ANSI INCITS ISO IEC 24727-2-2008 Identification cards Integrated circuit card programming interfaces Part 2 Generic card interface.pdf

INCITS/ISO/IEC 24727-2-20082009 (ISO/IEC 24727-2:2008, IDT)

Identification cards - Integrated circuit card programming interfaces - Part 2: Generic card interface

ITIC 2009 All rights reserved

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.

Date of ANSI Approval: 7/27/2009

Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036

Copyright 2009 by Information Technology Industry Council (ITI). All rights reserved.

These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005.

Printed in the United States of America

Contents

1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Organization for interoperability
  5.1 Command-response pairs for interoperability
    5.1.1 Command and response encoding
    5.1.2 Class byte
    5.1.3 Instruction byte
    5.1.4 File descriptor byte
  5.2 Card states for interoperability
  5.3 Status words for interoperability
  5.4 Data structures for interoperability
  5.5 Card-applications for interoperability
    5.5.1 Alpha card-application
    5.5.2 Cryptographic information application
6 Capability descriptions
  6.1 Card capability description (CCD)
  6.2 Application capability description (ACD)
  6.3 Procedural elements
    6.3.1 Model of computation for procedural elements
    6.3.2 Use of procedural elements
  6.4 Determining the value of capability descriptions
    6.4.1 General principle
    6.4.2 Determining the value of the CCD
    6.4.3 Determining the value of an ACD
Annex A (informative) Profiles for the cryptographic information application on the generic card interface
  A.1 Profile A
    A.1.1 EF.CIAInfo
    A.1.2 EF.OD
    A.1.3 EF.PrKD
    A.1.4 EF.PuKD
    A.1.5 EF.SKD
    A.1.6 EF.CD
    A.1.7 EF.AOD
    A.1.8 EF.DCOD
Annex B (informative) Instances of profile A
  B.1 eSign K Specification
Annex C (normative) Cryptographic information application for card-application service description
Annex D (informative) Example of cryptographic information application for card-application service description
Annex E (informative) DID Discovery
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 24727-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification.

ISO/IEC 24727 consists of the following parts, under the general title Identification cards - Integrated circuit card programming interfaces:

- Part 1: Architecture
- Part 2: Generic card interface
- Part 3: Application interface
- Part 4: API administration

The following parts are under preparation:

- Part 5: Testing
- Part 6: Registration authority procedures for the authentication protocols for interoperability

Introduction

ISO/IEC 24727 defines interoperable programming interfaces to integrated circuit cards. Programming interfaces are defined for all card lifecycle stages and for use with integrated circuit cards. ISO/IEC 24727 is written with sufficient detail and completeness that independent implementations of each part are interchangeable and can interoperate with independent implementations of the other parts.

This part of ISO/IEC 24727 specifies a command-level programming interface to contactless integrated circuit cards and cards with contacts that is a concretization of the concepts, data structures and commands found in the following documents:

- ISO/IEC 7816-4, Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange
- ISO/IEC 7816-8, Identification cards - Integrated circuit cards - Part 8: Commands for security operations
- ISO/IEC 7816-9, Identification cards - Integrated circuit cards - Part 9: Commands for card management
- ISO/IEC 7816-15, Identification cards - Integrated circuit cards - Part 15: Cryptographic information application
- ISO/IEC 20060, Information technology - Open Terminal Architecture (OTA) specification - Virtual machine specification

The commands and data objects described in this part of ISO/IEC 24727 are consistent with the commands and data objects found in these documents which will be referred to as the base documents.

This part of ISO/IEC 24727 maximizes the fungibility of independent realizations of its prescriptions. This property of this part of ISO/IEC 24727 is realized by positing a minimally sufficient subset of the base standards which realizes their core functionality through the minimization of the number of options provided.

Identification cards - Integrated circuit card programming interfaces - Part 2: Generic card interface

1 Scope

This part of ISO/IEC 24727 defines a generic card interface for integrated circuit cards. This interface is presented as:

- command-response pairs for interoperability;
- card and application capability description and determination.

This part of ISO/IEC 24727 is based on ISO/IEC 7816-4, ISO/IEC 7816-8, ISO/IEC 7816-9, and ISO/IEC 7816-15.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 24727-1, Identification cards - Integrated circuit card programming interfaces - Part 1: Architecture

ISO/IEC 7816-4, Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange

ISO/IEC 7816-8, Identification cards - Integrated circuit cards - Part 8: Commands for security operations

ISO/IEC 7816-9, Identification cards - Integrated circuit cards - Part 9: Commands for card management

ISO/IEC 7816-15, Identification cards - Integrated circuit cards - Part 15: Cryptographic information application

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 24727-1 and the following apply.

3.1
data object
information seen at the interface consisting of the concatenation of a mandatory ISO/IEC 8825 DER-encoded tag field, a mandatory ISO/IEC 8825 DER-encoded length field and a conditional value field

3.2
file
structure for application and/or data in the card, as seen at the generic card interface when processing commands

3.3
translation code
procedural software that transforms commands on the generic card interface to commands implemented on an integrated circuit card

4 Abbreviated terms

For the purposes of this document, the abbreviated terms given in ISO/IEC 24727-1 and the following apply.

ATS   answer to select, as defined in ISO/IEC 14443-3
DF    dedicated file
DO    data object
FCP   file control parameters
FID   file identifier
RFU   reserved for further use

5 Organization for interoperability

This clause specifies a subset of the structure, commands and data structure defined in ISO/IEC 7816-4, ISO/IEC 7816-8 and ISO/IEC 7816-9.

The following cannot be specified at the generic card interface:

- short file identifiers;
- logical channels;
- files with record structure.

The physical card mapped to the generic card interface by the translation code may use a short EF identifier, logical channels, and record structure files.

5.1 Command-response pairs for interoperability

5.1.1 Command and response encoding

Requests at the GCI are logically equivalent to command APDUs as specified in ISO/IEC 7816-4, ISO/IEC 7816-8 and ISO/IEC 7816-9. Confirmations at the GCI are logically equivalent to response APDUs as specified in ISO/IEC 7816-4, ISO/IEC 7816-8 and ISO/IEC 7816-9.

The following interface may be used to send a generic card interface command directly to an implementation of this part of ISO/IEC 24727:

    sequence-of-bytes ExecuteCommand(sequence-of-bytes command)

This interface sends a command to the ISO/IEC 24727-2 implementation and returns as its value the response of the ISO/IEC 24727-2 implementation. Further interfaces may be defined in other parts of ISO/IEC 24727.

5.1.2 Class byte

Table 1 lists the class byte values that shall be used in commands on the generic card interface.

Table 1 - CLA Values on the GCI

| b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Description |
|----|----|----|----|----|----|----|----|-------------|
| 0 | - | - | 0 | - | - | - | - | The command is the last or only command of a chain |
| 0 | - | - | 1 | - | - | - | - | The command is not the last command of a chain |
| 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | The command is for the Part 2 implementation |

This part of ISO/IEC 24727 shall support command chaining only for the transmission of data strings too long for a single command; i.e. constant INS, P1 and P2 across all commands in the chain.

For transmission of requests acted upon by the ISO/IEC 24727-2 implementation, generally without transmission of APDUs to the card, CLA = FF shall be used.

5.1.3 Instruction byte

Tables 2 and 3 list the instruction byte values that should be used in commands at the GCI as these commands guarantee the standardized independence of the ISO/IEC 24727-2 and ISO/IEC 24727-3 implementations. A GCI request with an INS not found in Table 2 shall be sent directly to the card and the card-interface response shall be returned to the entity having made the GCI request. Commands with instruction bytes listed in Table 3 shall be acted on by the ISO/IEC 24727-2 implementation and shall not be provided to the translation script.

Table 2 - Requests on the GCI Handled by the Translation Script

| Command Name | INS | Package | Limitations |
|--------------|-----|---------|-------------|
| SELECT | A4 | A | SELECT by file identifier (P1-P2 = 00-04 or 00-0C) and SELECT by DF name (P1-P2 = 04-04 or 04-0C) with return of FCP data object or no data shall be supported. (See Note) |
| READ BINARY | B0 | A | Bit 8 of P1 shall be set to 0. |
| READ BINARY | B1 | A | P1 and P2 shall be set to 00. |
| UPDATE BINARY | D6 | A | Bit 8 of P1 shall be set to 0. |
| UPDATE BINARY | D7 | A | P1 and P2 shall be set to 00. |
| GET DATA | CA CB | A | None. |
| PUT DATA | DA DB | A | When PUT DATA references a data object that already exists it shall be overwritten. |
| GENERATE ASYMMETRIC KEY PAIR | 46 47 | B | Out of scope |
| VERIFY | 20 | A | P2 is not zero. |
| VERIFY | 21 | A | P2 is not zero. |
| CHANGE REFERENCE DATA | 24 | A | None. |
| GET CHALLENGE | 84 | A | None. |
| INTERNAL AUTHENTICATE | 88 | A | None. |
| EXTERNAL AUTHENTICATE | 82 | A | None. |
| MUTUAL AUTHENTICATE | 82 | A | None. |
| GENERAL AUTHENTICATE | 86 87 | A | None. |
| PERFORM SECURITY OPERATION: COMPUTE DIGITAL SIGNATURE | 2A | A | P1=9E P2=9A. Command data field: - Absent (hash value provided via PERFORM SECURITY OPERATION:HASH |
| PERFORM SECURITY OPERATION: VERIFY DIGITAL SIGNATURE | 2A | A | P1=00 P2=A8. Command data field: - DO 9E |
| PERFORM SECURITY OPERATION: HASH | 2A | A | P1=90 P2=80 or 9A. Command data field: 1) - DO 90 (intermediate hash value \| amount of bits already hashed) \| DO 80 (final text block) or 2) - DO 90 hash value |
| PERFORM SECURITY OPERATION: VERIFY CERTIFICATE | 2A | A | P1=00 P2=AE or BE. Command data field: - DO 7F21 (card verifiable certificate) |
| PERFORM SECURITY OPERATION: ENCIPHER | 2A | A | P1=86 P2=80. Command data field: data to be enciphered |
| PERFORM SECURITY OPERATION: DECIPHER | 2A | A | P1=80 P2=86. Command data field: data to be deciphered (Pl \| cryptogram) |
| MANAGE SECURITY ENVIRONMENT | 22 | A | SET (P1=x1) and RESTORE (P1=F3) |
| CREATE FILE | E0 | B | Only FCP data objects in Table 9 are supported. The created file becomes the current file. |
| DELETE FILE | E4 | B | Only P1-P2 = 00-00 is supported. After deletion of the file the parent of the deleted file becomes the currently selected dedicated file. |
| ACTIVATE FILE | 44 | B | Only P1-P2 = 00-00 is supported |
| DEACTIVATE FILE | 04 | B | Only P1-P2 = 00-00 is supported |
| RESET RETRY COUNTER | 2C | A | None |
| GET RESPONSE | C0 | A | Only P1-P2 = 00-00 is supported. The status word 6985 means there are no data to retrieve |

Note: In the case of SELECT by DF name with return o
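The routing rules of 5.1.2 and 5.1.3, as an added Python example that is not part of ISO/IEC 24727-2: it reads the four header bytes of a GCI request, applies Table 1 to CLA, enforces constant INS, P1 and P2 inside a command chain, and checks the P1/P2 entries of the Table 2 Limitations column. The name `GciRouter`, the return labels and the reading of each Limitations entry as a reject condition are assumptions; Table 3 is not reproduced on this page, so only CLA = FF is routed to the Part 2 implementation.

```python
# Added example (not from ISO/IEC 24727-2): routes a GCI request header using
# Table 1 (CLA) and Table 2 (INS, Limitations). All names here are hypothetical.
TABLE2_INS = set(bytes.fromhex(
    "A4 B0 B1 D6 D7 CA CB DA DB 46 47 20 21 24 84 88 82 86 87 2A 22 E0 E4 44 04 2C C0"))
P1P2_ZERO = lambda p1, p2: (p1, p2) == (0x00, 0x00)
P1_BIT8_CLEAR = lambda p1, p2: p1 & 0x80 == 0
P2_NONZERO = lambda p1, p2: p2 != 0
# Limitations column of Table 2, restricted to the rows that constrain P1/P2.
LIMITS = {
    0xA4: lambda p1, p2: (p1, p2) in {(0x00, 0x04), (0x00, 0x0C), (0x04, 0x04), (0x04, 0x0C)},
    0xB0: P1_BIT8_CLEAR, 0xD6: P1_BIT8_CLEAR,
    0xB1: P1P2_ZERO, 0xD7: P1P2_ZERO,
    0x20: P2_NONZERO, 0x21: P2_NONZERO,
    0x2A: lambda p1, p2: (p1, p2) in {(0x9E, 0x9A), (0x00, 0xA8), (0x90, 0x80), (0x90, 0x9A),
                                      (0x00, 0xAE), (0x00, 0xBE), (0x86, 0x80), (0x80, 0x86)},
    0x22: lambda p1, p2: p1 & 0x0F == 0x01 or p1 == 0xF3,   # SET (P1=x1) or RESTORE
    0xE4: P1P2_ZERO, 0x44: P1P2_ZERO, 0x04: P1P2_ZERO, 0xC0: P1P2_ZERO,
}

class GciRouter:
    """Decides where one GCI request goes and tracks command chaining state."""

    def __init__(self):
        self.chain = None  # (INS, P1, P2) of an open chain, else None

    def route(self, apdu: bytes) -> str:
        if len(apdu) < 4:
            raise ValueError("command header needs CLA INS P1 P2")
        cla, ins, p1, p2 = apdu[:4]
        if cla == 0xFF:                       # Table 1, third row
            return "implementation"
        if cla & 0x80:                        # b8 = 1 but not FF: no Table 1 row
            raise ValueError(f"CLA {cla:02X} is not a Table 1 value")
        if self.chain not in (None, (ins, p1, p2)):
            raise ValueError("INS/P1/P2 changed inside a command chain")
        self.chain = (ins, p1, p2) if cla & 0x10 else None   # b5 = 1: chain continues
        if ins not in TABLE2_INS:
            return "card"                     # sent directly to the card
        if ins in LIMITS and not LIMITS[ins](p1, p2):
            raise ValueError(f"INS {ins:02X} with P1-P2 {p1:02X}-{p2:02X} violates Table 2")
        return "translation"                  # handled by the translation script
```

A rejected READ BINARY with bit 8 of P1 set is the case where ISO/IEC 7816-4 would read a short EF identifier from P1, which clause 5 excludes from the generic card interface.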
