href="http://www.opensc-project.org/doc/opensc/html/tools.html#pkcs11-tool" shape="rect">pkcs11-tool</a> can be used
to read the objects on the card and to change the user PIN.
</p>
<p>
The <a class="wiki" href="PivTool.html" shape="rect">piv-tool</a> is provided to allow some card administration during testing, such as generating
a key pair and loading a certificate or other object onto the card. You may need more information
from your card vendor.
</p>
<p>
The PIV is not a PKCS#15 type card but rather an object-based application. OpenSC provides
a PKCS#15 emulator to access the four certificates and keys, along with the data objects.
Thus, for example, the "X.509 Certificate for PIV Authentication" can be used with PKCS#11 for
login or web access.
</p>
<p>
OpenSC 0.11.1 did not search arbitrary cards for the PIV application, and set max_send_size and max_recv_size
too low for PIV cards. With 0.11.1 you needed to add the ATRs of specific vendors' cards to opensc.conf.
The ATR of your card can be read using <a href="http://www.opensc-project.org/doc/opensc/html/tools.html#opensc-tool" shape="rect">opensc-tool</a>.
</p>
<p>
OpenSC 0.11.2 added support for certificates that are gzipped, but only 1024-bit RSA keys were supported.
</p>
<p>
OpenSC 0.11.3 added support for 2048- and 3072-bit RSA keys.
</p>
<p>
OpenSC 0.11.4 added support to read all the objects on the card via PKCS#11, pkcs11-tool and pkcs15-tool. 
</p>
<p>
OpenSC 0.11.5 added support for 800-73-2. 
</p>
<p>
OpenSC 0.11.9 fixed a bug where highly compressed certificates were only partially read. If any problems are found in previous versions, please update to at least this version.
</p>
<p>
OpenSC 0.11.10 fixed a bug when using piv-tool to authenticate to the card with a 3DES key.
</p>
<p>
OpenSC 0.12 (committed, not yet released): the card serial number is derived from the CHUID using the FASC-N. If the Agency Code is 9999 and a GUID is present, the GUID is used as the serial number. piv-tool can now write any object to the card (piv-tool continues to be for creating test cards only).
</p>
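<p>
The serial-number rule above, worked through as an added example (illustration only, not OpenSC's own code): the CHUID is walked as BER-TLV, the 25-byte FASC-N is unpacked from its 5-bit characters so the Agency Code can be read, and the GUID is returned only when that code is 9999. The CHUID tags (0x30 FASC-N, 0x34 GUID) follow SP 800-73; the sample CHUID, GUID and the "non-empty and not all zero" reading of "GUID is present" are constructed assumptions.
</p>

```python
import functools, operator
# Added illustration of the 0.12 serial-number rule described above; not OpenSC's own code.
# CHUID layout per SP 800-73: FASC-N in tag 0x30, GUID in tag 0x34. A FASC-N is 40 five-bit
# characters (4 data bits sent LSB first, then an odd-parity bit) packed into 25 bytes, MSB first.
SS, FS, ES = 0xB, 0xD, 0xF   # start sentinel, field separator, end sentinel

def _parity(nib):
    """Parity bit that gives a 5-bit character an odd number of ones."""
    return 0 if bin(nib).count("1") % 2 else 1

def decode_fascn(raw):
    """Unpack the 40 data nibbles of a FASC-N, checking parity, sentinels and the LRC."""
    bits, chars = int.from_bytes(raw, "big"), []
    for k in range(40):
        ch = (bits >> (195 - 5 * k)) & 0x1F
        nib = sum(((ch >> (4 - i)) & 1) << i for i in range(4))   # undo the LSB-first bit order
        if (ch & 1) != _parity(nib):
            raise ValueError("FASC-N parity error in character %d" % k)
        chars.append(nib)
    lrc = functools.reduce(operator.xor, chars[:39])              # XOR of every preceding nibble
    if (chars[0], chars[38], chars[39]) != (SS, ES, lrc):
        raise ValueError("FASC-N framing or LRC error")
    return chars

def fascn_fields(chars):
    """Split at the separators: agency, system, credential, CS, ICI, then PI+OC+OI+POA."""
    return "".join("|" if c == FS else str(c) for c in chars[1:38]).split("|")

def parse_tlv(data):
    """Minimal BER-TLV walk over the CHUID: one-byte tags, lengths up to 0x82 n n."""
    out, i = {}, 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                      # long form: 0x81 n or 0x82 n n
            ln, i = int.from_bytes(data[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        out[tag], i = data[i:i + ln], i + ln
    return out

def piv_serial_number(chuid):
    """The FASC-N bytes, or the GUID when the agency code is 9999 and a GUID is present."""
    tlv = parse_tlv(chuid)
    agency = fascn_fields(decode_fascn(tlv[0x30]))[0]
    guid = tlv.get(0x34)
    if agency == "9999" and guid and any(guid):   # "present" taken as non-empty and not all zero
        return guid.hex()
    return tlv[0x30].hex()

# Constructed sample CHUID: non-federal style FASC-N (agency 9999), GUID, expiry date, empty EDC.
SAMPLE_FASCN = bytes.fromhex("d4e739da739ced39ce739d836858210842108421c84210c3eb")
SAMPLE_GUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_CHUID = b"\x30\x19" + SAMPLE_FASCN + b"\x34\x10" + SAMPLE_GUID + b"\x35\x0820301231\xfe\x00"
```

A real card returns the CHUID wrapped in an outer 0x53 tag and with a CMS issuer signature in tag 0x3E, which the long-form length handling above is there to skip.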
<p>
No changes are needed to the opensc.conf file when using 0.11.4 and above, but here are sample changes needed for 0.11.1 in opensc.conf to use some Gemalto and Oberthur PIV cards. If other vendors produce PIV cards, you may have to add their ATRs:
</p>
<pre class="wiki" xml:space="preserve">...
    reader_driver xxxxx {
...
        max_send_size = 255;
        max_recv_size = 256;
...
    }
...
    card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00 {
        # Gemalto
        name = "PIV-II";
        driver = "piv";
    }
    card_atr 3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18 {
        # Oberthur
        name = "PIV-II";
        driver = "piv";
    }
...
    framework pkcs15 {
...
        emulate PIV-II {
        }
...
    }
...
</pre><h1 id="Links">Links</h1>
<h2 id="PIVOverview">PIV Overview</h2>
<blockquote>
<p>
<a class="ext-link" href="http://csrc.ncsl.nist.gov/piv-program/" shape="rect"><span class="icon"> </span>http://csrc.ncsl.nist.gov/piv-program/</a>  
</p>
</blockquote>
<h2 id="PIVPIVInteroperableandPIVCompatible">PIV, PIV Interoperable and PIV Compatible</h2>
<blockquote>
<p>
<a class="ext-link" href="http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers_May2009.pdf" shape="rect"><span class="icon"> </span>http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers_May2009.pdf</a>
</p>
</blockquote>
<p>
Recommendations on how PIV cards can be used outside of the U.S. Government.
</p>
<h2 id="NISTSpecialPublications-800-73-3">NIST Special Publications - 800-73-3</h2>
<blockquote>
<p>
<a class="ext-link" href="http://csrc.nist.gov/publications/PubsSPs.html" shape="rect"><span class="icon"> </span>http://csrc.nist.gov/publications/PubsSPs.html</a>
</p>
</blockquote>
<p>
Look for 800-73-3 (draft). Part 2 has the APDU commands. All four parts:
</p>
<h2 id="PIVApprovedCardsReadersMiddlewareetc">PIV Approved Cards, Readers, Middleware etc</h2>
<blockquote>
<p>
<a class="ext-link" href="http://fips201ep.cio.gov/apl.php" shape="rect"><span class="icon"> </span>http://fips201ep.cio.gov/apl.php</a>
</p>
</blockquote>

        
        
      </div><ul class="tags"><li class="header">Tags</li><li><a href="/opensc/tags/%27eID%27" rel="tag" shape="rect">eID</a> </li><li><a href="/opensc/tags/%27supported%27" rel="tag" shape="rect">supported</a> </li></ul>
    </div></body></html>