BS EN 726-2-1996 Identification card systems - Telecommunications - Integrated circuit(s) cards and terminals - Security framework《识别卡系统 电讯 集成电路卡和终端的要求 安全性结构》.pdf

1、BRITISH STANDARD BS EN 726-2:1996 Identification card systems Telecommunications integrated circuit(s) cards and terminals Part 2: Security framework The European Standard EN 726-2:1995 has the status of a British Standard ICS 33.120.00; 35.240.60BSEN726-2:1996 This British Standard, having been pre

2、pared under the directionof the Information Systems Technology Assembly,was published underthe authorityof the Standards Boardand comes intoeffecton 15April1996 BSI 01-2000 The following BSI references relate to the work on this standard: Committee reference IST/17 Draft for comment 93/652140 DC ISB

3、N 0 580 25451 8 Committees responsible for this BritishStandard The preparation of this British Standard was entrusted to Technical Committee IST/17, Identification cards and related devices, upon which the following bodies were represented: Ailec Associates APACS Barclaycard APACS Barclays Bank APA

4、CS Girobank APACS Lloyds Bank APACS Midland Bank APACS Nat West Bank Association for Payment Clearing Services (APACS) BT Laboratories Cellnet Consumer Policy Committee of BSI Electricity Association GEC Card Technology HMSO News Datacom Ltd. Rochford Thompson Equipment Shell UK Thorn Transit System

5、s International Vodafone Ltd. Westinghouse Cubic Ltd. Amendments issued since publication Amd. No. Date CommentsBSEN726-2:1996 BSI 01-2000 i Contents Page Committees responsible Inside front cover National foreword ii Foreword 2 Text of EN 726-2 5 List of references Inside back coverBSEN726-2:1996 i

6、i BSI 01-2000 National foreword This Part of BS EN 726 has been prepared by Technical Committee IST/17 and is the English language version of EN726, Identification card systems Telecommunications integrated circuit(s) cards and terminals Part 2:1995 Security framework, published by the European Comm

7、ittee for Standardization (CEN). This British Standard is the English language version of EN726-2:1995and implements it as the UK national standard. This British Standard is published under the direction of the Information Systems Technology Standards Assembly whose Technical Committee IST/17has the

8、 responsibility to: aid enquirers to understand the text; present to the responsible European committee any enquiries on interpretation, or proposals for change, and keep UK interests informed; monitor related international and European developments and promulgate them in the UK. NOTEInternational a

9、nd European Standards, as well as overseas standards, are available from Customer Services, BSI,389Chiswick High Road, London W44AL. Textual error: EN 726-2:1995 makes reference to EN27498:1989 which is now withdrawn, and has been superseded by ENISO/IEC7498-1:1995. A British Standard does not purpo

10、rt to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Cross-references Publication referred to Corresponding British Standard BS

11、 EN 726 Identification card systems Telecommunications integrated circuit(s) cards and terminals EN 726-1 Part 1:1995 System overview EN 726-3:1994 Part 3:1996 Application independent card requirements BS ISO 7498 Information processing systems Open Systems Interconnection Basic reference model ISO

12、7498-2:1989 Part 2:1989 Security architecture BS ISO/IEC 9798 Information technology Security techniques Entity authentication mechanisms ISO/IEC 9798-2 Part 2:1994 Mechanisms using symmetric encipherment algorithms ISO/IEC 9798-3 Part 3:1993 Entity authentication using a public key algorithm ISO 10

13、202-1:1991 BS EN 30202-1 Financial transaction cards Security architecture of financial transaction systems using integrated circuit cards Part 1:1995 Card life cycle Summary of pages This document comprises a front cover, an inside front cover, pages i and ii, theEN title page, pages 2 to 34, an in

14、side back cover and a back cover. This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on the inside front cover.EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN 726-2 November 1995 ICS 33.120.00; 35.240.60 De

15、scriptors: Telecommunications, telecommunication terminals, IC cards, specifications, utilization, safety English version Identification card systems Telecommunications integrated circuit(s) cards and terminals Part 2: Security framework Systmes de cartes didentification Cartes circuit intgr et term

16、inaux pour les tlcommunications Partie 2: Cadre gnral pour la scurit Identifikationskartensysteme Chipkarten und Endgerte fr Telekommunikationszwecke Teil 2: Sicherheitsgrundgerst This European Standard was approved by CEN on1995-10-18. CEN members are bound to comply with the CEN/CENELEC Internal R

17、egulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CEN member. Thi

18、s European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the Central Secretariat has the same status as the official versions. CEN members are th

19、e national standards bodies of Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and UnitedKingdom. CEN European Committee for Standardization Comit Europen de Normalisation Europisches Komitee

20、fr Normung Central Secretariat: rue de Stassart 36, B-1050 Brussels 1995 All rights of reproduction and communication in any form and by any means reserved in all countries to CEN and its members Ref. No. EN 726-2:1995 EEN726-2:1995 BSI 01-2000 2 Foreword This European Standard has been prepared by

21、the Technical Committee CEN/TC224, Machine readable cards, related device interfaces and operations, of which the secretariat is held by AFNOR. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by May1

22、996, and conflicting national standards shall be withdrawn at the latest by May1996. According to the CEN/CENELEC Internal Regulations, the following countries are bound to implement this European Standard: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Italy, Luxembourg, Neth

23、erlands, Norway, Portugal, Spain, Sweden, Switzerland and the UnitedKingdom. This European Standard consists of the following parts, under the general title Identification card systems Telecommunications integrated circuit(s) cards and terminals: Part 1: System overview; Part 2: Security framework;

24、Part 3: Application independent card requirements; Part 4: Application independent card related terminal requirements; Part 5: Payment methods; Part 6: Telecommunication features; Part 7: Security module. Contents Page Foreword 2 1 Scope 5 2 Normative references 5 3 Definitions and abbreviations 5 3

25、.1 Definitions 5 3.2 Abbreviations 6 4 Reference model 6 5 General security approach 7 5.1 Methodology 7 5.2 Identifying security requirements 7 5.2.1 Manufacturing of IC and IC card (phase 1) 7 5.2.2 Card preparation phase (phase 2) 7 5.2.3 Application preparation (phase 3) 7 5.2.4 Usage phase (pha

26、se 4) 8 5.2.5 Termination of use (phase 5) 8 5.3 General security services 8 5.3.1 Access control service 8 5.3.2 Authentication service 8 5.3.3 Confidentiality service 8 5.3.4 Integrity service 8 5.3.5 Non-repudiation service 8 5.3.6 Audit service 9 5.4 General security mechanisms 9 6 Application i

27、ndependent security 9 6.1 Application independent security requirements 9 6.1.1 Manufacturing of IC and IC card (phase 1) 9 6.1.2 Card preparation phase (phase 2) 10 6.1.3 Application preparation phase (phase 3) 11 6.1.4 Usage phase (phase 4) 12 6.1.5 Termination of use (phase 5) 12 6.2 Application

28、independent security services 13 6.3 Application independent security mechanisms 13 6.3.1 Access control information 13 6.3.2 PIN mechanism 16 6.3.3 Internal authentication 16 6.3.4 External authentication 16 6.3.5 Protected mode 16 6.3.6 Stamped mode 16 6.3.7 Load key file 16EN726-2:1995 BSI 01-200

29、0 3 Page 7 Application dependent security 17 7.1 Methodology 17 7.2 Flowchart 18 Annex A (normative) Usage of TESA-7 algorithm in telecommunication applications in accordance with EN 726 19 A.1 Introduction 19 A.2 General specification of external interfaces for TESA-7 modes: 19 A.2.1 Key Establishm

30、ent Function 19 A.2.2 Authentication Function 20 A.2.3 Mac mode 21 A.2.4 Inverse Key Establishment Function 22 A.2.5 Key diversification mode 22 A.3 Usage of TESA-7 algorithm 23 A.3.1 INTERNAL AUTHENTICATION/VERIFY CRYPTOGRAM 23 A.3.2 EXTERNAL AUTHENTICATION/COMPUTE CRYPTOGRAM 24 A.3.3 Protected mod

31、e/COMPUTE MAC (SM) or DECREASE (SM) 26 A.3.4 Stamped mode/VERIFY MAC or INCREASE (SM) or UPDATE (SM) 28 A.3.5 COMPUTE LOAD KEY 30 A.3.6 LOAD KEY FILE 31 A.3.7 Diversify keyset 33 Figure 1 Reference model 7 Figure 2 Reference model for chip and card manufacturing phase 10 Figure 3 Reference model for

32、 card preparation phase 10 Figure 4 Reference model for application preparation phase 11 Figure 5 Reference model for usage phase 12 Figure 6 Reference model for termination phase 13 Figure 7 Access control information for card application 15 Figure 8 Application privilege information for external a

33、pplication 15 Figure 9 Internal authentication mechanism 15 Figure 10 External authentication mechanism 16 Figure 11 Protected mode mechanism 16 Figure 12 Stamped mode mechanism 17 Page Figure 13 Load key file mechanism 17 Figure 14 Diagram of application of the application dependent security 18 Fig

34、ure A.1 External interface for key establishment function 19 Figure A.2 External interface for authentication function 20 Figure A.3 External interface for MAC mode 21 Figure A.4 External interface for inverse key establishment function 22 Figure A.5 External interface for key diversification mode 2

35、2 Figure A.6 Parameters and TESA-7 mechanisms for INTERNAL AUTHENTICATION command 23 Figure A.7 Parameters and TESA-7 mechanisms for VERIFY CRYPTOGRAM command 24 Figure A.8 Parameters and TESA-7 mechanisms for EXTERNAL AUTHENTICATION command 25 Figure A.9 Parameters and TESA-7 mechanisms for COMPUTE

36、 CRYPTOGRAM command 26 Figure A.10 Parameters and TESA-7 mechanisms for commands in protected mode 27 Figure A.11 Parameters and TESA-7 mechanisms for COMPUTE MAC or DECREASE (SM) commands 28 Figure A.12 Parameters and TESA-7 mechanisms for commands in stamped mode 28 Figure A.13 Parameters and TESA

37、-7 mechanisms for VERIFY MAC or INCREASE (SM) or UPDATE (SM) commands 29 Figure A.14 Parameters and TESA-7 mechanisms for COMPUTE LOAD KEY command 30 Figure A.15 Parameters and TESA-7 mechanisms for LOAD KEY FILE command 32 Figure A.16 Parameters and TESA-7 mechanisms for DIVERSIFY KEY SET command 3

38、3 Table 1 14 Table 2 144 blankEN726-2:1995 BSI 01-2000 5 1 Scope This Part of EN 726 specifies a security framework for telecommunication use of IC cards. This specification does not describe any implementation details. It describes: a general security approach resulting in a methodology, different

39、card phases for identifying security requirements and a description of security services which can be offered by the IC card; the implementation of the general security approach to the application independent IC card, resulting in a list of application independent security requirements, a selection

40、of needed security services and a description of a common set of application independent security mechanisms; the implementation of the general security approach to applications using IC cards, resulting in a methodology which is used to design the set of security mechanisms for specific application

41、s. 2 Normative references This European Standard incorporates by dated or undated reference, provisions from other publications. These normative references are cited at the appropriate places in the text and the publications listed hereafter. For dated references, subsequent amendments to, or revisi

42、ons of any of these publications apply to this Standard only when incorporated in it by amendments or revision. For undated references the latest edition of the publication referred to applies. EN 726-1, Identification card systems Telecommunications integrated circuit(s) cards and terminals Part 1:

43、 System overview. EN 726-3:1994, Identification card systems Telecommunications integrated circuit(s) cards and terminals Part 3: Application independent card requirements. prEN 726-7:1994, Identification card systems Telecommunications integrated circuit(s) cards and terminals Part 7: Security modu

44、le. EN 27498:1989, Information Processing Systems Open Systems Interconnection, Basic Reference Model. ISO 7498-2:1989, Information Processing Systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture. ISO/IEC 9798-2, Information technology Security techniques Entity a

45、uthentication Part 2: Mechanisms using symmetric encipherment algorithms. ISO 9798-3, Information technology Security techniques Entity authentication mechanisms Part 3: Entity authentication using a public key algorithm. ISO 10202-1:1991, Financial transaction cards Security architecture of financi

46、al transaction systems using integrated circuit cards Part 1: Card life cycle. 3 Definitions and abbreviations 3.1 Definitions For the purposes of this standard, the following definitions apply: 3.1.1 access control information information describing for each action which can be performed on a file

47、in the card, the conditions to fulfil 3.1.2 action an action performed by an external application on a card means a command followed by a response. There are two kinds of actions: normal actions on files of the card (e.g. Read, Write, Select, Execute, Invalidate, Rehabilitate.), management actions o

48、n files of the card (e.g. Create, Delete, Extend.) 3.1.3 application an application consists of a set of security mechanisms, files, data, protocols (excluding transmission protocols) which are located and used in the IC card and outside of the IC card (external application) 3.1.4 application privil

49、ege information external application capabilities used to perform the rights of the external application 3.1.5 application provider the entity which is responsible for the application after its allocation. One application provider may have several applications in one card. The files allocated in the card corresponding to one application are called a card-application. There may exist several appli