1、BRITISH STANDARD Identification card systems - Telecommunications integrated circuit( s) cards and terminals - Part 7: Security module The European Standard EN 72671999 has the status of a British Standard ICs 35.240.15 BS EN 726-7:1999 NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRI
2、GHT LAW STD-BSI BS EN 72b-7-ENGL 1979 D 1b24bb9 08080b1 Yb2 Amd. No. Date BS EN 726-7:1999 Comments National foreword “his British Standard is the English language version of EN 7267: 1999. The UK participation in its preparation was entrusted to Technical Committee IST47, Identification cards and r
3、elated devices, which has the responsibility to: - aid enquirers to understand the text; - present to the responsible European committee any enquiries on the - monitor related international and European developments and promulgate interpretation, or proposais for change, and keep the K interests inf
4、ormed; them in the UK. A list of organizations represented on this committee can be obtained on request to its secretary. Cross-references The British Standards which implement international or European publications referred to in this document may be found in the BSI Standards Catalogue under the s
5、ection entitled “International Standards Correspondence Index“, or by using the “Find facility of the BSI Standards Electronic Catalogue. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct applicatio
6、n. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cover, the EN title page, pages 2 to 48, an inside back cover and a back cover. The BSI copyright notice displayed in this document
7、 indicates when the document was last issued. This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Committee and comes into effect on 15 November 1999 0 BSI 11-1999 ISBN O 680 35472 5 I l - STD-BSI BS EN 72b-7-ENGL 1999
8、 Lb24bb9 0Ob2 T9 II EUROPEAN STANDARD EN 726-7 NORME EuROP - the general card related functions embedded in the SM-terminal protocols including minimum dah exchange; The data elements and cryptographic processing described in annex A for the case where the SM is an ICC should be supported if the SM
9、is not an ICC or the configuration of the system, e.g. where the SM handles more than one tenninalhise r card Configurations where the SM handles more than one tenninal/user card are not fully specified in this standard Further mechanisms may be required to enable these - the necessary security serv
10、ices and mechanisms to provide application and cryptographic security information for the processing of telecommunication lmnsactions. considering several types of SMs at different locations in the system and different system configurations. This part of EN 726 allows interaction between the Integra
11、ted Circuit Card (IC card) and the SM via the terminal in a way that may be functionaliy transparent to the terminai and possibly also the network(s). This provides the flexibility to use different techniques, commands and message formats at the terminai-SM interface. This part of EN 726 supports IC
12、 cards with payment applications following EN 7265 and ali card applications foiowing ciauses 4 to 7 of this part of the standard. This part of EN 726 supports IC cards following EN 7231994. Other telecommunication cards which are not in accordance with EN 726, e.g. simple memory cards, may also be
13、supported by the SM described in this part. configurations; 2 Normative references This European Standard incorporates by dated or undated reference, provisions from other publications. These normative references are cited at the appropriate places in the text and the publications listed hereafter.
14、For dated references, subsequent amendments to, or revisions of any of these publications apply to this European Standard only when incorporated in it by amendment or revision. For undated references the latest edition of the publication referred to applies. EN 7262:1995, Identifkation cad systems -
15、 Telecommunications integrated cimit(sj cads and termi,nals - Pa,? 2: Security framework. EN 72631994, Identi - EFmy - op is an elementary file containing operational keys; - EFmy - MAN is an elementary Ne containing management keys; - EFDIK-OP is an elementary file containing diversified operationa
16、l keys; - EFDIK - MAN is an elementary fde containing diversified management keys. 3.1.9 file identifier (ID) each file w, DF, EF) has an identifier consisting of 2 bytes 3.1.10 file qualifier fust byte of the file identifier 3.1.11 master file (MF) the mandatory unique ie representing the root of t
17、he file structure and containing AC and allocatable memory It may be the parent of elementary files andor dedicated files 3.1.12 operating system that which is required to manage the logical resources of a system, including process scheduling and file management O BSI 11-1999 STD.BSI BS EN 726-7-ENG
18、L 1999 Lb24bb9 0808066 444 m Page 6 EN 726-E1999 3.1.13 Path concatenation of le identifiers without delimitation 3.1.14 secrets algorithm(s), related key(s), security procedures and information 3.1.16 security module a device containing logicaily and physically protected secrets - aigorithm(s), rel
19、ated key(s), security procedures and information to protect applications in such a way that unauthorized access is not feasible. In order to achieve this the module may in adition be further physically, electxically and logically protected 3.1.16 security module provider see IS0 10202-4 3.1.17 seque
20、nce control a feature assuring that operations, invoked by commands, can only be performed by the SM in allowed, predefined order(s) 3.2 Abbreviations AC AID AUT CHV DF EF EW IC ICC ID IFD 1NT.AUT.H INV LEN MAC MF NEV PRO RAN REH RFU SM uc Access Condition Application Identifier Authenticakd Card Ho
21、lder Verification infomation Dedicated File Elementary File External World Integrated Circuit Integrated Circuit Card Identifier of a Ne Interface Device Internal Authentication Invalidate Message Authentication Master File Never Protected Random Rehabilitate Reserved for Future Use Security Module
22、User Card Length O BSI 11-1999 STD.BSI BS EN 72b-7-ENGL 1999 1624669 0808067 380 Page 6 EN 726-R1999 4 Physical characteristics of the SM If the SM is an IC card the physical characteristics shall be in accordance with clause 4 of EN 7263: 1994. For any other case the physical characteristics are ou
23、t of the scope of this part of EN 726. 5 Electronic signals and transmission protocols If the SM is an IC card the electronic signals and transmission protocol(s) shall be in accordance with clause 6 of EN 7263:1994. For any other case the electronic signais and transmission protocol are out of the
24、scope of this standard 6 Logical model for SM A SM following this standard contains: - permanent secrets (master key); - temporary secrets (diversified key(s); - a balance (optional); - an operating system to handle secure access to the secrets mentioned above. Additional options are possible as lon
25、g as they do not interfere with the basic contents, but are out of the scope of this standard. I Physical interface I EN 27816-3 EN 27816-3 e.g. T=O, T= EN 726-3 I Operating system I up to implementation Diversified key) c One of the options could be prevention of physical attacks Figure 1 - General
26、 structure of a SM Options r O BSI 11-1999 STD.BSI BS EN 726-7-ENGL 1799 3624669 OBOB068 217 II Page 7 EN 72671999 I uc Terminal SM interface SM Application master EN 726-5 - EN 726-6 EN 726-5 Application/ Routines EN 726-6 EN 726-7 EN 726-3 EN 726-4 EN 726-7 EN 726-3 EN 2781 6-3 EN 27816-3 EN 27816
27、-2 EN 27816-2 EN 27816-3 EN 278 16-3 EN 726-7 Functions Commands Transport Physical only if the SM is an ICC (otherwise out of scope) * out of scope For the purpose of this figure, the application master is the equipment which is issuing commands io the UC and SM Figure 2 - Standardized communicatio
28、n between a UC and a SM 7 General concepts 7.1 General security principles The SM provider shall be responsible for the life cycle of the SM. Any aspect in the operation of a SM or dab obtainable from a SM shall not compromise the security of the system. Cryptographic keys used in the SM and the UC
29、shall be managed in such a way that the security of any system using SMs or UCs is not compromised. During the application life cycle the need to change keys in the UC may appear. To support this the SM may contain several keyset versions. Interoperability of telecommunication SMs in Europe is based
30、 on the exchange of secret keys. The mechanisms for downloading keys into the SM are not described in this part of EN 726. The isolation of the key management systems between different operators requires the use of a trusted party. 7.1.1 Access conditions For the functions described in this part of
31、the standard no ACs have to be fulfilled in the SM, but the usage of the keys may be restricted. The SM uses diversified keys for functions in the UC where the ACs require a key operation. For the management of the SM by the External World, the ACs defined in EN 72631994 shall apply only if the SM i
32、s an IC card. The SM may also perform a key iveisificaton for Application Specific functions in the UC which are not defined in EN 72fXk1994. In this case, the limits of the usage of the key(s) for this specific function shall be kept in the SM. 7.1.2 Sequence control A sequence control can be achie
33、ved by using ACs of the UC on the SM. Sequence control functions where the SM checks if it is aiowed to perform commands and status responses can optionally be added if needed in the application. The implementation is out of the scope of the standard. Nevertheless the following applies, if the comma
34、nd is allowed the operation will be performed and the results will be the outcome of the command. If the command is not allowed the operation will not be performed and the status conditions wili contain “Command out of sequence“. “he internai reaction of the SM is application dependent. 7.2 SM Life
35、cycle See Is0 102024. 7.3 Configuration of the system The general card related functions at the SM-terminal interface including minimum data exchange shall not be affected. The user card-terminal interface shall not be affected by type of implementation of the SM. Four possible configurations of the
36、 SM are shown in Figures 3 to 6. O BSI 11-1999 STD.BS1 BS EN 726-7-ENGL 1999 M Lb24bb9 08080b9 153 Page 8 EN 726-R1999 IC Card In the interests of completeness ail four locations are shown. However, it is probable that for the more distant locations a higher level transport protocol may be appropria
37、te. Such high level ansport protocols are outside the scope of this standard. TERMINAL pM-I IC Card 1 ICCard NETWORK TERMINAL TERMINAL Figure 4 - SM included in a local concentrator I II Figure 6 - SM in the network TERM IN AL NETWORK _(I Figure 6 - Remote SM O BSI 11-1999 Page 9 EN 726-7:1999 A dis
38、tinction between normal operations (transfer of sensitive dah such as payment transactions) and more sensitive operations (such as creation of sensitive data) may be necem. In this case, two kinds of SM may exist. SM1 situated in an open environment only allowing normal operations and SM2 (and termi
39、nai) located in a secure environment and allowing in addition e.g. personalization. For SMs covering more sensitive operations, specific security tools are necessary as physical protection. These requirements are out of the scope of this standard. SM type 1 increase amount in S Management transactio
40、ns Purchase transaction Management system ment transactions Personalization SM type 2 Figure 7 - An example of a system configuration 7.4 SM security functions A SM contains: - secrets which aow the tenninal to access protected parts of the UC; - secrets which allow the authenticity of the UC to be
41、checked; - optionally, a balance that can be increased and decreased in a secure manner in the SM, coupled with a corresponding reverse operation in the UC. A SM shall be logically and physically protected against attacks aimed at exposing or abusing secrets during the whole Me cycle of the SM. Ali
42、functions shall be independent of transmission protocols. These may be different at the terminai-UC and at the termina-SM interface. In order to fulfill the AC = AUT or PRO of files in the UC, any related functions in the UC and the SM shall use the Same keys and algorithms. For the purpose of this
43、part of EN 726 the functionality is based on: - symmetric algorithms; - diversified keys. However, the use of asymmetric or hybrid cryptosystems may be defined later. 8 Description of the functions of a SM This clause only describes the aditional specific functions necessary for a SM. If the SM is a
44、n IC card the remaining part of this clause and annex A apply. Additional functions to support other applications outside the scope of EN 726 are not precluded. Any such function shall not conflict with the content of EN 726. The command header and trailer referred to in this chapter are data elemen
45、ts used to control the processing of data by the SM in accordance with the function specified. O BSI 11-1999 Page 10 EN 726R1999 Bytes Description 1 to 4 5 IC card manufacturing references (coded in accordance with EN 72-1994) Card perconalizer ID (coded in accordance with EN 72M1994) 8.1 Functions
46、without MAC 8.1.1 SELECT KEYSET The purpose of this function is to unambiguously address a specific keyset in the SM, that shall be used at least for the next cryptographic computation, corresponding to the specific command, Ne, AC and application of the UC. In case a UC following EN 72G31994 is use
47、d, the SM shall select a keyset corresponding with the key master version indicated by the UC. Input: a/ command header, b/ key qualifier. Length 4 bytes 1 byte 6 to 7 8 File ID of the EFwy Keyfle version (coded in accordance with EN 726-31994) I 2 bytes I 1 byte Bytes Description 1-x AID (coded in
48、accordance with to EN 72631994) Length 1 to 16 bytes output: al data : none; b/ status. 8.1.3 ASK PARAMETER The purpose of this function is to transfer a parameter from the SM to the terminal. This parameter is given to the terminal and used inside the SM to compute the next incoming cryptogram. Thi
49、s parameter shall be valid until the next function requiring a challenge is pedormed in the SM except in the case of VERIFY MAC. I 2) chalienge (counter). G+U- x+3 G + 2) O BSI 11-19!9 File ID of the EFwy Keyfile version (coded in accordance with EN 72-1994) 2 bytes 1 byte STD.BSI BS EN 72b-7-ENGL 1999 3b24bb9 0808072 748 Bytes Page 11 EN 726-7:1999 Description Length Several counters for providing challenges, related in different keysets, may exist. in case of multiple counters the counter related to
