5.1 PIV card application administration key (9B)
To authenticate to a PIV card (and therefore manage it), the smart card management system must know the card's secret shared key: the PIV Card Application Administration Key, referenced as key 9B. You must enter the value of this key into MyID. If you do not have the factory 9B key set by the card manufacturer, you cannot issue cards.
9B keys and related specifications are defined in NIST SP 800-73 – Interfaces for Personal Identity Verification, available from csrc.nist.gov.
5.1.1 Factory 9B keys
When PIV cards are manufactured, they are loaded with a factory 9B key. Your smart card supplier will have given you this key as a hexadecimal string of either 32 characters (a 16-byte key) or 48 characters (a 24-byte key). The length must match the Encryption Type you select below.
- From the Configuration category, select Key Manager.
You can also launch this workflow from the Configuration Settings section of the More category in the MyID Operator Client. See the Using Configuration Settings workflows section in the MyID Operator Client guide for details.
- From the Select Key Type to Manage list, select PIV 9B Card Administration Key and click Next.
- Click Add New Key.
- Select the Credential Type from the drop-down list. This is the type of card you are using.
- Select the attributes for the key if required:
- Exportable – the key can subsequently be exported. Leave this unselected unless you have a specific operational need to export the key; marking a key exportable widens the ways in which its value can leave the system.
- Select Factory from the Key Type drop-down list. This means that you are using the key provided by your supplier.
- From the Key Diversity drop-down list, select Static for static keys, or one of the Diverse options for diversified keys.
See the Smart Card Integration Guide for the key diversity option for your type of card.
- From the Encryption Type drop-down list, select the encryption used.
See the Smart Card Integration Guide for the encryption option for your type of card.
Warning: Make sure you select the Encryption Type supported by the devices you are using. The Encryption Type determines the expected key length, so it must also match the 32- or 48-character key your supplier gave you. If the key length is wrong, you will not be able to issue cards.
- Type a Description for the key.
- If you are storing the key in the database, choose one of the following options:
- Automatically Generate Encryption Key in Software and Store on Database – MyID creates a random key for you and stores it in the database.
- Encryption Key – type the hexadecimal key in the box. Optionally, include the KeyChecksum Value supplied with the key; a key check value is used to confirm that the key was entered correctly before it is used against cards.
- Use Key Ceremony – if you have the key in key ceremony format (encrypted by a Transport Key), select this option. When you click Enter Keys, the key ceremony wizard launches so that you can enter the key ceremony data into the database.
- If you are storing the key on an HSM, and have selected Diverse key diversity, select one of the following options:
- Automatically Generate Encryption Key on HSM and Store on HSM – this option generates a key on the HSM.
- Existing HSM Key Label – if you have an existing key on your HSM that you want to use, type its label.
- Use Key Ceremony – if you have the key in key ceremony format (encrypted by a Transport Key), select this option. When you click Enter Keys, the key ceremony wizard will launch, allowing you to enter the key ceremony data into the HSM.
Note: If an HSM is available, Intercede recommends it is used as it provides stronger protection for the key.
- Click Save.
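Before typing a supplier-provided factory 9B key into Key Manager, it is worth checking offline that the value has the right length and that it matches the key check value the supplier sent, so that a mistyped or truncated key is caught before a card fails to issue. The following Go program is an added example written for this page, not MyID or Intercede code. It assumes two illustrative Encryption Type labels, "3DES" and "AES" (the page itself does not name the options; consult your Smart Card Integration Guide), and it assumes the common key check value convention of taking the first three bytes of the cipher applied to an all-zero block. The all-zero sample key is constructed for the demonstration and is not a real factory key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ParseAdminKey checks that a supplier-provided 9B key is 32 or 48 hex
// characters (a 16- or 24-byte key) and returns the raw key bytes.
func ParseAdminKey(s string) ([]byte, error) {
	s = strings.ReplaceAll(strings.TrimSpace(s), " ", "")
	if len(s) != 32 && len(s) != 48 {
		return nil, fmt.Errorf("9B key must be 32 or 48 hex characters, got %d", len(s))
	}
	key, err := hex.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("9B key is not valid hexadecimal: %w", err)
	}
	return key, nil
}

// newBlock builds a block cipher for the assumed algorithm labels "3DES" and "AES".
// A 16-byte 3DES key is two-key 3DES, so it is expanded to K1||K2||K1.
func newBlock(alg string, key []byte) (cipher.Block, error) {
	switch alg {
	case "3DES":
		k := key
		if len(key) == 16 {
			k = append(append([]byte{}, key...), key[:8]...)
		}
		return des.NewTripleDESCipher(k)
	case "AES":
		return aes.NewCipher(key)
	}
	return nil, errors.New("unknown algorithm " + alg)
}

// KCV returns the key check value as upper-case hex: the first three bytes of
// the cipher applied to an all-zero block (the common KCV convention; assumed).
func KCV(alg string, key []byte) (string, error) {
	b, err := newBlock(alg, key)
	if err != nil {
		return "", err
	}
	zero := make([]byte, b.BlockSize())
	out := make([]byte, b.BlockSize())
	b.Encrypt(out, zero)
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// VerifyKey parses the hex key and compares its KCV with the one the supplier gave.
func VerifyKey(alg, hexKey, expectedKCV string) error {
	key, err := ParseAdminKey(hexKey)
	if err != nil {
		return err
	}
	got, err := KCV(alg, key)
	if err != nil {
		return err
	}
	if !strings.EqualFold(got, expectedKCV) {
		return fmt.Errorf("KCV mismatch: computed %s, supplier says %s", got, strings.ToUpper(expectedKCV))
	}
	return nil
}

func main() {
	// Constructed sample: an all-zero two-key 3DES key, NOT a real factory key.
	sample := strings.Repeat("00", 16)
	if err := VerifyKey("3DES", sample, "8CA64D"); err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Println("KCV matches; the value can be entered into Key Manager")
}
```

Run the check against the key and KCV from the supplier's key letter; only enter the key into Key Manager when the KCV matches, and select the Encryption Type whose key length corresponds to the validated value.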
5.1.2 Customer 9B keys
You can configure a customer 9B key for PIV systems. When issuing a card, MyID replaces the factory 9B key on the card with the customer 9B key.
Note: If no customer 9B key is created for a PIV card type, cards of that type keep the factory 9B key after issue. The factory 9B key is set by the manufacturer and may be known to third parties, so it cannot be relied on to protect issued cards. We recommend that a diverse customer 9B key is generated in the HSM for all PIV device types to be issued. PIV compliant installations must specify diverse customer 9B keys in the HSM.
Because the customer 9B key is specific to your installation, a card issued with it cannot simply be reused in a different installation. If you need to reuse the card elsewhere, you must first cancel it: canceling a card changes the customer 9B key back to the factory 9B key so the card can be reused.
Note: If you lose the key data held in the database, MyID can no longer authenticate to the issued cards, so you will no longer be able to cancel or unlock them.
- From the Configuration category, select Key Manager.
You can also launch this workflow from the Configuration Settings section of the More category in the MyID Operator Client. See the Using Configuration Settings workflows section in the MyID Operator Client guide for details.
- From the Select Key Type to Manage list, select PIV 9B Card Administration Key and click Next.
- Click Add New Key.
- Select the Credential Type from the drop-down list. This is the type of card you are using.
- Select the attributes for the key if required:
- Exportable – the key can subsequently be exported. Leave this unselected unless you have a specific operational need to export the key; marking a key exportable widens the ways in which its value can leave the system.
- Select Customer from the Key Type drop-down list.
- Select Static, Diverse2, or Diverse108 from the Key Diversity drop-down list.
Intercede recommends using diverse 9B customer keys as this enhances the security of the solution.
See the Smart Card Integration Guide for the appropriate diversity option for your type of card. If the guide does not list the diversification algorithm for your card type, choose Diverse2.
- Select the same Encryption Type as you specified for the factory key.
- Type a Description for the key.
- If you are storing the key in the database, choose one of the following options:
- Automatically Generate Encryption Key in Software and Store on Database – MyID creates a random key for you and stores it in the database.
- Encryption Key – type the hexadecimal key in the box. Optionally, include the KeyChecksum Value; a key check value is used to confirm that the key was entered correctly before it is used against cards.
- Use Key Ceremony – if you have the key in key ceremony format (encrypted by a Transport Key), select this option. When you click Enter Keys, the key ceremony wizard launches so that you can enter the key ceremony data into the database or HSM (if available).
- If you are storing the key on an HSM, and have selected Diverse key diversity, select one of the following options:
- Automatically Generate Encryption Key on HSM and Store on HSM – this option generates a key on the HSM.
- Existing HSM Key Label – if you have an existing key on your HSM that you want to use, type its label.
Note: If an HSM is available, Intercede recommends it is used as it provides stronger protection for the key.
- Click Save.
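The recommendation above to use a diverse customer 9B key rests on a property that is easy to see in code: with a diversified scheme, each card carries its own 9B key derived from a master key and a card-unique identifier, so the key recovered from one card is useless against any other card, while the management system can recompute any card's key on demand from the master (which is also why losing the master key data leaves issued cards unmanageable). The following Go program is an added illustration written for this page, not MyID or Intercede code. It uses a generic counter-mode KDF with HMAC-SHA256 in the style of NIST SP 800-108; it is explicitly NOT the Diverse2 or Diverse108 algorithm, whose definitions this page does not give, and the derivation label, master key and card identifiers are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// DiversifyKey derives a per-card 9B key of keyLen bytes (16 or 24) from a
// master key and a card-unique identifier. Generic SP 800-108-style counter-mode
// KDF with HMAC-SHA256 as the PRF: K(i) = HMAC(master, i || label || 0x00 || cardID || L).
// Illustrative only; this is NOT Intercede's Diverse2 or Diverse108 algorithm.
func DiversifyKey(master, cardID []byte, keyLen int) ([]byte, error) {
	if keyLen != 16 && keyLen != 24 {
		return nil, fmt.Errorf("9B keys are 16 or 24 bytes, got %d", keyLen)
	}
	if len(cardID) == 0 {
		return nil, fmt.Errorf("card identifier must not be empty")
	}
	label := []byte("PIV-9B-card-admin") // assumed label; fixes the key's purpose
	var out []byte
	for i := uint32(1); len(out) < keyLen; i++ {
		mac := hmac.New(sha256.New, master)
		binary.Write(mac, binary.BigEndian, i)                 // counter
		mac.Write(label)                                       // purpose label
		mac.Write([]byte{0})                                   // separator
		mac.Write(cardID)                                      // per-card context
		binary.Write(mac, binary.BigEndian, uint32(keyLen*8))  // output length in bits
		out = mac.Sum(out)
	}
	return out[:keyLen], nil
}

func main() {
	// Constructed sample master key and card identifiers (not real values).
	// In a real system the master would live in the HSM and the identifier
	// would be a card-unique value read from the card at issuance.
	master, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	cardA := []byte("sample-card-identifier-A")
	cardB := []byte("sample-card-identifier-B")

	keyA, _ := DiversifyKey(master, cardA, 16)
	keyB, _ := DiversifyKey(master, cardB, 16)
	again, _ := DiversifyKey(master, cardA, 16)

	fmt.Printf("card A 9B key: %X\n", keyA)
	fmt.Printf("card B 9B key: %X\n", keyB)
	fmt.Println("distinct per card:", !bytes.Equal(keyA, keyB))
	fmt.Println("recomputable from master:", bytes.Equal(keyA, again))
}
```

Contrast this with a static customer key, where every issued card shares one value and exposure of any single card's 9B key exposes the whole population. Whatever diversification algorithm your Smart Card Integration Guide specifies, the same two properties are what the HSM-held master key provides: per-card uniqueness and recomputability at cancel or unlock time.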