PIV+FIDO2/DPIV+DFIDO2 Device Profile

This tutorial explains how to add a device profile for devices that support PIV+FIDO2 or DPIV+DFIDO2, so that the platform can manage the keys those devices require. Such a profile lets you issue Personal Identity Verification (PIV) and FIDO2 credentials, or Derived Personal Identity Verification (DPIV) and Derived FIDO2 (DFIDO2) credentials.

Prerequisites

  • Ensure that you are logged in to the Unifyia platform with your admin credentials.
  • You have the manufacturer and customer master and admin keys.

Configure Device Profile

Whether you are configuring the device profile for PIV+FIDO2 or for DPIV+DFIDO2 issuance, the process is the same except that the category must be selected according to the type of credential being issued. The configuration involves the following four steps:

  1. Selecting the category, supplier, and product model.
  2. Adding general information about the device profile.
  3. Selecting whether the keys are stored in the database or in a Hardware Security Module (HSM).
  4. Configuring the device manufacturer and customer security keys.

Follow the steps below to configure the device profile for PIV+FIDO2 or DPIV+DFIDO2 supported devices:

  1. Navigate to Configuration > Device Profiles.
  2. Select + Add Device Profile.
  3. Enter the following information:
    1. Category: Select a device profile category.
      • For issuing PIV and FIDO2 credentials, select the category PIV+FIDO2.
      • For issuing DPIV and DFIDO2 credentials, select the category DPIV+DFIDO2.
    2. Supplier: Select the name of the supplier from the drop-down list for the selected category. The supported suppliers are IDEMIA, ZTPass, and Yubico.
    3. Product Name: Select the Product Name, which is the product model for the selected supplier. The supported product models per supplier are:
      • IDEMIA: ID-One PIV v2.4.2 on Cosmo V8.2
      • ZTPass: ZTPass on NXP P71D600; Arculus AuthentiKey
      • Yubico: YubiKey 5 Series
  4. Select OK.

For the selected product model, configure the parameters in two sections, General Information and Key Manager. Provide all required values in both sections.

General Information

The general information section is common for all the product categories. In this section, provide the general details such as name and a brief description of the device profile.

  1. Enter a name for the device profile.
  2. Enter a display name for the device profile. This display name will be populated in the Device Profile dropdown list while creating a workflow.
  3. Provide a brief description of the profile being created.
  4. The Category, Supplier, and Product Name fields are populated from the details provided when the device profile was created. You cannot edit these fields.
  5. Under Additional Configurations, you can set the following policies:
    1. Clear PIV Containers During Issuance: Enable this option to clear any existing data in all Personal Identity Verification (PIV) containers during card issuance, so that a reissued card does not carry over credentials from a previous holder.
    2. Set PIN Retry Limit: Specify the maximum number of incorrect PIN attempts allowed before the card/device is locked.
    3. Set PUK Retry Limit: Specify the maximum number of incorrect PUK (PIN Unblock Key) attempts allowed. This bounds the recovery path after a locked PIN and protects the PUK against brute-force guessing.
    4. Configure Application Interfaces: Enable this option to control which applications are available on which interfaces of the selected product model. Once enabled, the interfaces and applications supported by the product model are displayed, and you can enable or disable applications (such as PIV, FIDO2, OTP) per interface (such as USB, NFC). After selecting the desired applications, a lock code can be applied to prevent further changes. This feature is available on the following models because they contain both the PIV and FIDO2 applications:
      • ZTPass - ZTPass on NXP P71D600
      • ZTPass - Arculus AuthentiKey
      • Yubico - YubiKey 5 Series
    5. As you are configuring a PIV+FIDO2 (or DPIV+DFIDO2) device profile, select the PIV and FIDO2 applications for the USB interface, the NFC interface, or both, according to your organization's security requirements and operational preferences. The applications available per interface are:
      Interface and Application Options
      • ZTPass - ZTPass on NXP P71D600: USB: PIV, FIDO2; NFC: PIV, FIDO2
      • ZTPass - Arculus AuthentiKey: USB: PIV, FIDO2; NFC: PIV, FIDO2
      • Yubico - YubiKey 5 Series: USB: PIV, FIDO2, OTP, OATH, FIDO U2F, OpenPGP; NFC: PIV, FIDO2, OTP, OATH, FIDO U2F, OpenPGP
    6. Lock Configured Interfaces: Enable this option to lock the selected interface configuration so that it cannot be changed without the lock code.
    7. Lock Code: Set the code that locks the configured interfaces. The required length depends on the model:
      • ZTPass - ZTPass on NXP P71D600: 8 characters
      • ZTPass - Arculus AuthentiKey: 8 characters
      • Yubico - YubiKey 5 Series: 12 characters

Key Manager

NOTE

The Manufacturer Master Key is formed by appending the GlobalPlatform keys (ENC, MAC, and KEK) in that order. Do not enter spaces or special characters in the Manufacturer Master Key field.
For example, if
  • ENC = 123
  • MAC = 789
  • KEK = ABC
then Manufacturer Master Key = 123789ABC. (These values are shortened for illustration; the real key lengths are given in the section Required Keys and Their Length for Product Models.)
  1. In the Key Manager section, configure the device profile parameters that apply to the selected category and model. The number of keys varies with the product model. For example, an IDEMIA ID-One PIV v2.4.2 on Cosmo V8.2 device requires three keys (Manufacturer Master, Manufacturer Admin, and Customer Master keys), whereas a YubiKey 5 Series device requires two keys (Manufacturer Admin and Customer Admin keys). Refer to the section Required Keys and Their Length for Product Models.
  2. Define where the cryptographic keys are stored: Database or HSM. The Key Manager fields differ slightly between the two options, as described below.
  3. Database:
    1. Based on the product model, provide the values for the Issuer Security Domain Keys.
    2. If you need to diversify the Manufacturer Master Key using the Master Key Ceremony, select the checkbox Diversify Manufacturer Master Key Using Key Ceremony and provide the following details for key computation. Each check value lets the platform detect a mistyped or corrupted part before the key is computed.
      1. Algorithm: Select the algorithm for diversification. Available options are AES-128 ECB and AES-256 ECB.
      2. Encryption Key: Provide the encryption key.
      3. Check value: Provide the check value corresponding to the encryption key.
      4. Transport Key Part 1: Provide the first part of the transport key.
      5. Check value: Provide the check value corresponding to the first part of the transport key.
      6. Transport Key Part 2: Provide the second part of the transport key.
      7. Check value: Provide the check value corresponding to the second part of the transport key.
      8. Transport Key Part 3: Provide the third part of the transport key.
      9. Check value: Provide the check value corresponding to the third part of the transport key.
      10. Select Master Key Ceremony to complete the key ceremony process. The computed master key is displayed in the field labelled Manufacturer Master Key. You cannot edit this field.
    3. Select Save to save the configuration.
  4. HSM:
    1. Select the HSM Type.
    2. Based on the product model, provide the values for the Issuer Security Domain Keys.
    3. If you need to diversify the Manufacturer Master Key using the Master Key Ceremony, select the checkbox Diversify Manufacturer Master Key Using Key Ceremony and provide the same key computation details as for the Database option (algorithm, encryption key, the three transport key parts, and their check values), then select Master Key Ceremony. The computed master key is displayed in the Manufacturer Master Key field and cannot be edited.
    4. Enable Factory Reset: Enable this option to allow resetting a card to its factory settings. The Manufacturer Master and/or Admin keys (factory keys) are encrypted with the tenant key associated with the selected HSM and stored in that form; these encrypted factory keys are used during a factory reset of the device.
    5. Select Save to save the configuration.
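As an added example that is not part of the Unifyia product or of this tutorial, the following Go program models the checks an operator can run at the keyboard before entering values into the Key Manager: it computes a check value for each custodian's transport key part, combines the three parts, and validates the Manufacturer Master Key string described in the NOTE above (ENC||MAC||KEK, hex, no spaces or special characters). The page does not state how the platform combines the parts or computes check values, so the program assumes the common ceremony conventions: parts are combined by XOR, and a check value is the first three bytes of the AES-ECB encryption of an all-zero block (AES-128 or AES-256, the two algorithms the profile offers). The key values in it are constructed for the demonstration and are not real keys, and the platform's own computation may differ.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// KCV returns the conventional key check value: the first 3 bytes of the
// AES-ECB encryption of an all-zero block under key. Assumed convention;
// only AES-128 (16-byte) and AES-256 (32-byte) keys are accepted because
// those are the two algorithms the device profile offers.
func KCV(key []byte) ([]byte, error) {
	if len(key) != 16 && len(key) != 32 {
		return nil, fmt.Errorf("key must be 16 or 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:]) // a single block is all ECB amounts to
	return out[:3], nil
}

// KeyPart is one custodian's transport key part and the check value that
// custodian supplied with it.
type KeyPart struct {
	Value []byte
	KCV   []byte
}

// CombineParts verifies each custodian's check value and then XORs the
// three parts into the transport key (XOR combination is assumed). It
// returns the key and the key's own check value.
func CombineParts(parts []KeyPart) (key, kcv []byte, err error) {
	if len(parts) != 3 {
		return nil, nil, errors.New("ceremony expects exactly three parts")
	}
	key = make([]byte, len(parts[0].Value))
	for i, p := range parts {
		if len(p.Value) != len(key) {
			return nil, nil, fmt.Errorf("part %d: length %d, expected %d", i+1, len(p.Value), len(key))
		}
		got, err := KCV(p.Value)
		if err != nil {
			return nil, nil, fmt.Errorf("part %d: %w", i+1, err)
		}
		if !bytes.Equal(got, p.KCV) {
			return nil, nil, fmt.Errorf("part %d: computed KCV %X, custodian supplied %X", i+1, got, p.KCV)
		}
		for j := range key {
			key[j] ^= p.Value[j]
		}
	}
	kcv, err = KCV(key)
	return key, kcv, err
}

var hexOnly = regexp.MustCompile(`^[0-9A-Fa-f]+$`)

// SplitMasterKey validates a Manufacturer Master Key string as the NOTE
// describes it (ENC||MAC||KEK, hex, no whitespace or special characters)
// and returns the three GlobalPlatform keys. keyLen is the byte length of
// each key, e.g. 16 for AES-128.
func SplitMasterKey(master string, keyLen int) (enc, mac, kek []byte, err error) {
	if strings.ContainsAny(master, " \t\r\n") {
		return nil, nil, nil, errors.New("master key must not contain whitespace")
	}
	if !hexOnly.MatchString(master) {
		return nil, nil, nil, errors.New("master key must be hex with no special characters")
	}
	if want := 3 * keyLen * 2; len(master) != want {
		return nil, nil, nil, fmt.Errorf("master key must be %d hex characters (ENC+MAC+KEK), got %d", want, len(master))
	}
	raw, err := hex.DecodeString(master)
	if err != nil {
		return nil, nil, nil, err
	}
	return raw[:keyLen], raw[keyLen : 2*keyLen], raw[2*keyLen:], nil
}

func main() {
	// Constructed demo parts (not real keys) chosen so that their XOR is the
	// all-zero AES-128 key, whose well-known check value is 66E94B.
	p1, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	p2, _ := hex.DecodeString("0F0E0D0C0B0A09080706050403020100")
	p3 := make([]byte, 16)
	for i := range p3 {
		p3[i] = p1[i] ^ p2[i]
	}
	var parts []KeyPart
	for _, v := range [][]byte{p1, p2, p3} {
		k, _ := KCV(v)
		parts = append(parts, KeyPart{Value: v, KCV: k})
	}
	key, kcv, err := CombineParts(parts)
	fmt.Printf("transport key %X  kcv %X  err %v\n", key, kcv, err)
}
```

The point of checking each part locally is that a custodian's check value is the only thing that catches a transposed hex digit before the ceremony is run; a mistyped part still produces a valid-looking master key, just not the one the factory programmed into the cards.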

Details of Issuer Security Domain Keys

Issuer Security Domain Keys enable the Unifyia platform to manage card applications and data, and to perform tasks such as establishing a secure channel, resetting the card to the manufacturer configuration, unlocking write privileges, and updating application data. The table below explains the keys present in PIV-supported smart devices.

Term: Description
Manufacturer Master Key: The default manufacturer/factory key (GlobalPlatform keys), required to open a secure channel and to reset the card to factory settings. If you chose to diversify the key through the key ceremony, the value is computed automatically from the three parts and their corresponding check values provided by the three key custodians. You cannot edit this field.
Manufacturer Admin Key: The PIV application administrative key (9B) provided by the PIV card manufacturer, used to update application data and keys during card personalization.
Customer Master Key: A key generated by the customer that replaces the factory master key. It is used to open a secure channel for card authentication and for encryption of the data.
Customer Admin Key: The PIV application administrative key (9B) generated by the customer, used to update application data and keys during card personalization.

You have completed the configuration of the device profile for PIV+FIDO2 or DPIV+DFIDO2 supported devices.