PIV/CIV Device Profile

This tutorial explains how to add a device profile so that you can manage the keys of PIV/CIV-supported devices.

  1. Navigate to Configuration > Device Profiles.
  2. Select + Add Device Profile.
  3. Select OK to continue.
  4. Enter the following information:
    1. Category: Select Personal Identity Verification (PIV) as the device Category.
    2. Supplier: Select the name of the supplier from the drop-down list for the selected category. The supported suppliers are:
      1. IDEMIA
      2. ZTPass
      3. Thales
      4. Yubico
      5. Giesecke+Devrient
    3. Product Name: Select the Product Name, which is the product model for the selected supplier.
  5. Select OK.

For each product category, you need to configure parameters in two sections: General Information and Key Manager. Be sure to provide the required values under both sections.

General Information

The General Information section is common to all product categories. In this section, provide general details such as the name and a brief description of the device profile.

  1. Enter a name for the device profile.
  2. Provide a brief description of the profile being created.

The Category, Supplier, and Product Name fields are populated from the details provided when the device profile was created. You cannot edit these fields.

Key Manager

NOTE

The Factory Master Key is created by appending the GlobalPlatform keys (ENC, MAC, and KEK) in that sequence. Do not enter spaces or special characters in the Factory Master Key.
For example, if
  • ENC = 123
  • MAC = 789
  • KEK = ABC
then Factory Master Key = 123789ABC

In the Key Manager section, the device profile parameters you must configure depend on the category and model selected. You define where the keys are stored and provide the values of the Issuer Security Domain keys. These keys enable Unifyia to manage card applications and data and to perform tasks such as establishing a secure channel, resetting the card to factory configuration, unlocking write privileges, and updating application data.

Refer to the table below for the meaning of the different keys present in PIV-supported smart devices.

Terms related to Issuer Domain Security Keys

  • Factory Management Key: The PIV application administrative key (9B key) provided by the YubiKey manufacturer; used to update application data and keys during card personalization.
  • Factory Master Key: The default manufacturer/factory key (GlobalPlatform keys); required to open a secure channel and to reset the card to factory settings.
  • Factory Admin Key or Factory Management Key: The PIV application administrative key (9B) provided by the PIV card manufacturer; used to update application data and keys during card personalization.
  • Customer Master Key: A key generated by the customer that replaces the Factory Master Key; used to open a secure channel for card authentication and for encryption of the data.
  • Customer Admin Key or Customer Management Key: The PIV application administrative key (9B) generated by the customer; used to update application data and keys during card personalization.
  • Depending on the PIV category, supplier, and product model selected, you will see two or four fields for entering keys. Enter the manufacturer's Master and Admin keys for the chosen product and, where applicable, the corresponding customer Master and Admin keys that replace the manufacturer keys. Refer to the table listing the details of the issuer domain security keys.
  • For IDEMIA ID-One PIV V2.4.1 on Cosmo V8.1 and IDEMIA ID-One PIV V2.4.1 on Cosmo V8.2, you will additionally find an option to diversify the keys using either the Master Key or a Key Ceremony (currently not implemented). Choose to diversify using the Master Key.
  • Enter the values as required; refer to the table below for the type and length of the keys to be provided for the selected product.
  • Select Save to complete the creation of the device profile.

Details of the Issuer Domain Security Keys

For each product, the required keys and their lengths (in characters) are:

IDEMIA ID-One PIV V2.4.1 on Cosmo V8.1
  • Factory Master Key: 64 characters
  • Factory Admin Key: 64 characters
  • Customer Master Key: 64 characters

IDEMIA ID-One PIV V2.4.1 on Cosmo V8.2
  • Factory Master Key: 64 characters
  • Factory Admin Key: 64 characters
  • Customer Master Key: 64 characters

G+D SCE 7.0 with PIV Applet V1.0
  • Factory Master Key: 96 characters
  • Factory Admin Key: 32 characters
  • Customer Master Key: 96 characters
  • Customer Admin Key: 32 characters

Thales IDPrime PIV v3.0
  • Factory Master Key: 32 characters
  • Factory Admin Key: 32 characters
  • Customer Master Key: 32 characters
  • Customer Admin Key: 32 characters

ZTPass - ZTPass on NXP P71D600
  • Factory Master Key: 96 characters
  • Factory Admin Key: 32 characters
  • Customer Master Key: 96 characters
  • Customer Admin Key: 32 characters

Yubikey 5
  • Factory Admin Key: 48 characters
  • Customer Admin Key: 48 characters

ID Wallet
  • Required keys: not applicable

ID Card
  • Required keys: not applicable
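As an added example (not part of this page or of the Unifyia product), the following Python check assembles a Factory Master Key the way the NOTE in the Key Manager section describes and validates the keys entered for a profile against the lengths in the table above. It assumes key values are hex-encoded (the NOTE's example uses 123/789/ABC); the product and field names are taken from the table.

```python
import re

# Required key lengths in characters per product, transcribed from the
# "Details of the Issuer Domain Security Keys" table on this page.
# An empty dict means no keys apply (ID Wallet, ID Card).
REQUIRED_KEY_LENGTHS = {
    "IDEMIA ID-One PIV V2.4.1 on Cosmo V8.1": {
        "Factory Master Key": 64, "Factory Admin Key": 64, "Customer Master Key": 64},
    "IDEMIA ID-One PIV V2.4.1 on Cosmo V8.2": {
        "Factory Master Key": 64, "Factory Admin Key": 64, "Customer Master Key": 64},
    "G+D SCE 7.0 with PIV Applet V1.0": {
        "Factory Master Key": 96, "Factory Admin Key": 32,
        "Customer Master Key": 96, "Customer Admin Key": 32},
    "Thales IDPrime PIV v3.0": {
        "Factory Master Key": 32, "Factory Admin Key": 32,
        "Customer Master Key": 32, "Customer Admin Key": 32},
    "ZTPass - ZTPass on NXP P71D600": {
        "Factory Master Key": 96, "Factory Admin Key": 32,
        "Customer Master Key": 96, "Customer Admin Key": 32},
    "Yubikey 5": {"Factory Admin Key": 48, "Customer Admin Key": 48},
    "ID Wallet": {}, "ID Card": {},
}

# Assumption: key values are hex-encoded (the page's example uses 123/789/ABC),
# so "no spaces or special characters" is enforced as hex digits only.
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")

def build_factory_master_key(enc: str, mac: str, kek: str) -> str:
    """Append ENC, MAC, KEK in that order (per the NOTE); reject spaces/non-hex."""
    for name, value in (("ENC", enc), ("MAC", mac), ("KEK", kek)):
        if not HEX_ONLY.match(value):
            raise ValueError(f"{name} contains spaces or non-hex characters")
    return enc + mac + kek

def check_profile_keys(product: str, keys: dict) -> list:
    """List problems in the keys entered for one profile; never echoes key material."""
    required = REQUIRED_KEY_LENGTHS.get(product)
    if required is None:
        return [f"no key requirements known for product {product!r}"]
    problems = []
    for field, length in required.items():
        value = keys.get(field)
        if value is None:
            problems.append(f"{field}: missing")
        elif not HEX_ONLY.match(value):
            problems.append(f"{field}: contains spaces or non-hex characters")
        elif len(value) != length:
            problems.append(f"{field}: expected {length} characters, got {len(value)}")
    problems += [f"{f}: not applicable to this product" for f in keys if f not in required]
    return problems
```

An empty list from check_profile_keys means every required field is present, hex-only, and of the length the table specifies for that product.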