Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Personal Identity Verification (PIV) Interfaces, Cryptographic Algorithms, and Key Sizes: Drafts of SP 800-73-5 and SP 800-78-5 Available for Public Comment

Two PIV publications are being revised: "Interfaces for Personal Identity Verification" (SP 800-73-5, 3 parts), and "Cryptographic Algorithms and Key Sizes for Personal Identity Verification" (SP 800-78-5). Submit your public comments through November 15

In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201 and are now available for public comment.

SP 800-73-5: Parts 1–3 ipd (Initial Public Draft)

SP 800-73-5: Parts 1–3 ipd, Interfaces for Personal Identity Verification, describes the technical specifications for using the PIV cards including a PIV data model (Part 1), card edge interface (Part 2), and application programming interface (Part 3). Major changes to the documents include:

  • Removal of the previously deprecated CHUID authentication mechanism
  • Deprecation of the SYM-CAK and VIS authentication mechanisms
  • Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for contactless interfaces for facility access applications
  • Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
  • Restriction on the number of consecutive activation retries for each of the activation methods (i.e., PIN and OCC attempts) to be 10 or less
  • SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement

SP 800-78-5 ipd

SP 800-78-5 ipd, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It been modified to add additional algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing including:

  • Deprecation of 3TDEA algorithms with identifier ‘00’ and ‘03’
  • Removal of the retired RNG from CAVP PIV component testing where applicable
  • Accommodation of the Secure Messaging Authentication key
  • Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031

NIST specifically seeks input from federal agencies on the suitability of the digital signature algorithms and key sizes specified in SP 800-78-5. The draft revisions accommodate RSA signatures with 2048-bit and 3072-bit keys, and ECDSA signatures with the P-256 and P-384 curves, for authentication services. NIST requests feedback on the potential need to support RSA with 4096-bit keys, or for the need to add support for the EdDSA signature algorithm that is now specified in FIPS 186-5.

Submit Comments

The comment period for these drafts is open through November 15, 2023. See the publication details (linked above) to download the drafts and comment templates. Comments and inquiries should be sent to piv_comments [at] nist.gov (piv_comments[at]nist[dot]gov).

Workshop

Additionally, NIST will host a public workshop on November 8, 2023, to discuss both SP 800-73-5 ipd and SP 800-78-5 ipd. Information about that event will soon be posted on CSRC Events and announced via email using the NIST Cybersecurity Events list on GovDelivery.

Released September 27, 2023