NIST to update guidelines for testing PIV card apps, middleware
Draft revision of special publication reflects changes made to PIV specifications
- By William Jackson
- Feb 18, 2009
The National Institute of Standards and Technology is revising guidelines for compliance testing of personal identity verification (PIV) applications and middleware to reflect changes in the specifications for PIV cards and access control systems.
NIST has released a draft of Special Publication 800-85A-1, “PIV Card Application and Middleware Interface Test Guidelines,” for public comment. The revisions include additional tests necessary to evaluate some of the optional features added to the PIV data model and card interface and PIV middleware as specified in SP 800-73-2, “Interfaces for Personal Identity Verification.”
Homeland Security Presidential Directive 12 mandated the adoption of interoperable electronic ID cards that government employees and contractors use to access IT systems and government facilities. Standards for the PIV card system are defined in Federal Information Processing Standard (FIPS) 201, and technical specifications and implementation guidance are provided in a series of NIST special publications, including SP 800-73-2. That document specifies the PIV data model, command interface, client application programming interface and transitional interface standards for the government’s interoperable PIV cards.
The latest revision of SP 800-73 was released in September 2008 in four volumes that replaced the previous single document, which was published in 2006. The four volumes can be downloaded separately or in a single zipped file.
The purpose of SP 800-85A-1 “is to provide test requirements and test assertions that could be used to validate the compliance/conformance of two PIV components — PIV middleware and PIV card application — with the specifications in NIST SP 800-73-2,” the document states. “Because NIST SP 800-73-2 specifications were developed for meeting interoperability goals of FIPS 201, the conformance tests in this document provide the assurance that the set of PIV middleware and PIV card applications that have passed these tests are interoperable. This in turn facilitates marketing and procurement of FIPS 201-conformant products that meet the goals of HSPD-12.”
The publication contains guidelines for conformance testing for three classes of specifications contained in NIST SP 800-73-2:
- Endpoint data objects and endpoint data types and their representations.
- Endpoint PIV card application card command interface.
- Endpoint client/application programming interface.
The primary changes in this revision include:
- Tests for retrieving and parsing the newly added optional discovery object through the PIV cards’ contact and contactless interfaces.
- Test for populating the newly added discovery object on the PIV card.
- Tests for verifying the correct behavior of the Card Activation command and PIN Management commands in the context of the PIN usage value specified in the discovery object.
- Tests for verifying that the access control behavior of the card conforms with the PIN usage value in the discovery object.
- Dynamic generation of tests for cryptographic operation commands for key reference/algorithm combinations supported on a given PIV card.
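The first four items above all hinge on one data object: the discovery object, which the card returns as a BER-TLV structure carrying the application identifier and a two-byte PIN usage policy, and which the card's access control behaviour is then expected to match. The following Python is an added illustration of what such a test harness has to do, not code from the article or from NIST's SP 800-85A test suite. The tag values (0x7E for the discovery object, 0x4F for the AID, 0x5F2F for the PIN usage policy), the PIV AID, the bit assignments of the policy bytes and the key references for the PIV PIN (0x80) and Global PIN (0x00) are taken from SP 800-73 as this example understands them, not from the article; the sample card data is constructed, and the "observed" card behaviour is supplied by the caller rather than read from a real card.

```python
"""Parse a PIV discovery object (BER-TLV) and check a card's PIN behaviour
against the PIN usage policy it advertises.

Added example; not from the article or from NIST's test suite. Tag values,
AID, policy bits and key references follow SP 800-73 as understood here;
the sample data is constructed.
"""

PIV_AID = bytes.fromhex("A000000308000010000100")   # PIV card application AID
TAG_DISCOVERY, TAG_AID, TAG_PIN_POLICY = 0x7E, 0x4F, 0x5F2F

# PIN usage policy, first byte: which PINs satisfy the card's access rules
PIV_PIN_BIT, GLOBAL_PIN_BIT = 0x40, 0x20
# PIN usage policy, second byte: which PIN is primary when both are enabled
PRIMARY_PIV, PRIMARY_GLOBAL = 0x10, 0x20

KEYREF_PIV_PIN, KEYREF_GLOBAL_PIN = 0x80, 0x00


def parse_tlv(data: bytes) -> list:
    """Decode a run of BER-TLV elements into (tag, value) pairs.

    Handles multi-byte tags (low five bits of the first byte all set) and
    definite lengths in short form or long form with one or two length bytes.
    """
    items, i, n = [], 0, len(data)
    while i < n:
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:                      # further tag bytes follow
            while True:
                if i >= n:
                    raise ValueError("truncated tag")
                tag = (tag << 8) | data[i]
                more = data[i] & 0x80
                i += 1
                if not more:
                    break
        if i >= n:
            raise ValueError("truncated length")
        first = data[i]
        i += 1
        if first < 0x80:
            length = first
        elif first in (0x81, 0x82):
            nbytes = first & 0x7F
            if i + nbytes > n:
                raise ValueError("truncated length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        else:
            raise ValueError(f"unsupported length form 0x{first:02X}")
        if i + length > n:
            raise ValueError("value runs past end of data")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def parse_discovery_object(data: bytes) -> dict:
    """Return the AID and the decoded PIN usage policy of a discovery object,
    rejecting structures a conformance test would flag as malformed."""
    outer = parse_tlv(data)
    if len(outer) != 1 or outer[0][0] != TAG_DISCOVERY:
        raise ValueError("expected exactly one 0x7E discovery object")
    fields = dict(parse_tlv(outer[0][1]))
    aid, policy = fields.get(TAG_AID), fields.get(TAG_PIN_POLICY)
    if aid is None or policy is None:
        raise ValueError("discovery object lacks AID or PIN usage policy")
    if aid != PIV_AID:
        raise ValueError("AID is not the PIV card application")
    if len(policy) != 2:
        raise ValueError("PIN usage policy must be two bytes")
    piv_ok = bool(policy[0] & PIV_PIN_BIT)
    global_ok = bool(policy[0] & GLOBAL_PIN_BIT)
    if not piv_ok:
        raise ValueError("PIV card application PIN must always be usable")
    if global_ok and policy[1] not in (PRIMARY_PIV, PRIMARY_GLOBAL):
        raise ValueError("primary PIN byte invalid when both PINs are enabled")
    if not global_ok and policy[1] != 0x00:
        raise ValueError("primary PIN byte must be 0x00 with the PIV PIN alone")
    return {
        "aid": aid.hex().upper(),
        "piv_pin_accepted": piv_ok,
        "global_pin_accepted": global_ok,
        "primary": "global" if global_ok and policy[1] == PRIMARY_GLOBAL else "piv",
    }


def access_control_mismatches(policy: dict, observed: dict) -> list:
    """Compare the advertised policy with observed card behaviour.

    `observed` maps a PIN key reference to whether verifying that PIN let the
    tester read a PIN-protected object (in a real harness these values come
    from VERIFY / GET DATA exchanges). Returns a list of discrepancies.
    """
    expected = {KEYREF_PIV_PIN: policy["piv_pin_accepted"],
                KEYREF_GLOBAL_PIN: policy["global_pin_accepted"]}
    findings = []
    for ref, exp in expected.items():
        obs = observed.get(ref, False)
        if obs != exp:
            findings.append(f"key ref 0x{ref:02X}: policy says {exp}, card did {obs}")
    return findings


# Constructed sample: discovery object advertising both PINs, Global PIN primary
SAMPLE_DISCOVERY = bytes.fromhex("7E12" "4F0B" "A000000308000010000100" "5F2F02" "6020")

if __name__ == "__main__":
    pol = parse_discovery_object(SAMPLE_DISCOVERY)
    print(pol)
    # a card that honours the PIV PIN but, contrary to its own policy, not the Global PIN
    print(access_control_mismatches(pol, {KEYREF_PIV_PIN: True, KEYREF_GLOBAL_PIN: False}))
```

The parser is deliberately strict: a card that encodes the policy in one byte, omits the AID, or claims a primary PIN it has not enabled fails the parse outright, which is the kind of assertion the draft's "retrieving and parsing" tests exist to make, while `access_control_mismatches` captures the separate question of whether the card's behaviour agrees with what it advertised.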
Comments on the revised guidelines should be sent to PIVtesting@nist.gov with "Comments on Public Draft SP 800-85A-1" in the subject line by close of business Feb. 28.
William Jackson is a freelance writer and the author of the CyberEye blog.