1、INCITS/ISO/IEC 24727-3-20082009 (ISO/IEC 24727-3:2008, IDT) Identification cards Integrated circuit card programming interfaces Part 3: Application interfaceINCITS/ISO/IEC 24727-3-20082009 (ISO/IEC 24727-3:2008, IDT)INCITS/ISO/IEC 24727-3-20082009 ii ITIC 2009 All rights reserved PDF disclaimer This
2、 PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept ther
3、ein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; th
4、e PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterN
5、ational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/27/2009Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2009 by Information Technology Industry Council (ITI). All rights rese
6、rved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may
7、 be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America INCITS/ISO/IEC 24727-3-20082009 IT
8、IC 2009 All rights reserved iiiContents Page Foreword v Introduction.vi 1 Scope.1 2 Normative references .1 3 Terms and definitions.1 4 Abbreviated terms 3 5 Organization for interoperability4 5.1 General 4 5.2 Computation model 4 5.3 Entity relationships on the application interface5 5.4 Security m
9、odel 13 6 Card-application-service access .16 6.1 General 16 6.2 Initialize16 6.3 Terminate.17 6.4 CardApplicationPath.18 7 Connection service.19 7.1 General 19 7.2 CardApplicationConnect 20 7.3 CardApplicationDisconnect .21 7.4 CardApplicationStartSession.22 7.5 CardApplicationEndSession23 8 Card-a
10、pplication service 24 8.1 General 24 8.2 CardApplicationList25 8.3 CardApplicationCreate .26 8.4 CardApplicationDelete27 8.5 CardApplicationServiceList .28 8.6 CardApplicationServiceCreate.29 8.7 CardApplicationServiceLoad .30 8.8 CardApplicationServiceDelete.31 8.9 CardApplicationServiceDescribe.32
11、 8.10 ExecuteAction.33 9 Named data service 34 9.1 General 34 9.2 DataSetList 35 9.3 DataSetCreate .36 9.4 DataSetSelect37 9.5 DataSetDelete38 9.6 DSIList .39 9.7 DSICreate.40 9.8 DSIDelete .41 9.9 DSIWrite.42 9.10 DSIRead .43 10 Cryptographic service 44 10.1 General 44 10.2 Encipher 45 INCITS/ISO/I
12、EC 24727-3-20082009 iv ITIC 2009 All rights reserved10.3 Decipher.46 10.4 GetRandom47 10.5 Hash .48 10.6 Sign49 10.7 VerifySignature .50 10.8 VerifyCertificate 51 11 Differential-identity service 52 11.1 General 52 11.2 DIDList .53 11.3 DIDCreate.54 11.4 DIDGet55 11.5 DIDUpdate56 11.6 DIDDelete.57 1
13、1.7 DIDAuthenticate 58 12 Authorization service59 12.1 General 59 12.2 ACLList 60 12.3 ACLModify.61 Annex A (normative) Authentication protocols .62 A.1 General 62 A.2 Common Definitions.63 A.3 Simple Assertion.64 A.4 Asymmetric Internal Authenticate .66 A.5 Asymmetric External Authenticate69 A.6 Sy
14、mmetric Internal Authenticate .72 A.7 Symmetric External Authenticate 75 A.8 Compare 78 A.9 PIN Compare .81 A.10 Biometric Compare.84 A.11 Mutual Authentication with Key Establishment87 A.12 Client-Application Mutual Authentication with Key Establishment 90 A.13 Client-Application Asymmetric Externa
15、l Authenticate.93 A.14 Modular Extended Access Control Protocol (M-EAC)96 A.15 Key Transport with mutual authentication based on RSA.100 A.16 Age Attainment .104 A.17 Asymmetric Session Key Establishment 107 A.18 Secure PIN Compare.114 A.19 EC Key Agreement with Card-Application Authentication 118 A
16、.20 EC Key Agreement with Mutual Authentication .122 A.21 Simple EC-DH Key Agreement.128 A.22 GP Asymmetric Authentication .132 A.23 GP Symmetric Authentication (Explicit Mode) .138 A.24 GP Symmetric Authentication (Implicit Mode)142 Annex B (normative) Cryptographic algorithms145 B.1 Interoperabili
17、ty requirements.145 B.2 Symmetric Algorithms146 B.3 Asymmetric Algorithms149 B.4 Elliptic Curve Algorithms .150 B.5 Hash Functions .151 B.6 Message Authentication Codes .152 B.7 Key Establishment153 Annex C (normative) ASN.1 Representation154 C.1 General 154 Bibliography.193 INCITS/ISO/IEC 24727-3-2
18、0082009 ITIC 2009 All rights reserved vForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of
19、 International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in l
20、iaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint t
21、echnical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention
22、is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 24727-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcom
23、mittee SC 17, Cards and personal identification. ISO/IEC 24727 consists of the following parts, under the general title Identification cards Integrated circuit card programming interfaces: Part 1: Architecture Part 2: Generic card interface Part 3: Application interface Part 4: Application programmi
24、ng interface (API) administration Part 5: Testing Part 6: Registration authority procedures for the authentication protocols for interoperability INCITS/ISO/IEC 24727-3-20082009 vi ITIC 2009 All rights reservedIntroduction ISO/IEC 24727 is a set of programming interfaces for interactions between int
25、egrated circuit cards (ICCs) and external applications to include generic services for multi-sector use. The organization and the operation of the ICC conform to ISO/IEC 7816-4. ISO/IEC 24727 is relevant to ICC applications desiring interoperability among diverse application domains. This part of IS
26、O/IEC 24727 specifies a language-independent and implementation-independent application level interface that allows information and transaction interchange with a card. ISO/IEC 7498-1 is used as the layered architecture of the application interface. That is, the application interface assumes that th
27、ere is a protocol stack through which it will exchange information and transactions among cards using commands conveyed through the message structures defined in ISO/IEC 7816. The semantics of commands accessed by the application interface refers to application protocol data units (APDUs) as charact
28、erized in ISO/IEC 24727-2, and in the following standards: ISO/IEC 7816-4, Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange ISO/IEC 7816-8, Identification cards Integrated circuit cards Part 8: Commands for security operations ISO/IEC 7816-9,
29、Identification cards Integrated circuit cards Part 9: Commands for card management The goal of this part of ISO/IEC 24727 is to maximize the applicability and solution space of software tools that provide application interface support to card-aware applications. This effort includes supporting the e
30、volution of card systems as the cards become more powerful, peer-level partners with existing and future applications while minimizing the impact to existing solutions conforming to this part of ISO/IEC 24727. AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 24727-3-20082009 ITIC 2009 All rights reserved 1
31、Identification cards Integrated circuit card programming interfaces Part 3: Application interface 1 Scope This part of ISO/IEC 24727 defines services as representations of action requests and action responses to be supported at the client-application service interface. The services are described in
32、a programming-language-independent way. This part of ISO/IEC 24727 is the application interface of the Open Systems Interconnection Reference Model defined in ISO/IEC 7498-1. It provides a high-level interface for a client-application making use of information storage and processing operations of a
33、card-application as viewed on the generic card interface. This part of ISO/IEC 24727 does not mandate a specific implementation methodology for this interface. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only
34、 the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7816-11, Identification cards Integrated circuit cards Part 11: Personal verification through biometric methods ISO/IEC 24727-1, Identification cards Integrat
35、ed circuit card programming interfaces Part 1: Architecture ISO/IEC 24727-2, Identification cards Integrated circuit card programming interfaces Part 2: Generic card interface IETF RFC 2141, URN Syntax, May 1997 3 Terms and definitions For the purposes of this document, the terms and definitions giv
36、en in ISO/IEC 24727-1, ISO/IEC 24727-2 and the following apply. 3.1 access control list set of access rules 3.2 access permission granted capability to perform an action INCITS/ISO/IEC 24727-3-20082009 2 ITIC 2009 All rights reserved3.3 access rule association of an action and a security condition i
37、n the context of a card-application 3.4 action operation that a client-application can request of a card-application at the ISO/IEC 24727-3 application interface 3.5 alpha card-application administrative card-application, specific to ISO/IEC 24727, providing card and application discoverability and
38、administrative services 3.6 card-application-path ordered set of protocol termination points in the network that connects the client-application to the card-application 3.7 card-application-service set of actions 3.8 channel physical pathway allowing movement of bits of information between a client-
39、application and a card-application 3.9 client-application software component running on a platform that uses data storage and computational services offered by a card-application 3.10 connection logically referenced channel 3.11 global differential-identity differential-identity recognized in all ca
40、rd-applications that are managed by the same alpha card-application 3.12 local differential-identity differential-identity recognized only within a specific card-application in which it is defined 3.13 parameter information required to define or effect an action 3.14 return code information, includi
41、ng status, returned as a consequence of an action 3.15 security condition boolean expression in terms of differential-identity authentication states 3.16 session connection used under a particular security context INCITS/ISO/IEC 24727-3-20082009 ITIC 2009 All rights reserved 33.17 target persistent
42、entity that shall be manipulated through the actions of a card-application-service 4 Abbreviated terms For the purposes of this document, the abbreviated terms given in ISO/IEC 24727-1 and the following apply. ACL access control list AR access rule DID differential-identity DSI data structure for in
43、teroperability INCITS/ISO/IEC 24727-3-20082009 4 ITIC 2009 All rights reserved5 Organization for interoperability 5.1 General A client-application and a card-application comprise two peer-level entities that interact through well-defined transaction and communication mechanisms. The ISO/IEC 24727-3
44、application interface shall be the sole mechanism through which a client-application interacts with a card-application. This clause defines the model of computation and persistent entities on the ISO/IEC 24727-3 application interface by which the client-application and the card-application interact.
45、 A security model governs the security mechanisms through which trust in this interaction is achieved. Clause 5.2 introduces the conceptual entities on the ISO/IEC 24727-3 application interface and describes their operational behavior and relationships. Clause 5.3 specifies the entities and relation
46、ships presented on the ISO/IEC 24727-3 application interface. Clause 5.4 specifies the security model provided on the ISO/IEC 24727-3 application interface. 5.2 Computation model Using the terminology defined in ISO/IEC 24727-1: 5.2.1 A client-application may know a card-application-path to a card-a
47、pplication. Using this card-application-path, a client-application can initiate a connection to a card-application. The card-application shall be known as the current card-application for the connection. 5.2.2 The ISO/IEC 24727-3 application interface is the set of card-application-services provided
48、 to the client-application. Each card-application-service shall be comprised of actions that may be requested by a client-application and confirmations returned by the SAL. 5.2.3 If the client-application does not know a card-application-path to a card-application, it may make a request at the ISO/I
49、EC 24727-3 application interface to discover a card-application-path to the requested card-application. 5.2.4 A card-application shall be uniquely identified by an AID. 5.2.5 The alpha card-application provides the basis for trusted management of card-applications by the client-application. 5.2.6 A client-application may open more than one connection. A client-application may open more than one connection with the same card-application, each connection being referenced by a different c