FIPS 201 originally required that all PIV credentials and associated keys be stored in a PIV Card. While the use of the PIV Card for electronic authentication works well with traditional desktop and laptop computers, it is not optimized for mobile devices. In response to the growing use of mobile devices within the Federal government, FIPS 201 was revised to permit the issuance of an additional credential, a Derived PIV Credential, for which the corresponding private key is stored in a cryptographic module with an alternative form factor to the PIV Card. Derived PIV Credentials leverage the current investment in the PIV infrastructure for electronic authentication and build upon the solid foundation of well-vetted and trusted identity of the PIV cardholder – achieving substantial cost savings by leveraging the identity-proofing results that were already performed to issue PIV cards. This document provides the technical guidelines for the implementation of Derived PIV Credentials. The use of a Derived PIV Credential is one possible way to PIV-enable a mobile device. In other cases it may be practical to use the PIV Card itself with the mobile device, using either the PIV Card’s contact or contactless interface, rather than issuing a Derived PIV Credential. Mobile devices are generally too small to integrate smart card readers into the device itself, requiring alternative approaches for communicating between the PIV Card and the mobile device. Some of these approaches are possible by today’s set of available products. Other, newer technologies are addressed by new guidelines in the existing set of PIV Special Publications. The current solution for PIV enablement directly uses PIV Cards with mobile devices through smart card readers. This has the advantage of avoiding the additional time and expense required to issue and manage Derived PIV Credentials. The approach requires smart card readers that are separate from, but attached to, the mobile device itself. These readers interface with the mobile device over a wired interface (e.g., USB) or wireless interface. The use of PIV Cards with mobile devices is functionally similar to their use with laptop and desktop computers. It does not involve new or different requirements to communicate with the PIV Card. Instead, the existing contact interface specifications of the PIV Card, as outlined in SP 800-73, form the basis for these types of readers to communicate with the PIV Card. Newer technology on mobile devices can directly communicate with and use PIV Cards over a contactless interface using Near Field Communication (NFC). Similarly to the mobile devices and attached reader scenario, the use of NFC technology with PIV cards also avoids the additional time and expense required to issue and manage Derived PIV Credentials. NFC uses radio frequency to establish communication between NFC-enabled devices. An NFC-enabled mobile device can interact with a PIV Card over its contactless interface at a very close range, allowing the mobile device to use the keys on the PIV Card without a physical connection. The user would need to hold or place the card next to the mobile device. Earlier PIV specifications did not allow the use of certain keys over the contactless interface, as existing technologies and standards did not support a secure channel between the smart card and the mobile device over NFC. SP 800-73-4 will include a new capability to enable access to all non-card-
- 粉丝: 693
- 资源: 314
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助