Crypto rules changing for ID cards

NIST is revising guidelines to bring specification into line with FIPS

Specifications for cryptographic algorithms and keys for use on smart government ID cards are being updated to better align them with Federal Information Processing Standards and to extend the use of the SHA-1 hashing algorithm for limited purposes.

The National Institute of Standards and Technology has released a draft of the third revision of Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, for comment. The previous version, SP 800-78 Revision 2, was published early this year. That version was updated to re-align with the Suite B Cryptography specification and with then recently published FIPS standards.

Homeland Security Presidential Directive 12 mandated the creation of new standards for interoperable identity credentials for physical and logical access to federal government facilities and systems. Those standards are implemented in the PIV Card, the civilian counterpart of the military’s Common Access Card. FIPS 201, “Personal Identity Verification of Federal Employees and Contractors,” established standards for identity credentials. SP 800-78 specifies the cryptographic algorithms and key sizes for PIV systems and is a companion document to FIPS 201.


Related coverage:

NIST updates guide for testing PIV card applications and middleware

NIST revises conformance-testing guidelines for PIV data models


It identifies acceptable symmetric and asymmetric encryption algorithms, digital signature algorithms, key establishment schemes, and message digest algorithms. It also specifies mechanisms to identify the algorithms associated with PIV keys or digital signatures. All cryptographic algorithms employed in this specification provide at least 80 bits of security strength.

Crypto keys specified in FIPS 201 for the cards are an asymmetric PIV authentication key, a card authentication key that may be either symmetric or asymmetric, and an asymmetric key management key that supports key establishment or key transport. These keys are used for protecting data and applications stored on the card, including X.509 digital certificates, a digitally signed Card Holder Unique Identifier, digitally signed biometrics, and a digitally signed hash table. The publication specifies the algorithms, key sizes and parameters used to protect these objects.

Changes in the draft revision include alterations to the maximum value allowed for the RSA public-key exponent, and rules on the use of certain algorithms for status queries.

The old SHA-1 algorithm, used to authenticate digital data, is due to be retired at the end of this year because of weaknesses. The Public Key Cryptography Standard Version 1.5 published by RSA also is obsolete, but their use is being extended for these limited purposes.

Send comments to PIV_comments@nist.gov with "Comments on draft SP 800-78-3" in the subject line by close of business Dec. 3. Comments should use the template form available here.



About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Wed, Dec 1, 2010 Bob Donelson Washington DC

Identity Management has moved up the priority list to the number 5 slot this FY from last years number 9 position according to the National Association of State Chief Information Officers NASCIO. You would think that Industry would resolve issues in cryptography in a more rational fashion than the recent SHA 1 to SHA 256 fashion to assist States in mitigation of major hurdles recently experienced by the Federal Government. The Federal Procurement Community and the CIO community has work to do to collaborate on changes that are not secrets. Current Contracts need to be modified to include projected technology refresh requirements keeping technology abreast of these future events versus waiting till the crash occurs and modifying contracts at the last minute to accommodate a need that has been known for over 3 years. Planning, planning, planning is the key for the continued successful implementation of this new frontier of Trust and Interoperability which is the newest commodity that is being identified as a value and sought by so many across the Public and Private Sector.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above