BS DD CEN TS 15480-3-2010 Identification card systems European citizen card European citizen card interoperability using an application interface.pdf

Uploaded by: orderah291 Document ID: 548126 Upload date: 2018-12-09 Format: PDF Pages: 306 Size: 6.53MB
Resource description

raising standards worldwide
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

BSI Standards Publication
DD CEN/TS 15480-3:2010
Identification card systems - European Citizen Card
Part 3: European Citizen Card Interoperability using an application interface

Licensed Copy: Wang Bin, ISO/EXCHANGE CHINA STANDARDS, 09/05/2011 07:07, Uncontrolled Copy, (c) BSI

DD CEN/TS 15480-3:2010 DRAFT FOR DEVELOPMENT

National foreword

This Draft for Development is the UK implementation of CEN/TS 15480-3:2010.

This publication is not to be regarded as a British Standard.

It is being issued in the Draft for Development series of publications and is of a provisional nature. It should be applied on this provisional basis, so that information and experience of its practical application can be obtained.

Comments arising from the use of this Draft for Development are requested so that UK experience can be reported to the international organization responsible for its conversion to an international standard. A review of this publication will be initiated not later than 3 years after its publication by the international organization so that a decision can be taken on its status. Notification of the start of the review period will be made in an announcement in the appropriate issue of Update Standards.

According to the replies received by the end of the review period, the responsible BSI Committee will decide whether to support the conversion into an international Standard, to extend the life of the Technical Specification or to withdraw it. Comments should be sent to the Secretary of the responsible BSI Technical Committee at British Standards House, 389 Chiswick High Road, London W4 4AL.

The UK participation in its preparation was entrusted to Technical Committee IST/17, Cards and personal identification.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© BSI 2011
ISBN 978 0 580 69792 0
ICS 35.240.15

Compliance with a British Standard cannot confer immunity from legal obligations.

This Draft for Development was published under the authority of the Standards Policy and Strategy Committee on 31 January 2011.

Amendments issued since publication
Date Text affected

TECHNICAL SPECIFICATION
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION

CEN/TS 15480-3
December 2010
ICS 35.240.15

English Version

Identification card systems - European Citizen Card - Part 3: European Citizen Card Interoperability using an application interface

Systèmes d'Identification par Carte - Carte Européenne de Citoyen - Partie 3: Interopérabilité de la Carte européenne de Citoyen par interface applicative

Identifikationskartensysteme - Europäische Bürgerkarte - Teil 3: Anwendungsschnittstelle für die Interoperabilität von Europäischen Bürgerkarten

This Technical Specification (CEN/TS) was approved by CEN on 12 July 2010 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2010 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TS 15480-3:2010: E

Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
4.1 Abbreviations
5 ECC fitting in ISO/IEC 24727 model
5.1 ISO/IEC 24727 main features
5.2 General security issues Applicable 24727-4 Stack Configurations for the ECC environment
5.3 ECC-3 Middleware Architecture
5.3.1 Service Access Layer (SAL)
5.3.2 Generic Card Access Layer (GCAL)
5.3.3 Interface Device Layer and API (IFD API)
5.3.4 ECC-3 Stack Distribution and Connection Handling
5.3.5 A Web Service based architecture for ECC-3 framework
5.3.6 XML-based SAL interface
5.3.7 Smart card profile fitting with ECC-3 stack
6 Card Discovery Mechanisms
6.1 Discovery decision tree
6.2 Migration path towards ECC and provision for legacy cards
6.2.1 Interoperable access to the Repository
6.3 Set of data for interoperability
6.4 Application and Card Capability Descriptors
6.5 ISO/IEC 7816-15 implementation
6.5.1 Profile designation within EF.DIR
6.5.2 ISO/IEC 24727-3 data structures mapping
6.5.3 SAL-API Action mapping onto ISO/IEC 7816-15 attributes
6.5.4 ISO/IEC 24727-3 data structures storage onto the card
6.5.5 General discovery mechanism
6.6 Other data descriptor
7 Authentication protocols
7.1 Authentication Mechanisms based on ISO/IEC 24727 SAL-API
7.2 Asymmetric internal authentication
7.3 Asymmetric external authentication
7.4 Symmetric internal authentication
7.5 Symmetric external authentication
7.6 Mutual authentication with key establishment
7.7 Device authentication with non traceability
7.8 Key transport protocol based on RSA
7.9 Terminal Authentication
8 IFD-API Web Service Binding
8.1 Specification of ISOCommon.XSD
8.2 Specification of ISOIFD.XSD
8.3 Specification of CENIFD.WSDL
8.4 Specification of CENIFDCallback.XSD
8.5 Definition of CENCallback.WSDL
9 Card-Info Structure
9.1 Introduction
9.2 Overview
9.3 CardType
9.4 CardIdentification
9.5 CardCapabilities
9.6 ApplicationCapabilities
9.7 Signature
9.8 Complete XML-Schema Definition
10 XML-based Service Access Layer Interface
10.1 XML-Schema definitions for Service Access Layer functions
10.2 WSDL definitions for Service Access Layer functions
Annex A (informative) Interface Device Layer Architecture and Management
A.1 Scope
A.2 IFD-Layer Architecture
A.3 Resource Manager
A.3.1 IFD-Handlers
A.3.2 Card transactions
A.3.3 Application threads
A.4 Administrative functions
A.4.1 IFD-Handler related functions
A.4.2 Interface Device related functions
A.5 IFD-Handler-API
Annex B (informative) Interface Device API
B.1 Card terminal related functions
B.1.1 EstablishContext
B.1.2 ReleaseContext
B.1.3 ListIFDs
B.1.4 GetIFDCapabilities
B.1.5 GetStatus
B.1.6 Wait
B.1.7 Cancel
B.1.8 ControlIFD
B.2 Card related functions
B.2.1 Connect
B.2.2 Disconnect
B.2.3 BeginTransaction
B.2.4 EndTransaction
B.2.5 Transmit
B.3 User related functions
B.3.1 VerifyUser
B.3.2 ModifyVerificationData
B.3.3 Output
Annex C (informative) IFD-API C Language Binding
Annex D (informative) Examples of Cryptographic Information Application for Card-Application Service Description
D.1 Fetching a certificate for internal asymmetric authentication
D.2 Creating a new service
D.2.1 Features of eVoting Service
Annex E (informative) SAL-API Post-issuance personalization requests
E.1 Post-issuance personalization requests
E.2 Canonical protocol
E.2.1 DataSetCreate
E.2.2 DSICreate
E.2.3 DIDCreate
E.2.4 DIDUpdate
E.2.5 CardApplicationServiceCreate
Annex F (informative) Additional features versus ISO/IEC 24727
F.1 Discovery Mechanism
F.2 General Procedures (SAL)
F.3 Architecture
F.4 eURI support (through ControlIFD() call)
F.5 Differences between IFD-API in ISO/IEC 24727-4 and ECC-3
F.5.1 More generale SlotCapabilityType
F.5.2 Transmit with support for batch processing
F.5.3 Additional error code for Signalevent
F.6 Miscellaneous corrections
Annex G (informative) C-Language Binding for ExecuteSAL function
Annex H (informative) Java-Language Binding for ExecuteSAL function
Annex I (informative) XML-Binding for Authentication Protocols
I.1 PIN Compare
I.1.1 Marker
I.1.2 DIDCreate
I.2 Mutual authentication
I.2.1 Marker
I.3 RSA Authentication
I.3.1 Marker
I.3.2 DIDCreate
I.3.3 DIDUpdate
I.3.4 DIDGet
I.3.5 CardApplicationStartSession
I.3.6 DIDAuthenticate
I.4 Generic cryptography
I.4.1 Marker
I.4.2 DIDCreate
I.4.3 DIDUpdate
I.4.4 DIDGet
I.4.5 Encipher
I.4.6 Decipher
I.4.7 GetRandom
I.4.8 Hash
I.4.9 Sign
I.4.10 VerifySignature
I.4.11 VerifyCertificate
I.4.12 DIDAuthenticate
Annex J (informative) API for ISO/IEC 7816-15 data structures handling
J.1 C-language Binding for the ECC3-API
J.1.1 ECC3RESULT
J.1.2 ECC3CONTEXT
J.1.3 ECC3INFO
J.1.4 ECC3VERSION
J.1.5 CioChoice
J.1.6 CommonObjectFlags
J.1.7 SecurityEnvironmentInfo
J.1.8 AlgorithmInfo
J.1.9 PasswordType
J.1.10 Validity
J.1.11 ObjectValueType
J.1.12 FileType
J.1.13 FileState
J.1.14 IdType
J.1.15 AccessModes
J.1.16 Operations
J.1.17 ContextTag
J.1.18 SecurityConditionType
J.1.19 DataSetNameType
J.1.20 DSINameType
J.2 Interface functions
J.2.1 General Purposes Functions
J.2.2 Reader and Card management Functions
J.3 Objects
J.3.1 Basic objects
J.3.2 File Objects
J.3.3 Data Objects
J.4 Macros
J.4.1 _HB: HexaBlob convertions
J.4.2 AsString
J.5 Example of use (C+ Language)
Annex K (informative) Global Profile 4: card requirements to access/offer services in ISO/IEC 24727 framework
K.1 Global Profile 4: Card requirements
K.1.1 OID
K.1.2 General
K.1.3 interfaces / transport protocols
K.1.4 Data elements and data structures
K.1.5 Command set
K.1.6 Data structure of Card Applications
Bibliography

Foreword

This document (CEN/TS 15480-3:2010) has been prepared by Technical Committee CEN/TC 224 “Personal identification, electronic signature and cards and their related systems and operations”, the secretariat of which is held by AFNOR.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

1 Scope

ECC part 3 will provide an Interoperability Model, which will enable an eService compliant with technical requirements, to interoperate with different implementations of the European Citizen Card. This Interoperability model will be developed as follows:

- starting from the ECC part 2, part 3 of the ECC series will provide additional technical specifications for a middleware architecture based on ISO/IEC 24727. This middleware will provide an API to an eService as per ISO/IEC 24727-3;
- a set of additional API provide the middleware stack with means to facilitate ECC services;
- a standard mechanism for the validation of the e-ID credential stored in the ECC and retrieved by the service.

In order to support the ECC services over an ISO/IEC 24727 middleware configuration, this part of the standard specifies the following:

- a set of mandatory requests to be supported by the middleware implementation based on ISO/IEC 24727;
- data set content for interoperability to be personalized in the ECC;
- two middleware architecture solutions: one based on a stack of combined ISO/IEC 24727 configurations and the other based on Web Service configuration;
- a Global Profile featuring the guidelines for card-applications to fit in ISO/IEC 24727 framework.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN 14890-1:2008, Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services
ISO/IEC 7816-3:2008, Identification cards - Integrated circuit cards - Part 3: Cards with contacts - Electrical interface and transmission protocols
ISO/IEC 7816-4:2005, Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange
ISO/IEC 7816-8:2004, Identification cards - Integrated circuit cards - Part 8: Commands for security operations
ISO/IEC 7816-9, Identification cards - Integrated circuit cards - Part 9: Commands for card management
ISO/IEC 7816-15:2004, Identification cards - Integrated circuit cards with conta
