Ambimat Group Ambimat AmbiSecure eSIM Initiative Engineering Blog Ahmedabad · India · Est. 1981
ASAmbiSecureHardware-rooted security
Contact
PIV Applet / Nano SIM

AmbiSecure PIV Nano-Card Applet

A PIV-compatible JavaCard applet on a nano-card (4FF) secure element. Four certificate slots, on-card key generation, RSA + ECC. Designed against the NIST SP 800-73 / FIPS 201 surface so workforce-identity stacks that expect PIV semantics — PKINIT, smart-card logon, certificate-based VPN — can run unchanged on a nano-card form factor.

PIVFIPS 201 surfaceRSA 2048/3072ECC P-256/384Nano SIM (4FF)
Request datasheet
AmbiSecure PIV nano-card applet — NIST SP 800-73 PIV on a nano-card secure element
Why a PIV applet on a nano-card

The PIV applet model on the trust boundary you already deploy.

PIV semantics, nano-card form factor

Existing PIV middleware (PIVKey, OpenSC, Microsoft Smart Card BaseCSP) talks to the applet exactly as if it were on a contact card. The host doesn’t care that the silicon is in a nano-card (4FF) package rather than an ID-1 card.

Four standard slots

PIV Authentication, Card Authentication, Digital Signature, Key Management. RSA 2048 / 3072 and ECC P-256 / P-384 supported in each, per FIPS 201.

On-card key generation

Private keys are generated inside the secure element. They never leave. Public keys plus on-card attestation are emitted for the issuance CA to sign.

Physical + logical convergence

Pair with a separate physical-access credential (DESFire, MIFARE) on the same chip variant where the use case demands one card for door and computer.

Standards-aligned

Designed against NIST SP 800-73-4 command set and FIPS 201-3. AmbiSecure has not yet submitted this applet for formal certification — standards conformance is a design property, not a published certification claim.

Lifecycle-aware

Slot replay, key history retention, and CHUID generation match the PIV lifecycle expectations. Migrating from a contact card to a nano-card form factor is a personalisation change, not a stack change.

Specifications

What is in the applet.

Form factorISO/IEC 7810 4FF nano SIM, 12.3 × 8.8 × 0.67 mm. eUICC variant for soldered deployments.
InterfacesISO/IEC 7816 contact (T=0 / T=1) via a contact reader bay; NFC where the host supports it.
Standard surfaceNIST SP 800-73-4 PIV applet command set. Targets the FIPS 201-3 functional profile; not yet submitted for FIPS / CC evaluation.
Keys per slotPIV Authentication, Card Authentication, Digital Signature, Key Management — RSA 2048 or 3072, ECC P-256 or P-384.
Crypto operationsSign, verify, decrypt, key generation, PIN policy, key-history retention.
Operating systemJavaCard 3.x on a Common Criteria EAL5+ secure element.
IssuanceLoaded over GlobalPlatform SCP03. Issuance CA can be customer-operated or run through AmbiSecure personalisation.
Companion appletsFIDO2 nano-card applet, OpenPGP applet, DESFire applet can co-reside on the same chip variant subject to memory budget.
Lifecycle

Issuance through revocation.

PIV is a lifecycle, not a primitive. Here is what an issuance line looks like.

01

Enrolment

User identity proofing per the issuer’s authority. Out of scope for the silicon; in scope for the workflow design.

02

Personalisation

Applet load, slot key generation, CHUID write, attestation chain. Done in a controlled facility.

03

CA signing

Public keys exported from the card go to the issuance CA. Signed certificates injected back into the matching slots.

04

Issue

Card or SIM handed to the user. Credential active across the enterprise / agency identity surface.

05

Revoke

OCSP / CRL update at the CA. Slot status set to inactive at the next admin contact.

Connected reading

Where this fits in the bigger picture.

Solution: Government identity

Where a PIV-compatible applet fits in a national or workforce identity programme.

View solution →

Solution: Workforce identity

Issuance, daily auth, recovery, off-boarding — on a PIV-shaped applet.

View solution →

Blog: PIV vs USB vs embedded SE

Decision matrix for workforce identity hardware classes.

Read article →

Blog: PKI credential issuance

The issuance and revocation pipeline behind a PIV deployment.

Read article →

Service: ePassport Platform

The wider government identity engineering capability that pairs with PIV applets.

View service →

Product: PKCS Signature Suite

Cross-platform PKCS#11 middleware that consumes the PIV signing slot.

View product →

Pilot a PIV applet in nano SIM.

Tell us your target issuance CA, certificate policy, and slot configuration. We can ship engineering samples and an issuance reference flow in 6–8 weeks.

Request a pilot