NIST Describes Standards for Identity Credentials, Authentication Systems
October 12, 2009 // Published as a news service by IHS
The National Institute of Standards and Technology (NIST) issued Use of ISO/IEC 24727 and Special Publication 800-73-3, which describe new capabilities for authentication systems using smart cards or other personal security devices within and outside federal government applications.
Use of ISO/IEC 24727 describes the NIST-led international standard, ISO/IEC 24727, which defines a general-purpose identity application programming interface (API).
Special Publication 800-73-3 is a draft publication on refinements to the personal identity verification (PIV) specification.
NIST developed specifications for PIV cards required for the government under Homeland Security Presidential Directive 12.
These smart cards have embedded chips that hold information and biometric data, such as specific types of patterns in fingerprints called minutiae, along with a unique identifying number.
Experts said the goal is to develop methods that allow each worker to have a PIV card that works with PIV equipment at all government agencies and with all card-reader equipment regardless of the manufacturer.
Because of the interest in using secure identity credentials like PIV cards for multiple applications beyond the federal workplace, NIST developed ISO/IEC 24727 - Identification cards - Integrated circuit card programming interfaces - that provides a set of authentication protocols and services common to identity management frameworks.
The NIST report, Use of ISO/IEC 24727 is an introduction to that standard. It describes the standard's general purpose identity application programming interface, the "Service Access Layer Interface for Identity," which allows cards and readers to communicate and operate with applications.
The report also describes a proof-of-concept experiment demonstrating that existing PIV cards and readers can work interoperably with ISO/IEC 24727. The applications tested included logging on to Windows or Linux systems, signing and encrypting e-mail and performing web authentications.
NIST researchers are also working to improve PIV components and provide guidelines that the private sector and municipalities can use with a similar smart ID card.
They drafted an update to an earlier publication that contains the technical specifications for interfacing with the PIV card to retrieve and use identity credentials.
Special Publication 800-73-3, Interfaces for Personal Identity Verification, provides specifications for PIV-interoperable and PIV-compatible cards issued by nonfederal issuers, which may be used with the federal PIV system.
It also provides specifications designed to ease implementation, facilitate interoperability and ensure performance of PIV applications in the federal workplace.
The publication specifies a PIV data model, card edge interface and application programming interface. The report also provides editorial changes to clarify information in the earlier version.
Source: National Institute of Standards and Technology (NIST).