ANSI INCITS ISO IEC 7816-15-2004 Identification cards - Integrated circuit cards with contacts - Part 15 Cryptographic information application《识别卡.带触点的集成电路卡..第15部分 密码信息应用》.pdf

1、INCITS/ISO/IEC 7816-15-2004 (ISO/IEC 7816-15:2004, IDT) Identification cards Integrated circuit cards with contacts Part 15: Cryptographic informationapplicationINCITS/ISO/IEC 7816-15-2004(ISO/IEC 7816-15:2004,IDT)Copyright American National Standards Institute Provided by IHS under license with ANS

2、I Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-15-2004 ii ITIC 2005 All rights reserved PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not

3、be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe

4、is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO mem

5、ber bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 12/29/2005 Published b

6、y American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2005 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechn

7、ical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests perta

8、ining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-

9、,-,-INCITS/ISO/IEC 7816-15-2004 ITIC 2005 All rights reserved iii Contents Page Foreword vi Introduction . vii 1 Scope 1 2 Normative references .2 3 Terms and definitions 2 4 Symbols and abbreviated terms 5 4.1 Symbols 5 4.2 Abbreviated terms 6 5 Conventions .7 6 Cryptographic information objects7 6

10、.1 Introduction 7 6.2 CIO classes .7 6.3 Attributes 8 6.4 Access restrictions 8 7 CIO files 8 7.1 Overview .8 7.2 IC card requirements 8 7.3 Card file structure.9 7.4 EF.DIR .9 7.5 Contents of DF.CIA . 10 7.5.1 Overview . 10 7.5.2 The CIAInfo EF 10 7.5.3 EF.OD 11 7.5.4 CIO Directory files 11 7.5.5 D

11、F.CIA selection . 12 8 Information syntax in ASN.1 13 8.1 Guidelines and encoding conventions 13 8.2 Basic ASN.1 defined types . 13 8.2.1 Identifier 13 8.2.2 Reference 13 8.2.3 Label . 13 8.2.4 CredentialIdentifier . 13 8.2.5 ReferencedValue and Path . 14 8.2.6 ObjectValue 15 8.2.7 PathOrObjects 15

12、8.2.8 CommonObjectAttributes 15 8.2.9 CommonKeyAttributes . 17 8.2.10 CommonPrivateKeyAttributes . 18 8.2.11 CommonPublicKeyAttributes 19 8.2.12 CommonSecretKeyAttributes 19 8.2.13 GenericKeyAttributes . 19 8.2.14 KeyInfo 19 8.2.15 CommonCertificateAttributes 20 8.2.16 GenericCertificateAttributes 2

13、1 8.2.17 CommonDataContainerObjectAttributes 21 8.2.18 CommonAuthenticationObjectAttributes 21 8.2.19 The CIO type . 21 8.3 The CIOChoice type . 22 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without li

14、cense from IHS-,-,-INCITS/ISO/IEC 7816-15-2004 iv ITIC 2005 All rights reserved 8.4 Private key information objects . 23 8.4.1 PrivateKeyChoice . 23 8.4.2 Private RSA key attributes . 23 8.4.3 Private Elliptic Curve key attributes 23 8.4.4 Private Diffie-Hellman key attributes . 24 8.4.5 Private DSA

15、 key attributes . 24 8.4.6 Private KEA key attributes . 24 8.4.7 Generic Private key information objects . 24 8.5 Public key information objects 24 8.5.1 PublicKeyChoice 24 8.5.2 Public RSA key attributes 25 8.5.3 Public Elliptic Curve key attributes . 25 8.5.4 Public Diffie-Hellman key attributes 2

16、6 8.5.5 Public DSA key attributes 26 8.5.6 Public KEA key attributes 26 8.5.7 Generic public key information objects 27 8.6 Secret key information objects 27 8.6.1 SecretKeyChoice 27 8.6.2 Algorithm independent key attributes . 27 8.6.3 The GenericSecretKey type . 27 8.7 Certificate information obje

17、cts 27 8.7.1 CertificateChoice 27 8.7.2 X.509 certificate attributes . 28 8.7.3 X.509 attribute certificate attributes 28 8.7.4 SPKI certificate attributes 28 8.7.5 PGP (Pretty Good Privacy) certificate attributes 29 8.7.6 WTLS certificate attributes 29 8.7.7 ANSI X9.68 domain certificate attributes

18、 29 8.7.8 Card Verifiable Certificate attributes . 29 8.7.9 Generic certificate attributes . 30 8.8 Data container information objects . 30 8.8.1 DataContainerObjectChoice 30 8.8.2 Opaque data container object attributes . 30 8.8.3 ISO/IEC 7816 data object attributes . 30 8.8.4 Data container inform

19、ation objects identified by OBJECT IDENTIFIERS 30 8.9 Authentication information objects . 31 8.9.1 AuthenticationObjectChoice 31 8.9.2 Password attributes . 31 8.9.3 Biometric reference data attributes . 33 8.9.4 Authentication objects for external authentication 35 8.10 The cryptographic informati

20、on file, EF.CIAInfo 35 Annex A (normative) ASN.1 module . 38 Annex B (informative) CIA example for cards with digital signature and authentication functionality 52 B.1 Introduction 52 B.2 CIOs 52 B.3 Access control . 53 Annex C (informative) Example topologies 55 Annex D (informative) Examples of CI

21、O values and their encodings . 57 D.1 Introduction 57 D.2 EF.OD 57 D.2.1 ASN.1 value notation . 57 D.2.2 ASN.1 description, tags, lengths and values 58 D.2.3 Hexadecimal DER-encoding 58 D.3 EF.CIAInfo 59 D.3.1 ASN.1 value notation . 59 D.3.2 ASN.1 description, tags, lengths and values 59 D.3.3 Hexad

22、ecimal DER-encoding 59 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-15-2004 ITIC 2005 All rights reserved v D.4 EF.PrKD 59 D.4.1 ASN.1 value notation 59 D

23、.4.2 ASN.1 description, tags, lengths and values 60 D.4.3 Hexadecimal DER-encoding 61 D.5 EF. CD . 62 D.5.1 ASN.1 value notation 62 D.5.2 ASN.1 description, tags, lengths and values 63 D.5.3 Hexadecimal DER-encoding 64 D.6 EF.AOD . 64 D.6.1 ASN.1 value notation 64 D.6.2 ASN.1 description, tags, leng

24、ths and values 65 D.6.3 Hexadecimal DER-encoding 66 D.7 EF.DCOD . 67 D.7.1 ASN.1 value notation 67 D.7.2 ASN.1 description, tags, lengths and values 67 D.7.3 Hexadecimal DER-encoding of DCOD . 67 D.8 Application Template (within the EF.DIR) 68 D.8.1 ASN.1 value notation 68 D.8.2 ASN.1 description, t

25、ags, lengths and values in ApplicationTemplate . 68 D.8.3 Hexadecimal DER-encoding of ApplicationTemplate . 68 Bibliography 70 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-IN

26、CITS/ISO/IEC 7816-15-2004 vi ITIC 2005 All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate i

27、n the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and no

28、n-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main

29、 task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies castin

30、g a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 7816-15 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informatio

31、n technology, Subcommittee SC 17, Cards and personal identification. ISO/IEC 7816 consists of the following parts, under the general title Identification cards Integrated circuit cards with contacts: Part 1: Physical characteristics Part 2: Dimensions and location of the contacts Part 3: Electronic

32、signals and transmission protocols Part 4: Organisation, security and commands for interchange Part 5: Registration of application providers Part 6: Interindustry data elements for interchange Part 7: Interindustry commands for Structured Card Query Language (SCQL) Part 8: Commands for security oper

33、ations Part 9: Commands for card management Part 10: Electronic signals and answer to reset for synchronous cards Part 11: Personal verification through biometric methods Part 15: Cryptographic information application Copyright American National Standards Institute Provided by IHS under license with

34、 ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-15-2004 ITIC 2005 All rights reserved vii Introduction Integrated circuit cards with cryptographic functions can be used for secure identification of users of information systems as well as f

35、or other core security services such as non-repudiation with digital signatures and distribution of enciphering keys for confidentiality. The objective of this part of ISO/IEC 7816 is to provide a framework for such services based on available international standards. A main goal has been to provide

36、 a solution that may be used in large-scale systems with several issuers of compatible cards, providing for international interchange. It is flexible enough to allow for many different environments, while still preserving the requirements for interoperability. A number of data structures have been p

37、rovided to manage private keys and key fragments, to support a public key certificate infrastructure and flexible management of user and entity authentication. This part of ISO/IEC 7816 is based on PKCS #15 v1.1 (see the bibliography). The relationship between these documents is as follows: a common

38、 core is identical in both documents; those components of PKCS #15 which do not relate to IC cards have been removed; this part of ISO/IEC 7816 includes enhancements to meet specific IC card requirements. Copyright American National Standards Institute Provided by IHS under license with ANSI Not for

39、 ResaleNo reproduction or networking permitted without license from IHS-,-,-Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 7816-15-200

40、4 ITIC 2005 All rights reserved 1 Identification cards Integrated circuit cards with contacts Part 15: Cryptographic information application 1 Scope This part of ISO/IEC 7816 specifies an application in a card. This application contains information on cryptographic functionality. This part of ISO/IE

41、C 7816 defines a common syntax and format for the cryptographic information and mechanisms to share this information whenever appropriate. The objectives of this part of ISO/IEC 7816 are to: facilitate interoperability among components running on various platforms (platform neutral); enable applicat

42、ions in the outside world to take advantage of products and components from multiple manufacturers (vendor neutral); enable the use of advances in technology without rewriting application-level software (application neutral); and maintain consistency with existing, related standards while expanding

43、upon them only where necessary and practical. It supports the following capabilities: storage of multiple instances of cryptographic information in a card; use of the cryptographic information; retrieval of the cryptographic information, a key factor for this is the notion of Directory Files, which

44、provides a layer of indirection between objects on the card and the actual format of these objects; cross-referencing of the cryptographic information with DOs defined in other parts of ISO/IEC 7816 when appropriate; different authentication mechanisms; and multiple cryptographic algorithms (the sui

45、tability of these is outside the scope of this part of ISO/IEC 7816). This part of ISO/IEC 7816 does not cover the internal implementation within the card and/or the outside world. It shall not be mandatory for implementations complying with this International Standard to support all options describ

46、ed. In case of discrepancies between ASN.1 definitions in the body of the text and the module in Annex A, Annex A takes precedence. Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,

47、-,-INCITS/ISO/IEC 7816-15-2004 2 ITIC 2005 All rights reserved 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document

48、 (including any amendments) applies. ISO/IEC 7816 (all parts), Identification cards Integrated circuit cards with contacts ISO/IEC 8824-1:1998, Information technology Abstract Syntax Notation One (ASN.1): Specification of basic notation ISO/IEC 8824-2:1998, Information technology Abstract Syntax Notation One (ASN.1): Information object specification ISO/IEC 8824-3:1998, Information technology Abstract Syntax Notation One (ASN.1): Constraint specification ISO/IEC 8824-4:1998, Information technology Abstract Syntax Notation One (AS