Home

Awesome

OpenFIPS201 License: MIT

This project has been commissioned and funded by the Australian Department of Defence, to provide an open source implementation of the card application for the NIST Personal Identity Verification (PIV) standard as specified by NIST FIPS PUB 201-2 and NIST SP 800-73-4.

OpenFIPS201 implements the following functionality:

To get started, please head on over to the OpenFIPS201 Wiki The latest binary release is: OpenFIPS201 v1.10.0

Want to get in touch?

Contact us at piv@makina.com.au if you want to talk about the project, or just to even say how you're using it!

To contact the author directly, email kim@makina.com.au

This project makes use of the following Open Source tools:


UPDATE 4th April 2022 - OpenFIPS201 v1.10.0 Release

The latest revision of OpenFIPS201 is ready! Here are a few features and enhancements that have been added:

Documentation

Dynamic Configuration

All FEATURE compilation constants are now gone and been replaced with a more extensive set of configuration registers for controlling aspects of applet behaviour. This means there is no longer a need to modify or build from source code in order to configure it.

All configuration elements can be updated either individually, or batched into a single command (using OPTIONAL ASN.1 elements). If you choose not to update the configuration, you can just use the default values that have all been defined to adhere to PIV, or if PIV doesn't specify something then sensible default values have been used.

Pre-Personalisation Interface

The PUT DATA ADMIN command has changed a bit due to dynamic configuration. The following BER-TLV structures are defined:

Your current pre-perso will still work via the Legacy Operation, but you will not be able to take advantage of some of the extended features, notably dynamic configuration. We encourage you to migrate over to the new commands, which have been kept as similar as possible to ease the transition.

Bulk Pre-Personalisation

You can combine any number of the above pre-perso commands into the same APDU to reduce the command overheads of sending so many of them!

The command is identical to the normal PUT DATA ADMIN format, with the exception that you have an outer BER-TLV tag that contains a SEQUENCE OF individual commands.

You can also mix and match different kinds of updates in one (i.e. Keys, Data Objects and Config).

PIN Enhancements

The applet supports a number of additional useful enhancements to PIN functionality:

<u>PIV Impacts:</u>

Dynamic Admin Keys

For each data object and asymmetric key, you can now optionally define which symmetric key is responsible for managing it. This gives you the capacity to give write / key generation access to targeted objects. This feature is optional and if you do not specify an admin key, objects will default to the9B key.

<u>PIV Impact</u>: PIV defaults to the 9B key as the administrative key, so to maintain compatibility, simply define this key or don't specify the key.

User Manageable Data Objects

For asymmetric keys and data objects, it is possible to now add the User Admin access mode privilege. If this is set, the data object can be written to, or the key generated as long as the access conditions for that card have been met. This can be separated for contact / contactless and the special 'always' access mode may not be paired with this.

This has been included to permit the possibility of lower security applications whereby it is useful for regularly-changing operational data to be managed on the card without the requirement for administrative keys. Of course if the thought of this horrifies you, do nothing to your pre-perso scripts and the functionality will stay disabled.

Optional Cryptographic Mechanisms

The applet now attempts to instantiate all the required cryptographic mechanisms, but if there are any that it can't this now only results in those corresponding mechanisms being disabled, not prevention of the entire applet install.

<u>PIV Impact:</u> None, provided the card is able to support at least one of the asymmetric key pair types.

Other


UPDATE - 25th July 2021

The applet has been updated (and will continue to be) over the next few months for accreditation. Below is a summary of changes, with wiki updates to follow shortly:

Note that because of issue #29 there is a minor breaking change to the pre-personalisation interface. Details are in the comments and will be updated in the documentation. Feedback is still sought on whether this can be improved as things are flexible up until validation starts.


<u>UPDATE - 23th April 2021</u>

Things have been a bit quiet here, but behind the scenes we are in the process of preparing OpenFIPS201 for CMVP / FIPS 140-3 accreditation!

This is a very steep learning curve, but out of the process is coming a number of changes that will need to be made to the applet in order to comply with direct requirements or smooth the way through the process. In the next few weeks, I'll be adding these to the issues register to open up the changes to discussion, as some of the changes will impact pre-personalisation and configuration (whilst of course maintaining compatibility with the actual PIV spec).

The (somewhat simplified) phases of accreditation are:

One additional aspect, because this is a PIV implementation is that we will also need to undergo NPIVP accreditation. This is effectively an interoperability and functional compliance test rather than security and as I understand it is largely about passing the PIV Test Runner test suite.

If you have any specific questions or issues, please raise them on the issues list or contact us at piv@makina.com.au.


<u>UPDATE - 27th August 2020</u>

Thanks largely to the efforts of @dmercer-google we now have support for Elliptic Curve! You can now generate key objects with ECC256 (#11) and ECC384 (#14) mechanisms and make use of them in General Authenticate for authentication, signing and key establishment. VCI / SM is not yet included in this, but watch this space. Thanks Dave!


<u>UPDATE - 22nd July 2020</u>

OpenFIPS201 has attempted to maintain compatibility with Javacard 2.2.x, however it is clear that there are a number of very good reasons to move away from it in the context of the PIV standard:

Going forward, OpenFIPS201 will target Javacard SDK 3.0.4 as a minimum. To continue to support Javacard 2.2.x we have added a new repository OpenFIPS201-jc22, which will serve as the compatibility release going forward.