1、INCITS/ISO/IEC 7816-15-2004 (ISO/IEC 7816-15:2004, IDT) Identification cards Integrated circuit cards with contacts Part 15: Cryptographic informationapplicationINCITS/ISO/IEC 7816-15-2004(ISO/IEC 7816-15:2004,IDT)INCITS/ISO/IEC 7816-15-2004 ii ITIC 2005 All rights reserved PDF disclaimer This PDF f
2、ile may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein th
3、e responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-
4、creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNationa
5、l Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 12/29/2005 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2005 by Information Technology Industry Council (ITI). All rights reserved
6、. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be
7、reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America INCITS/ISO/IEC 7816-15-2004 ITIC 2005
8、All rights reserved iii Contents Page Foreword vi Introduction . vii 1 Scope 1 2 Normative references .2 3 Terms and definitions 2 4 Symbols and abbreviated terms 5 4.1 Symbols 5 4.2 Abbreviated terms 6 5 Conventions .7 6 Cryptographic information objects7 6.1 Introduction 7 6.2 CIO classes .7 6.3 A
9、ttributes 8 6.4 Access restrictions 8 7 CIO files 8 7.1 Overview .8 7.2 IC card requirements 8 7.3 Card file structure.9 7.4 EF.DIR .9 7.5 Contents of DF.CIA . 10 7.5.1 Overview . 10 7.5.2 The CIAInfo EF 10 7.5.3 EF.OD 11 7.5.4 CIO Directory files 11 7.5.5 DF.CIA selection . 12 8 Information syntax
10、in ASN.1 13 8.1 Guidelines and encoding conventions 13 8.2 Basic ASN.1 defined types . 13 8.2.1 Identifier 13 8.2.2 Reference 13 8.2.3 Label . 13 8.2.4 CredentialIdentifier . 13 8.2.5 ReferencedValue and Path . 14 8.2.6 ObjectValue 15 8.2.7 PathOrObjects 15 8.2.8 CommonObjectAttributes 15 8.2.9 Comm
11、onKeyAttributes . 17 8.2.10 CommonPrivateKeyAttributes . 18 8.2.11 CommonPublicKeyAttributes 19 8.2.12 CommonSecretKeyAttributes 19 8.2.13 GenericKeyAttributes . 19 8.2.14 KeyInfo 19 8.2.15 CommonCertificateAttributes 20 8.2.16 GenericCertificateAttributes 21 8.2.17 CommonDataContainerObjectAttribut
12、es 21 8.2.18 CommonAuthenticationObjectAttributes 21 8.2.19 The CIO type . 21 8.3 The CIOChoice type . 22 INCITS/ISO/IEC 7816-15-2004 iv ITIC 2005 All rights reserved 8.4 Private key information objects . 23 8.4.1 PrivateKeyChoice . 23 8.4.2 Private RSA key attributes . 23 8.4.3 Private Elliptic Cur
13、ve key attributes 23 8.4.4 Private Diffie-Hellman key attributes . 24 8.4.5 Private DSA key attributes . 24 8.4.6 Private KEA key attributes . 24 8.4.7 Generic Private key information objects . 24 8.5 Public key information objects 24 8.5.1 PublicKeyChoice 24 8.5.2 Public RSA key attributes 25 8.5.3
14、 Public Elliptic Curve key attributes . 25 8.5.4 Public Diffie-Hellman key attributes 26 8.5.5 Public DSA key attributes 26 8.5.6 Public KEA key attributes 26 8.5.7 Generic public key information objects 27 8.6 Secret key information objects 27 8.6.1 SecretKeyChoice 27 8.6.2 Algorithm independent ke
15、y attributes . 27 8.6.3 The GenericSecretKey type . 27 8.7 Certificate information objects 27 8.7.1 CertificateChoice 27 8.7.2 X.509 certificate attributes . 28 8.7.3 X.509 attribute certificate attributes 28 8.7.4 SPKI certificate attributes 28 8.7.5 PGP (Pretty Good Privacy) certificate attributes
16、 29 8.7.6 WTLS certificate attributes 29 8.7.7 ANSI X9.68 domain certificate attributes 29 8.7.8 Card Verifiable Certificate attributes . 29 8.7.9 Generic certificate attributes . 30 8.8 Data container information objects . 30 8.8.1 DataContainerObjectChoice 30 8.8.2 Opaque data container object att
17、ributes . 30 8.8.3 ISO/IEC 7816 data object attributes . 30 8.8.4 Data container information objects identified by OBJECT IDENTIFIERS 30 8.9 Authentication information objects . 31 8.9.1 AuthenticationObjectChoice 31 8.9.2 Password attributes . 31 8.9.3 Biometric reference data attributes . 33 8.9.4
18、 Authentication objects for external authentication 35 8.10 The cryptographic information file, EF.CIAInfo 35 Annex A (normative) ASN.1 module . 38 Annex B (informative) CIA example for cards with digital signature and authentication functionality 52 B.1 Introduction 52 B.2 CIOs 52 B.3 Access contro
19、l . 53 Annex C (informative) Example topologies 55 Annex D (informative) Examples of CIO values and their encodings . 57 D.1 Introduction 57 D.2 EF.OD 57 D.2.1 ASN.1 value notation . 57 D.2.2 ASN.1 description, tags, lengths and values 58 D.2.3 Hexadecimal DER-encoding 58 D.3 EF.CIAInfo 59 D.3.1 ASN
20、.1 value notation . 59 D.3.2 ASN.1 description, tags, lengths and values 59 D.3.3 Hexadecimal DER-encoding 59 INCITS/ISO/IEC 7816-15-2004 ITIC 2005 All rights reserved v D.4 EF.PrKD 59 D.4.1 ASN.1 value notation 59 D.4.2 ASN.1 description, tags, lengths and values 60 D.4.3 Hexadecimal DER-encoding 6
21、1 D.5 EF. CD . 62 D.5.1 ASN.1 value notation 62 D.5.2 ASN.1 description, tags, lengths and values 63 D.5.3 Hexadecimal DER-encoding 64 D.6 EF.AOD . 64 D.6.1 ASN.1 value notation 64 D.6.2 ASN.1 description, tags, lengths and values 65 D.6.3 Hexadecimal DER-encoding 66 D.7 EF.DCOD . 67 D.7.1 ASN.1 val
22、ue notation 67 D.7.2 ASN.1 description, tags, lengths and values 67 D.7.3 Hexadecimal DER-encoding of DCOD . 67 D.8 Application Template (within the EF.DIR) 68 D.8.1 ASN.1 value notation 68 D.8.2 ASN.1 description, tags, lengths and values in ApplicationTemplate . 68 D.8.3 Hexadecimal DER-encoding o
23、f ApplicationTemplate . 68 Bibliography 70 INCITS/ISO/IEC 7816-15-2004 vi ITIC 2005 All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies
24、 that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other int
25、ernational organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules give
26、n in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval b
27、y at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 7816-15 was prepared by Joint
28、Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification. ISO/IEC 7816 consists of the following parts, under the general title Identification cards Integrated circuit cards with contacts: Part 1: Physical characteristics Part 2: Dimensions and
29、 location of the contacts Part 3: Electronic signals and transmission protocols Part 4: Organisation, security and commands for interchange Part 5: Registration of application providers Part 6: Interindustry data elements for interchange Part 7: Interindustry commands for Structured Card Query Langu
30、age (SCQL) Part 8: Commands for security operations Part 9: Commands for card management Part 10: Electronic signals and answer to reset for synchronous cards Part 11: Personal verification through biometric methods Part 15: Cryptographic information application INCITS/ISO/IEC 7816-15-2004 ITIC 2005
31、 All rights reserved vii Introduction Integrated circuit cards with cryptographic functions can be used for secure identification of users of information systems as well as for other core security services such as non-repudiation with digital signatures and distribution of enciphering keys for confi
32、dentiality. The objective of this part of ISO/IEC 7816 is to provide a framework for such services based on available international standards. A main goal has been to provide a solution that may be used in large-scale systems with several issuers of compatible cards, providing for international inte
33、rchange. It is flexible enough to allow for many different environments, while still preserving the requirements for interoperability. A number of data structures have been provided to manage private keys and key fragments, to support a public key certificate infrastructure and flexible management o
34、f user and entity authentication. This part of ISO/IEC 7816 is based on PKCS #15 v1.1 (see the bibliography). The relationship between these documents is as follows: a common core is identical in both documents; those components of PKCS #15 which do not relate to IC cards have been removed; this par
35、t of ISO/IEC 7816 includes enhancements to meet specific IC card requirements. AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 7816-15-2004 ITIC 2005 All rights reserved 1 Identification cards Integrated circuit cards with contacts Part 15: Cryptographic information application 1 Scope This part of ISO/IE
36、C 7816 specifies an application in a card. This application contains information on cryptographic functionality. This part of ISO/IEC 7816 defines a common syntax and format for the cryptographic information and mechanisms to share this information whenever appropriate. The objectives of this part o
37、f ISO/IEC 7816 are to: facilitate interoperability among components running on various platforms (platform neutral); enable applications in the outside world to take advantage of products and components from multiple manufacturers (vendor neutral); enable the use of advances in technology without re
38、writing application-level software (application neutral); and maintain consistency with existing, related standards while expanding upon them only where necessary and practical. It supports the following capabilities: storage of multiple instances of cryptographic information in a card; use of the c
39、ryptographic information; retrieval of the cryptographic information, a key factor for this is the notion of Directory Files, which provides a layer of indirection between objects on the card and the actual format of these objects; cross-referencing of the cryptographic information with DOs defined
40、in other parts of ISO/IEC 7816 when appropriate; different authentication mechanisms; and multiple cryptographic algorithms (the suitability of these is outside the scope of this part of ISO/IEC 7816). This part of ISO/IEC 7816 does not cover the internal implementation within the card and/or the ou
41、tside world. It shall not be mandatory for implementations complying with this International Standard to support all options described. In case of discrepancies between ASN.1 definitions in the body of the text and the module in Annex A, Annex A takes precedence. INCITS/ISO/IEC 7816-15-2004 2 ITIC 2
42、005 All rights reserved 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. IS
43、O/IEC 7816 (all parts), Identification cards Integrated circuit cards with contacts ISO/IEC 8824-1:1998, Information technology Abstract Syntax Notation One (ASN.1): Specification of basic notation ISO/IEC 8824-2:1998, Information technology Abstract Syntax Notation One (ASN.1): Information object s
44、pecification ISO/IEC 8824-3:1998, Information technology Abstract Syntax Notation One (ASN.1): Constraint specification ISO/IEC 8824-4:1998, Information technology Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications ISO/IEC 8825-1:1998, Information technology ASN.1 encodin
45、g rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) ISO 9564-1:2002, Banking Personal Identification Number (PIN) management and security Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems I
46、SO/IEC 9594-8:1998, Information technology Open Systems Interconnection The Directory: Authentication framework ISO/IEC 10646-1:2000, Information technology Universal Multiple-Octet Coded Character Set (UCS) Part 1: Architecture and Basic Multilingual Plane ANSI X9.42-2001, Public Key Cryptography f
47、or the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography ANSI X9.62-1998, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) 3 Terms and definitions For the purposes of this document, the fo
48、llowing terms and definitions apply. 3.1 absolute path path that starts with the file identifier 3F00 3.2 application data structures, data elements and program modules needed for performing a specific functionality ISO/IEC 7816-4 3.3 application identifier data element that identifies an applicatio
49、n in a card NOTE Adapted from ISO/IEC 7816-4. INCITS/ISO/IEC 7816-15-2004 ITIC 2005 All rights reserved 3 3.4 application provider entity providing the components required for performing an application in the card ISO/IEC 7816-4 3.5 authentication information object cryptographic information object that provides information about authentication related data, e.g. a password 3.6 authentication object directory file elementary file containing authentication information
