ANSI INCITS ISO IEC 7816-13-2007 Identification cards - Integrated circuit cards - Part 13 Commands for application management in a multi-application environment.pdf

1、INCITS/ISO/IEC 7816-13:20072008(ISO/IEC 7816-13:2007, IDT) Identification cards Integrated circuit cards Part 13: Commands for applicationmanagement in a multi-applicationenvironmentIICITS/ISO/IEC 7816-13:20072008(ISO/IEC 7816-13:2007, IDT)INCITS/ISO/IEC 7816-13:20072008ii ITIC 2008 All rights reser

2、ved PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this fi

3、le, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info r

4、elative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Ad

5、opted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/2/2008 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2008 by Information Technology Industry Council

6、 (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part

7、of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America INCITS/ISO/

8、IEC 7816-13:20072008 ITIC 2008 All rights reserved iii Contents Page Foreword iv Introduction .v 1 Scope 1 2 Normative references .1 3 Terms and definitions 1 4 Abbreviations and notation2 5 Multi-application environment and application life cycle .2 5.1 Multi-application environment .2 5.2 Applicat

9、ion life cycle 3 5.3 Memory resource assignment data objects for interoperability 5 6 Card management service recognition .6 6.1 Card management service template 6 6.2 Card management service template retrieval7 7 Commands for application management 7 7.1 APPLICATION MANAGEMENT REQUEST command 8 7.2

10、 LOAD APPLICATION command .9 7.3 REMOVE APPLICATION command 10 7.4 Application management considerations 11 Annex A (informative) An example of card application management on an independent card issuer and application provider model 12 Annex B (informative) A practical example of card application ma

11、nagement 14 Annex C (informative) A further practical example of card application management 18 Annex D (informative) A further practical example of card application management 21 Bibliography 23 INCITS/ISO/IEC 7816-13:20072008 iv ITIC 2008 All rights reserved Foreword ISO (the International Organiz

12、ation for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respe

13、ctive organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of informati

14、on technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International

15、Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the s

16、ubject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 7816-13 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification. ISO/IEC 7816 consists of the follo

17、wing parts, under the general title Identification cards Integrated circuit cards: Part 1: Cards with contacts Physical characteristics Part 2: Cards with contacts Dimensions and location of the contacts Part 3: Cards with contacts Electrical interface and transmission protocols Part 4: Organization

18、, security and commands for interchange Part 5: Registration of application providers Part 6: Interindustry data elements for interchange Part 7: Interindustry commands for Structured Card Query Language (SCQL) Part 8: Commands for security operations Part 9: Commands for card management Part 10: Ca

19、rds with contacts Electronic signals and answer to reset for synchronous cards Part 11: Personal verification through biometric methods Part 12: Cards with contacts USB electrical interface and operating procedures Part 13: Commands for application management in a multi-application environment Part

20、15: Cryptographic information application INCITS/ISO/IEC 7816-13:20072008 ITIC 2008 All rights reserved v Introduction ISO/IEC 7816 is a series of International Standards specifying integrated circuit cards and the use of such cards for interchange. These cards are identification cards intended for

21、information exchange negotiated between the outside world and the integrated circuit in the card. As a result of an information exchange, the card delivers information (computation result, stored data), and/or modifies its content (data storage, event memorization). Five parts are specific to cards

22、with galvanic contacts and three of them specify electrical interfaces. ISO/IEC 7816-1 specifies physical characteristics for cards with contacts. ISO/IEC 7816-2 specifies dimensions and location of the contacts. ISO/IEC 7816-3 specifies electrical interface and transmission protocols for asynchrono

23、us cards. ISO/IEC 7816-10 specifies electrical interface and answer to reset for synchronous cards. ISO/IEC 7816-12 specifies electrical interface and operating procedures for USB cards. All the other parts are independent of the physical interface technology. They apply to cards accessed by contact

24、s and/or by contactless methods. ISO/IEC 7816-4 specifies organization, security and commands for interchange. ISO/IEC 7816-5 specifies registration of application providers. ISO/IEC 7816-6 specifies interindustry data elements for interchange. ISO/IEC 7816-7 specifies commands for structured card q

25、uery language. ISO/IEC 7816-8 specifies commands for security operations. ISO/IEC 7816-9 specifies commands for card management. ISO/IEC 7816-11 specifies personal verification through biometric methods. ISO/IEC 7816-13 specifies commands for application management in a multi-application environment

26、. ISO/IEC 7816-15 specifies cryptographic information application. ISO/IEC 10536 specifies access by close coupling. ISO/IEC 14443 and ISO/IEC 15693 specify access by radio frequency. Such cards are also known as contactless cards. AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 7816-13:20072008 ITIC 2008

27、 All rights reserved 1 Identification cards Integrated circuit cards Part 13: Commands for application management in a multi-application environment 1 Scope This part of ISO/IEC 7816 specifies commands for application management in a multi-application environment. These commands cover the entire lif

28、e cycle of applications in a multi-application integrated circuit card, and the commands can be used before and after the card is issued to the cardholder. This part of ISO/IEC 7816 does not cover the implementation within the card and/or the outside world. 2 Normative references The following refer

29、enced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7816-4:2005, Identification cards Integrated circuit cards O

30、rganization, security and commands for interchange ISO/IEC 7816-9:2004, Identification cards Integrated circuit cards Commands for card management ISO/IEC 8825-1:2002, Information technology ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Disting

31、uished Encoding Rules (DER) 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 application structures, data elements and program modules needed for performing a specific functionality ISO/IEC 7816-4 3.2 application provider entity providing the

32、components that make up an application in the card ISO/IEC 7816-4 3.3 card platform on-card component responsible for basic card functions INCITS/ISO/IEC 7816-13:20072008 2 ITIC 2008 All rights reserved 3.4 card manager application card application providing card application management functionality

33、 and supervising assignment of the cards resources 4 Abbreviations and notation AID application identifier APP application DF dedicated file DO data object ICC integrated circuit card P1-P2 parameter bytes (inserted for clarity, the dash is not significant) RID registered application provider identi

34、fier 5 Multi-application environment and application life cycle 5.1 Multi-application environment A multi-application environment in the context of this document has the following characteristics. a) An application is a uniquely addressable set of functionalities on a multi-application card that pro

35、vides data storage and computational services. b) An application may be added to the card before or after the card is issued to the cardholder. c) More than one application may be added to the card. d) The card platform provides mechanisms for managing card resources e.g. memory. e) The card platfor

36、m provides a security boundary mechanism for each application to prevent unauthorized interaction and security violation from any other application on the card. f) An application provider is an entity that provides services to the cardholder using a cards application and is responsible for the appli

37、cations behavior. g) An application provider for an application on a card may be distinct from the card issuer. h) The life cycle of an application is independent from the life cycle of any other application in the same card. i) The life cycle of an application is independent from the life cycle of

38、the card except when the card is in the termination state, as defined in ISO/IEC 7816-9. j) All applications shall be at least selectable using the SELECT command by specifying its AID as the DF name, as defined in ISO/IEC 7816-4. k) A card manager application shall be present, unique, and selectabl

39、e using the SELECT command by specifying its AID as the DF name. Other applications on the card may offer application management functionality. INCITS/ISO/IEC 7816-13:20072008 ITIC 2008 All rights reserved 3 l) The default AID of the card manager application is “E8 28 BD 08 0D”. Figure 1 is a concep

40、tual representation of a possible structure of a multi-application IC card. C ar d M anag er App l i cat i on C ar d Pl at f or m C ar d App l i cat i on ( AP P 1) C ar d App l i cat i on ( AP P 2) Sec ur i t y Bou n dar y C ar d App l i cat i on ( AP P 3) Figure 1 Possible structure of a multi-appl

41、ication card 5.2 Application life cycle A life cycle status shall be associated with each application. An application may use its life cycle status, in combination with its security attributes, to ensure that any operation it performs complies with that applications security policy. The card manager

42、 application shall provide a life cycle transition path from Non Existent to Operational Activated state. The following commands initiate life cycle state transitions: APPLICATION MANAGEMENT REQUEST; LOAD APPLICATION; REMOVE APPLICATION. Figure 2 is a conceptual representation of the life cycle stat

43、es and the commands that invoke each state transition. This diagram shows only the stable (permanent) states an application can reach at the completion of a life cycle transition. Other, intermediate, states may exist during a life cycle transition (e.g. from Non-Existent to Creation state) but are

44、not maintained when the process is interrupted. INCITS/ISO/IEC 7816-13:20072008 4 ITIC 2008 All rights reserved R em ov e A p p li cat i on ( P 1= 0 1 ) R em ov e A p p li cat i on ( P 1= 06 ) C re atio n state O p erat io nal A ct iv ate d state Ini t ia li s atio n state R em ov e A p p li cat i o

45、n ( P 1= 02 ) A p p li c atio n Ma nage m ent R eq ue st ( P 1= 04 ) A ct iv ate F i le D eact ivat e F i le O p erat io nal D eact ivat ed state A p p li c atio n Ma nage m ent R eq ue st ( P 1= 0C ) A p p li c atio n No n E xi st e nt state A p p li c atio n Ma nagem en t R eq ues t ( P 1= 0E ) +

46、L o ad ( s) A p p li cat io n A p p li c atio n Ma nagem en t R eq ue st ( P 1= 02 ) + L oa d ( s) A p p l icat io n A p p li c atio n Ma nage m ent R eq ue st ( P 1= 08 ) R em ov e A p p li cat i on ( P 1= 03 ) A p p li c atio n R em ov ed R em ov e A p p li cat i on ( P 1= 07 ) R em ov e A p p li

47、cat i on ( P 1= 0 7 ) R em ov e A p p li cat i on ( P 1= 0 6 ) A p p li c atio n Ma nagem en t R eq ues t ( P 1= 06 ) + L oa d ( s) A p p l icat io n Figure 2 Application life cycle diagram NOTE 1 This diagram reads as follows: for example, after the execution of the APPLICATION MANAGEMENT REQUEST (

48、P1=“0E”) and LOAD APPLICATION commands, the application is in the Operational Activated life cycle state i.e. executable and selectable. NOTE 2 Squares represent states of the card memory, and circles represent application life cycle states. Dotted circles represent optional application life cycle s

49、tates. NOTE 3 The ACTIVATE FILE and DEACTIVATE FILE commands are defined in ISO/IEC 7816-9. Application life cycle states are defined as in Table 1. The coding of the application life cycle states shall comply with the coding of the life cycle status byte (LCS byte) defined in ISO/IEC 7816-4. INCITS/ISO/IEC 7816-13:20072008 ITIC 2008 All rights reserved 5 Table 1 Ap