ANSI INCITS ISO IEC 7816-4-2013 Identification cards - Integrated circuit cards - Part 4 Organization security and commands for interchange.pdf

1、 INCITS/ISO/IEC 7816-4:2013 (2016) (ISO/IEC 7816-4:2013, IDT) Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange INCITS/ISO/IEC 7816-4:2013 (2016) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensi

2、ng policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO C

3、entral Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been

4、taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American Nati

5、onal Standard. Date of ANSI Approval: 11/11/2016 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2016 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International St

6、andardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, wit

7、hout the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1101 K Street NW, Suite 610, Washington DC 20005. Printed in the United States of America ii ITIC 2016 All rights reserved Reference numberISO/IEC 7816-4:2013(E)ISO/IEC 2013INTERNATIONAL ST

8、ANDARD ISO/IEC7816-4Third edition2013-04-15Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange Cartes didentification Cartes circuit intgr Partie 4: Organisation, scurit et commandes pour les changes ISO/IEC 7816-4:2013(E) COPYRIGHT PROTECTED DOC

9、UMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member

10、 body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reservedISO/IEC 7816-4:2013(E) ISO/IEC 2013 All rights reserved iiiCo

11、ntents Page Foreword . vii Introduction viii 1 Scope 1 2 Normative references 1 3 Terms and definitions . 2 4 Symbols and abbreviated terms 7 5 Command-Response pairs . 8 5.1 Conditions of operation 8 5.2 Syntax . 9 5.3 Chaining procedures . 10 5.3.1 General . 10 5.3.2 Payload fragmentation 10 5.3.3

12、 Command chaining . 10 5.3.4 Response chaining 11 5.4 Class byte . 12 5.4.1 Coding 12 5.4.2 Logical channels . 13 5.5 Instruction byte 14 5.6 Status bytes . 14 6 Data objects . 17 6.1 SIMPLE-TLV data objects . 18 6.2 BER-TLV data objects . 18 6.3 Constructed DOs versus primitive DOs 18 7 Structures

13、for applications and data . 19 7.1 Available structures 19 7.2 Validity area . 20 7.2.1 Definitions and attributes . 20 7.2.2 Basic rules for VA handling and use . 20 7.3 Structure selection 21 7.3.1 Structure selection methods 21 7.3.2 File reference data element and DO 22 7.3.3 General reference d

14、ata element and DO . 23 7.3.4 Data referencing methods in elementary files . 23 7.4 File and data control information 23 7.4.1 File control information retrieval . 23 7.4.2 Data control information retrieval 24 7.4.3 Control parameters . 24 7.4.4 Short EF identifier . 26 7.4.5 File descriptor byte .

15、 26 7.4.6 Profile indicator . 27 7.4.7 Data descriptor byte 27 7.4.8 DF and EF list data elements . 27 7.4.9 Instance number data element . 28 7.4.10 Life cycle status . 28 7.4.11 Indirect referencing by short EF identifier using DOA2 28 7.4.12 Interface and life cycle status dependent security attr

16、ibute template . 29 8 Specific use of DOs and related concepts 30 8.1 BER-TLV payloads and padding . 30 ISO/IEC 7816-4:2013(E) iv ISO/IEC 2013 All rights reserved8.1.1 Padding conditions30 8.1.2 Padding procedure 30 8.2 Current template and data object generations .31 8.2.1 Current template and curr

17、ent DO .31 8.2.2 Template extension .31 8.2.3 Data object sub-tree 31 8.2.4 Data object life cycle .32 8.3 Identification of data elements and data objects .32 8.3.1 Principles 32 8.3.2 Tag interpretation in command and response data fields or payloads .32 8.3.3 Tag allocation .32 8.3.4 Standard tag

18、 allocation scheme .33 8.3.5 Compatible tag allocation scheme .33 8.3.6 Coexistent tag allocation scheme 34 8.3.7 Avoidance of independent tag allocation schemes .34 8.4 Referencing and retrieval of DOs and data elements 34 8.4.1 General 34 8.4.2 Element list .35 8.4.3 Tag list 35 8.4.4 Header list

19、.35 8.4.5 Extended header and extended header list 35 8.4.6 Resolving an extended header .36 8.4.7 Resolving an extended header list .37 8.4.8 Wrapper 37 8.4.9 Tagged wrapper .38 9 Security architecture .38 9.1 General 38 9.2 Cryptographic mechanism identifier template .39 9.3 Security attributes .4

20、0 9.3.1 Security attributes targets 40 9.3.2 Compact format .40 9.3.3 Expanded format 44 9.3.4 Access rule references .48 9.3.5 Security attributes for data objects .49 9.3.6 Security parameters template 49 9.3.7 Security attributes for logical channels 55 9.4 Security support data elements .56 10 S

21、ecure messaging .57 10.1 SM fields and SM DOs .57 10.1.1 SM protection of command payloads 57 10.1.2 SM protection of chained commands and responses .57 10.1.3 SM DOs .57 10.2 Basic SM DOs .58 10.2.1 SM DOs for encapsulating plain values 58 10.2.2 SM DOs for confidentiality 59 10.2.3 SM DOs for auth

22、entication 60 10.3 Auxiliary SM DOs .61 10.3.1 Control reference templates .61 10.3.2 Control reference DOs in control reference templates 61 10.3.3 Security environments 63 10.3.4 Response descriptor template .65 10.4 SM impact on command-response pairs 65 11 Commands for interchange 67 11.1 Select

23、ion .67 11.1.1 SELECT command 67 11.1.2 MANAGE CHANNEL command .69 11.2 Data unit handling70 11.2.1 Data units 70 ISO/IEC 7816-4:2013(E) ISO/IEC 2013 All rights reserved v11.2.2 General . 70 11.2.3 READ BINARY command . 71 11.2.4 WRITE BINARY command . 71 11.2.5 UPDATE BINARY command . 72 11.2.6 SEA

24、RCH BINARY command . 72 11.2.7 ERASE BINARY command . 72 11.2.8 COMPARE BINARY function . 73 11.3 Record handling 73 11.3.1 Records 73 11.3.2 General . 74 11.3.3 READ RECORD (S) command 74 11.3.4 WRITE RECORD command 76 11.3.5 UPDATE RECORD command . 77 11.3.6 APPEND RECORD command . 77 11.3.7 SEARC

25、H RECORD command . 78 11.3.8 ERASE RECORD (S) command 79 11.3.9 ACTIVATE RECORD (s) command . 80 11.3.10 DEACTIVATE RECORD (s) command . 80 11.3.11 COMPARE RECORD function 81 11.4 Data object handling . 81 11.4.1 General . 81 11.4.2 SELECT DATA command 82 11.4.3 GET DATA/GET NEXT DATA commands - eve

26、n INS code 86 11.4.4 GET DATA/GET NEXT DATA command - odd INS codes . 87 11.4.5 General properties of PUT/PUT NEXT/UPDATE DATA commands 89 11.4.6 PUT DATA command 89 11.4.7 PUT NEXT DATA command . 90 11.4.8 UPDATE DATA command 91 11.4.9 COMPARE DATA function 91 11.5 Basic security handling 91 11.5.1

27、 General . 91 11.5.2 INTERNAL AUTHENTICATE command 92 11.5.3 GET CHALLENGE command 92 11.5.4 EXTERNAL AUTHENTICATE command 93 11.5.5 GENERAL AUTHENTICATE command . 94 11.5.6 VERIFY command 95 11.5.7 CHANGE REFERENCE DATA command . 96 11.5.8 ENABLE VERIFICATION REQUIREMENT command . 96 11.5.9 DISABLE

28、 VERIFICATION REQUIREMENT command 97 11.5.10 RESET RETRY COUNTER command . 97 11.5.11 MANAGE SECURITY ENVIRONMENT command 97 11.6 Miscellaneous 99 11.6.1 COMPARE command 99 11.6.2 GET ATTRIBUTE command . 101 11.7 Transmission handling . 101 11.7.1 GET RESPONSE command 101 11.7.2 ENVELOPE command . 1

29、01 12 Application-independent card services 102 12.1 Card identification . 102 12.1.1 Historical bytes 102 12.1.2 Initial data string recovery 106 12.2 Application identification and selection . 107 12.2.1 EF.DIR . 107 12.2.2 EF.ATR/INFO 107 12.2.3 Application identifier . 108 12.2.4 Application tem

30、plate and related data elements 109 12.2.5 Application selection 110 12.3 Selection by path . 111 12.4 Data retrieval 111 ISO/IEC 7816-4:2013(E) vi ISO/IEC 2013 All rights reserved12.5 Card-originated byte strings 111 12.5.1 Triggering by the card 112 12.5.2 Queries and replies 112 12.5.3 Formats 11

31、2 12.6 General feature management 112 12.6.1 On-card services . 113 12.6.2 Interface services 113 12.6.3 Profile services . 113 12.6.4 Provision of additional information 114 12.7 APDU management 114 12.7.1 Extended length information . 114 12.7.2 List of supported INS codes 114 Annex A (informative

32、) Examples of object identifiers and tag allocation schemes 115 A.1 Object identifiers . 115 A.2 Tag allocation schemes . 115 Annex B (informative) Examples of secure messaging . 117 B.1 Cryptographic checksum . 117 B.2 Cryptograms 121 B.3 Control references 121 B.4 Response descriptor 121 B.5 ENVEL

33、OPE command 122 B.6 Synergy between secure messaging and security operations 122 Annex C (informative) Examples of AUTHENTICATE functions by GENERAL AUTHENTICATE commands . 125 C.1 GENERAL AUTHENTICATE using witness-challenge-response triples . 125 C.2 GENERAL AUTHENTICATE for a multi-step authentic

34、ation protocol . 129 NA.1.1 Terminal Authentication protocol 131 NA.1.2 Chip Authentication protocol . 132 Annex D (informative) Application identifiers using issuer identification numbers . 133 D.1 Background information 133 D.2 Format 133 Annex E (informative) BER Encoding Rules . 134 E.1 BER-TLV

35、tag fields 134 E.2 BER-TLV length fields . 135 E.3 BER-TLV value fields . 135 Annex F (informative) BER-TLV data object handling . 136 F.1 Generations and templates in a constructed DO 136 F.2 Referencing by an extended header . 137 F.3 Use of the UPDATE DATA command . 139 F.4 Security attribute for

36、 one DO . 141 F.5 Example of key referencing in a self-controlled DO . 142 Annex G (informative) Template extension by tagged wrapper 144 G.1 General . 144 G.2 Referencing within the current EF 144 G.3 Referencing within the current application DF, first example . 145 G.4 Referencing in the current

37、application DF, second example . 146 G.5 Referencing out of the current application DF 147 G.6 Warnings 147 Annex H (informative) Parsing an extended header against its target DO . 148 Bibliography . 149 ISO/IEC 7816-4:2013(E) ISO/IEC 2013 All rights reserved viiForeword ISO (the International Organ

38、ization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the res

39、pective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of informa

40、tion technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft Internationa

41、l Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may b

42、e the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 7816-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification. This third edition cancels a

43、nd replaces the second edition (ISO/IEC 7816-4:2005), and incorporates the Amendment ISO/IEC 7816-4:2005/Amd.1:2008. ISO/IEC 7816 consists of the following parts, under the general title Identification cards Integrated circuit cards: Part 1: Cards with contacts Physical characteristics Part 2: Cards

44、 with contacts Dimensions and location of the contacts Part 3: Cards with contacts Electrical interface and transmission protocols Part 4: Organization, security and commands for interchange Part 5: Registration of application providers Part 6: Interindustry data elements for interchange Part 7: Int

45、erindustry commands for Structured Card Query Language (SCQL) Part 8: Commands for security operations Part 9: Commands for card management Part 10: Electronic signals and answer to reset for synchronous cards Part 11: Personal verification through biometric methods Part 12: Cards with contacts USB

46、electrical interface and operating procedures Part 13: Commands for application management in a multi-application environment Part 15: Cryptographic information application ISO/IEC 7816-4:2013(E) viii ISO/IEC 2013 All rights reservedIntroduction ISO/IEC 78166is a series of standards specifying integ

47、rated circuit cards and the use of such cards for interchange. These cards are identification cards intended for information exchange negotiated between the outside world and the integrated circuit in the card. As a result of an information exchange, the card delivers information (computation result

48、, stored data), and/or modifies its content (data storage, event memorization). Five parts are specific to cards with galvanic contac ts and three of them specify electrical interfaces. ISO/IEC 7816-1 specifies physical characteristics for cards with contacts. ISO/IEC 7816-2 specifies dimensions and

49、 location of the contacts. ISO/IEC 7816-3 specifies electrical interface and transmission protocols for asynchronous cards. ISO/IEC 7816-10 specifies electrical interface and answer to reset for synchronous cards. ISO/IEC 7816-12 specifies electrical interface and operating procedures for USB cards. All the other parts are independent from the physical interface technology. They apply to cards access