NIST revamps crypto requirements for PIV cards
- By William Jackson
- Jul 05, 2006
The National Institute of Standards and Technology has revised guidelines for the cryptographic elements on new smart government ID cards, which agencies are scheduled to begin issuing in October.
The draft specifications strengthen and reduce the number of approved algorithms to bring specs into line with national security requirements and to simplify application development and interoperability.Special Publication 800-78-1
specifies cryptographic algorithms and key sizes required for Personal Identity Verification cards under Homeland Security Presidential Directive 12
. It has been released for public comment and, if adopted, would replace SP 800-78.
HSPD-12 mandates use of interoperable smart cards as IDs for government employees and contractors. The cards will include digital certificates and private keys for use in public-key cryptography to encrypt and sign documents. Federal Information Processing Standard 201 establishes the requirements for these identity credentials, and the special publications provide technical specifications for meeting FIPS 201.
The revision reduces the number of elliptic curve algorithms approved for use on PIV cards from six to two, aligning it with the National Security Agency's Suite B Cryptography requirements. Elliptic curve cryptography is a family of algorithms used in PKI. The new specs eliminate the shortest, weakest algorithms and recognize only Curve P-256 and Curve P-384. They also specify the use of SHA-256 and SHA-384 hashing algorithms for generating signatures.
The changes should simplify interoperability of PIV cards and the development of applications that will be accessed with the cards. The cards also could be used to secure the highest levels of classified data.
NSA has specified that Elliptic Curve P-256 and SHA-256 can be used to protect classified information up to the Secret level, and that Curve P-384 and SHA-384 can be used up to Top Secret.
'With appropriate testing, evaluation and certification, PIV Cards supporting elliptic curve cryptography may also be certified as Suite B products and used to protect classified information,' NIST said in the draft document.
Comments on SP 800-78-1 should be e-mailed to PIV_comments@nist.gov
by 5 p.m. Oct. 2. Include 'comments on draft SP 800-78-1' in the subject line.
William Jackson is a Maryland-based freelance writer.