1、BRITISH STANDARD BS ISO/IEC 7816-13:2007 Identification cards Integrated circuit cards Part 13: Commands for application management in a multi-application environment ICS 35.240.15 BS ISO/IEC 7816-13:2007 This British Standard was published under the authority of the Standards Policy and Strategy Co
2、mmittee on 30 April 2007 BSI 2007 ISBN 978 0 580 50478 5 National foreword This British Standard was published by BSI. It is the UK implementation of ISO/IEC 7816-13:2007. The UK participation in its preparation was entrusted to Technical Committee IST/17, Cards and personal identification. A list o
3、f organizations represented on IST/17 can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligati
4、ons. Amendments issued since publication Amd. No. Date Comments Reference number ISO/IEC 7816-13:2007(E)INTERNATIONAL STANDARD ISO/IEC 7816-13 First edition 2007-03-15 Identification cards Integrated circuit cards Part 13: Commands for application management in a multi-application environment Cartes
5、 didentification Cartes circuit intgr Partie 13: Commandes pour la gestion dapplication dans un environnement de plusieurs applications BS ISO/IEC 7816-13:2007 ii iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references . 1 3 Terms and definitions. 1 4 Abbreviations and notati
6、on . 2 5 Multi-application environment and application life cycle. 2 5.1 Multi-application environment. 2 5.2 Application life cycle 3 5.3 Memory resource assignment data objects for interoperability 5 6 Card management service recognition 6 6.1 Card management service template . 6 6.2 Card manageme
7、nt service template retrieval 7 7 Commands for application management . 7 7.1 APPLICATION MANAGEMENT REQUEST command 8 7.2 LOAD APPLICATION command 9 7.3 REMOVE APPLICATION command. 10 7.4 Application management considerations 11 Annex A (informative) An example of card application management on an
8、independent card issuer and application provider model. 12 Annex B (informative) A practical example of card application management. 14 Annex C (informative) A further practical example of card application management 18 Annex D (informative) A further practical example of card application management
9、 21 Bibliography . 23 BS ISO/IEC 7816-13:2007 iv Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the deve
10、lopment of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governme
11、ntal, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of t
12、he joint technical committee is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Atten
13、tion is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 7816-13 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, S
14、ubcommittee SC 17, Cards and personal identification. ISO/IEC 7816 consists of the following parts, under the general title Identification cards Integrated circuit cards: Part 1: Cards with contacts Physical characteristics Part 2: Cards with contacts Dimensions and location of the contacts Part 3:
15、Cards with contacts Electrical interface and transmission protocols Part 4: Organization, security and commands for interchange Part 5: Registration of application providers Part 6: Interindustry data elements for interchange Part 7: Interindustry commands for Structured Card Query Language (SCQL) P
16、art 8: Commands for security operations Part 9: Commands for card management Part 10: Cards with contacts Electronic signals and answer to reset for synchronous cards Part 11: Personal verification through biometric methods Part 12: Cards with contacts USB electrical interface and operating procedur
17、es Part 13: Commands for application management in a multi-application environment Part 15: Cryptographic information application BS ISO/IEC 7816-13:2007 v Introduction ISO/IEC 7816 is a series of International Standards specifying integrated circuit cards and the use of such cards for interchange.
18、These cards are identification cards intended for information exchange negotiated between the outside world and the integrated circuit in the card. As a result of an information exchange, the card delivers information (computation result, stored data), and/or modifies its content (data storage, even
19、t memorization). Five parts are specific to cards with galvanic contacts and three of them specify electrical interfaces. ISO/IEC 7816-1 specifies physical characteristics for cards with contacts. ISO/IEC 7816-2 specifies dimensions and location of the contacts. ISO/IEC 7816-3 specifies electrical i
20、nterface and transmission protocols for asynchronous cards. ISO/IEC 7816-10 specifies electrical interface and answer to reset for synchronous cards. ISO/IEC 7816-12 specifies electrical interface and operating procedures for USB cards. All the other parts are independent of the physical interface t
21、echnology. They apply to cards accessed by contacts and/or by contactless methods. ISO/IEC 7816-4 specifies organization, security and commands for interchange. ISO/IEC 7816-5 specifies registration of application providers. ISO/IEC 7816-6 specifies interindustry data elements for interchange. ISO/I
22、EC 7816-7 specifies commands for structured card query language. ISO/IEC 7816-8 specifies commands for security operations. ISO/IEC 7816-9 specifies commands for card management. ISO/IEC 7816-11 specifies personal verification through biometric methods. ISO/IEC 7816-13 specifies commands for applica
23、tion management in a multi-application environment. ISO/IEC 7816-15 specifies cryptographic information application. ISO/IEC 10536 specifies access by close coupling. ISO/IEC 14443 and ISO/IEC 15693 specify access by radio frequency. Such cards are also known as contactless cards. BS ISO/IEC 7816-13
24、:2007 blank1 Identification cards Integrated circuit cards Part 13: Commands for application management in a multi-application environment 1 Scope This part of ISO/IEC 7816 specifies commands for application management in a multi-application environment. These commands cover the entire life cycle of
25、 applications in a multi-application integrated circuit card, and the commands can be used before and after the card is issued to the cardholder. This part of ISO/IEC 7816 does not cover the implementation within the card and/or the outside world. 2 Normative references The following referenced docu
26、ments are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7816-4:2005, Identification cards Integrated circuit cards Organizatio
27、n, security and commands for interchange ISO/IEC 7816-9:2004, Identification cards Integrated circuit cards Commands for card management ISO/IEC 8825-1:2002, Information technology ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Enc
28、oding Rules (DER) 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 application structures, data elements and program modules needed for performing a specific functionality ISO/IEC 7816-4 3.2 application provider entity providing the components
29、 that make up an application in the card ISO/IEC 7816-4 3.3 card platform on-card component responsible for basic card functions BS ISO/IEC 7816-13:2007 2 3.4 card manager application card application providing card application management functionality and supervising assignment of the cards resourc
30、es 4 Abbreviations and notation AID application identifier APP application DF dedicated file DO data object ICC integrated circuit card P1-P2 parameter bytes (inserted for clarity, the dash is not significant) RID registered application provider identifier 5 Multi-application environment and applica
31、tion life cycle 5.1 Multi-application environment A multi-application environment in the context of this document has the following characteristics. a) An application is a uniquely addressable set of functionalities on a multi-application card that provides data storage and computational services. b
32、) An application may be added to the card before or after the card is issued to the cardholder. c) More than one application may be added to the card. d) The card platform provides mechanisms for managing card resources e.g. memory. e) The card platform provides a security boundary mechanism for eac
33、h application to prevent unauthorized interaction and security violation from any other application on the card. f) An application provider is an entity that provides services to the cardholder using a cards application and is responsible for the applications behavior. g) An application provider for
34、 an application on a card may be distinct from the card issuer. h) The life cycle of an application is independent from the life cycle of any other application in the same card. i) The life cycle of an application is independent from the life cycle of the card except when the card is in the terminat
35、ion state, as defined in ISO/IEC 7816-9. j) All applications shall be at least selectable using the SELECT command by specifying its AID as the DF name, as defined in ISO/IEC 7816-4. k) A card manager application shall be present, unique, and selectable using the SELECT command by specifying its AID
36、 as the DF name. Other applications on the card may offer application management functionality. BS ISO/IEC 7816-13:2007 3 l) The default AID of the card manager application is “E8 28 BD 08 0D”. Figure 1 is a conceptual representation of a possible structure of a multi-application IC card. Card Manag
37、er Application Card Platform Card Application (APP 1) Card Application (APP 2) Security Boundary Card Application (APP 3) Figure 1 Possible structure of a multi-application card 5.2 Application life cycle A life cycle status shall be associated with each application. An application may use its life
38、cycle status, in combination with its security attributes, to ensure that any operation it performs complies with that applications security policy. The card manager application shall provide a life cycle transition path from Non Existent to Operational Activated state. The following commands initia
39、te life cycle state transitions: APPLICATION MANAGEMENT REQUEST; LOAD APPLICATION; REMOVE APPLICATION. Figure 2 is a conceptual representation of the life cycle states and the commands that invoke each state transition. This diagram shows only the stable (permanent) states an application can reach a
40、t the completion of a life cycle transition. Other, intermediate, states may exist during a life cycle transition (e.g. from Non- Existent to Creation state) but are not maintained when the process is interrupted. BS ISO/IEC 7816-13:2007 4 Remove Application (P1=01) Remove Application (P1=06) Creati
41、on state Operational Activated state Initialisation state Remove Application (P1=02) Application Management Request (P1=04) Activate File Deactivate File Operational Deactivated state Application Management Request (P1=0C) Application Non Existent Application Management Request (P1=0E) + Load(s) App
42、lication Application Management Request (P1=02) + Load(s) Application Application Management Request (P1= 08) Remove Application (P1=03) Application Removed Remove Application (P1=07) Remove Application (P1=07) Remove Application (P1=06) Application Management Request (P1=06) + Load(s) Application F
43、igure 2 Application life cycle diagram NOTE 1 This diagram reads as follows: for example, after the execution of the APPLICATION MANAGEMENT REQUEST (P1=“0E”) and LOAD APPLICATION commands, the application is in the Operational Activated life cycle state i.e. executable and selectable. NOTE 2 Squares
44、 represent states of the card memory, and circles represent application life cycle states. Dotted circles represent optional application life cycle states. NOTE 3 The ACTIVATE FILE and DEACTIVATE FILE commands are defined in ISO/IEC 7816-9. Application life cycle states are defined as in Table 1. Th
45、e coding of the application life cycle states shall comply with the coding of the life cycle status byte (LCS byte) defined in ISO/IEC 7816-4. BS ISO/IEC 7816-13:2007 5 Table 1 Application life cycle states Application Non Existent Application is, from the point of view of the card manager applicati
46、on, not present. Creation State Application is, from the point of view of the card manager application, present, not executable, and not selectable. Initialisation State Application is present, executable with limited functionality, and not selectable. Operational Activated State Application is pres
47、ent, executable, and selectable. Operational Deactivated State Application is present, executable with limited functionality, and the SELECT command returns the warning that the application is deactivated. Application Removed Application is not present, not selectable, and not executable. The previo
48、usly assigned memory resources may be only partially released and reusable. Some card platforms may have additional life cycle specific state. Additional states are outside the scope of this document. If the card supports additional life cycle states and state transitions, they shall not interfere w
49、ith the life cycle states and state transitions described in Figure 2. States in italics represent card memory states. States in regular characters represent application life cycle states. 5.3 Memory resource assignment data objects for interoperability A memory resource assignment template (tag “7F65”) describing the assignment of memory resou