ISO/IEC 7816-15:2016 Identification cards — Integrated circuit cards — Part 15: Cryptographic information application.
1 Scope
This part of ISO/IEC 7816 specifies an application in a card. This application contains information on cryptographic functionality. This part of ISO/IEC 7816 defines a common syntax and format for the cryptographic information and mechanisms to share this information whenever appropriate.
The objectives of this part of ISO/IEC 7816 are to
— facilitate interoperability among components running on various platforms (platform neutral),
— enable applications in the outside world to take advantage of products and components from multiple manufacturers (vendor neutral),
— enable the use of advances in technology without rewriting application-level software (application neutral),
— maintain consistency with existing, related standards while expanding upon them only where necessary and practical.
It supports the following capabilities:
— storage of multiple instances of cryptographic information in a card;
— use of the cryptographic information;
— retrieval of the cryptographic information, a key factor for this is the notion of Directory Files, which provides a layer of indirection between objects on the card and the actual format of these objects;
— cross-referencing of the cryptographic information with DOs defined in other parts of ISO/IEC 7816 when appropriate;
— different authentication mechanisms;
— multiple cryptographic algorithms (the suitability of these is outside the scope of this part of ISO/IEC 7816).
This part of ISO/IEC 7816 does not cover the internal implementation within the card and/or the outside world. It is not mandatory for implementations complying with this International Standard to support all options described.
In case of discrepancies between ASN.1 definitions in the body of the text and the module in Annex A, Annex A takes precedence.
securityFileOrObject SET OF SecurityFileOrObject OPTIONAL,
... -- For future extensions
-- Context tag 1 is historical and shall not be used
NOTE 1 PKCS #15 uses this tag.
NOTE 2 In accordance with ISO/IEC 7816-4, and when present in an application template, the tag [APPLICATION 19] ('73') replaces the CIODDO SEQUENCE ('30') tag, due to implicit tagging. See 0.6 for an example.
NOTE 3 When located under a DF or an ADF other than DF.CIA, the by-default FileID and Short EF Identifier of EF.OD and EF.CIAInfo are respectively as defined in Table 1 unless specified otherwise by the discretionary data object CIODDO or explicit file ID definition is preferred.
SecurityFileOrObject ::= SEQUENCE {
    label             Label OPTIONAL,
    communicationMode CommunicationMode OPTIONAL,
    fileOrObjectPath  Path,
    index             [0] INTEGER (0..cia-ub-index) OPTIONAL,
    precondition      [1] INTEGER (0..cia-ub-index) OPTIONAL,
    ... -- For future extensions
}
The providerId component, if present, shall contain an object identifier uniquely identifying the CIA provider. The odfPath and ciaInfoPath components shall, if present, contain paths to elementary files EF.OD and EF.CIAInfo respectively or to constructed data objects nesting these files' respective contents. This provides a way for issuers to use non-standard file identifiers for these files or, alternatively, data objects tags without sacrificing interoperability. If data objects are employed, they shall be constructed without control parameter template (see ISO/IEC 7816-4). It also provides card issuers with the opportunity to share CIAInfo files between CIAs, when several CIAs reside on one card. The aid component shall, if present, indicate the application to which this CIA applies. The securityFileOrObject optional extension of CIODDO container refers to security protocol descriptors, i.e. OIDs nested in a logical data structure, of which the execution priority shall be ordered according to the index value of the precondition attribute. securityFileOrObject components are
— fileOrObjectPath: path to the file or data object nesting a set of OIDs and further protocol relevant parameter denoting security protocols,
— index: attribute index assigned to SecurityFileOrObject,
— precondition: cross-reference to the index of the SecurityFileOrObject protocol(s) of which the execution is mandated prior to the current SecurityFileOrObject ones,
— label: attribute that may serve to identify the security file or object,
— communicationMode: physical interface as defined in 82.8 and to which the protocols listed in fileOrObjectPath apply. If the required communication mode cannot be fulfilled by the IFD, the SecurityFileOrObject may be not accessible by the IFD,
— cioSecurityId: identifier used as cross-reference to the authentication object required for the preliminary protocol to be executed by the IFD, and
— protocol: determines which of the possibly multiple protocols defined in fileOrObjectPath referenced structures is to be used.
In case the ICC wants to enforce a high level of privacy, CIODDO may only contain SecurityFileOrObject structure to indicate to the IFD the preliminary protocol(s) to perform. If multiple SecurityFileOrObject containers are present, which do not refer to each other as precondition, they are meant as alternatives. For examples of EF.DIR content with privacy-enabling features, see Table C.1: the table provides EF.DIR description for the file system topology on Figure 0.5 and shows how securityFileOrObject component is implemented to ensure data minimization principle through access control according to ISO/IEC 7816-4.
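The index/precondition rules above can be checked on the IFD side as follows. This is an added example, not text or code from ISO/IEC 7816-15: the Python class and function names, the string encoding of communicationMode and the sample paths and labels are assumptions, and the protocol and cioSecurityId components are left out. It orders each chain so preconditions run first, treats unlinked entries as alternatives, drops chains the IFD's interface cannot fulfil, and rejects dangling or cyclic precondition references.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecurityFileOrObject:
    file_or_object_path: bytes                # fileOrObjectPath (mandatory)
    index: Optional[int] = None               # index
    precondition: Optional[int] = None        # index of the entry to execute first
    communication_mode: Optional[str] = None  # assumed string encoding, not the ASN.1 type
    label: Optional[str] = None

def usable_chains(entries, ifd_mode):
    """Return the alternative protocol chains, each listed in execution order."""
    by_index = {}
    for e in entries:
        if e.index is not None:
            if e.index in by_index:
                raise ValueError(f"duplicate index {e.index}")
            by_index[e.index] = e
    referenced = {e.precondition for e in entries if e.precondition is not None}
    chains, visited = [], set()
    for e in entries:
        if e.index in referenced:             # precondition of another entry, not an endpoint
            continue
        chain, cur = [], e
        while cur is not None:
            if cur in chain:
                raise ValueError("precondition cycle")
            chain.append(cur)
            if cur.precondition is None:
                cur = None
            elif cur.precondition not in by_index:
                raise ValueError(f"dangling precondition {cur.precondition}")
            else:
                cur = by_index[cur.precondition]
        visited.update(chain)
        chain.reverse()                       # preconditions run first
        if all(s.communication_mode in (None, ifd_mode) for s in chain):
            chains.append(chain)
    if len(visited) != len(set(entries)):
        raise ValueError("precondition cycle with no endpoint")
    return chains

# Constructed sample data: paths, labels and mode strings are placeholders.
SAMPLE = [
    SecurityFileOrObject(b"\x3f\x00\x01\x1c", index=0, communication_mode="contactless", label="proto-A"),
    SecurityFileOrObject(b"\x3f\x00\x01\x1d", index=1, precondition=0, label="proto-B"),
    SecurityFileOrObject(b"\x3f\x00\x01\x1e", index=2, communication_mode="contact", label="proto-C"),
]
```
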
— CIAInfo.label: This optional component shall, when present, contain identifying information about the application.
— CIAInfo.cardflags: This component contains information about the card per se. Flags include: if the card is read-only, if there are cryptographic functions that require a user to be authenticated, and if the card supports pseudo-random number generation.
— CIAInfo.seInfo: This optional component is intended to convey information about pre-set security environments on the card and the owner of these environments. The definition of these environments is currently out of scope for this part of ISO/IEC 7816; see further ISO/IEC 7816-4. The aid component indicates the (card) application for which the security environment is applicable.
— CIAInfo.recordInfo: This optional component has two purposes:
    — to indicate whether the elementary files EF.OD, EF.PrKD, EF.PuKD, EF.SKD, EF.CD, EF.DCOD and EF.AOD are linear record files or transparent files (if the component is present, they shall be linear record files; otherwise, they shall be transparent files);
    — if they are linear record files, whether they are of fixed-length or not (if they are of fixed length, corresponding values in RecordInfo are present and not equal to zero and indicates the record length. If some files are linear record files but not of fixed length, then corresponding values in RecordInfo shall be set to zero).
— CIAInfo.supportedAlgorithms: The intent of this optional component is to indicate cryptographic algorithms, associated parameters, operations and algorithm input formats supported by the card. The reference component of AlgorithmInfo is a unique reference that is used for cross-reference purposes from PrKDs and PuKDs. Values for the algorithm component are for private use. Values of the supportedOperations component (compute-checksum, compute-signature, verify-checksum, verify-signature, encipher, decipher, hash and derive-key) identifies operations the card can perform with a particular algorithm. The objId component indicates the object identifier for the algorithm. The algRef component indicates the identifier used by the card for denoting this algorithm (and which occurs at the card interface as a parameter of, e.g. an EXTERNAL AUTHENTICATE command).
NOTE Values for the algorithm component may be chosen from, and interpreted as, mechanism numbers in PKCS #11 (see Reference [6]).
— CIAInfo.issuerId: This optional component shall, when present, contain identifying information about the card issuer (e.g. the card issuer).
— CIAInfo.holderId: This optional component shall, when present, contain identifying information about the cardholder (e.g. the cardholder).
— CIAInfo.lastUpdate: This optional component shall, when present, contain (or refer to) the date of the last update of files in the CIA. The presence of this component, together with the CIAInfo.serialNumber component, will enable host-side applications to quickly find out whether they have to read EF.OD, EF.CD, etc. or if they can use cached copies (if available). The referencedTime alternative of the LastUpdate type is intended for those cases when EF.CIAInfo needs to be write-protected.
— CIAInfo.preferredLanguage: The preferred language of the cardholder, encoded in accordance with
— CIAInfo.profileIndication: This optional component shall, when present, indicate profiles of this part of ISO/IEC 7816, which the card has been issued in conformance with.
NOTE It is left to other specifications to define standardized profiles of this part of ISO/IEC 7816.

