4.1 PIV 9B keys
Note: 9B keys are applicable only to PIV cards and to cards based on PIV technology.
The PIV 9B key (also known as the PIV admin key) is a symmetric key on every PIV card. MyID needs to know the 9B key to write data or generate RSA keypairs on a PIV card.
Cards are delivered with a fixed factory PIV 9B key. You must set up MyID with the factory key for the appropriate device type. This allows MyID to authenticate to the card and write PIV data during issuance.
4.1.1 Risks
- The factory PIV 9B key is the same on every card of that type; two cards of the same model from the same manufacturer will have the same factory 9B key. Therefore, it is possible that the key is known to unauthorized parties.
- An unauthorized party with the PIV 9B key can modify the content of the PIV card.
- A PIV card that has an unchanged factory PIV 9B key is not FIPS 201 compliant. You must issue your cards with diversified customer keys that are stored on an HSM.
4.1.2 Solution
Set up MyID to replace the factory PIV 9B key with a customer PIV 9B key – this is a key known only to the customer's system. Unauthorized parties will not have access to this customer PIV 9B key, and therefore cannot perform any unauthorized modifications of the PIV cards issued by MyID.
Set the following options on your customer keys:
- Key Diversity: Diverse – each card is issued with a different key, derived from a master key. Even in the unlikely situation that one card is compromised, no other cards would be compromised. Use static keys only for test systems; you must use diverse keys when you issue production cards.
- Automatically Generate Encryption Key on HSM – the PIV 9B master key, used to derive the keys for the cards, is randomly generated on your HSM. It is a requirement of FIPS 201 that you generate keys on a FIPS 201-approved HSM for your PIV system.
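The following is an added illustration of why these two options matter; it is not MyID's code or its actual diversification algorithm. It assumes a 3TDEA (24-byte) 9B key, uses a hypothetical HMAC-SHA256 derivation from a master key and a card identifier, and stands in for the HSM with a local random generator, then counts how many cards a single leaked card key would expose under static versus diverse issuance.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 24  # 3TDEA card management key length (assumes a 3DES 9B key)


def generate_master_key() -> bytes:
    """Stand-in for 'Automatically Generate Encryption Key on HSM'.
    In production the master key is generated inside the HSM and never leaves it."""
    return secrets.token_bytes(KEY_LEN)


def set_odd_parity(key: bytes) -> bytes:
    """DES key bytes conventionally carry odd parity in the low bit."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def diversify_9b_key(master_key: bytes, card_id: bytes) -> bytes:
    """Illustrative 'Key Diversity: Diverse': derive a per-card 9B key from the
    master key and a unique card identifier (hypothetical KDF, not MyID's)."""
    digest = hmac.new(master_key, b"PIV-9B|" + card_id, hashlib.sha256).digest()
    return set_odd_parity(digest[:KEY_LEN])


def issue_cards(master_key: bytes, card_ids: list, diverse: bool) -> dict:
    """Return the 9B key written to each card. Static mode (test systems only)
    writes the same master key to every card."""
    return {cid: diversify_9b_key(master_key, cid) if diverse else master_key
            for cid in card_ids}


def cards_exposed_by_leak(issued: dict, leaked_key: bytes) -> int:
    """Count cards whose 9B key matches one leaked card key."""
    return sum(1 for k in issued.values() if k == leaked_key)


if __name__ == "__main__":
    master = generate_master_key()
    ids = [b"CARD-0001", b"CARD-0002", b"CARD-0003"]  # constructed card identifiers
    static = issue_cards(master, ids, diverse=False)
    diverse = issue_cards(master, ids, diverse=True)
    leaked = ids[0]
    print("static keys, cards exposed by one leak :", cards_exposed_by_leak(static, static[leaked]))
    print("diverse keys, cards exposed by one leak:", cards_exposed_by_leak(diverse, diverse[leaked]))
```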
4.1.3 Implementation
Use the Key Manager workflow to set up your customer PIV 9B keys, using the Key Diversity: Diverse and Automatically Generate Encryption Key on HSM options.
See the PIV card application administration key (9B) section of the PIV Integration Guide for details of using the Key Manager workflow.
To verify that the system has been configured correctly, issue a card, then examine the audit logs for the issuance. A row should appear in the audit logs indicating that the PIV 9B keyset was changed to Customer.
4.1.4 Considerations
If you issue a card with a customer PIV 9B key and later intend to use that card on a different MyID installation, you must first cancel the card on the system on which it was issued – cancellation changes the PIV 9B key back to the factory setting.
4.1.5 Recommendations
- You must configure your system for customer PIV 9B keys before your production system goes live.
- You must set up the PIV 9B keys to be diversified and HSM-generated.
- If you add a new device type to your system, you must set up the customer PIV 9B key for it separately.
- Use the audit logs to confirm that the PIV 9B keys are being changed to customer values.