CEN TS 15480-3-2014 Identification card systems - European Citizen Card - Part 3 European Citizen Card Interoperability using an application interface《识别卡系统 欧洲公民卡 第3部分 使用英译界面的欧洲公民卡.pdf

1、BSI Standards PublicationIdentification card systems European Citizen CardPart 3: European Citizen Card Interoperability using an application interfacePD CEN/TS 15480-3:2014National forewordThis Published Document is the UK implementation of CEN/TS 15480-3:2014. It supersedes DD CEN/TS 15480-3:2010

2、which is withdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/17, Cards and personal identification.A list of organizations represented on this committee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary pro

3、visions ofa contract. Users are responsible for its correct application. The British Standards Institution 2014.Published by BSI Standards Limited 2014ISBN 978 0 580 82884 3ICS 35.240.15Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was publis

4、hed under the authority of theStandards Policy and Strategy Committee on 30 April 2014.Amendments/corrigenda issued since publicationDate Text affectedPUBLISHED DOCUMENTPD CEN/TS 15480-3:2014TECHNICAL SPECIFICATION SPCIFICATION TECHNIQUE TECHNISCHE SPEZIFIKATION CEN/TS 15480-3 April 2014 ICS 35.240.

5、15 Supersedes CEN/TS 15480-3:2010English Version Identification card systems - European Citizen Card - Part 3: European Citizen Card Interoperability using an application interface Systmes de carte didentification - Carte Europenne du Citoyen - Partie 3 : Interoprabilit de la Carte europenne du Cito

6、yen utilisant une interface applicative Identifikationskartensysteme - Europische Brgerkarte - Teil 3: Anwendungsschnittstelle fr die Interoperabilitt von Europischen Brgerkarten This Technical Specification (CEN/TS) was approved by CEN on 14 October 2013 for provisional application. The period of v

7、alidity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard. CEN members are required to announce the existence of this CEN/TS in t

8、he same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached. CEN m

9、embers are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Por

10、tugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any

11、form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TS 15480-3:2014 EPD CEN/TS 15480-3:2014CEN/TS 15480-3:2014 (E) 2 Contents Page Foreword 5 1 Scope 7 2 Normative references 7 3 Terms and definitions .8 4 Symbols and abbreviations 8 5 ECC fitting in ISO/IEC 24727 model 1

12、0 5.1 ISO/IEC 24727 main features . 10 5.2 General security issues Applicable ISO/IEC 24727-4 Stack Configurations for the ECC environment 12 5.3 ECC-3 Middleware Architecture 16 5.3.1 General . 16 5.3.2 Service Access Layer (SAL) 17 5.3.3 Generic Card Access Layer (GCAL) . 17 5.3.4 Interface Device

13、 Layer and API (IFD API) . 17 5.3.5 ECC-3 Stack Distribution and Connection Handling 17 5.3.6 Multi-stack composed configuration 20 5.3.7 A Web Service based architecture for ECC-3 framework . 22 5.3.8 XML-based SAL interface 27 6 Card Discovery Mechanisms . 28 6.1 General . 28 6.2 Discovery decisio

14、n tree . 29 6.3 Migration path towards ECC and provision for legacy cards 29 6.3.1 General . 29 6.3.2 Interoperable access to the Repository . 30 6.4 Set of data for interoperability . 30 6.5 Application and Card Capability Descriptors 31 6.6 ISO/IEC 7816-15 implementation . 34 6.6.1 General . 34 6.

15、6.2 Profile designation within EF.DIR . 34 6.6.3 ISO/IEC 24727-3 data structures mapping . 35 6.6.4 ISO/IEC 24727-3 data structures storage onto the card . 35 6.6.5 General discovery mechanism 37 6.7 Other data descriptor . 39 7 Authentication protocols . 39 7.1 General . 39 7.2 Authentication Mecha

16、nisms based on ISO/IEC 24727 SAL-API 39 7.3 Asymmetric internal authentication 40 7.4 Asymmetric external authentication . 40 7.5 Symmetric internal authentication 41 7.6 Symmetric external authentication . 41 7.7 Mutual authentication with key establishment 41 7.8 Device authentication with non tra

17、ceability . 41 7.9 Key transport protocol based on RSA . 41 7.10 Terminal Authentication . 42 8 IFD-API Web Service Binding 42 9 Card-Info Structure Introduction 42 PD CEN/TS 15480-3:2014CEN/TS 15480-3:2014 (E) 3 10 XML-based Service Access Layer Interface . 43 11 Federative Framework-wise Authentic

18、ate API . 43 11.1 General . 43 11.2 Authenticate method . 44 11.3 Web Service Binding for Authenticate API . 47 11.3.1 General . 47 11.3.2 Authenticate.XSD definition . 47 11.3.3 Authenticate.WSDL definition 48 Annex A (informative) Interface Device Layer Architecture and Management . 51 A.1 Scope 5

19、1 A.2 IFD-Layer Architecture 51 A.3 Resource Manager 52 A.3.1 General . 52 A.3.2 IFD-Handlers 52 A.3.3 Card transactions 52 A.3.4 Application threads . 52 A.4 Administrative functions 52 A.4.1 IFD-Handler related functions 52 A.4.2 Interface Device related functions . 53 Annex B (informative) IFD-AP

20、I C Language Binding 54 Annex C (informative) SAL-API Post-issuance personalisation requests 60 C.1 General . 60 C.2 Post-issuance personalisation requests 60 C.3 Canonical protocol 60 C.3.1 General . 60 C.3.2 DataSetCreate 61 C.3.3 DSICreate 68 C.3.4 DIDCreate . 70 C.3.5 DIDUpdate 71 C.3.6 CardAppl

21、icationServiceCreate . 72 C.4 General recommendation and conclusion 74 Annex D (informative) Additional features versus ISO/IEC 24727 (all parts) 75 D.1 General . 75 D.2 Discovery Mechanism . 75 D.3 General Procedures (SAL) 75 D.4 Architecture . 77 D.5 Differences between IFD-API in ISO/IEC 24727-4

22、and ECC-3 . 77 D.5.1 More generale SlotCapabilityType . 77 D.5.2 Transmit with support for batch processing 80 D.5.3 Additional error code for SignalEvent . 82 Annex E (informative) C-Language Binding for ExecuteSAL function . 83 Annex F (informative) Java-Language Binding for ExecuteSAL function 84

23、 Annex G (informative) Application Discovery Profile: card requirements to access/offer services in ISO/IEC 24727 framework . 85 G.1 General . 85 G.2 OID 85 G.3 General . 85 G.4 interfaces / transport protocols . 85 G.5 Data elements and data structures 86 G.6 Command set . 88 G.7 Data structure of

24、Card Applications 89 G.7.1 General . 89 G.7.2 DF/ADF content . 89 PD CEN/TS 15480-3:2014CEN/TS 15480-3:2014 (E) 4 G.7.3 EF DCOD content 89 G.7.4 EF AOD content 90 G.7.5 EF SKD content . 90 G.7.6 Ef PrKD content 90 Bibliography . 91 PD CEN/TS 15480-3:2014CEN/TS 15480-3:2014 (E) 5 Foreword This docume

25、nt (CEN/TS 15480-3:2014) has been prepared by Technical Committee CEN/TC 224 “Personal identification, electronic signature and cards and their related systems and operations”, the secretariat of which is held by AFNOR. Attention is drawn to the possibility that some of the elements of this document

26、 may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. This document supersedes CEN/TS 15480-3:2010. CEN/TS 15480, Identification card systems European Citizen Card, is composed of the following parts: Part 1: Physical, e

27、lectrical and transport protocol characteristics; Part 2: Logical data structures and security services; Part 3: European Citizen Card Interoperability using an application interface (the present document); Part 4: Recommendations for European Citizen Card issuance, operation and use; Part 5: Genera

28、l Introduction. The following technical changes have been made in this new edition of CEN/TS 15480-3: addition of mention of SAL Lite component, abstraction of GCI and GCAL through Registry processed at SAL level, decision tree update, scope update, etc (5.3.5.3); removal of all subclauses under 6.6

29、.3 (Data structures mapping) that were already incorporated in ISO/IEC 24727-4; removal of Annex J dedicated to ECC-3 API (handling ISO/IEC 7816-15 objects) considered not appropriate in ECC-3 because implementation-specific and not fundamental to interoperability; removal of XML Binding details for

30、 SAL API from Clause 10 and Annex G (removal of Annex G); it was incorporated in ISO/IEC 24727-3:2008/DAmd 1, Annex F; maintainance of the annex investigating SAL post-issuance personalisation; removal of Annex H describing XML binding for Authentication protocols since these protocols are now part

31、of ISO/IEC 24727-3:2008/DAmd 1, i.e. EACv2 protocol binding doesnt need to be reflected in ECC-3 since it is incorporated in ISO/IEC 24727-3:2008, Annex E; removal of Annex D “example of CIA implementation for Card Application Service description” since it is updated and incorporated in ISO/IEC 2472

32、7-4:2008/DAmd 1; removal of XML-based CardInfo Types (XML Registry) since it is incorporated in ISO/IEC 24727-3:2008/DAmd 1, Annex D, Clause D.3; IFD-API shows enhancements in comparison with ISO/IEC 24727 (e.g. SlotCapabilityType with support of transmission protocol descriptor, Transmit command wi

33、th support of batch APDU, SignalEvent error coding with additional error code), therefore IFD API Annex B are removed from ECC-3 and the clauses describing enhancements are reflected in ECC-3, Annex D amongst the differences with ISO/IEC 24727; PD CEN/TS 15480-3:2014CEN/TS 15480-3:2014 (E) 6 additio

34、n of Annex D, Additional features versus ISO/IEC 24727 (all parts), to incorporate the description of IFD API extensions in terms of API definition and binding; removal of 6.2.1.1, Definition for CardInfoRepository.XSD, and 6.2.1.2, Definition for CardInfoRepository.WSDL, since these binding descrip

35、tions are now part of ISO/IEC 24727-4:2008/DAmd, 1; addition of a new Clause 11 dedicated to Authenticate API: the Authenticate() call makes the service layer module transparent to the Service Provider, it occurs above SAL layer; provision of an introductory text describing the layout where Authenti

36、cate API fits; IFD API C-Language Binding remains in ECC-3 till its endorsement in ISO/IEC 24727 if deemed useful; maintainance of ExecuteSAL API in ECC-3 (both C-language binding and java binding); incorporation under Annex G of “Application Discovery Profile” for the purposes of integration in ISO

37、/IEC 24727 framework. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republi

38、c of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. PD CEN/TS 15480-3:2014CEN/TS 15480-3:2014 (E) 7 1 Scope This

39、 Technical Specification provides an Interoperability Model, which will enable an eService compliant with technical requirements, to interoperate with different implementations of the European Citizen Card. This Interoperability model will be developed as follows: starting from the ECC Part 2, Part

40、3 of the ECC series provides additional technical specifications for a middleware architecture based on ISO/IEC 24727 (all parts); this middleware will provide an API to an eService as per ISO/IEC 24727-3. a set of additional API provides the middleware stack with means to facilitate ECC services. a

41、 standard mechanism for the validation of the e-ID credential is stored in the ECC and retrieved by the eService. In order to support the ECC services over an ISO/IEC 24727 middelware configuration, this part of the standard specifies the following: a set of mandatory requests to be supported by the

42、 middleware implementation based on ISO/IEC 24727 (all parts). data set content for interoperability to be personalised in the ECC. three middleware architecture solutions: one based on a stack of combined ISO/IEC 24727 configurations and the other based on Web Service configuration whereas the thir

43、d one is relying on a SAL Lite component. an Application DiscoveryProfile featuring the guidelines for card-applications to fit in ISO/IEC 24727 framework. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its a

44、pplication. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. CEN/TS 15480-2:2012, Identification card systems European Citizen Card Part 2: Logical data structures and security services CEN

45、/TS 15480-4, Identification card systems European Citizen Card Part 4: Recommendations for European Citizen Card issuance, operation and use ISO/IEC 7816-4, Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange ISO/IEC 7816-15, Identification cards

46、 Integrated circuit cards Part 15: Cryptographic information application ISO/IEC 24727-1, Identification cards Integrated circuit card programming interfaces Part 1: Architecture PD CEN/TS 15480-3:2014CEN/TS 15480-3:2014 (E) 8 ISO/IEC 24727-2:20081), Identification cards Integrated circuit card prog

47、ramming interfaces Part 2: Generic card interface ISO/IEC 24727-3:20082), Identification cards Integrated circuit card programming interfaces Part 3: Application interface ISO/IEC 24727-4:20083), Identification cards Integrated circuit card programming interfaces Part 4: Application programming inte

48、rface (API) administration ISO/IEC 24727-5, Identification cards Integrated circuit card programming interfaces Part 5: Testing procedures ISO/IEC 24727-6, Identification cards Integrated circuit card programming interfaces Part 6: Registration authority procedures for the authentication protocols f

49、or interoperability 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 descriptive elements information nested in data objects and intended for the discovery mechanism and encapsulated along with procedural elements in the ACD and CCD 3.2 procedural elements translation code to process any request at the Generic Card Interface (GCI) and every relevant card response Note 1 to entry: The translation has o