ISO/IEC 7816-4
Information technology - Identification cards - Integrated circuit(s) cards with contacts - Part 4: Interindustry commands for interchange
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 access rule
3.2 Answer-to-Reset file
3.3 application
3.4 application identifier
3.5 application label
3.6 application provider
3.7 application template
3.8 card-verifiable certificate
3.9 certification authority
3.10 command-response pair
3.11 data element
3.12 data object
3.13 data unit
3.14 dedicated file
3.15 DF name
3.16 directory file
3.17 elementary file
3.18 file control parameters
3.19 file identifier
3.20 file management data
3.21 header list
3.22 internal elementary file
3.23 master file
3.24 parent file
3.25 password
3.26 path
3.27 provider
3.28 public-key certificate
3.29 record
3.30 record identifier
3.31 record number
3.32 secure messaging
3.33 security attribute
3.34 security environment
3.35 tag list
3.36 template
3.37 working elementary file
4 Abbreviations and notation
5 Basic organizations
5.1 Application identifiers
Table 1 - Categories of application identifiers
Figure 1 - AID of international category
Figure 2 - AID of national category
Figure 3 - AID of standard category
Figure 4 - AID of proprietary category
5.2 Files for applications and data
Figure 5 - Example of logical file organization
5.2.1 File referencing methods
5.2.2 Data referencing methods
Figure 6 - EF structures
5.2.2.1 Data unit referencing
5.2.2.2 Record referencing
5.2.2.3 Data object referencing
5.3 Command-response pairs
Table 2 - Command-response pair
5.3.1 Class byte
Table 3 - CLA for the interindustry classes
Table 4 - CLA for the other classes
5.3.2 Instruction byte
Table 5 - Invalid INS codes
Table 6 - INS codes of interindustry commands
5.3.3 Parameter bytes
5.3.4 Data fields
5.3.5 Status bytes
Figure 7 - Structural scheme of status bytes
Table 7 - General meaning of SW1-SW2
Table 8 - SW1-SW2 of interindustry commands
5.3.6 Command chaining
5.3.7 Logical channels
5.4 Data objects
5.4.1 BER-TLV data objects
5.4.1.1 BER-TLV tag fields
Table 9 - First byte of BER-TLV tag fields in ISO/IEC 7816
5.4.1.2 BER-TLV length fields
Table 10 - BER-TLV length fields in ISO/IEC 7816
5.4.2 SIMPLE-TLV data objects
5.4.3 Data fields, data objects and data elements
5.4.4 Identification of data elements
Table 11 - Interindustry data objects for tag allocation authority
5.4.4.1 Compatible tag allocation schemes
5.4.4.2 Coexistent tag allocation schemes
Table 12 - Interindustry templates reserved for ISO/IEC 7816
5.4.4.3 Independent tag allocation schemes
5.5 Historical bytes
5.5.1 Category indicator byte
Table 13 - Category indicator byte
5.5.2 COMPACT-TLV data objects
5.5.2.1 Country or issuer indicator
Table 14 - Country or issuer indicator data object
5.5.2.2 Application identifier
5.5.2.3 Card service data
Table 15 - Card service data byte
5.5.2.4 Initial access data
5.5.2.5 Card issuer's data
5.5.2.6 Pre-issuing data
5.5.2.7 Card capabilities
Table 16 - First software function table
Table 17 - Second software function table (data coding byte)
Table 18 - Third software function table
5.5.3 Status indicator
5.5.4 DIR data reference
5.6 File control information
Table 19 - Interindustry templates for file control information
Table 20 - File control parameter data objects
5.6.1 File descriptor byte
Table 21 - File descriptor byte
5.6.2 Short EF identifier
5.6.3 Life cycle status byte
Table 22 - Life cycle status byte
5.6.4 Cryptographic mechanism identifier template
* EXAMPLES (see examples of object identifiers in annex B)
5.7 Security architecture
* Security status
* Security attributes
* Security mechanisms
6 Secure messaging
Table 23 - Secure messaging data objects
6.2 Basic SM data objects
6.2.1 Data objects for encapsulating plain values
Table 24 - Data objects for encapsulating plain values
6.2.2 Data objects for confidentiality
Table 25 - Data objects for confidentiality
Table 26 - Padding-content indicator byte
6.2.3 Data objects for authentication
Table 27 - Data objects for authentication
6.2.3.1 Cryptographic checksum data element
6.2.3.2 Digital signature data element
6.2.4 SM impact on command-response pair structures
Figure 8 - Command-response pair
Figure 9 - Secured command-response pair
6.3 Auxiliary SM data objects
Table 28 - Auxiliary SM data objects
6.3.1 Control reference templates
6.3.1.1 Control reference data objects in control reference templates
Table 29 - Control reference data objects in control reference templates
Table 30 - Usage qualifier byte
Table 31 - Cryptogram descriptor byte
6.3.2 Response descriptor template
6.4 Security supports
Table 32 - Security support data objects
6.5 Security environments
Table 33 - Security environment data objects
Table 34 - Physical interface byte
7.1 Compact format
Table 35 - Access mode byte for DFs
Table 36 - Access mode byte for EFs
Table 37 - Access mode byte for data objects
Table 38 - Access mode byte for tables & views
Table 39 - Security condition byte
7.2 Expanded format
Table 40 - Access mode data objects
Table 41 - Tags '81' to '8F' for access mode data objects
Table 42 - Security condition data objects
7.3 Access rule references
Table 43 - EF.ARR layout
Table 44 - Security attribute data objects referencing expanded format
8 Interindustry commands for interchange
8.1 Selection
8.1.1 SELECT command
Table 45 - SELECT command-response pair
Table 46 - Selection control in P1
Table 47 - Selection options in P2
Table 48 - Status conditions in SW1-SW2
8.1.2 MANAGE CHANNEL command
Table 49 - MANAGE CHANNEL command-response pair
Table 50 - Status conditions in SW1-SW2
8.2 Data unit handling
8.2.1 READ BINARY command
Table 51 - READ BINARY command-response pair
Table 52 - Status conditions in SW1-SW2
8.2.2 WRITE BINARY command
Table 53 - WRITE BINARY command-response pair
Table 54 - Status conditions in SW1-SW2
8.2.3 UPDATE BINARY command
Table 55 - UPDATE BINARY command-response pair
8.2.4 ERASE BINARY command
Table 56 - ERASE BINARY command-response pair
8.2.5 SEARCH BINARY command
Table 57 - SEARCH BINARY command-response pair
Table 58 - Status conditions in SW1-SW2
8.3 Record handling
Table 59 - Short EF identifier in P2
8.3.1 READ RECORD (S) command
Table 60 - READ RECORD (S) command-response pair
Table 61 - Reference control in P2
Table 62-1 - Response data field when reading for one record
Table 62-2 - Response data field when reading for several records
Table 63 - Status conditions in SW1-SW2
8.3.2 WRITE RECORD command
Table 64 - WRITE RECORD command-response pair
Table 65 - Reference control in P2
Table 66 - Command data field (one complete record)
Table 67 - Status conditions in SW1-SW2
8.3.3 UPDATE RECORD command
Table 68 - UPDATE RECORD command-response pair
8.3.4 APPEND RECORD command
Table 69 - APPEND RECORD command-response pair
8.3.5 SEARCH RECORD command
Table 70 - SEARCH RECORD command-response pair
Table 71 - Reference control in P2
Table 72 - First byte of the search indication
Table 73 - Status conditions in SW1-SW2
8.4 Data object handling
Table 74 - Data references in P1-P2
8.4.1 GET DATA command
Table 75 - GET DATA command-response pair
Table 76 - Status conditions in SW1-SW2
8.4.2 PUT DATA command
Table 77 - PUT DATA command-response pair
Table 78 - Status conditions in SW1-SW2
8.5 Basic security handling
Table 79 - Reference data qualifier in P2
Table 80 - Status conditions in SW1-SW2
8.5.1 INTERNAL AUTHENTICATE command
Table 81 - INTERNAL AUTHENTICATE command-response pair
8.5.2 GET CHALLENGE command
Table 82 - GET CHALLENGE command-response pair
8.5.3 EXTERNAL AUTHENTICATE command
Table 83 - EXTERNAL AUTHENTICATE command-response pair
Table 84 - Command-response pair for MUTUAL AUTHENTICATE function
8.5.4 GENERAL AUTHENTICATE command
Table 85 - GENERAL AUTHENTICATE command-response pair
Table 86 - Dynamic authentication data objects
8.5.5 VERIFY command
Table 87 - VERIFY command-response pair
8.5.6 CHANGE REFERENCE DATA command
Table 88 - CHANGE REFERENCE DATA command-response pair
8.5.7 ENABLE VERIFICATION REQUIREMENT command
Table 89 - ENABLE VERIFICATION REQUIREMENT command-response pair
8.5.8 DISABLE VERIFICATION REQUIREMENT command
Table 90 - DISABLE VERIFICATION REQUIREMENT command-response pair
8.5.9 RESET RETRY COUNTER command
Table 91 - RESET RETRY COUNTER command-response pair
8.5.10 MANAGE SECURITY ENVIRONMENT command
Table 92 - MANAGE SECURITY ENVIRONMENT command-response pair
Table 93 - Options in P1
Table 94 - Control in P2
Table 95 - Status conditions in SW1-SW2
Table 96 - Command-response pair for KEY DERIVATION function
8.6 Transmission handling
8.6.1 GET RESPONSE command
Table 97 - GET RESPONSE command-response pair
Table 98 - Status conditions in SW1-SW2
8.6.2 ENVELOPE command
Table 99 - ENVELOPE command-response pair
Table 100 - Status conditions in SW1-SW2
9 Application-independent card services
9.1 Card-originated command-response pairs
9.1.1 Triggering by the card
9.1.2 Message retrieval and reply by the interface device
9.1.3 Command-response pair formats
9.2 Card identification
9.2.1 Initial data string recovery
Table 101 - First byte of initial access data referenced by '42'
9.2.2 EF selection and access
9.3 Application identification and selection
The number of bytes is even in an absolute or relative path, but odd in a qualified path.
Table 102 - Interindustry data objects for application identification and selection
9.3.1 Implicit application selection
9.3.2 Direct application selection by application identifier
9.3.3 Application selection using EF.DIR or EF.ATR
9.4 Data element retrieval
9.4.1 Indirect references to data elements
* EXAMPLES
* EXAMPLE
9.4.2 Specific interindustry data elements
Table 103 - Login data objects
Table 104 - Telephone number
Table 105 - Delay indicator byte
9.4.3 Interchange profile
Table 106 - Interindustry data objects reserved for interchange profile
Annex A (informative) Application identifiers using issuer identification numbers
A.1 Background information
A.2 Format
Figure A.1 - AID using an issuer identification number
Annex B (informative) Object identifiers and tag allocation schemes
B.1 Object identifiers denoting ISO standards
B.2 Default tag allocation scheme
B.3 Compatible tag allocation scheme
* First example
* Second example
B.4 Coexistent tag allocation scheme
Annex C (informative) Secure messaging
C.1 Cryptographic checksum
Case 1 - No data, no data
Case 1.a - Status not protected
Case 1.b - Status protected
Case 2 - No data, data
Case 3 - Data, no data
Case 3.a - Status not protected
Case 3.b - Status protected
Case 4 - Data, data
C.2 Cryptograms
* Case a - Plain value not coded in BER-TLV
* Case b - Plain value coded in BER-TLV
C.3 Control references
C.4 Response descriptor
C.5 ENVELOPE command
Annex D (informative) Chains of GENERAL AUTHENTICATE commands
D.1 Introduction
D.2 INTERNAL AUTHENTICATE function
Case 1 - Basic protocol (two command-response pairs)
* Commitment from the card
* Challenge from the outside world and response from the card
Case 2 - Committed challenge (two command-response pairs)
* Commitment from the card
* Challenge from the outside world and response from the card
Case 3 - Extension to data field authentication (two command-response pairs)
* Commitment from the card
* Challenge from the outside world and response from the card
D.3 EXTERNAL AUTHENTICATE function
Case 1 - Basic protocol (two command-response pairs)
* Commitment from the outside world and challenge from the card
* Response from the outside world and control from the card
Case 2 - Committed challenge (three command-response pairs)
* Committed challenge from the card
* Commitment from the outside world and challenge from the card
* Response from the outside world and control from the card
Case 3 - Extension to data field authentication (two command-response pairs)
* Commitment from the outside world and challenge from the card
* Response from the outside world and control from the card
D.4 MUTUAL AUTHENTICATE function
Case 1 - Basic protocol (three command-response pairs)
* Commitment
* Challenge
* Response
Case 2 - Committed challenge (four command-response pairs)
* Committed challenge
* Commitment
* Challenge
* Response
Case 3 - Extension to key establishment (four command-response pairs)
* Exponential
* Commitment
* Challenge
* Response