DoD Implementation Guide for CAC PIV End-Point - Common ...

DoD Implementation Guide for CAC PIV End-Point
5.2 CHUID (0x3000)
Clarifications of CHUID fields not covered in this document are specified in the “DoD
Implementation Guide for CAC Next Generation (NG)” [NG]. These include FASC-N, Global
Unique Identifier (GUID), Expiration Date, Authentication Key Map, and Error Detection
Code.
See Appendix “Sample Java program: Accessing the CHUID” for a code sample on retrieving
the CHUID.
5.2.1 CHUID Usage
As outlined in the NIST Special Publication 800-73-1 the CHUID is defined by the following
table:
Table 6. CHUID Container
Card Holder Unique Identifier 0x3000 Always Read
Data Element (TLV) Tag Type Max Bytes M/O
FASC-N 0x30 Fixed Text 25 M
GUID 0x34 Fixed Numeric 16 M
Expiration Date 0x35 Date (YYYYMMDD) 8 M
Authentication Key Map 0x3D Variable 512 O
Issuer Asymmetric Signature 0x3E Variable 2048 M
Error Detection Code 0xFE LRC 0 O
• The CHUID includes an element, the Federal Agency Smart Credential Number
(FASC-N), which uniquely identifies each card and cardholder.
• The PIV CHUID is a free read from both the contact and contactless interfaces of the
PIV Card 12 .
• The FASC-N is not allowed to be modified post-issuance.
• In machine readable format, the expiration date data element specifies when the
card expires. The expiration date format and encoding rules are as specified in
SP800-73-1. This date is the same as that on the printed card surface. The optional
Printed Information Buffer is not included.
• Includes the issuer Public Key Certificate in the container.
• The Asymmetric Signature data element of the PIV CHUID has been encoded as a
Cryptographic Message Syntax (CMS) external digital signature, as defined in RFC
3852 [RFC3852].
• Algorithm and key size requirements for the asymmetric signature are detailed in
[SP800-78].
• Optional fields are not implemented (Grayed out on table above).
12 Applies to both DoD PIV Auth Activated and Non-activated mode.
15