DoD Implementation Guide for CAC PIV End-Point - Common ...
DoD Implementation Guide for CAC PIV End-Point

Appendix E DoD CAC PIV Transitional and End-Point Quick Guide
DoD CAC PIV Transitional and End-Point SP 800-73-v1

PIV End-Point containers

| Buffer Description                        | ContainerID | Maximum Length (Bytes) | Access Rule | Contact / Contactless   | M/O |
|-------------------------------------------|-------------|------------------------|-------------|-------------------------|-----|
| Card Capabilities Container               | 0xDB00      | 266                    | Always Read | Contact                 | M   |
| Card Holder Unique Identifier             | 0x3000      | 3377                   | Always Read | Contact and Contactless | M   |
| X.509 Certificate for PIV Authentication  | 0xA001      | 1651                   | PIN         | Contact                 | M   |
| Card Holder Fingerprints                  | 0x6010      | 7768                   | PIN         | Contact                 | M   |
| Card Holder Facial Image                  | 0x6030      | 12704                  | PIN         | Contact                 | O   |
| X.509 Certificate for Digital Signature   | 0x0100      | 1651                   | PIN         | Contact                 | O   |
| X.509 Certificate for Key Management      | 0x0102      | 1651                   | PIN         | Contact                 | O   |
| X.509 Certificate for Card Authentication | 0x0500      | 1651                   | Always      | Contact and Contactless | O   |
| Security Object                           | 0x9000      | 1000                   | Always Read | Contact                 | M   |

Data elements per container

Card Capabilities Container * (0xDB00), access: Always Read

| Data Element (TLV)                  | Tag  | Type     | Max. Bytes |
|-------------------------------------|------|----------|------------|
| Card Identifier                     | 0xF0 | Fixed    | 21         |
| Capability Container version number | 0xF1 | Fixed    | 1          |
| Capability Grammar version number   | 0xF2 | Fixed    | 1          |
| Applications CardURL                | 0xF3 | Variable | 128        |
| PKCS#15                             | 0xF4 | Fixed    | 1          |
| Registered Data Model number        | 0xF5 | Fixed    | 1          |
| Access Control Rule Table           | 0xF6 | Fixed    | 17         |
| CARD APDUs                          | 0xF7 | Fixed    | 0          |
| Redirection Tag                     | 0xFA | Fixed    | 0          |
| Capability Tuples (CTs)             | 0xFB | Fixed    | 0          |
| Status Tuples (STs)                 | 0xFC | Fixed    | 0          |

Card Holder Unique Identifier * (0x3000), access: Always Read

| Data Element (TLV)                | Tag  | Type            | Max. Bytes |
|-----------------------------------|------|-----------------|------------|
| FASC-N                            | 0x30 | Fixed Text      | 25         |
| GUID                              | 0x34 | Fixed Numeric   | 16         |
| Expiration Date                   | 0x35 | Date (YYYYMMDD) | 8          |
| Authentication Key Map (Optional) | 0x3D | Variable        | 512        |
| Issuer Asymmetric Signature       | 0x3E | Variable        | 2816       |
| Error Detection Code              | 0xFE | LRC             | 0          |

X.509 Certificate for PIV Authentication (0x0101), access: pkiCompute - PIN

| Data Element (TLV)   | Tag  | Type     | Max. Bytes |
|----------------------|------|----------|------------|
| Certificate          | 0x70 | Variable | 1856       |
| CertInfo             | 0x71 | Fixed    | 1          |
| MSCUID (Optional)    | 0x72 | Variable | 38         |
| Error Detection Code | 0xFE | LRC      | 0          |

Card Holder Fingerprints (0x6010), access: PIN

| Data Element (TLV)   | Tag  | Type     | Max. Bytes |
|----------------------|------|----------|------------|
| Fingerprint I and II | 0xBC | Variable | 2000       |
| Error Detection Code | 0xFE | LRC      | 0          |

Security Object (0x9000), access: Always Read

| Data Element (TLV)                 | Tag  | Type     | Max. Bytes |
|------------------------------------|------|----------|------------|
| Mapping of DG to ContainerID       | 0xBA | Variable | 100        |
| Security Object (Issuer Signature) | 0xBB | Variable | 900        |
| Error Detection Code               | 0xFE | LRC      | 0          |

CAC card edge (RID = A0 00 00 00 79)

PIX = 0x0100  PKI Applet  CAC ID
PIX = 0x0101  PKI Applet  CAC Sign*
PIX = 0x0102  PKI Applet  CAC Enc*
PIX = 0x0200  GC Applet   CAC Person
PIX = 0x0201  GC Applet   CAC Personnel
PIX = 0x0300  Access Control Applet
Global Platform: All Applets rely on GP Card Manager services
PKI Applet commands: Get Data, Verify/Change Pin, Sign
DoD Default Container (GC Applet): 0x0100 0x0102 0x0101 0x0200 0x0201
* Mapped to PIV Key Mgmt Key & PIV Digital Sign Key

CAC keys mapped to NIST SP-800-73 PIV keys (Access is given as read / sign)

| CAC Key Name       | Purpose                                                                                                              | Access  | Key Cert / Sign OID | M/O | PIV Key Name           | Purpose                                                                                | Access             | Key Cert / Sign OID | M/O |
|--------------------|----------------------------------------------------------------------------------------------------------------------|---------|---------------------|-----|------------------------|----------------------------------------------------------------------------------------|--------------------|---------------------|-----|
| PKI Signature Key  | Logical Login (Outlook). Digital Sign with non-repudiation, logical access, PIN. Outlook requires special extension. | ALW/PIN | 0x0101              | M   | PIV Authentication Key | Used to Authenticate the card and the cardholder using PIN.                            | PIN/PIN            | 0x0101              | M   |
| PKI Identity Key   | Identity key for logical access.                                                                                     | ALW/PIN | 0x0100              | M   | Digital Signature Key  | Can be used for Digital Sign for nonrepudiation signing outside Outlook. Contact only. | PIN/PIN-Always     | 0x0100              | O   |
| PKI Encryption Key | Key Encipherment                                                                                                     | ALW/PIN | 0x0102              | M   | Key Management Key     | Encryption key. Contact only.                                                          | PIN/PIN not needed | 0x0102              | O   |
PIV Transitional Applet (RID = A0 00 00 01 16), PIX = 0xDB00, 0x3000, 0x6010, 0x6030, 0xA001, 0x9000

FASC-N (10 BCD Digits)

| Field Name        | L (BCD) | Field description                                                                                                                                                                                        |
|-------------------|---------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| AGENCY CODE       | 4       | Identifies the government agency issuing the credential                                                                                                                                                  |
| SYSTEM CODE       | 4       | Identifies the system the card is enrolled in, is unique for each site                                                                                                                                   |
| CREDENTIAL NUMBER | 6       | Encoded by the issuing agency. For a given system no duplicate numbers are active                                                                                                                        |
| CS                | 1       | CREDENTIAL SERIES (SERIES CODE). Field is available to reflect major system changes                                                                                                                      |
| ICI               | 1       | INDIVIDUAL CREDENTIAL ISSUE (CREDENTIAL CODE). Initially encoded as "1", will be incremented if a card is replaced due to loss or damage                                                                  |
| PI                | 10      | PERSON IDENTIFIER. Numeric Code used by the identity source to uniquely identify the token carrier (e.g. DoD EDIPI)                                                                                       |
| OC                | 1       | ORGANIZATIONAL CATEGORY: 1 – Federal Government Agency; 2 – State Government Agency; 3 – Commercial Enterprise; 4 – Foreign Government                                                                   |
| OI                | 4       | ORGANIZATIONAL IDENTIFIER: OC=1 – FIPS 95-2 Agency Code; OC=2 – State Code; OC=3 – Company Code; OC=4 – Numeric Country Code                                                                              |
| POA               | 1       | PERSON/ORGANIZATION ASSOCIATION CATEGORY: 1 – Employee; 2 – Civil; 3 – Executive Staff; 4 – Uniformed Service; 5 – Contractor; 6 – Organizational Affiliate; 7 – Organizational Beneficiary               |
| SS                | 1       | Start Sentinel. Leading character which is read first when card is swiped                                                                                                                                |
| FS                | 1       | Field Separator                                                                                                                                                                                          |
| ES                | 1       | End Sentinel                                                                                                                                                                                             |
| LRC               | 1       | Longitudinal Redundancy Character                                                                                                                                                                        |
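As an added example (not code from the DoD guide), the following Python splits the 25-byte FASC-N carried in the CHUID into the fields of the table above, checking each character's parity, the sentinels and the LRC. It assumes the 5-bit BCD encoding (four data bits written LSB first plus an odd-parity bit), the codes SS=0xB, FS=0xD, ES=0xF, an LRC equal to the XOR of all preceding codes, and field separators after the agency code, system code, credential number, CS and ICI; the encoder exists only to construct input.

```python
from functools import reduce
from operator import xor

# Assumed encoding: 40 five-bit characters (25 bytes), each a 4-bit BCD value
# written LSB first plus an odd-parity bit; SS/FS/ES codes and FS placement assumed.
CODE = {"SS": 0xB, "FS": 0xD, "ES": 0xF}
LAYOUT = [("SS", 0), ("AGENCY_CODE", 4), ("FS", 0), ("SYSTEM_CODE", 4), ("FS", 0),
          ("CREDENTIAL_NUMBER", 6), ("FS", 0), ("CS", 1), ("FS", 0), ("ICI", 1),
          ("FS", 0), ("PI", 10), ("OC", 1), ("OI", 4), ("POA", 1), ("ES", 0)]  # 0 = sentinel

def _parity(nibble: int) -> int:
    return 1 - bin(nibble).count("1") % 2     # odd parity over the 4 data bits

def encode_fascn(fields: dict) -> bytes:
    """Build a 25-byte FASC-N from decimal-string fields (used to construct input)."""
    codes = []
    for name, digits in LAYOUT:
        if digits == 0:
            codes.append(CODE[name])
        elif len(fields[name]) != digits or not fields[name].isdigit():
            raise ValueError(f"{name} must be exactly {digits} digits")
        else:
            codes.extend(int(d) for d in fields[name])
    codes.append(reduce(xor, codes))          # LRC = XOR of all preceding codes (assumed)
    bits = "".join(f"{c:04b}"[::-1] + str(_parity(c)) for c in codes)
    return int(bits, 2).to_bytes(25, "big")

def parse_fascn(raw: bytes) -> dict:
    """Split a FASC-N into the table's fields, checking parity, sentinels and LRC."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 40 five-bit characters (25 bytes)")
    bits = f"{int.from_bytes(raw, 'big'):0200b}"
    codes = []
    for i in range(0, 200, 5):
        codes.append(int(bits[i:i + 4][::-1], 2))   # undo LSB-first bit order
        if int(bits[i + 4]) != _parity(codes[-1]):
            raise ValueError(f"parity error in character {i // 5}")
    if reduce(xor, codes[:-1]) != codes[-1]:
        raise ValueError("LRC mismatch")
    fields, pos = {}, 0
    for name, digits in LAYOUT:
        if digits == 0 and codes[pos] != CODE[name]:
            raise ValueError(f"expected {name} at character {pos}")
        if digits:
            chunk = codes[pos:pos + digits]
            if any(c > 9 for c in chunk):
                raise ValueError(f"non-decimal value in {name}")
            fields[name] = "".join(map(str, chunk))
        pos += digits or 1
    return fields
```

A single flipped bit anywhere in the 25 bytes breaks the odd parity of one character, so a corrupted or truncated FASC-N is rejected before any field is trusted.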
Notes:
1. CHUID signature BER/TLV
2. Transitional PIV CHUID encoded BER/TLV except tags 2 bytes for BC
3. PIV Auth cert OID is 0x101 if accessed through End-Point card edge, and 0xA001 if accessed through the PIV Transitional in PIV Auth Activated mode.
PIV End-Point Card Edge & Encoding Translation (diagram; only its labels survive)

Card Edge(s): PIV End-Point (RID = A0 00 00 03 08, PIX = 0x000010000100)
Container(s) / Applet(s): CCC 0xDB00; CHUID (Deflt.) PIV EP & Transitional; 2 FP; PIV Auth; Face; Sec Obj
Data Element(s): CCC Concaten. Unique Per card; DoD EDIPI Static for given card holder
Applet-to-Applet Communication

DMDC CTIS/Technical Advisory Group (TAG) 6-14-08