NIST SP800-85B：PIV数据模型测试指南

需积分: 5 173 浏览量更新于2024-07-16 收藏 1.45MB PDF 举报

"NIST SP800-85b-072406-final.pdf" 是一份关于美国国家标准与技术研究所（NIST）特殊出版物800-85B的文档，该文件提供了个人身份验证（PIV）数据模型测试指南。这份指南是为了确保联邦政府的组件或系统符合FIPS 201（联邦信息处理标准201）及其相关的技术规范，如SP800-73、SP800-76和SP800-78。 FIPS 201是美国政府为验证员工或承包商身份而设立的标准，旨在确保身份验证过程的可靠性、安全性和互操作性。它要求对持卡人的身份进行验证，并由相应授权机构确认其对凭证的需求。该标准也涉及了多种认证机制，包括加密机制和生物特征数据的使用。 NIST SP800-85B文档详细阐述了测试PIV系统的数据元素所需的要求、详细的测试断言和一致性测试。这些测试旨在确保系统按照FIPS 201和其他相关规范的功能执行。然而，文档并不涵盖整个PIV系统中的所有软件测试，例如后端访问控制软件、卡片发行软件以及专门的服务提供商软件的测试。特别地，它不包含对PIV卡接口、FIPS 140-2验证、密钥生成和证书绑定、加密算法、生物特征注册和验证流程、生物特征产品的性能以及外部生物特征标准和配置文件的非PIV方面的测试要求。这份文档对于理解和支持联邦政府的个人信息验证基础设施的构建和测试过程至关重要。它为政府机构提供了实施和验证FIPS 201兼容系统的指导，以确保联邦政府内部的安全身份验证和信息交换。通过遵循这些测试指南，可以增强政府系统之间的互信和协同，提高整体信息安全水平。

Special Publication 800-85B PIV Data Model Testing Specification

include purpose of the test, starting conditions and prerequisites, success criteria, and post-test

di le.

The following four sets of test assertions are included in this document —

BER-

Biometric data object (Section 9)

under PIV data model testing and are

d DTR sections. Overall there is a many-to-many relationship from the

ns with respect to tests.

con tions, when applicab

TLV (Section 8)

Signed data element (Section 10)

PKI certificate profile (Section 11)

All the test assertions provided in this document come

based on DTRs in Sections 4, 5, 6, and 7. Specifically, each test assertion makes specific

references to the relate

test assertions to the DTRs (i.e., one test can map to many DTRs and one DTR can map to many

tests). To narrow the search space for cross references, Table 3-1 presents a cross-referencing

guide showing the relevant DTR sections and test assertion sectio

Category/Classes of Test DTR Section(s) Test Assertion Section(s)

(1) BER-TLV

Section 4 (Derived from

SP80073)

Section 8

(2) Biometric Data

Section 5 (Derived from

SP80076)

Section 9

(3) Signed Data Elements

Section 6 (Derived from

FIPS201

Section 10

and

SP80078)

(4) PKI Certificate Profile

Section 7 (Derived from

FIPS201

and

SP80078)

Section 11

Table 3-1. Cross-referencing Guide

Page 8

Special Publication 800-85B PIV Data Model Testing Specification

4. BER-TLV DTRs

4.1 BER-TLV Testing

AS04.01.01: Part 3 conformant cards shall return all the Tag-Length-Value (TLV)

eleme physical order listed for that container in this data model.

pecify in its documentation that the information provided

container conforms to

SP80073.

01: The vendor shall specify in its documentation the tags and associated values in

the CCC container.

VE04.02.01.02: The vendor shall specify presence of the optional fields.

f all the elements in CCC

ginst the vendor provided

4.3 Card Holder Unique Identifier (CHUID)

ency Smart Credential Number (FASC-N) shall be consistent with the

System

(TIG SCEPACS) Option for “System Code || Credential Number” to establish a credential

number space of 9,999,999,999 credentials.

The Global Unique Identifier (GUID) field must be present, and may include either an

35 and value is within the next five years. This field shall

nts of a container in the

VE04.01.01.01: The vendor shall specify in its documentation the format (TLV) and the content

of all the elements in each data container on the card.

VE04.01.01.02: The vendor shall s

conforms to

SP80073.

TE04.01.01.01: The tester shall validate that the formatting, encoding and the content of all th

elements in each data

4.2 Card Capability Container (CCC)

AS04.02.01: The CCC shall identify the registered data model number 0x10.

VE04.02.01.

TE04.02.01.01: The tester shall validate the format and the content o

data container on the card. Data read from the card will be validated a

data.

TE04.02.01.02: The tester shall validate that the Registered Data Model value is

0x10.

AS04.03.01: The CHUID on a PIV card shall meet the following requirements:

The Federal Ag

Technical Implementation Guidance Smart Card Enabled Physical Access Control

issuer assigned IPv6 address or be coded as all zeros. The GUID is included to enable

future migration away from the FASC-N into a robust numbering scheme for all issued

credentials.

The Expiration Date is tagged

be 8 bytes in length and shall be encoded as YYYYMMDD.

Page 9

Special Publication 800-85B PIV Data Model Testing Specification

TE05.01.06.01: The tester shall verify that the BDB Format Owner field contains 0x001B.

AS05.01.07: For the mandatory fingerprint template on the PIV card, the BDB Format

Type value shall be 0x0201. For the optional facial image on the PIV card, the BDB

Format Type value shall be 0x0501.

No requirements for vendor.

r fingerprint

ntation of "YYYYMMDDhhmmssZ". Each pair of characters (for example, "DD")

is coded in 8 bits as an unsigned integer where the last byte is the binary representation of

or.

with the assertion.

AS05.01.09: The Validity Period in the PIV Patron Format (Row 8 in Table 8 of

SP80076)

dates in compliance with the

mplate and shall be 0x000002 for facial images. The value for other biometric

en in CBEFF, 5.2.1.5. For modalities not listed there the value

TE05 c Type field contains 0x000008 for

fingerprint im ages.

BEFF

e b001xxxxx

Type value is b100xxxxx for

processed fingerprint template and b001xxxxx for facial image.

TE05.01.07.01: The tester shall verify that the BDB Format Type field is 0x0201 fo

template and 0x0501 for facial image.

AS05.01.08: The Creation Date in the PIV Patron Format (see Row 7 in Table 8 of

SP80076)

shall be the date of acquisition of the parent sample, encoded in eight bytes using a binary

represe

the ASCII character Z which is included to indicate that the time is represented in

Coordinated Universal Time (UTC). The field "hh" shall code a 24 hour clock value.

No requirements for vend

TE05.01.08.01: The tester shall verify the date field is in compliance

contains two dates.

No requirements for vendor.

TE05.01.09.01: The tester shall verify that the headers contain two

assertion.

AS05.01.10: Biometric Type field within the PIV Patron Format shall be 0x000008 for

fingerprint te

modalities shall be that giv

shall be 0x00.

No requirements for vendor.

.01.10.01: The tester shall verify that the Biometri

ages or templates and 0x000002 for facial im

AS05.01.11: For the mandatory fingerprint template on the PIV card, the CBEFF

Biometric Data Type encoding value shall be b100xxxxx, which corresponds to biometric

data that has been processed. For the optional facial image on the PIV card, the C

Biometric Data Type encoding value shall b

No requirements for vendor.

TE05.01.11.01: The tester shall verify that the Biometric Data

Page 12

剩余165页未读，继续阅读

艾米的爸爸

粉丝: 791
资源: 314

NIST SP800-85B：PIV数据模型测试指南

NIST SP800-85A-2-final.pdf

NIST SP800-73-2_part1-datamodel-final.pdf

NIST SP800-65-Final.pdf

NIST SP800-53-rev2-final.pdf

NIST SP800-137 Final.pdf

NIST SP800-73-2_part3_end-point-client-api-final.pdf

NIST SP800-87_Rev1-April2008Final.pdf

NIST SP800-85A-2：PIV组件测试指南

NIST SP800-73-2：个人身份验证接口更新概览

NIST.SP.800-207-Zero Trust Architecture（final）.pdf

最新资源