SecureIDNews

Revised FIPS 201-2 released

10 July, 2012

By: Zack Martin

category: Biometrics, Contactless, Corporate, Digital ID, Government, Smart Cards

Additions include derived credentials, adding photo to chip, more contactless functionality

Zack Martin, Editor, Avisian Publications

The revised draft of FIPS 201-2 has been released and several additions have been made from the March 2011 draft.

Some of the more significant changes include:

  • Adding a mandatory facial image to the smart card
  • Additional functionality of the contactless interface including optional biometric match on card
  • Improved interoperability of the contactless interface by making the card authentication certificate and keys and other previously optional certificates and keys mandatory.
  • Less reliance on the Cardholder Unique Identifier
  • General movement away from visual inspection to electronic authentication

NIST went back and revised the draft due to the volume of comments on key issues. The most vocal concerns centered on the absence of a plan to use the PIV with mobile devices. NIST recognized this and included the concept of using derived credentials on mobile devices.

With a derived credential, the PIV is presented to a mobile device manager, which then assigns a sub-credential to a device using a parent/child model. The derived credential would be placed on a secure element within the handset or tablet. Only a portion of the PIV functionality would be available with the derived credential, and it's possible that different derived credentials could be issued depending on the level of assurance necessary.

Derived credentials were mentioned in NIST's Special Publication 800-63-1, which focuses on electronic authentication. But this prior mention of derived credentials was in a generic form and not specific to PIV.

There are also changes to the contactless interface on the horizon. Commenters wanted the contact application of the PIV to be available on the contactless portion as well. The revised draft introduces the concept of a virtual contact interface, over which all functionality of the PIV Card would be accessible.

Biometric changes

The revised draft calls for facial images to be stored on the chip, whereas previously they had been stored on the backend databases and only printed on the card. Security guards can add to the security of the credential by checking the image printed on the card as well as the one stored on the chip to make sure it's the same individual. The credential will store two fingerprint templates for off-card comparison and optionally store two iris templates and two fingerprint templates for on-card matching.

Other changes on the authentication front include less reliance on visual inspection and on the Cardholder Unique Identifier (CHUID) from the card. The revised draft acknowledges that the visual inspection and the CHUID authentication mechanisms provide little or no identity assurance of the cardholder.

The draft also proposes use of the Universally Unique Identifier, which had not been the case previously. The PIV must also contain PIV authentication data and card authentication data, each of which includes an asymmetric key pair and corresponding certificates.

If the applicant already has a federal government email address, the credential will also have an asymmetric key pair and corresponding certificate for digital signatures and another for key management.

Other optional keys include a symmetric card authentication key for supporting physical access applications and a symmetric PIV Card Application Administration key associated with the card management system.

NIST will hold a public workshop on Revised Draft FIPS 201-2 on July 25 at NIST in Gaithersburg, Md.


Tags: Employee ID, Facial, Fingerprint, Government ID, Handsets, Iris, Logical Security, Physical Security, PKI, Smart Cards
