Professional Documents
Culture Documents
German
Health Professional Card
and
Security Module Card
Version 2.3.2
05.08.2009
Bundesrztekammer
Kassenrztliche Bundesvereinigung
Bundeszahnrztekammer
Bundespsychotherapeutenkammer
Kassenzahnrztliche Bundesvereinigung
Bundesapothekerkammer
Deutsche Krankenhausgesellschaft
Content ................................................................................................................. 5
2 References....................................................................................................14
7 CV-Certificates (normative).........................................................................56
7.1 CV-Certificates for RSA keys, G1 (normative) ....................................................56
7.1.1 Elements of a CV-Certificate ..............................................................................56
7.1.2 Certificate Profiles...............................................................................................57
7.1.3 Structure and Content of a CV-Certificate ..........................................................58
7.2 CV-Certificate for ELC keys, G2 (informative).....................................................59
14 Commands (normative)..........................................................................127
14.1 Roll-Back and Roll-Forward...........................................................................127
14.1.1 Roll-Back ......................................................................................................128
14.1.2 Roll-Forward .................................................................................................128
14.2 Management of the Object System ...............................................................128
14.2.1 ACTIVATE ....................................................................................................128
14.2.2 CREATE .......................................................................................................130
14.2.3 DEACTIVATE ...............................................................................................130
14.2.4 DELETE........................................................................................................132
14.2.5 LOAD APPLICATION ...................................................................................134
14.2.6 SELECT........................................................................................................137
14.2.7 TERMINATE CARD USAGE ........................................................................150
14.2.8 TERMINATE DF ...........................................................................................150
14.2.9 TERMINATE EF ...........................................................................................150
14.3 Access to Data in a transparent EF ..............................................................150
14.3.1 ERASE BINARY ...........................................................................................150
14.3.2 READ BINARY .............................................................................................153
14.3.3 SEARCH BINARY ........................................................................................156
14.3.4 UPDATE BINARY.........................................................................................156
14.3.5 WRITE BINARY............................................................................................160
14.4 Access to structured Data .............................................................................160
14.4.1 ACTIVATE RECORD....................................................................................160
14.4.2 APPEND RECORD ......................................................................................164
14.4.3 DEACTIVATE RECORD...............................................................................168
14.4.4 ERASE RECORD .........................................................................................172
14.4.5 READ RECORD ...........................................................................................175
14.4.6 SEARCH RECORD ......................................................................................179
14.4.7 UPDATE RECORD.......................................................................................182
14.4.8 WRITE RECORD..........................................................................................186
14.5 Access to data objects...................................................................................186
HPC Part 1 COS, V2.3.2 Page 8 of 278
14.5.1 GET DATA....................................................................................................186
14.5.2 PUT DATA ....................................................................................................187
14.6 User Verification .............................................................................................187
14.6.1 CHANGE REFERENCE DATA.....................................................................187
14.6.2 DISABLE VERIFICATION REQUIREMENT .................................................190
14.6.3 ENABLE VERIFICATION REQUIREMENT ..................................................192
14.6.4 GET PIN STATUS ........................................................................................194
14.6.5 RESET RETRY COUNTER ..........................................................................196
14.6.6 VERIFY.........................................................................................................201
14.7 Component Authentication............................................................................203
14.7.1 EXTERNAL AUTHENTICATE / MUTUAL AUTHENTICATE ........................203
14.7.2 GENERAL AUTHENTICATE ........................................................................209
14.7.3 GET SECURITY STATUS KEY ....................................................................209
14.7.4 INTERNAL AUTHENTICATE .......................................................................212
14.8 Commands of the Cryptobox ........................................................................215
14.8.1 PSO: COMPUTE DIGITAL SIGNATURE .....................................................215
14.8.2 PSO: COMPUTE CRYPTOGRAPHIC CHECKSUM ....................................219
14.8.3 PSO: DECIPHER..........................................................................................221
14.8.4 PSO: ENCIPHER (normative) ......................................................................224
14.8.5 PSO: VERIFY CRYPTOGRAPHIC CHECKSUM .........................................228
14.8.6 PSO: HASH ..................................................................................................230
14.8.7 PSO: TRANSCIPHER ..................................................................................230
14.8.8 PSO: VERIFY CERTIFICATE.......................................................................235
14.9 Miscellaneous .................................................................................................238
14.9.1 ENVELOPE ..................................................................................................238
14.9.2 GENERATE ASYMMETRIC KEY PAIR .......................................................244
14.9.3 GET CHALLENGE........................................................................................248
14.9.4 GET RESPONSE .........................................................................................249
14.9.5 MANAGE CHANNEL ....................................................................................249
14.9.6 MANAGE SECURITY ENVIRONMENT .......................................................252
14.9.7 GET RANDOM .............................................................................................260
16 Miscellaneous (normative).....................................................................275
16.1 Algorithm Identifier.........................................................................................275
HPC Part 1 COS, V2.3.2 Page 9 of 278
16.2 Coding for Trailer............................................................................................278
1.1 Purpose
This specification defines the requirements to the functionality of an operating system for the
electronic Health Professional Card and the Security Module Card, which correspond to in-
ternational standards to guarantee international and European interoperability.
On the basis of [ISO7816-4], [ISO7816-8] and [ISO7816-9] commands and options will be
described which have to be supported by the HPC and the SMC.
Clause 2: Reference List: contains the list of documents referenced in this document
Clause 3: Abbreviations: contains the abbreviations and notations used in this document.
Clause 4: Lifecycle of smartcard and application (informative): terminates the scope of the
HPC/SMC -specification on the timeline.
Clause 5: Data types and data conversion: defines some basic data types, which simplify
the normative description in following clauses.
Clause 8: Objects (normative): contains a kind of class diagram in textual form. The de-
fined objects and attributes simplify the normative description in following clauses.
Clause 9: Object system (normative): describes how information can be stored persistent
and hierarchically on an HPC resp. an SMC.
Clause 10: Access Control (normative): describes the protection of information on an HPC
resp. an SMC against unauthorized access.
Clause 11: Communication (normative): describes how HPC and SMC exchanges infor-
mation with other systems.
Clause 12: Channel context (normative): describes the information which can be stored
volatile and channel-specific on an HPC and an SMC (compare also [ISO7816-4] in re-
spect to logical channels).
Clause 13: Secured Communication (normative): describes how the HPC and the SMC
exchange information with other systems with cryptographic protection.
Clause 16: Miscellaneous (normative): specifies concrete values for a number of place-
holders.
The document is built bottom-up: artifacts will be first described and defined before used.
To read top down, it is recommended to start with Clause 14. In this clause references to
other clauses will be mentioned, if themes will be described there more in detail. Because of
the special importance of Clause 14, the structure of this clause will be described in detail:
Chapter 14 contains all commands standardized in ISO/IEC 7816. Because of better clarity
Clause 14 is divided in the sections Roll-Back and Roll-Forward, Management of the Object
System, Access to Data in a transparent EF, Access to structured Data, Access to Data Ob-
jects, User Verification, Component Authentication, Commands of the Cryptobox, Miscella-
neous. Each sector contains a number of sub-clauses with commands in alphabetical order.
The relatively simple command READ BINARY is used as an example to explain the specifi-
cation of a command. It starts with a basic description of the command. In the sub-clauses
14.3.2.1 and 14.3.2.2 guidelines for the APDUs will follow. Looking at (N544.00) it becomes
obvious that the guidelines for command APDUs are not addressed to the card operating
system but to the using systems. The requirements to the card operating system are de-
scribed in a separate sub-clause Command Handling inside the smartcard.
This document is addressed to manufacturers of card operating systems (COS) and pro-
grammers of application software, which communicates directly with the smartcard.
The content of this document is mandatory for the production of HPCs and SMCs.
The work on this document is closely related to the specification of the electronic Health Card
(eGK) [eGK-P1]und [eGK-P2] and the specification of the SMC-K [SMC-K].
This document specifies the behavior at the electrical interface of a card operating system.
This document does not specify the architecture of the operating system. To simplify the pic-
ture this document will be based on a modular structure of the COS. The structure described
here is not mandatory. But it is recommended to be oriented at this structure because sup-
plements and extensions will be based on this.
The configuration of a smartcard, thus the definition which applications, folders, files, keys
and passwords can be found on an HPC / SMC is not part of this document.
HPC Part 1 COS, V2.3.2 Page 12 of 278
Normative rules for the useful life of cryptographic methods are defined in [Krypt-Alg]. For
reasons of interoperability with the eGK and the SMC-K [Krypt-Alg] it is relevant also for the
HPC, the SMC-A and the SMC-B. Redundancies to that document will be accepted.
[AES-128]
Federal Information Processing Standards Publication 197,
(FIPS-197), November 26, 2001, Announcing the ADVANCED ENCRYPTION STANDARD
(AES), http://csrc.nist.gov/publications/
[AES-CTR]
Section 6.5 of NIST Special Publication 800-38A, Recommendation for Block, Cipher Modes
of Operation, Methods and Techniques, Morris Dworkin, December 2001 Edition,
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
[ANSI X3.92]
American National Standard X3.92 1981, Data Encryption Algorithm
[ANSI X9.62]
Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signa-
ture Algorithm (ECDSA), 2005
[ANSI X9.63]
Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Trans-
port Using Elliptic Curve Cryptography, 2001
[BinPrefix]
Prefix for binary multiples, IEC INTERNATIONAL STANDARD 60027-2, Third edition, 2005-
08, Letter symbols to be used in electrical technology Part 2: Telecommunications and
electronics, Clause 3.8.3, http://physics.nist.gov/cuu/Units/binary.html
http://de.wikipedia.org/wiki/Bin%C3%A4rpr%C3%A4fix
http://en.wikipedia.org/wiki/Binary_prefix
[BrainPool]
ECC Brainpool Standard Curves and Curve Generation v. 1.0 19.10.2005,
http://www.teletrust.de/fileadmin/files/oid/oid_ECC-Brainpool-Standard-curves-V1.pdf
[CMAC]
NIST Special Publication 800-38B, Recommendation for Block, Cipher Modes of Operation:
The CMAC Mode for Authentication, Morris Dworkin, May 2005,
http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
[eGK-P1]
gematik (19.09.2008): Spezifikation elektronische Gesundheitskarte; Teil 1: Spezifikation der
elektrischen Schnittstelle, Version 2.2.2, www.gematik.de
[eGK-P2]
gematik (19.06.2008): Spezifikation elektronische Gesundheitskarte; Teil 2: Grundlegende
Applikationen, Version 2.2.1, www.gematik.de
[EN14890-1]
EN 14890-1: 2008, Application Interface for smart cards used as secure signature creation
devices Part 1: Basic services
[EN14890-2]
[HPC-P2]
German Health Professional Card and Security Module Card, Part 2: HPC Applications and
Functions, Version 2.3.2, 12.08.2009
[HPC-P3]
German Health Professional Card and Security Module Card, Part 3: SMC Applications and
Functions, Version 2.3.2, 12.08.2009
[ISO7816-3]
ISO/IEC 7816-3: 2006
Identification cards Integrated circuit cards with contacts Part 3: Electrical interface and
transmission protocols
[ISO7816-4]
ISO/IEC ISO 7816-4: 2005
Identification cards Integrated circuit cards Part 4: Organization, security and commands
for interchange
[ISO7816-5]
ISO/IEC 7816-5: 2004
Identification cards Integrated circuit cards Part 5: Registration of application providers
[ISO7816-8]
ISO/IEC 7816-8: 2004
Identification cards Integrated circuit cards Part 8: Commands for security operations
[ISO7816-9]
ISO/IEC 7816-9: 2004
Identification cards Integrated circuit cards Part 9: Commands for card management
[ISO9796-2]
ISO/IEC 9796-2: 2002
Information technology Security techniques Digital signature schemes giving message
recovery Part 2: Integer factorization based mechanisms Second edition, 2002-10-01
[Krypt-Alg]
gematik: Verwendung kryptographischer Algorithmen in der Telematikinfrastruktur,
Version 1.6.0, www.gematik.de
[PKCS#1]
PKCS #1 v2.1: RSA Cryptography Standard, RSA Laboratories, June 14, 2002,
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf
[PKI-Reg]
gematik: Registrierung einer CVC-CA der zweiten Ebene, Version 1.8.0, www.gematik.de
[PKI-Nota]
gematik: Festlegungen zu den Notationen von Schlsseln und Zertifikaten kryptographischer
Objekte in der TI, Version 1.1.0, www.gematik.de
[RFC2119]
[SHA-256]
Federal Information Processing Standards Publication 180-2
Change Notice to include SHA-224), section 6.2, 2002 August 1, Announcing the, SECURE
HASH STANDARD, http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
[SMC-K]
gematik: Spezifikation der SMC-K,
Version 1.2.0, www.gematik.de
[TR-03111]
Technical Guideline TR-03111, Elliptic Curve Cryptography,
Based on ISO 15946, Version 1.00, http://www.bsi.de/literat/tr/tr03111/BSI-TR-03111.pdf
[TR-03116]
BSI TR-03116, Technische Richtlinie fr die eCard-Projekte der Bundesregierung, Version:
3.0, Datum: 08.04.2009, http://www.bsi.de/literat/tr/tr03116/BSI-TR-03116.pdf
3.1 Abbreviations
AC Attribute Certificate
ADF Application Dedicated File
AID Application Identifier [ISO7816-5]
AKS Auslser KomfortSignatur (Comfort Signature Trigger)
APDU Application Protocol Data Unit [ISO7816-3]
ATR Answer-to-Reset
AUT Authentication
AUTD CV-based device-authentication
AUTR CV-based role-authentication
C Certificate
CA Certification Authority
CAMS Card Application Management System
CAR Certification Authority Reference
CBC Cipher Block Chaining
CC Cryptographic Checksum
CH Cardholder
CHA Certificate Holder Authorization
CHR Certificate Holder Reference
CLA Class-Byte of a command APDU
COS Chipcard Operating System
CPI Certificate Profile Identifier
CRT Control Reference Template
CS CertSign (CertificateSigning)
CTR Counter mode [AES-CTR]
CVC Card Verifiable Certificate
DE Data Element
DER Distinguished Encoding Rules
DES Data Encryption Standard
DO Data Object
DF Dedicated File [ISO7816-4]
DS Digital Signature
In this document an object oriented view will be pursued. Therefore the artefacts file (EF in
the nomenclature of [ISO7816-4] or keys will be regarded as objects and their properties as
attributes of the objects. If attributes of an object are meant the notation obj.attribute is used.
If the attribute is an object with additional attributes, also longer names are possible.
For keys and certificates the following simplified Backus-Naur-Notation is used (see [PKI-
Nota] for definitions):
<health professional>::= HP
<card holder>::= CH
<certification authority>::= <root certification authority> |
<certification authority for CAMS of HPC> | <certification authority for HPC> |
<certification authority for SMC> | <certification authority for eGK> |
<certification authority for comfort signature trigger>
<root certification authority>::= RCA
<certification authority for card application management
system of health professional card>::= CA_CAMS_HPC
<certification authority for health professional card>::= CA_HPC
<certification authority for security module card>::= CA_SMC
<certification authority for electronic health card>::=
CA_eGK (CA elektronische Gesundheitskarte)
<certification authority for comfort signature trigger>::= CA_KM (CA Komfortmerkmal)
<certificate descriptor>::=
<certificate>.<certificate holder>.<certificate usage>
<certificate>::= C
<certificate holder>::=
<health professional> | <certification authority> | <health professional card> |
<card application management system> | <security module card> |
<security module card terminal> | <electronic health card>
<certificate usage>::=
<organizational signature> | <encipherment> | <authentication> | <certsign cvc> |
<certsign x509>
To distinguish between normative and informative information key words in capital letters as
defined in [RFC2119] will be used.
MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an
absolute requirement of the specification.
MUST NOT This phrase, or the phrase "SHALL NOT", mean that the definition is an abso-
lute prohibition of the specification.
SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid
reasons in particular circumstances to ignore a particular item, but the full implications
must be understood and carefully weighed before choosing a different course.
SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that there may
exist valid reasons in particular circumstances when the particular behavior is acceptable
or even useful, but the full implications should be understood and the case carefully
weighed before implementing any behavior described with this label.
Clauses with normative content will show the following addition in the headline:
(normative)
In general only structures marked by (N4711.00) SHALL contain properties being relevant for
the accreditation tests and therefore SHALL be tested during the accreditation tests. If in a
special case this is not mentioned, this is very likely an editorial fault.
Clauses marked with Generation 1 (G1) normally have the addition normative. Clauses
marked with Generation 2 (G2) are provided for the use in a later version of this document;
these clauses have the addition informative. It shall be mentioned that the informative
clauses relating to generation 2 are only an outlook. On one hand this means that changes
are possible until the realization of generation 2. There is no guarantee that no changes will
occur until than. On the other hand these clauses are in no way relevant for the accreditation
for generation 1.
In the literature different definitions for the term lifecycle can be found. This clause gives a
simplified view and defines the area of validity of this specification. Roughly the lifecycle of a
smartcard can be divided into three phases:
1. Preparation phase: from a production point of view this phase contains all steps being
necessary to prepare the smartcard for the useful life. Parts of this are the development
of the operational system (OS), the test of the OS, the certification and eventually the
evaluation. Chips coming out of this process will than be produced initialized and person-
alized. The chips will be implanted into a card body and the smartcards will be delivered
to the final user. The sequence described here is only an example and can also be differ-
ent.
This specification is not valid for the preparation phase of a smartcard.
The preparation phase of the smartcard ends with the transfer of the smartcard to the fi-
nal user. Then it starts the useful life of a smartcard.
2. Useful Life: This phase includes the electrical use of the smartcard.
This specification is valid for the useful life of the electrical interface of the smartcard.
The useful life of the smartcard ends after the irreversible termination of all business use
cases, that means also, if the card is physically destroyed.
The following data types equivalent to [TR-03111] Clause 3 are used in this document:
1. Octet string (OS)
2. Bit string (BS)
3. Integer (I),
4. Field element (FE) and
5. elliptical curve point (ECP)
Definition: the most significant bit (MSBit) of a bit string is the bit farthest left
Definition: the least significant bit (LSBit) of a bit string is the bit farthest right
Definition: the most significant octet (most significant byte MSByte) of an octet string is the
octet farthest left
Definition: the least significant octet (least significant byte LSByte) of an octet string is the
octet farthest right
The following conversion functions conform to [TR-03111] are used in this document:
1. Bit string to octet string BS2OS
2. Octet string to bit string OS2BS
3. Field element to octet string FE2OS
4. Octet string to field element OS2FE
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the function described will be used
as follows:
Errors: none
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the function described will be used
as follows:
Input: in Octet string with any content and any length, or integer having no nega-
tive value
Errors: none
This clause describes the conversion of an integer having not a negative value into an octet
string. This functionality is not directly visible at the physical interface. In the context of sev-
eral internal operations in the operating system of a smartcard the function described will be
used as follows:
(N1.00)
As a principle the integer x having no negative value will be taken as a number of digits
to the basis of 256; only the least significant digits will than be used for the output:
a. Step 1: x = 2560 x0 + 2561 x1 + 2562 x2 + + 256i xi +
This clause describes the conversion of an octet string into an integer having no negative
values. This functionality is not directly visible at the physical interface. In the context of sev-
eral internal operations in the operating system of a smartcard the function described will be
used as follows:
Errors: none
(N2.00)
As a principle each octet will be regarded as a number in big endian-format without
negative values to the basis of 256,
a. Step 1: n = OctetLength( in )
b. If n
i. equals 0, then out = 0
ii. does not equal 0, than out has to be chosen so that I2OS( out, n ) = in
This clause describes the conversion of an octet string into a point on an elliptical curve. This
functionality is not directly visible at the physical interface. In the context of several internal
operations in the operating system of a smartcard the function described will be used as fol-
lows:
PO = PC || X || Y,
1 = OctetLenght( PC ),
L = OctetLength( X ) = OctetLength( Y ).
c. Step 3: If PC is not equal to 04 then return error code ERROR and terminate this
algorithm.
d. Step 4: PEA = ( x, y ) = ( OS2I( X ) mod dP.p, OS2I( Y ) mod dP.p ).
e. Step 5: If PEA is not part of the curve defined by dP then return error code ERROR
and terminate this algorithm.
This clause describes the conversion of a point on an elliptical curve into an octet string. This
functionality is not directly visible at the physical interface. In the context of several internal
operations in the operating system of a smartcard the function described will be used as fol-
lows:
Errors:
Notation: PO = P2OS( P, n )
(N4.00)
Coding of P according to [TR-03111] Clause 3.1.1:
PO = 04 || I2OS( x, n ) || I2OS( y, n ).
This clause describes the extraction of leading bits from a bit string
Errors: none
(N5.00)
Precondition: n less than or equal to s
(N6.00)
The bit string out contains the n MSBit of in
This clause describes how to extract leading octets from an octet string.
Errors: none
(N7.00)
Precondition: n less than or equal to s
(N8.00)
The octet string out contains the n MSByte of in
5.8 PaddingIso
This functionality is not directly visible at the physical interface. The padding is done accord-
ing to [ISO7816-4] Clause 6.2.3.1 Sequential stage bullet point 2. In the context of several
internal operations in the operating system of a smartcard the function described will be used
as follows:
Errors: none
(N9.00)
Execute the following:
a. Step 1: out in || 80.
b. Step 2: If 0 = OctetLength( out ) mod n, then return out and terminate the algorithm.
Otherwise continue with step 3.
c. Step 3: out out || 00.
d. Step 4: continue with step 2
5.9 TruncateIso
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the function described will be used
as follows:
Input: in Octet string with any content and a number of octets being a
multiple of n
n Integer, defines the block length in octets used for the padding
Output: out Octet string with any content and any length
(N10.00)
Execute the following:
a. Step 1: len OctetLength( in )
If len is not a multiple of n, then terminate the algorithm with the error code pad-
dingError.
b. Step 2: If OctetLength( in ) is null, then terminate the algorithm with the error code
paddingError.
c. Step 3: If LSByte of in has the value 00, then set
in Extract_MSByte( in, OctetLength( in ) 1)
and continue with step 2.
d. Step 3: If LSByte of in has not the value 80, then terminate the algorithm with the
error code paddingError.
e. Step 4: out Extract_MSByte( in, OctetLength( in ) 1)
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the function described will be used
as follows:
Errors: error According to [ISO9796-2] Annex B.3.2 Point 1 an error has to be re-
turned, if Z is too long or LN is too large.
Note: Today these errors are not relevant for the use of smartcards. They will
only occur if Z or N has values of more than several Gigabytes.
Notation: N = MGF( Z, LN , i )
Note 1: If this function is called with i = 0, then the result is in accordance with
[ISO9796-2] Annex B,
[PKCS#1] Annex B.2.1.
Note 2: If this function is called with i = 1, then the result is in accordance with
[ANSI X9.63] Clause 5.6.3, if there the optional parameter SharedInfo is empty.
[TR-03111] Clause 4.4.2, however the key material will be extracted from N in a different way.
(N11.00)
Execute the following:
a. Step 1: Set n (empty octet string).
b. Step 2: Set n n || SHA_256( BS2OS( Z ) || I2OS( i, 4 ) ).
c. Step 3: If the hash operation terminates with an error then stop this algorithm with
the error code error.
d. Step 4: Set i i + 1.
e. Step 5: If i is greater than or equal to 232 = 1 0000 0000, then stop this algorithm
with the error code error.
f. Step 6: If 8 times OctetLength( n ) is less than LN, then continue this algorithm with
step 2.
g. Step 7: Set N Extract_MSBit( n, LN ).
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the function described will be used
as follows:
Errors: none
(N12.00)
Execute the following: generate an octet string out with a length of n whereas each bit
of out is generated by chance.
Note: This document does not define normative statements in terms of quality of the random number
generator. However, for evaluation purposes it is reasonable that the quality of the random num-
ber generator follows [Krypt-Alg] Clause 5.2 and[TR-03116].
A hash algorithm calculates a bit string of fixed length from any sequence of bits of (nearly)
unlimited length. This functionality is not directly visible at the physical interface. In the con-
text of several internal operations in the operating system of a smartcard a hash algorithm
will be used as a function as described in the following clauses:
Errors: M too long Message to be hashed contains too many bits. This is the case
for M with more than (264 -1) bits
Note: In practice this error is not relevant for smartcards. To hash a
message with a length of 264 bits in 10 years the hash algorithm
has to work with 6,8 GiB per second.
Notation: H = SHA_256( M )
(N13.00)
The COS MUST calculate H from M according to [SHA-256].
In this clause a function is described, which calculates - starting from an initial value key
material for symmetric algorithms. This key material will mainly be used for encryption during
transport. This functionality is not directly visible at the physical interface. In the context of
several internal operations in the operating system of a smartcard the key agreement as a
function will be used as described in the following sub-clauses:
Input: KD Octet string, key derivation data, initial material for the key agreement,
in principle it is an octet string of any content and any length
Output: Kenc Octet string with the length of 24 octets, used as 3TDES-key for en-
cryption and decryption
Errors: none
(N14.00)
The COS MUST calculate ( Kenc, T1, Kmac, T2 ) from KD according to [ANSI X9.63]
Clause 5.6.3.
a. Step 1: km = BS2OS( MGF( OS2BS( KD ), 512, 1 )).
b. Step2: Split km to Kenc, t1, Kmac and t2 in a way, that:
i. OctetLength( Kenc ) = OctetLength( Kmac ) = 24
ii. OctetLength( t1 ) = OctetLength( t2 ) = 8
iii. km = Kenc || t1 || Kmac || t2
c. Step 3: T1 = OS2I( t1 ) and T2 = OS2I( t2 )
Input: KD Octet string, key derivation data, initial material for the key agreement,
in principle it is an octet string of any content and any length
Output: Kenc Octet string with the length of 16 octets, used as AES128 key for en-
cryption and decryption
T1 non-negative integer used in combination with Kenc initial value for the
counter, see functions in Clause 6.7
Kmac Octet string with the length of 16 octets, used as AES128 key for
MAC-generation and MAC-check.
Errors: none
(N15.00)
The COS MUST calculate (Kenc, T1, Kmac, T2 ) from KD according to [TR-03111]
Clause 4.4.2 as follows:.
a. Step 1: km = BS2OS(MGF( OS2BS( KD), 512, 1 )).
b. Step 2: split km to Kenc, t1, Kmac and t2 in a way that:
HPC Part 1 COS, V2.3.2 Page 34 of 278
i. OctetLength( Kenc ) = OctetLength( Kmac ) = 16
ii. OctetLength( t1 ) = OctetLength( t2 ) = 16
iii. km = Kenc || t1 || Kmac || t2
c. Step 3: T1 = OS2I(t1) and T2 = OS2I (t2)
Starting with any octet string (plaintext), an encryption algorithm calculates an encrypted text
(cipher text) by using a secret key. A corresponding decryption algorithm calculates from the
encrypted text (cipher text) the original octet string (plaintext) using the same symmetric se-
cret key. In this clause only the encryption of one block with a block-cipher algorithm will be
shown. The processing of input data of any length will be treated in Clause 6.7.
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the encryption as a function will be
used as described in the following:
Errors: none
Notation: Cj = DES_ENC( K, Pj )
(N16.00)
The COS MUST calculate Cj from Pj using K, according to [ANSI X3.92].
K any octet string with a length of 24 octets = 192 bits, to be used as a key.
K consists of the three partial keys Ka, Kb, Kc and it applies: K = Ka ||
Kb || Kc
Errors: none
Notation: Cj = 3TDES_ENC( K, Pj )
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the encryption as a function will be
used as described in the following:
Errors: none
Notation: Pj = DES_DEC( K, Cj )
(N18.00)
The COS MUST calculate Pj from Cj using K, according to [ANSI X3.92].
K any octet string with a length of 24 octets = 192 bits, to be used as a key.
K consists of the three partial keys Ka, Kb, Kc and it applies: K = Ka ||
Kb || Kc
Errors: none
Notation: Pj = 3TDES_DEC( K, Cj )
(N19.00)
The COS MUST calculate Pj from Cj using K as follows:
Pi = DES_DEC( Ka, DES_ENC( Kb, DES_DEC( Kc, Ci ) ) ).
This functionality is not directly visible at the physical interface. In the context of several in-
ternal operations in the operating system of a smartcard the encryption as a function will be
used as described in the following:
Errors: none
Notation: Cj = AES_ENC( K, Pj )
(N20.00)
The COS MUST calculate Cj from Pj using K according to [AES-128] Figure 5.
RSA is used as the basic asymmetric algorithm. The mathematical background of this
scheme is described in [PKCS#1].
(N21.00)
The COS MUST support RSA-keys with
a. a modulus length n from the set of {2048} bits
b. a public exponent e in the following interval
[216+1, 2321] = [65.537, 4.294.967.295] = [0001 0001, FFFF FFFF].
(N22.00)
The COS MAY accept additional modulus lengths.
The COS MAY refuse additional modulus lengths.
(N23.00)
The COS MAY support public exponents of other intervals.
The COS MAY refuse public exponents of other intervals.
(N24.00)
Private RSA keys violating the 2 bound from [TR-03116] Clause 3.5.2,
therefore |log2(p) log2 (q)| < 30 does not apply for these keys,
a. MAY be accepted by the COS
b. MAY be refused by the COS
In accordance with [PKCS#1] Clause 2 the RSA-key-parameters will be described in this
document as follows:
As the basic algorithm elliptical curves will be used. The mathematical background of this
scheme is described in [TR-03111].
(N25.00)
The COS MUST support elliptical curves, for which the domain-parameters comply with
the requirements of [BrainPool] Clause 3 and have a length of 256 bits.
(N26.00)
The COS MAY support additional elliptic curves.
The COS MAY refuse additional elliptic curves.
In accordance with to [TR-03111] Table 2.1 the domain parameters will be described in this
document as follows:
Within the scope of data authentication information will be added to any data, which allows
checking the integrity and the authenticity of the data.
Input: M any octet string of any length for which the MAC should be calculated
K any octet string with a length of 24 octets = 192 bits, to be used as a key.
K consists of the three partial keys Ka, Kb, Kc and it applies: K = Ka ||
Kb || Kc
Output: T Octet string to be used to check the integrity and the authenticity of M
Errors:
Notation: T = CALCULATE_Retail_MAC( K, M )
(N27.00)
The COS MUST calculate T from M using K. The following steps will be executed:
a. Step 1: Calculate X = PaddingIso( M, 8 )
b. Step 2: Divide X into blocks with 64 bits each X = X1 || X2 || || Xn.
c. Step 3: Set Y0 = 0000 0000 0000 0000.
d. Step 4: Calculate Yi = DES_ENC( Ka, Yi1 XOR Xi ) for i = 1, , n 1.
e. Step 5: Calculate T = 3TDES_ENC( K, Yn1 XOR Xn )
Note: In the context of Secure Messaging an initialization vector Y0 unequal to null is used for the con-
struction of the message, see (N354.00)and (N367.00).
Input: M any octet string for which the MAC should be calculated
Output: T Octet string to be used to check the integrity and the authenticity of M
Errors:
Notation: T = CALCULATE_CMAC( K, M )
(N28.00)
The COS MUST calculate T from M using K according to [CMAC] Clause 6.2. The fol-
lowing steps will be executed:
a. Step 0: Mlen = BitLength( M ).
CIPH = Block Cipher Algorithm (see (N20.00))
b = Blocklength of CIPH = 128 bits
b. Step 1: generate subkeys K1 and K2 according to [CMAC] Clause 6.1.
c. Step 2: If Mlen = 0 then set n=1
Otherwise r = Mlen mod b and
HPC Part 1 COS, V2.3.2 Page 39 of 278
If r = 0, then set n = Mlen / b
Otherwise set n = (Mlen r) / b + 1
d. Step 3: Divide M in blocks as follows:
M = M1 || M2 || || Mn1 || M*n.
The blocks M1 until Mn1 have the length b. The block length of M*n is less than or
equal to b.
e. Step 4: If r = 0 then set Mn = K1 XOR M*n,
Otherwise set Mn = K2 XOR PaddingIso( M*n, b / 8 ).
f. Step 5: C0 = I2OS( 0, b / 8 )
g. Step 6: Ci = AES_ENC( K, Ci1 XOR Mi ).
h. Step 7: T = Cn.
With the MAC validation the consistency of the data and the added data of the data authenti-
cation will be checked. This functionality is not directly visible at the physical interface. In the
context of several internal operations in the operating system of a smartcard the MAC valida-
tion as a function will be used as described in the following
Errors:
(N29.00)
The COS MUST check the integrity of M using T and K. The following steps have to be
done:
a. Step 1: T = CALCULATE_Retail_MAC( K, M ).
b. Step 2: If T is identical to T then return VALID.
Otherwise return INVALID
Errors:
(N30.00)
The COS MUST check the integrity of M using T and K according to [CMAC]
Clause 6.3. The following steps have to be performed:
a. Step 1: T = CALCULATE_CMAC( K, M ).
b. Step 2: If T is identical to T then return VALID.
Otherwise return INVALID
In this document calculation of a signature only means the operation using the private key.
Errors:
(N31.00)
According to [ISO9796-2] Clause 7 and 8 the COS MUST perform the following opera-
tions using these definitions: n = PrK.n, d = PrK.d
a. Step 1: message allocation: splitting the message M in M1 and M2 according to
[ISO9796-2] Clause 7.1.2.
b. Step 2: message representative production: Calculate the representation F of the
message M according to [ISO9796-2] Clause 8.2. whereas t = 1 MUST be set and
the hash function SHA-256 (see (N13.00)) MUST be used.
c. Step 3: signature production: According to [ISO9796-2] Clause 7.1.4 and [ISO9796-
2] Annex A.4 the following operations will be performed:
Input: digestInfo any octet string being used as digest info, see [PKCS#1] Annex
A.2.4
(N32.00)
According to [PKCS#1] Clauses 8.2.1, 9.2 the COS MUST perform the following opera-
tions using these definitions: n = PrK.n, d = PrK.d
a. Step 0: If OctetLength( digestInfo ) > 0,4 OctetLength( n ), then terminate this algo-
rithm with error code DigestInfoTooLong.
b. Step 1: Set EM 00 || digestInfo.
c. Step 2: Set EM FF || EM.
d. Step 3: If OctetLength( EM ) is less than OctetLength( n ) 2, then continue with
step 2..
e. Step 4: Set EM 01 || EM.
f. Step 5: Set m OS2I( EM ).
d
g. Step 6: Set s m mod n.
h. Step 7: Set S I2OS( s, OctetLength( n ) ).
Input: M1 any octet string representing the recoverable part of the message M to
be signed.
h(M2) any octet string representing the hash value which is calculated from the
non recoverable part of the message to be signed M.
Errors:
(N33.00)
According to [ISO9796-2] Clauses 7 and 9, the COS MUST perform the following op-
erations using these definitions: n = PrK.n, d = PrK.d
a. Step 1: Message representative production: Calculate the representation F of the
message M according to [ISO9796-2] Clause 9.2. whereas t = 1 and Ls = Lh MUST
be set and the hashfunction SHA-256 (see (N13.00)) MUST be used. In detail:
i. Set C = I2OS( BitLength( OS2BS( M1 ) ), 8)
ii. Set S = RAND( 32 )
iii. Calculate H = SHA_256( C || M1 || h(M2) || S )
iv. Calculate F according to [ISO9796-2] Clause 9.2.2.
b. Step 2: signature production: according to [ISO9796-2] Clause 7.1.4 and [ISO9796-
2] Annex A.6 the following operations will be performed:
i. Step 2.1: J = OS2I( F )
ii. Step 2.2: a = Jd mod n
iii. Step 2.3: sig = I2OS( a, OctetLength( n ) )
Input: M1 any octet string representing the recoverable part of the message M to
be signed.
h(M2) any octet string representing the hash value which is calculated from
the non recoverable part of the message to be signed M.
Errors:
(N34.00)
According to [ISO9796-2] Clauses 7 and 9, the COS MUST perform the following op-
erations using this definition: n = PrK.n,
a. Step 1: a = OS2I( RSA_PSS_SIGN( PrK, M1, h(M2) )).
b. Step 2: b =na
c. Step 3: c = min{ a, b }
HPC Part 1 COS, V2.3.2 Page 43 of 278
d. Step 4: sig = I2OS( c, OctetLength( n ) )
6.6.3.1.5 RSASSA-PSS-SIGN
Using the command INTERNAL AUTHENTICATE (see (N895.00)d) and the command PSO:
COMPUTE DIGITAL SIGNATURE (see (N912.00)c) this functionality is visible at the physical
interface. It will be used as follows:
Input: mHash any octet string representing the hash value of the message to be
signed M.
Errors:
(N35.00)
According to [PKCS#1], Clauses 8.1.1, 9.1.1 the COS MUST perform the following
operation:
a. Step 1: M1 = (M1 is an empty octet string)
b. Step 2: S = RSA_PSS_SIGN( PrK, M1, mHash ).
Using the command PSO: COMPUTE DIGITAL SIGNATURE this functionality is visible at
the physical interface (see (N912.00)d). It will be used as follows:
Errors:
Notation: ( R, S ) = ELC_SIG(PrK, H)
(N36.00)
According to [TR-03111] Clause 4.2.1 the COS MUST perform the following opera-
tions using these definitions:
n = PrK.domainParameter.n, G = PrK.domainParameter.G,
dA = PrK.domainParameter.d, L = PrK.domainParameter.L
a. Step 1: k RNG({1,2, , n 1}).
b. Step 2: Q [k] G with Q = ( xQ, yQ ).
c. Step 3: r OS2I( FE2OS(xQ) ) mod n.
If r = 0, then continue with step 1
HPC Part 1 COS, V2.3.2 Page 44 of 278
d. Step 4: kinv k1 mod n.
e. Step 5: s kinv ( r dA + OS2I( H ) ) mod n.
If s = 0, then continue with step 1.
f. Step 6: R I2OS( r, L ).
S I2OS( s, L ).
In this document validation of a signature only means the operation processed with the
public key. This functionality is not directly visible at the physical interface. It will be used
internally. In the context of several internal operations in the operating system of a smartcard
the signature validation as a function will be used as described in the following.
M2 any octet string representing the non recoverable part of the message M.
M2 MAY be empty.
Errors:
(N37.00)
According to [ISO9796-2] Clauses 7.2 the COS MUST perform the following operations
using these definitions: n = PuK.n, e = PuK.e
a. Step 1: signature opening: according to [ISO9796-2] Annex A.5:
i. Step 1.1: if the bit length of sig is not equal to the bit length of modulus n, then
return False and terminate this algorithm.
ii. Step 1.2: if the most significant bit of sig has the value 1, then return False
and terminate this algorithm.
iii. Step 1.3: s = OS2I( sig ).
iv. Step 1.4: J* = se mod n.
v. Step 1.5: If J* is even then set I* = J*,
otherwise set I* = n J*.
vi. Step 1.6: If I* mod 256 is not equal to BC, then return False and terminate
this algorithm.
vii. Step 1.7: F* = I2OS( I*, OctetLength( n ) ).
viii. Step 1.8: If the most significant bit of F* has the value 1, then return False
and terminate this algorithm.
b. Step 2: message recovery; according to [ISO9796-2] Clause 8.3:
HPC Part 1 COS, V2.3.2 Page 45 of 278
i. Step 2.1: If the second significant bit of F* has the value 0, then return False
and terminate this algorithm.
ii. Step 2.2: Calculate H* and M1* according to [ISO9796-2] Clause 8.3.
iii. Step 2.3: Calculate M = M1 || M2.
iv. Step 2.4: Calculate H = SHA_256( M ).
v. Step 2.5: If H is identical with H*, then return True and M otherwise return
False without M.
Note: Keep in mind that F* in (N37.00) is an octet string. From this F* a bit string will be emerged by
cutting off the most significant bit. This bit string complies with F* [ISO9796-2] Clause 8.3.
Therefore the second important bit will be checked in (N37.00)b.i and in [ISO9796-2] Clause 8.3
the leftmost bit.
Errors:
(N38.00)
According to [TR-03111] Clause 4.2.2 the COS MUST perform the following operations
using this definitions:
n = PuK.domainParameter.n, G = PuK.domainParameter.G,
Pa = PuK.P
a. Step 0: r OS2I( R ).
s OS2I( S ).
b. Step 1: check whether r and s are elements of the set {1, 2, , n 1}.
If not return False and terminate the algorithm.
c. Step 2: sinv s1 mod n.
d. Step 3: u1 sinv OS2I ( H ) mod n.
u2 sinv r mod n.
e. Step 4: Q [u1] G + [u2] Pa.
f. Step 5: v OS2I ( FE2OS(xQ) ) mod n.
g. Step 6: Return True if v = r , otherwise False.
The symmetric encryption transfers any plaintext (octet string of any content and any length)
into a cipher text. This functionality is not directly visible at the physical interface. In the con-
text of several internal operations in the operating system of a smartcard the symmetric en-
cryption as a function will be used as described in the following
Input: P Octet string, plaintext, any octet string of any length to be en-
crypted
(N39.00)
The COS MUST calculate C from P using K and T. The following steps have to be per-
formed:
a. Step 1: If OctetLength( P ) mod 8 is not equal to 0, then return lengthError and ter-
minate the algorithm.
b. Step 2: Divide P in blocks of 64 bits each P = P1 || P2 || || Pn.
c. Step 3: Set C0 = I2OS( T1, 8 )
d. Step 4: Calculate Ci = 3TDES_ENC( K, Ci1 XOR Pi ) for i = 1,, n.
e. Step 5: Calculate C = C1 || C2 || || Cn1 || Cn.
Input: P Octet string, plaintext, any octet string of any length to be encrypted
T1 any number having no negative value, to be used as initial value for the
counter
(N40.00)
The COS MUST calculate C and Tn+1 from P using K according to [AES-CTR] Clause
6.5. The following steps have to be performed:
a. Divide P in blocks P = P1 || P2 || || Pn1 || P*n.
The blocks P1 to Pn1 have a length of 128 bits. The block P*n has a length which is
equal to or less than 128 bits.
b. Set Oj = AES_ENC(K, I2OS(T1 + j 1, 16)) for j = 1, 2, , n.
c. Set Cj = Pj XOR Oj for j = 1, 2, , n 1.
d. Set C*n = P*n XOR Extract_MSByte( On, OctetLength( P*n ) ).
e. Set C = C1 || C2 || || Cn1 || C*n
f. Set Tn+1 = T1 + n
The symmetric decryption transfers a cipher text (octet string of any content and any length)
into a plaintext. This functionality is not directly visible at the physical interface. In the context
of several internal operations in the operating system of a smartcard the symmetric decryp-
tion as a function will be used as described in the following.
Input: C any octet string, cipher text, to be decrypted; the length being a
multiple of the block length.
(N41.00)
The COS MUST calculate P from C using K and T1. The following steps have to be per-
formed:
a. Step 0: If length of C is not a multiple of the block length, then return InvalidLength
and terminate the algorithm.
b. Step 1: Divide C into blocks with a length of 64 bits each
C = C1 || C2 || || Cn.
T1 any number having no negative value, to be used as initial value for the
counter
Errors: none
(N42.00)
It applies: ( P, Tn+1 ) = AES_CTR_DEC( K, T1, C ) = AES_CTR_ENC( K, T1, C ).
The asymmetric encryption transfers a message M (octet string of any content and any
length) into a cipher text C. This functionality is not directly visible at the physical interface. In
the context of several internal operations in the operating system of a smartcard the asym-
metric encryption as a function will be used as described in the following:
(N44.00)
The COS MUST calculate C using PuK and M according to [PKCS#1] Clause 7.1.1 us-
ing the definitions n = PuK.n, e = PuK.e.
a. Step 1: If OctetLength( M ) is greater than OcetLength( n ) 66, then terminate the
algorithm and return the error message message too long.
b. Step 2: Set L = , (empty octet string).
c. Step 3: Set lHash = SHA_256( L ).
d. Step 4: Set Plen = OctetLength( n ) OctetLength( M ) 66.
e. Step 5: Set PS = I2OS( 0, Plen ).
f. Step 6: Set DB = lHash || PS || 01 || M.
HPC Part 1 COS, V2.3.2 Page 50 of 278
g. Step 7: Set seed = RAND( 32 ).
h. Step 8: Set dbMask = MGF( seed, Octetlength( n ) 33 ).
i. Step 9: Set maskedDB = DB XOR dbMasked.
j. Step 10: Set seedMask = MGF( maskedDB, 32 ).
k. Step 11: Set maskedSeed = seed XOR seedMask.
l. Step 12: Set EM = 00 || maskedSeed || maskedDB.
m. Step 13: Set m = OS2I( EM ).
n. Step 14: Set c = me mod n.
o. Step 15: Set C = I2OS( c, OctetLength( n )).
Input: M Octet string, message of any content and any length to be en-
crypted
(N45.00)
The COS MUST calculate POA, C and T using M and POB. The steps 1 to 6 are per-
formed according to Clause 4.3.1 in [TR-03111] and the following definitions are used:
n = dP.n, h = dP.h,
G = dP.G, L = dP.L
a. Step 0: PB OS2P( POB, dP ).
If this function terminates with an error, then return ERROR and terminate this al-
gorithm.
b. Step 1: r RNG({1, 2, , n 1}).
c. Step 2: PEA [r] G.
d. Step 3: l h1 mod n.
e. Step 4: Q [h] PB.
f. Step 5: S [ r l mod n ] Q with S=(xS, yS).
If S equals the point of infinity O of the curve, then return ERROR and terminate
this algorithm.
g. Step 6: KAB I2OS( xS, L ).
This functionality is visible in the context of the command PSO: DECIPHER at the physical
interface (see (N945.00)a).
(N46.00)
The COS MUST calculate M using PrK and C according to [PKCS#1] Clause 7.2.2 us-
ing these definitions: n = PrK.n, d = PrK.d
a. Step 1: If OctetLength( C ) is not equal to OctetLength( n ), then terminate this algo-
rithm with decryption error.
b. Step 2: Set c = OS2I( C ).
c. Step 3: If c is greater than or equal to n, then terminate this algorithm with decryp-
tion error.
d. Step 4: Set EM = I2OS( cd mod n, OctetLength( n )).
e. If the first octet in EM is not equal to 00, or the second octet in EM is not equal to
02, then terminate this algorithm with decryption error.
f. Step 5: Split EM as follows: EM = 00 02 || PS || 00 || M. Each octet in PS
MUST be unequal to 00.
g. Step 6: Terminate this algorithm with decryption error, if
Note: The check in Step 1 is not necessary as the case does not occur in the context of this specifica-
tion because of (N928.00) Furthermore, Step 3 checks more strictly.
This functionality is visible in the context of the command PSO: DECIPHER at the physical
interface (see (N945.00)b).
(N47.00)
The COS MUST calculate M using PrK and C according to [PKCS#1] Clause 7.1.2 us-
ing these definitions: n = PrK.n, d = PrK.d
a. Step 1: Set L = , (empty octet string).
b. Step 2: Set c = OS2I( C ).
c. Step 3: If c is greater than or equal to n, then terminate this algorithm with decryp-
tion error.
d. Step 4: Set m = cd mod n.
e. Step 5: Set EM = I2OS( m, OctetLength( n ) ).
f. Step 6: Set lHash = SHA_256( L ).
g. Step 7: Divide EM as follows:
i. Step 7.1: EM = Y || maskedSeed || maskedDB.
ii. Step 7.2: 1 = OctetLenght( Y ).
iii. Step 7.3: 32 = OctetLength( maskedSeed ).
h. Step 8: Set seedMask = MGF( OS2BS( maskedDB ), 256, 0 ).
i. Step 9: Set seed = OS2BS( maskedSeed ) XOR seedMask.
j. Step 10: Set dbMask = MGF(seed, 8 OctetLength(maskedDB),0).
k. Step 11: Set DB = maskedDB XOR BS2OS( dbMask ).
l. Step 12: Split DB as follows:
i. Step 12.1: DB = lHash || PS || 01 || M.
ii. Step 12.2: 32 = OctetLength(lHash).
HPC Part 1 COS, V2.3.2 Page 53 of 278
iii. Step 12.3: the octet string PS (possibly empty) may only contain octets
with the value 00.
m. Step 13: Terminate this algorithm with decryption error, if
i. lHash is not equal to lHash, or
ii. Y has not the value 00, or
iii. No octet with the value 01 exists, which separates PS from M .
n. return M
This functionality is visible in the context of the command PSO: DECIPHER at the physical
interface (see (N945.00)c).
(N48.00)
The COS MUST calculate M using PEA, PrK, C and T. The steps 1 to 4 are performed
according to Clause 4.3.2 in [TR-03111] and the following definitions are used:
n = PrK.domainParameter.n, h = PrK.domainParameter.h,
dB = PrK.domainParameter.d, L = PrK.domainParameter.L
a. Step 0: PEA OS2P( PO, PrK.domainParameter ).
If this function terminates with an error, return ERROR and terminate this algo-
rithm.
b. Step 1: l h1 mod n.
c. Step 2: Q [ h ] PEA with Q = ( xQ, yQ ).
d. Step 3: S [ dB l mod n ] Q. with S = ( xS, yS ).
If S is equal to the point of infinity O of the curve, then return ERROR and termi-
nate this algorithm.
e. Step 4: KAB I2OS( xS, L ).
f. Step 5: Calculate derived keys according to 0
( Kenc, T1, Kmac, SSC ) Key_Derivation_AES128( KAB ).
In this chapter only non self-descriptive CV-certificates will be regarded, containing a signa-
ture with message recovery as defined in [ISO9796-2] DS1.
Technically such a certificate is a message M signed according to [ISO9796-2] DS1. The
message M contains several data, being concatenated without structural information or sepa-
rators, therefore non self-desriptive as a denotation. To allow an explicit extraction of the
information, the most significant octet of M will be analyzed.
All signed messages M looked at in Clause 7.1 contain the information described in the fol-
lowing sub-clauses.
The Certificate Profile Identifier (CPI) indicates the exact structure of a CV-certificate.
The Certification Authority Reference (CAR) references the key of the CA issuing the certifi-
cate. Typically the CAR contains an internal structure which guarantees that worldwide the
CAR is unique.The document [PKI-Reg] contains the corresponding definitions.
Typically also the issuing CA has a CV-certificate. Thus a tree of certificates is defined (PKI),
starting with the Root-CA at the top.
The public key of the Root-CA is regarded as the security base. It will be stored in the smart-
card during the preparation phase (see Clause 4). Therefore it is not necessary to import this
public key with the CV-certificate (break of the recursion).
The Certificate Holder Reference (CHR) is used to assign a unique identifier to the public key
being part of the certificate. Typically the unique serial number of the smartcard (ICCSN) is
used as part of the CHR. Within this document it is irrelevant how the CHR is built. The
document [PKI-Reg] contains the corresponding definitions.
The Certificate Holder Authorization (CHA) indicates the role of the certificate owner. Typi-
cally it is a requirement of the security concept that two different roles below a Root-CA are
not allowed to have the same CHA. Therefore more and more the requirement is raised that
HPC Part 1 COS, V2.3.2 Page 56 of 278
the CHA should be worldwide unique. To achieve this typically a part of the unique applica-
tion identifier is used as part of the CHA. Within this document it is irrelevant how concrete
values will be defined. The document [PKI-Reg] contains the corresponding definitions.
The Object Identifier (OID) in a CVC describes the algorithm, which is assigned to the key in
the cerificate. Within this specification different algorithms will be used for different purposes.
Therefore the usage of the public key being part of the certificate is defined by the algorithm-
OID in an implicit way. OIDs are worldwide unique.
Within Clause 7.1 only the following OIDs are used:
Table 6: (N48.50) Object Identifier of the Registration Authority TeleTrusT (www.teletrust.de)
The public RSA-key has the parts defined in the following sub-clauses.
7.1.1.6.1 Modulus
The modulus is hex-coded, unsigned in big endian-format
This clause lists the certificate profiles to be supported. The certificate profiles will be identi-
fied by means of the CPI.
In this sub-clause the content of a CV-certificate will be described. It contains the public key
of a CA. With the help of this public key additional public keys can be imported per CV-
certificate using the command PSO: VERIFY CERTIFICATE (see Clause 14.8.8.1). The fol-
lowing conditions have to be fulfilled:
(N49.00)
The CPI MUST have the value 21
(N50.00)
The coding of the OID MUST have a length of seven octets. Within Clause 7.1 only
2B24 0304 0202 04 will be used for the OID {1.3.36.3.4.2.2.4} (see Table 6 (N48.50)).
In this sub-clause the structure of a CV-certificate will be described which contains the public
key of an entity using this key for authentication purposes. The following conditions have to
be fulfilled for those certificates:
(N56.00)
The CPI MUST have the value 22
(N57.00)
The CHA MUST have a length of seven octets
(N58.00)
The coding of the OID MUST have a length of six octets. Within Clause 7.1 only 2B24
0305 0204 will be used for the OID {1 3 36 3 5 2 4} (see Table 6 (N48.50)).
(N59.00)
The length of the modulus MUST be 38 octets less than the message M
(N60.00)
The public exponent MUST have a length of 4 octets
(N61.00)
The CHR MUST have a length of twelve octets
(N62.00)
The CAR MUST have a length of eight octets
(N63.00)
For the message to be signed M the following applies:
M = CPI || modulus || public exponent || OID || CHA || CHR || CAR.
CHR and CAR belong to the non recoverable part of the signed message if (N21.00)a is
regarded and the hash value is calculated according to Clause 6.1. Then CHR and CAR are
stored as plaintext.
Tag L Value
7F21 820146 CV-Certificate (0146 = 326 octets)
Tag L Value
5F37 820100 Signature SIG.CA (0100 = 256 octets)
5F38 3E non recoverable part M2 (003E = 62 octets)
Tag L Value
7F21 820150 CV-Certificate (0150 = 336 octets)
Tag L Value
5F37 820100 Signature SIG.CA (0100 = 256 octets)
5F38 48 non recoverable part M2 (0048 = 72 octets)
This sub-clause describes some attributes which are relevant for several object types.
The attribute type fileIdentifier is used for the object types DF and EF.
The specification of an application has to comply with the following rules defined in the norm
[ISO7816-4]:
(N67.00)
The value of the fileIdentifier MUST be an integer in the interval [1000, FEFF].
(N68.00)
An object not being root (see Clause 9.1) MUST NOT have a fileIdentifier with the
value 3F00.
(N69.00)
An object MUST NOT have a fileIdentifier with the value 3FFF.
Note: Requirement (N67.00) is stronger than [ISO7816-4]. This gives room for manufacturer-specific
folders (DF) and files (EF).
It is possible that the attribute type shortFileIdentifier is used by the object types file (see
Clause 8.3.2).
The specification of an application has to comply with the following rule defined in the norm
[ISO7816-4]:
(N70.00)
The value of shortFileIdentifier MUST be an integer in the interval [1, 30].
The attribute type lifeCycleStatus is used by the object types folder, file and record to store a
physical Life Cycle Status (see (N216.00)). The object types password and key only have a
logical Life Cycle Status (see (N217.00)).
The specification of an application has to comply with the following rules defined in the norms
[ISO7816-4] Table 13 and [ISO7816-9] Figure 1:
(N71.00) The value of lifeCycleStatus MUST be an element of the set {
Operational state (activated),
Operational state (deactivated)
}.
A COS MAY support additional values for lifeCycleStatus.
A COS MAY refuse additional values for lifeCycleStatus.
The attribute type accessRuleList is used by object types, for which the execution of com-
mands depends on access rules. Normally it is a combination of several access rules. Typi-
cally more than one access rule is assigned to an object, thus allowing the COS to react
situationally. As an example: specific read operations are only allowed via the contact inter-
face whereas they are forbidden for the contactless interface. On the other hand normally the
access to deactivated objects is strictly limited. Additionally security environments are used
to realize access conditions depending on the operational environment.
From an academic point of view it would be necessary to use a 3D-matrix with access condi-
tions: access conditions depending on the interface (contact/contactless = first dimension),
the life cycle (activated/deactivated = second dimension) and the operational environment
(SE-identifier = third dimension).
In this document the first dimension will not be regarded because a contactless interface is
not defined; for the second dimension it is sufficient to look only at the operational environ-
ment in respect to the deactivated state. Therefore in this version of the document a simple
list is used instead of a (multidimensional) matrix.
(N72.00)
The value of accessRuleList MUST be a list of at least two and a maximum of five ele-
ments:
A COS MAY support a list with more elements.
A COS MAY refuse a list with more elements.
(N73.00)
An element of the list MUST be used for the value of the variable lifeCycleStatus =
Operational state (deactivated) (see Clause 8.1.3)
(N74.00)
The remaining elements of the list MUST be assigned to exactly one value of seIdenti-
fier (according to (N79.00)).
(N75.00)
Each element of the list MUST contain exactly one access rule according to Clause
10.3.
8.1.5 Record
The objecttype record will be used by the object types linear variable, linear fixed and cyclic
Elementary File (EF).
(N76.00)
A record MUST have a record number number. The record number MUST be an inte-
ger in the interval [1, 254].
A COS MAY support record numbers with additional values.
A COS MAY refuse record numbers with additional values.
(N77.00)
A record MUST contain an octet string data; the number of included octets MUST be in
the interval [1, 255].
A COS MAY support additional lengths for record.
A COS MAY refuse additional lengths for record.
8.1.6 SE-Identifier
The attribute type seIdentifier is closely linked to the term Security Environment (see
Clause 8.7). From the range of values defined in [ISO7816-4] Clause 6.3.3 the following sub-
set will be chosen:
(N79.00)
The value of seIdentifier MUST be an integer in the interval [1, 4].
The COS MAY support additional values for seIdentifier.
The COS MAY refuse additional values for seIdentifier.
8.1.7 PIN
The attribute type pin is used in the context of user authentication. The following applies:
(N80.00)
A pin MUST be a sequence of digits from the set {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}. The num-
ber of digits MUST be in the interval [4, 12].
A COS MAY support additional digits and additional numbers of digits for pin.
A COS MAY refuse additional digits and additional numbers of digits for pin.
(N81.00)
The following rules apply for the conversion of the attribute type pin to a format-2-PIN-
block:
a. The format-2-PIN-block is an octet string with 8 octets = 16 nibbles
b. The first nibble MUST have a value 2.
c. The second nibble MUST code the number of digits in pin in hex.
d. The nibble i + 2 MUST code the digit i of pin in hex
e. All other nibbles MUST have the value F.
The attribute type 3TDES_Key acts as a store for a 3TDES-key, which consists of three par-
tial keys Ka, Kb and Kc.
(N82.00)
The value of 3TDES_Key MUST be an octet string of 24 octets.
(N83.00)
The value of 3TDES_Key MUST be selectable without restrictions, but the following
applies for the parity of each octet: If the parity of the octets is not correct, then
This clause may be changed in a later version of this document. Generation2-smartcards may be in the field until
2020. Therefore it is possible, that in Generation 2 AES-256 will be used instead of AES-128 from the beginning.
That has to be discussed.
The attribute type domainParameter acts as a store for parameters, which characterise an
elliptical curve. The following rules apply for the specification of applications, compare Table
5 (N26.50):
(N86.00)
domainParameter contains
a. a prime number p,
b. a number a,
c. a number b,
d. a point G on an elliptical curve,
e. a number n,
f. a number h,
g. a number L, which defines the minimum number of octets being necessary to code p
as an unsigned number. This parameter was added to the official list of domain pa-
rameters, because it is used in many cases in this document.
The attribute type privateKey acts as a generic term for privateRsaKey and privateElcKey.
The attribute type privateRsaKey acts as a store for the private part of an asymmetric RSA-
keypair. The following rules apply for the specification of applications:
(N87.00)
A privateRsaKey MUST have an attribute n according to (N21.00).
(N88.00)
A privateRsaKey MUST have an attribute d with an integer value in the interval [1, n
1].
The attribute type privateElcKey acts as a store for the private part of an asymmetric ELC-
keypair. The following rules apply for the specification of applications:
(N89.00)
A private privateElcKey MUST have an attribute domainParameter according to
(N86.00), which MAY be referenced per OID according to (N86.00)h.
(N90.00)
A privateElcKey MUST have an attribute d, with an integer value in the interval [1, n
1].
The attribute type publicRSAKey acts as a store for the public part of an asymmetric RSA-
keypair. The following rules apply for the specification of applications:
(N91.00)
A publicRsaKey MUST have an attribute n according to (N21.00)a.
(N92.00)
A publicRsaKey MUST have an attribute e according to (N21.00)b.
The attribute type publicElcKey acts as a store for the public part of an asymmetric ELC-
keypair. The following rules apply for the specification of applications:
(N93.00)
A publicElcKey MUST have an attribute domainParameter according to (N86.00),
which MUST be referenced per OID according to (N86.00)h.
(N94.00)
A publicElcKey MUST have an attribute P which describes a point of the curve defined
by the domain parameters.
This sub-clause describes file-oriented object types. In this context file is used as a generic
term for folder (see Clause 8.3.1) and file (see Clause 8.3.2).
8.3.1 Folder
Folders are used for the hierachical arrangement of objects in an object oriented system. In
this document the term folder is used as a generic term for:
HPC Part 1 COS, V2.3.2 Page 65 of 278
Applications (Clause 8.3.1.1),
Dedicated Files (Clause 8.3.1.2) and
Application Dedicated Files (Clause 8.3.1.3)
The specification of an application has to comply with the following rules for folders defined in
the norm [ISO7816-4]:
(N99.00)
A folder MUST have exactly one attribute of the type lifeCycleStatus (see
Clause 8.1.3).
(N100.00)
A folder MUST have exactly one attribute of the type accessRuleList (see Clause 8.1.4.
(N101.00)
A folder MUST have a list children (possibly empty) with child objects.
a. The following object types (considering the maximum number of nestings) MUST be
supported as list elements (see (N215.00))
Dedicated File (see Clause 8.3.1.2)
Application Dedicated File (see Clause 8.3.1.3)
File (see Clause 8.3.2)
Password (see Clause 8.4)
Symmetric object for authentication (see Clause 8.5.1)
private key object (see Clause 8.5.3)
b. The COS MAY support additional object types as list elements.
The COS MAY refuse additional object types as list elements.
c. For all elements of the list children, which contains the child objects of a folder, it
applies: the list children of a folder MUST NOT contain child objects,
i. whose attribute fileIdentifier (if available, see (N108.00) and (N110.00) has the
same value.
ii. whose attribute shortFileIdentifier (if available, see (N111.00) has the same
value.
iii. whose attribute pwdIdentifier (if available, see (N153.00) has the same value.
iv. whose attribute keyIdentifier (if available, see (N167.00) and (N184.00) has
the same value.
(N102.00)
A folder MUST have exactly one attribute shareable of the type Boolean. In the context
of this specification the value of this attribute MUST be always True. This indicates
that this folder can be used as currentFolder in more than one logical channel (see
(N321.00)a).
Note: in (N101.00)a applications (see Clause 8.3.1.1) are deliberately not included, compare also
(N213.00)).
8.3.1.1 Application
An application is a folder, which can only be selected by an AID. This is the main difference
to a DF (see Clause 8.3.1.2).
The specification of an application has to comply with the following rules defined in the norm
[ISO7816-4]:
HPC Part 1 COS, V2.3.2 Page 66 of 278
(N103.00)
An application is an extension of a folder and MUST fulfill the requirements of Clause
8.3.1.
(N104.00)
The attribute applicationIdentifier (AID) MUST be an octet string.
a. The length of applicationIdentifier MUST be in the interval [5, 16].
b. The octets in applicationIdentifier MUST be selectable without any restriction.
c. A COS MAY accept applicationIdentifier violating these rules.
A COS MAY refuse applicationIdentifier violating these rules.
(N105.00)
An application MUST have at least one applicationIdentifier.
(N106.00)
An application MUST have NOT more than two applicationIdentifier.
A COS MAY accept more than two applicationIdentifier for applications.
A Dedicated File (DF) is a folder, which can only be selected by a File Identifier. This is the
main difference to an application (see Clause 8.3.1.1).
The specification of an application has to comply with the following rules defined for a DF in
the norm [ISO7816-4]:
(N107.00)
A DF is an extension of a folder and MUST fulfill the requirements of Clause 8.3.1.
(N108.00)
A DF MUST have exactly one attribute of the type fileIdentifier (see Clause 8.1.1)).
An Application Dedicated File (ADF) is a folder which can be selected by the applicationIden-
tifier as well as by the fileIdentifier. In this document ADF is regarded as the set union of
application (Clause 8.3.1.1) and DF (Clause 8.3.1.2). Accordingly for an ADF the following
rule applies, which have to be fulfilled by the specification of an application:
(N109.00)
An ADF MUST combine the characteristics of application and DF. Therefore it MUST
fulfill both the requirements of Clause 8.3.1.1 and Clause 8.3.1.2.
8.3.2 File
In this document a file is the generic term for a transparent EF (see Clause 8.3.1.2) and a
structured EF (see Clause 8.3.2.2).
The specification of an application has to comply with the following rules defined for a file in
the norm [ISO7816-4]:
(N110.00)
A file MUST have exactly one attribute of the type fileIdentifier (see Clause 8.1.1).
(N111.00)
A file MUST support a list of elements of the type shortfileIdentifier (see Clause 8.1.2).
this list is either
a. empty (the file has no shortFileIdentifier) or
A transparent elementary file (transparent EF) serves to store octet strings, whereas it is
possible to access any part of the octet string. The content of octet strings in transparent EF
being defined in the context of an application is merely stored but will never be interpreted or
used internally by the COS. The octet strings are divided into data units (see [ISO7816-4]).
The data units are referenced by an offset value.
The specification of an application has to comply with the following rules defined for a trans-
parent EF in the norm [ISO7816-4]:
(N117.00)
A transparent EF is an extension of a file and MUST comply with the requirements of
Clause 8.3.2.
(N118.00)
A transparent EF MUST have exactly one attribute numberOfBytes; the value MUST
be an integer in the interval [1, 32768].
A COS MAY refuse numberOfBytes if it is out of this interval.
A COS MAY accept numberOfBytes if it is out of this interval.
(N119.00)
A transparent EF MUST have an attribut body of the type octet string. The number of
octets in body is equal to the numberOfBytes.
(N120.00)
The size of one data unit in body MUST be 1 octet.
(N121.00)
The offset of the first octet in body is zero. If i is the offset of the octet i, than (i+1) is the
offset of the next octet.
(N122.00)
A transparent EF MUST support the following commands:
A structured Elementary File (structured EF) serves to store a list of records (see Clause
8.1.5). Access to any list element is possible. The content of an octet string of a record in a
structured EF being defined in the context of an application is merely stored but will never be
interpreted or used internally by the COS.
The specification of an application has to comply with the following rules defined for a struc-
tured EF in the norm [ISO7816-4]:
(N124.00)
A structured EF is an extension of a file and MUST comply with the requirements of
Clause 8.3.2.
(N125.00)
A structured EF MUST have exactly one attribute recordList of the type list with ele-
ments of the type record. The number of list elements MUST be in the interval [0, 254].
A COS MAY accept a greater number of list elements.
A COS MAY refuse a greater number of list elements.
(N126.00)
The element i in recordList MUST have the record number i.
(N127.00)
A structured EF MUST have exactly one attribute maximumNumberOfRecords. Its
value MUST be an integer in the interval [1, 254].
A COS MAY accept maximumNumberOfRecords if its value is outside this interval.
A COS MAY refuse maximumNumberOfRecords if its value is outside this interval.
(N128.00)
A structured EF MUST have exactly one attribute maximumRecordLength; its value
MUST be an integer in the interval [1, 255].
A COS MAY accept maximumRecordLength if its value is outside this interval.
A COS MAY refuse maximumRecordLength if its value is outside this interval.
(N129.00)
A structured EF MUST have exactly one attribute flagRecordLifeCycleStatus of the
Boolean type. If this attribute
a. is True then all elements in recordList MUST have a lifeCycleStatus.
b. is False then NO element in recordList MUST have a lifeCycleStatus.
HPC Part 1 COS, V2.3.2 Page 69 of 278
(N130.00)
A structured EF MUST support the following commands:
a. ACTIVATE RECORD (see Clause 14.4.1),
APPEND RECORD (see Clause 14.4.2),
DEACTIVATE RECORD (see Clause 14.4.3),
ERASE RECORD (see Clause 14.4.4),
READ RECORD (see Clause 14.4.5),
SEARCH RECORD (see Clause 14.4.6),
UPDATE RECORD (see Clause 14.4.7).
The transparent EF has to be selected, before these commands can work with the
octet string. This can be done either with the SELECT command (see
Clause 14.2.6.13 and Clause 14.2.6.14), or with the Short File Identifier being a pa-
rameter of the command sequence.
b. ACTIVATE (see Clause 14.2.1),
DEACTIVATE (see Clause 14.2.3),
DELETE (see Clause 14.2.4).
The transparent EF has to be selected, before these commands can work with the
octet string. This is done with the SELECT command (see Clause 14.2.6.13 and
Clause 14.2.6.14).
(N131.00)
A structured EF MAY support additional commands.
A structured EF MAY refuse additional commands.
The File Control Parameters (FCP) contain attributes of a file. In the context of this document
the FCP are only visible in the response data of a SELECT command (see (N510.00)a) at
the interface of the interpreter (see Figure 1 (N270.50)). For the coding of the File Control
Parameters the following rule apply:
(N142.00)
According to DER-TLV the File Control Parameters (FCP) MUST be coded in a
DO_FCP which MUST have a tag = 62.
(N143.00)
80: If the file is of the type transparent EF (see Clause 8.3.2.1) or linear variable EF
(see Clause 8.3.2.2.1), then DO_FCP MUST contain a DO_Size. It applies:
a. DO_Size MUST have a tag = 80.
b. The value field MAY be of any length.
c. If the octet string is converted with OS2I(), then this number MUST be equal to
numberOfBytes (see (N118.00), resp. (N133.00)).
(N144.00)
82: DO_FCP MUST contain a DO_FileDescriptor. If the file is of the type
a. Folder, then it applies:
i. DO_FileDescriptor MUST have a tag = 82
A password is a secret usually known only to the card holder. The COS will process specific
Services only after this secret is successfully presented in the context of a user authentica-
tion. The necessity of this user authentication can be switched on (enable) or off (disable), if
the COS supports the commands ENABLE VERIFICATION REQUIREMENT and DISABLE
VERIFICATION REQUIREMENT.
Normally this secret can be changed for security reasons. Also for security reasons the ser-
vice user authentication will be blocked by the COS if the user authentication with a specific
password fails too often. Normally it is possible to unblock the blocking.
Note: In other documents normally the term PIN is used that denotes sometimes the 6-digit secret
known to the cardholder (Please enter your PIN) and sometimes the object as such (The PIN is
blocked). For clearness only the term password is used for the object type in this document.
This sub-clause describes key objects being used in the context of cryptographic operations.
In this document the term key object is the generic term for symmetric, private and public
keys.
In this document symmetric keys are used for the following purposes:
1. With a secret (key) stored in a persistent way for one-sided authentication
(see Clause 15.1.1, (N895.00)a, (N895.00)b).
2. With a secret (key) stored in a persistent way for mutual authentication with parallel
negotiation of session keys (see Clause 15.4.1, Clause 15.4.2, Clause 15.6,
(N870.00)d, (N870.00)e, (N870.10)a, (N870.10)b, (N895.00)g).
3. As session keys to guarantee confidential communication
4. As session keys to guarantee the integrity and the authenticity of the communication
In this document private keys are used for the following purposes:
1. Calculation of electronic signatures (see Clause 14.8.1)
2. Decryption of data (see Clause 14.8.3)
3. Cornfirmation of the authenticity of this card
(see Clause 15.1.2, Clause 15.1.3, (N895.00)c, (N895.00)d, (N895.00)e, (N895.00)i)
At first an asymmetric mutual and certificate based authentication is performed (mutual intro-
duction) in order to provide the key derivation data. The session keys established during au-
thentication are persistently stored for later use. Session keys which are stored this way will
perform the same tasks as the two asymmetric keys that were involved in the authentication
procedure. Thus, an introduction object inherits certain information of the public key certifi-
cate as well as security-related properties of the private key. The advantage of introduction
objects is that their use is more efficient (about the factor 2 to 3). Cards which frequently
have to mutually authenticate can use the introduction objects from the time when they were
introduced to each other.
Assuming that it is possible to store several private key objects for authentication purposes
on a card, the ICCSN alone is no longer an adequate reference to the corresponding public
keys. Therefore, the following CHR format MUST be used as reference:
(N174.00)
The CHR of the certificate is used as public key reference of a private key. The CHR
consists of 12 octets and is constructed as follows:
a. CHR = index || keyReference || ICCSN, with
b. index = 00 for all certificates,
c. keyReference = reference of the corresponding private key
according to (N1089.00)
d. ICCSN = card serial number of length 10 octets as given in EF.GDO
(N175.00)
It SHOULD be possible to store several introduction objects per public key. As refer-
ence to introduction objects the CHR MUST be used with an index octet denoting the
agreed key material as follows:
a. index = 01 introduction object with 2TDES key material
b. index = 02 introduction object with 3TDES key material
c. index = 03 introduction object with AES-128 key material
d. index = 04 introduction object with AES-192 key material
e. index = 05 introduction object with AES-256 key material
f.
A symmetric introduction object is used in the authentication context according to Clause
15.6. For this key object the following rules have to be observed while defining an applica-
tion:
(N176.00)
A symmetric introduction object MUST have an attribute keyIdentifier. Any octet string
of length 12 octets MUST be allowed as value of keyIdentifier.
(N181.00)
A symmetric introduction object MUST have exactly one attribute of type CHA accord-
ing to Clause 7.1.1.4.
(N182.00)
A symmetric introduction object MUST support the following commands:
EXTERNAL AUTHENTICATE (see Clause 14.7.1.1 and Clause 14.7.1.2),
INTERNAL AUTHENTICATE (see Clause 14.7.4.1),
MUTUAL AUTHENTICATE (see Clause 14.7.1.2 and Clause 14.9.6.6),
Prior to sending the command that uses the symmetric introduction object, the object
itself has to be selected by applying one of the use cases described in Clause 14.9.6.
(N183.00)
A symmetric introduction object MAY support further commands.
A symmetric introduction object MAY refuse further commands.
Before these commands can work with the private key object it has to be selected. This
is done according to the use cases described in Clause 14.9.6.
A COS MAY support or refuse additional commands for such private key objects.
(N191.00)
In Generation 1 for the purpose of decryption algorithmIdentifier MUST be an element
of the following set (see Table 187 (1217.00)): {
rsaDecipherPKCS1_V1_5 (see Clause 14.8.3.1, (N945.00)a and
Clause 14.8.7.1, (N1004.00)a)
rsaDecipherOaep (see Clause 14.8.3, (N945.00)b and
Clause 14.8.7.1, (N1004.00)b)
}
(N192.00)
If an algorithmIdentifier from the set specified in (N191.00) is assigned to a private key
object, then the key object MUST support the following commands:
PSO: DECIPHER (see Clause 14.8.3),
PSO: TRANSCIPHER (see Clause 14.8.7).
Before these commands can work with the private key object it has to be selected. This
is done according to the use cases described in Clause 14.9.6.9.
A COS MAY support or refuse additional commands for such private key objects.
(N193.00)
A private key object MUST support an attribute keyAvailable of Boolean type. This at-
tribute is used in the context of the commands
GENERATE ASYMMETRIC KEY PAIR (see Clause 14.9.2.5) and
PSO: COMPUTE DIGITAL SIGNATURE (see (N911.00)).
The value True indicates, that the attribute privateKey can be used.
The value False indicates, that the attribute privateKey cannot be used.
(N194.00)
In Generation 1 for the purpose of signature computation algorithmIdentifier MUST be
an element of the set (see Table 188 (N1218.00)): {
sign9796_2_DS2, (see Clause 14.8.1.2 and (N912.00)a)
signPKCS_V1_5, (see Clause 14.8.1.1 and (N912.00)b)
signPSS, (see Clause 14.8.1.1 and (N912.00)c)
}.
(N195.00)
If an algorithmIdentifier from the set specified in (N194.00) is assigned to a private key
object, then the key object MUST support the following commands:
GENERATE ASYMMETRIC KEY PAIR (see Clause 14.9.2),
PSO: COMPUTE DIGITAL SIGNATURE (see Clause 14.8.1)
Before these commands can work with the private key object it has to be selected. This
is done according to the use cases described in Clause 14.9.6.7.
A COS MAY support or refuse additional commands for such private key objects.
A public object for signature verification is used for the verification of an electronic signature
in a CV-certificate. The specifications of applications have to comply with the following rules
for this key object:
(N201.00)
A public object for signature verification is an extension of a public key object and
MUST comply with the requirements of Clause 8.5.4.
(N202.00)
For the value of the attribute keyIdentifier any octet string with a length of eight octets
MUST be possible.
A COS MAY support additional lengths for keyIdentifier.
A COS MAY refuse additional lengths for keyIdentifier.
(N203.00)
For a public object for signature verification in Generation 1 the value of oid MUST be
an element of the set {
sigS_ISO9796-2Withrsa_sha256, (see Table 6 (N48.50))
}.
A COS MAY support additional values for oid.
A COS MAY refuse additional values for oid.
(N204.00)
A public object for signature verification MUST support the following command:
PSO: VERIFY CERTIFICATE (see Clause 14.8.8)
Before these commands can work with the public object for signature verification it has
to be selected. This is done according to the use cases described in Clause 14.9.6.8.
A public object for signature verification MAY support additional commands.
A public object for signature verification MAY refuse additional commands.
A public authentication object is used for the authentication of another technical component
to this component. The specifications of applications have to comply with the following rules
for this key object:
(N205.00)
A public authentication object is an extension of a public key object and MUST comply
with the requirements of Clause 8.5.4.
According to [ISO7816-4] the access for data objects is done with the commands GET DATA
and PUT DATA. These commands are not mandatory for this version of the specification;
therefore they will not be regarded.
According to [ISO7816-4] Clause 6.3.3 there is a wide variety of interpretations possible for
the term Security Environment. Therefore it is the intention not to use this term in the nor-
mative parts of this document. For the same reason only the indisputable principle of security
environments will be touched shortly in this informative (but not normative) Clause.
Security environments (SEs) offer the possibility to allocate in dependence of the environ-
ment concrete values to attributes of objects. For example this is used in this document for
the attribute type accessRuleList (Clause 8.1.4). Using SEs additional possibilities will result
for the design of applications.
An example: An HPC may be used in two different environments and in both environments
qualified electronic signatures can be created using the command PSO: COMPUTE DIGITAL
SIGNAURE.
1. In the environment 1 only single signatures can be created, i.e. user verification with
the signature PIN (PIN.QES) is required for each signature creation. Signature crea-
tion is also possible in signature environments other than the telematics environment
HPC Part 1 COS, V2.3.2 Page 82 of 278
of the health professional. The access rule of the signature key simply demands the
entry of PIN.QES.
2. In the environment 2 stack and comfort signatures can be created. In addition to the
user verification with PIN.QES, a device authentication of the signature environment
of the helath professional must be performed towards the HPC. The device authenti-
cation is a CVC-based role authentication of the signature application component
(SAK). Furthermore, the the data to be signed must be transfered in a protected
mode (with Secure Messaging).
Each environment has its own set of access conditions:
1. Environment_1:
a. Signature Key PSO: COMPUTE DS for single signatures:
User verification with PIN.QES
b. QES Certificate READ BINARY: always possible
2. Environment_2
a. Signature Key PSO: COMPUTE DS for stack and comfort signatures:
User verification with PIN.QES and
Authentication of SAK and
Secure Messaging
b. QES Certificate READ BINARY: always possible
The set of access rules to be used is defined by the environment. A concrete security envi-
ronment is selected by the use case in Clause 14.9.6.1.
On the other hand security environments will be used to select keys and other parameters for
cryptographic operations. The approach is different than for passwords. The specific pass-
word to be used by a command from Clause 14.6. will be determined by a parameter of this
command.
The procedure for keys is comparable with the procedure for files: The attribute currentEF
determines the file being affected. This attribute has to be chosen with the command SE-
LECT before the final command is executed. The file-oriented commands can only work with
one file per command; therefore one single attribute currentEF per folder is sufficient (see
(N322.00)b).
For some cryptographic commands it is possible that several cryptographic objects are af-
fected, like
According to [ISO7816-4] Clause 5.4.1 there is a wide variety of interpretations possible for
the term Security Status. Therefore it is the intention not to use this term in the normative
parts of this document. For the same reason only the indisputable principle of security status
will be touched shortly in this informative (but not normative) clause.
According to [ISO7816-4] the following items are part of the security status
1. Global security status which can be modified by user verification or component authenti-
cation with objects in the folder root (see (N210.00))
2. Application-specific security status which can be modified by user verification or compo-
nent authentication with objects in any folder
3. File specific status (not regarded in this document)
4. Command-specific status, which is allowed for the evaluation of access rules
In respect to global and application specific states one security status is assumed in this
document. In addition
a. user verification is covered by (N321.00)i, (N321.00)j and (N321.00)k. The mini-
mum number of security states per folder to be supported for user authentication
is also defined there.
b. component authentication is covered by (N321.00)e, (N321.00)f and (N321.00)g.
The minimum number of security states to be supported for component authenti-
cation is also defined there.
Note: In this document the normative rules allow to store the attributes globalSecurityList, dfSpecific-
SecurityList, globalPasswordList and dfSpecificPasswordList (including the password attribute
securityStatusEvaluationCounter) in the RAM to achieve a better performance. The mentioned
attributes were assigned simply for the sake of clear description.
In this document a smartcard will be regarded as a secure data storage unit, the accentua-
tion being on both parts.
Data storage unit: a smartcard stores any information, in line with a hard disk in a
computer (see Clause 8.3.2).
Security: The access to data being stored in files is defined by specific rules. The
compliance with these rules is guaranteed by the operating system. Typically rules
contain access restrictions so that access is only allowed after a successful user au-
thentication or component authentication. Furthermore a confident and authentic data
exchange is enforced.
Data, i.e. information, is usually stored hierarchically.
In this document the rules are defined to allow the building of a hierarchical system with at
least four layers of files (root contains DF2, DF2 contains DF3, DF3 contains DF 4, DF4 con-
tains no additional folders).
Private and symmetric keys as well as passwords can be searched by backtracking. That
means, at first they will be searched in the current file. If not found there, the search will be
continued recursive in the next higher level.
A search being DF-specific never includes root.
Public keys are regarded as centrally stored objects. Usually, such keys belong to an exter-
nal component and are imported by means of a certificate (see Clause 14.8.8)).
This clause defines the hierarchical structure as seen at the interface. It is not subject of this
document how the corresponding information and structure is stored internally in the smart-
card. Furthermore the term file system is not used. Instead the term object system is used
because beside files other object types are regarded, such as passwords and keys.
The following rules apply for the specification of applications:
(N210.00)
The COS MUST support a hierarchical object system with several layers.
a. The object system MUST have an attribute root with the following characteristics:
i. The attribute root MUST be of the type application (see Clause 8.3.1.1)
ii. The access condition for the command DELETE (see Clause 14.2.4) MUST
be NEVER (see (N236.00)).
b. The object system MUST have an attribute answerToReset of the type octet string.
The allowed values for this attribute are defined in Clause 11.2.1.
c. The object system MUST have an attribute iccsn8 of the type octet string. For iccsn8
any values with eight octets MUST be possible.
d. The object system MUST have an attribute persistentPublicKeyList.
i. The COS MUST support any number of list elements. A limitation is only given
by the available memory space.
HPC Part 1 COS, V2.3.2 Page 85 of 278
ii. The object type public object for signature verification MUST be supported
as a list element (see Clause 8.5.4.1), together with a reference to a file to
which this key object is assigned (see (N228.00) and (N1019.00)a.vii).
A COS MAY support additional public key object types.
A COS MAY refuse additional public key object types.
iii. Elements of this list MUST be stored in a persistent way.
e. The object system MUST support an attribute publicKeyList.
i. The COS MUST support a list length of one.
A COS MAY support greater numbers for the list length.
A COS MAY refuse greater numbers for the list length.
ii. The object type public key object MUST be supported as a list element (see
Clause 8.5.4), together with a reference to a file to which this key object is as-
signed (see (N228.00) and (N1019.00)a.viii).
iii. Elements of the list MAY be stored on a persistent base.
Elements of the list MAY be stored on a volatile base.
f. The hierarchical object system MUST support an attribute persistentIntroduction-
KeyList
i. The COS MUST support any number of list elements up to the maximum
number of elements which is set during card manufacturing.
The COS MAY support a dynamic adjustment of the list length.
The COS MAY refuse a dynamic adjustment of the list length.
ii. The object type symmetric introduction object (see Clause 8.5.2) MUST be
supported as list element together with a reference to a directory which the ob-
ject is assigned to (see (N340.00)b.vii).
iii. Elements of the list MUST be persistently stored
g. From generation 2 on: the object system MUST support an attribute domainParama-
terList.
i. The COS MUST support any number of list elements. A limitation is only given
by the available persistent memory space.
ii. As list elements MUST (to be completed for generation 2)
iii. Changes of the list, downloads, deletion.., secured with AC,. (to be com-
pleted for generation 2)
(N211.00)
The folder root is part of layer_0. Layer_0 is named the highest level of the object sys-
tem.
(N212.00)
If a folder is part of layer_i, then all elements of the list children of this layer are part of
layer_(i+1).
Layer_i is the next higher level to layer_(i+1).
Layer_(i+1) is the next lower layer to layer_i.
(N213.00)
According to Clause 8.3.1.1 applications have no attribute fileIdentifier. Therefore they
cannot be selected with the command SELECT and parameter selectionMode = 01.
An application being not root,
a. MUST be part of layer_1
b. MAY be taken as an element of the list children (according to (N101.00)) of root.
HPC Part 1 COS, V2.3.2 Page 86 of 278
c. MAY be stored somewhere else in the smartcard.
(N214.00)
Folders being part of layer_0 (root), layer_1 (DF1) or layer_2 (DF2) MUST allow the
objecttypes Dedicated File (Clause 8.3.1.2) and Application Dedicated File
(Clause 8.3.1.3) as list elements in the attribute children.
(N215.00)
Folders being part of layer_3,
a. MAY support folders in the attribute children,
b. MAY refuse folders in the attribute children
Additional channel-specific attributes are assigned to the object system. Typically these at-
tributes are assigned to a channel context (see (N321.00)) stored in a volatile way (in the
RAM). Typically these attributes will be changed during the selection of the folder.
According to Clause 8.3.1, Clause 8.3.2 and Clause 8.1.5 the object types folder, file and
record have an attribute lifeCycleStatus. According to (N211.00) and (N212.00) the instances
of all object types can be assigned to layers. Records will be regarded as the next lower level
compared to the file, to which they belong. It will only be distinguished between the physical
and the logical value of lifeCycleStatus.
(N216.00)
The value belonging to the corresponding attribute of the object is named the physical
value of lifeCycleStatus. In this document only folders, files and records have such an
attribute.
(N217.00)
The combined view on the physical value of the lifeCycleStatus of an object and the
logical values of lifeCycleStatus in all higher layers is referred to as the logical value of
lifeCycleStatus. The following recursion applies:
a. For the object root the logical value and the physical value MUST be identical.
b. For an object with an attribute lifeCycleStatus, being different from root it MUST ap-
ply: If the logical value of the object in the next higher layer is
i. Operational state (activated), then and only then the logical and the physical
value of lifeCycleStatus for this object MUST be identical.
ii. Operational state (deactivated), then and only then the logical value of life-
CycleStatus for this object MUST be Operational state (deactivated) as well.
c. For an object having no own attribute lifeCycleStatus (in the context of this docu-
ment: password objects and key objects), the logical value of lifeCycleStatus MUST
be identical to the logical value of the next higher layer.
According to Clause 9.1 a hierarchical object system is visible at the interface of the smart-
card. This clause defines how an object will be searched and which rules apply in order to
find it.
The search for files, i.e. folders and data files, takes place only in the context of a selection.
Therefore the explicit search is described in Clause 14.2.6. Additionally, the commands refer-
Passwords are used in the context of commands defined in Clause 14.6, but also for the
evaluation of access rules (see (N237.00)). The search for passwords is a functionality of the
smartcard itself for which many implementation details are playing a role. At the interface
Interpreter (see Figure 1 (N270.50)) the characteristics defined in the following will become
clear:
(N218.00)
The input parameter passwordReference is divided into parts according to (N753.00):
a. identifier = passwordReference mod 128
b. location = passwordReference - identifier
(N219.00)
If location has the value 00 = 0 addressing a global password, then it will be searched
for a password in the root layer root of the object system whose attribute pwdIdentifier
is identical to identifier. If such a password
a. exists, then it is used as the output parameter for password..
b. does not exist, then the error pwdNotFound will be returned.
(N220.00)
If location has the value 80 = 128 addressing a DF-specific password, then the local
variable folder is set to startFolder.
(N221.00)
If folder
a. points to the root directory root, then the error pwdNotFound will be returned.
b. Otherwise it will be searched in folder for a password whose attribute pwdIdentifier
is identical to identifier. If such a password object
i. exists, then it is used as the output parameter for password.
ii. does not exist, then folder is set to the next higher folder and the algorithm is
continued with step (N221.00)a.
The function described here is a generalization of the other functions for key search and
therefore represents the general entry point for key search as used at different passages in
this document.
identifier The following value ranges are possible for this parameter:
- an octet keyReference according to (N1089.00)
- 8 octets keyIdentifier according to (N196.00) and (N202.00)
- 12 octets keyIdentifier according to (N196.00) and (N206.00)
- 12 octets keyIdentifier of an introductionkey acc. to (N176.00)
- manufacturer-specific acc. to (N339.00)b.ii or(N339.00)b.iii
Errors: keyNotFound No key object matching the given input parameters was found
notSupported The key does not support the algorithm required by algID
(N222.00)
If the parameter identifier contains a key reference according to
a. (N1089.00), then it applies:
key = SearchPrivateOrSecretKey( startFolder, identifier, algID )
b. (N202.00) or (N206.00), then it applies:
key = SearchPublicKey ( startFolder, identifier, algID )
c. (N176.00), then it applies:
key = SearchIntroductionKey( startFolder, identifier, algID )
d. (N339.00)b.ii or(N339.00)b.iii, then it applies:
The search aims at session keys that are used in the context of PSO commands for
trusted channel support. As long as the security status exists (compare (N328.00)c),
that has been set during negotiation of the session keys, these keys are available
and MUST be found.
In this clause symmetric key objects according to Clause 8.5.1 and private key objects ac-
cording to Clause 8.5.3 are described together, because the search for both objects is done
in the same way. These objects are used in the context of several cryptographic operations.
Symmetric key objects will also be used during the evaluation of access rules (see
(N238.00)). This kind of search for keys is a functionality of the smartcard itself for which
HPC Part 1 COS, V2.3.2 Page 89 of 278
many implementation details are playing a role. At the interface Interpreter (see Figure 1
(N270.50)) the characteristics defined in the following will become clear:
Errors: keyNotFound For the given input parameters no appropriate key was found
notSupported The key does not support the algorithm asked for by algID
(N223.00)
The input parameter keyReference is divided according to (N1089.00) into the parts
a. identifier = keyReference mod 128
b. location = keyReference - identifier
(N224.00)
If location has the value 00 = 0 addressing a global key object, then the root layer root
of the object system is searched for a key object whose attribute keyIdentifier is identi-
cal to identifier. If such a key object
a. exists, then it is used as the output parameter for key.
b. does not exist, then the error keyNotFound will be returned.
(N225.00)
If location has the value 80 = 128 addressing a DF-specific password, then the local
variable folder is set to startFolder.
(N226.00)
If folder
a. points to the root directory root, then the error keyNotFound will be returned.
b. Otherwise it will be searched in folder for a password whose attribute keyIdentifier is
identical to identifier. If such a password object
i. exists, then it is used as the output parameter for key.
ii. does not exist, then folder is set to the next higher folder and the algorithm is
continued with step (N226.00)a.
(N227.00)
If the output parameter key is a
a. symmetric key having an attribute algorithmIdentifier mismatching with the parame-
ter algID, then the error notSupported will be returned.
Public key objects are used for the import of keys via card verifiable certificates. For this pur-
pose, the attributes of the key object are set to the corresponding values of the certificate,
e.g. the attribute keyIdentifier is set to the CHR value (see (N196.00) and (N1019.00)). The
attributes of a public key object may as well be set to constant values during personalization.
Public key objects are used in the context of authentication protocols and can be referenced
via keyIdentifier. The sub-class public authentication objects will also be used during the
evaluation of access rules (see (N239.00) and (N240.00)). This kind of search for keys is a
functionality of the smartcard itself for which many implementation details are playing a role.
At the interface Interpreter (see Figure 1 (N270.50)) the characteristics defined in the fol-
lowing will become clear:
Errors: keyNotFound For the given input parameters no appropriate key was found
(N228.00)
The local variable folder is set to startFolder. Then the following steps will be executed:
a. In the attributes persistentPublicKeyList and publickeyList of the object system it will
be searched for a key object,
i. whose attribute keyIdentifier is identical to identifier and
ii. whose attribute oid according to (N198.00) matches with the given algID (see
(N229.00)) and
iii. which is assigned to the folder folder.
b. If such a key object
i. exists, then it is used as the output parameter for key.
ii. does not exist and folder
1. equals the folder root, then the errorkeyNotFound is returned.
2. does not equal the folder root, then folder is set to the next higher folder
and the algorithm is continued with step (N228.00)a.
Note 1: According to Clause 7.1.1.5, Table 6 (N48.50)), (N203.00) and (N207.00) for this document
only OIDs from the following set are relevant:
{sigS_ISO9796-2Withrsa_sha256, authS_ISO9796-2Withrsa_sha256_mutual}.
Note 2: According to (N859.00), (N870.00), (N895.00) and (N1018.00) in connection with (N1111.00),
(N1101.00) and (N1125.00) for this document only algIDs from the following set are relevant:
Symmetric introduction objects are used for authentication purposes. Furthermore, they are
used during evaluation of access rules (see (N239.00) and (N240.00)). This kind of key
search is an internal functionality of the card depending on many implementation details. At
the interpretation interface however, the behavior becomes obvious as defined in the follow-
ing:
(N230.00)
The local variable folder is set to startFolder. Then the following steps are performed:
a. The attribute persistentIntroductionKeyList is searched for a key object of which the
attribute keyIdentifier is equal to identifier and which is assigned to the directory
folder. If such a key object
b. exists, then it will be used as output parameter key
c. does not exist and folder
i. equals root, then the error keyNotFound will be returned.
ii. does not equal root, then folder will be set to the next higher directory and the
algorithm continued with step (N230.00)a.
Nearly all commands described in Clause 14 are protected by access rules. That means that
the card operating system controls whether the security status is sufficient to execute a spe-
cific operation. The rules in this clause are a subset of the rules defined in [ISO7816-4]
Clause 5.4.3.2 Expanded format.
The access mode indicates whether the access rules assigned to an access mode should be
evaluated in the context of the validation of access rules. The specifications of applications
have to comply with the following rules:
(N232.00)
An access mode MUST be a list of descriptions of commands
(N233.00)
Being a subset of [ISO7816-4] Table 22 for each list element it MUST apply:
a. a list element MUST contain according to Clause 14 the name of a command being
equivalent to exactly one combination of CLA Byte (see Clause 11.5.1) and INS
Byte (see Clause 11.5.2)
b. Within a list element the parameter P1 (see Clause 11.5.3) is optional. That means:
It MUST be possible that a list element contains
i. exactly one parameter P1.
ii. no parameter P1.
c. Within a listen element the parameter P2 (see Clause 11.5.4) is optional. That
means: It MUST be possible that a list element contains
i. exactly one parameter P2.
ii. no parameter P2.
d. A COS MAY support additional descriptions of commands.
A COS MAY refuse additional descriptions of commands.
(N234.00)
Definition: During evaluation the access mode MUST match with the current command
APDU, if the integral parts of the access mode are identical to the integral parts of the
command APDU at the interface Interpreter (see Figure 1 (N270.50)).
(N235.00)
The Boolean element ALWAYS MUST always return the value True.
(N236.00)
The Boolean element NEVER MUST always return the value False.
(N237.00)
The Boolean element PWD(passwordReference) MUST
a. return True if and only if the search for a password according to Clause 9.2.2 with
the input parameters passwordReference and startFolder finds a password and at
least one of the following conditions is fulfilled:
i. This password object is contained in either globalPasswordList (see
(N321.00)i) or dfSpecificPasswordList (see (N321.00)j, and the attribute secu-
rityStatusEvaluationCounter of this password is unequal zero. The attribute
securityStatusEvaluationCounter MUST be decremented by one. In case the
value has reached zero this way, the entry in the list
1. MAY remain in the list or
2. MAY be deleted from the list.
ii. The attribute flagEnabled of this password has the value False.
b. In all other cases return False.
(N238.00)
The Boolean element AUT(keyReference) MUST
a. return True, if and only if the key search according to Clause 9.2.3.1 with the input
parameters keyReference, Wildcard and startFolder finds a key object key and ex-
actly this key object is part of either globalSecurityList (see (N321.00)e) or dfSpeci-
ficSecurityList (see (N321.00)f).
b. In all other cases return False.
(N239.00)
From generation 2 on it applies: the Boolean element AUT(acBitList) MUST (to be
completed for generation 2).
(N240.00)
The Boolean element AUT(CHA) MUST
a. return True, if and only if CHA is part of globalSecurityList (see e) or dfSpecificSe-
curityList (see (N321.00)f).
b. In all other cases return False.
(N241.00)
Secure messaging according to Clause 13 is used in access conditions as follows:
a. The Boolean element SmMac MUST return
i. True, if and only if the attribute SessionkeyContext.flagSessionEnabled has
the value SK4SM.
ii. False at all other values of SessionkeyContext.flagSessionEnabled.
An access rule combines access mode and access condition and returns a Boolean result
after execution. The specifications of applications have to comply with the following rules:
(N244.00)
An access rule is a list with at least one element.
(N245.00)
A list element MUST contain exactly one access mode according to Clause 10.1 and
one access condition according to Clause 10.2.
(N246.00)
A list element MUST
a. return exactly the Boolean value True if and only if
i. the access mode matches according to (N234.00) and
ii. the Boolean value of the access condition has the value True.
b. In all other cases return False (implicit NEVER).
(N247.00)
An access rule MUST be regarded as
a. fulfilled if at least one list element returns the value True.
b. not fulfilled in all other cases.
This sub-clause describes how the COS checks whether a specific command is allowed or
forbidden.
Input: obj Instance of an object of the type folder, file, password object, sym-
metric authentication object or private key object.
Errors:
(N249.00)
Step 1: If obj is
a. a folder, then it MUST be se = seIdentifier of this folder (see (N322.00)a).
b. otherwise it MUST be se = seIdentifier of the folder (see (N322.00)a), which con-
tains obj in its attribute children (see (N101.00)).
(N250.00)
Step 2: The adequate access rule will be selected from obj.accessRuleList under con-
sideration of the logical value of obj.lifeCycleStatus (see (N217.00)) and se (see
Clause 8.1.4).
(N251.00)
Step 3: On the basis of CLA, INS, P1 and P2 it will be determined whether the selected
access condition (N250.00) is fulfilled (see Clause 10.3).
(N252.00)
Step 4: If the selected access rule
a. is fulfilled, then it MUST be b = True.
b. otherwise it MUST be b = False.
Note: If the access condition PWD1 OR PWD2 contains both password objects with SSEC unequal to
infinity then it is manufacturer-specific whether both SSECs or only one (and in this case which of
them) will be decremented.
For smartcards it is state of the art to exchange information with an external communication
partner using a channel with half-duplex transfer mode. In addition they work similar to a
server. That means that the external communication partner sends a message (command)
across the channel. This message (command) will be executed by the smartcard. Afterwards
the smartcard sends a message (response) back across the same channel. Only after the
external communication partner has received the complete smartcard-message it will be able
to send the next message.
11.2.1 Activation
(N253.00)
The external communication partner MUST activate the smartcard according to
[ISO7816-3] Clause 6.2.1.
(N254.00)
Following the activation according to (N253.00) the external communication partner
MUST execute a Cold Reset according to [ISO7816-3] Clause 6.2.2.
(N255.00)
The smartcard MUST support a Warm Reset according to [ISO7816-3] Clause 6.2.3.
(N256.00)
A Cold Reset according to (N254.00) and a Warm Reset according to (N255.00) can
be understood as special messages of the external communication partner. The
smartcard returns an Answer-to-Reset (ATR) according to [ISO7816-3] Clause 8.2. The
ATR MUST be sent according to [ISO7816-3] Clause 8.1.
(N257.00)
The communication MUST be done using direct convention (see [ISO7816-3]
Clause 8.1). That means that initial character TS in Answer-To-Reset MUST have the
value 3B.
(N258.00)
For the value of the TA1 byte in the ATR it MUST apply: After a
a. Cold Reset, the value MUST be of the set {'18', '95', '96', '97'}.
b. Warm Reset, the value MUST be of the set {'18', '95', '96'}.
(N259.00)
The ATR SHOULD contain a TC1. If TC1 is present, its value MUST be FF.
(N260.00)
In TD1 the ATR MUST indicate the protocol T=1.
(N261.00)
The ATR MUST NOT contain TA2. It follows that the smartcard MUST support the ne-
gotiable mode (see Clause 11.2.4).
11.2.2 Deactivation
(N263.00)
The external communication partner SHOULD deactivate the smartcard according to
[ISO7816-3] Clause 6.4.
(N264.00)
The deactivation MAY be done in a different way.
(N265.00)
When the deactivation is started while a transaction-protected write operation is exe-
cuted (see Clause 14.1) the COS has to guarantee that it follows the rules in
Clause 14.1.1 resp. 14.1.2, before the next command APDU is accepted by the com-
ponent Cmd Interpreter in Figure 1 (N270.50).
(N266.00)
At the physical interface (see Figure 1 (N270.50) characters according to [ISO7816-3]
Clause 7 MUST be used.
(N267.00)
According to (N261.00) the smartcard MUST show the negotiable mode. Therefore
the smartcard MUST support Protocol and Parameter Selection according to
[ISO7816-3] Clause 9.
(N268.00)
If TA1 in ATR has the value 18, then the smartcard MUST accept a value of the set
{12, 13, 18} in PPS1.
(N269.00)
If TA1 in ATR has the value 95, then the smartcard MUST accept a value of the set
{92, 93, 94, 95} in PPS1.
(N270.00)
If TA1 in ATR has the value 96, then the smartcard MUST accept a value of the set
{92, 93, 94, 95, 96} in PPS1.
(N270.10)
If TA1 in ATR has the value 97, then the smartcard MUST accept a value of the set
{92, 93, 94, 95, 96, 97} in PPS1.
According to the ISO reference model, several layers will be defined in this document. These
layers are involved in the processing of the messages sent by an external communication
partner. It is pointed out that the content of this clause does not define details of the imple-
mentation. So it is acceptable to design the internal structure of the smartcard operating sys-
tem or its communication behavior differently. But underlying the following the normative
parts of this document can easier be described and understood:
HPC Part 1 COS, V2.3.2 Page 99 of 278
Figure 1 (N270.50) shows exemplarily how a command APDU CmdApdu1 is pieced together
by the external communication partner. According to the conventions of the transmission
protocol (see Clause 11.8) CmdApdu1 will be divided in the physical layer and in the Data
Link Layer into one or possibly more TPDUs. According to Clause 11.5 these will be reas-
sembled to a CmdApdu1 in the I/O of the smartcard.
The next layer manages logical channels (see [ISO7816-4] Clause 5.1.1.2) and transfers the
received command according to the channel number in the CLA Byte to the corresponding
logical channel, in this case channel_0.
If the command is optionally secured by Secure Messaging it will be decrypted in the next
layer SecMes and, then transferred to the command interpreter.
The command interpreter processes the command APDU and generates a corresponding
response APDU. Optionally the response APDU can be secured by Secure Messaging. In
the I/O this optionally secured response is divided into one or more TPDUs which are trans-
ferred to the external communication partner via the physical interface.
Interpreter
TPDU2.
...
TPDUn
Interface physical
CmdApdu1
CmdApdu2
CmdApdu3
Interface SM
Interface I/O
RspApdu1.
RspApdu2.
RspApdu3. Interface
TPDUn+1.
...
TPDUn+2
TPDUm.
This clause describes the handling of a command being sent by an external communication
partner to the COS. Terms defined in Clause 11.3 are used. It will be explicitly indicated that
the content of Clause 11.3 is not normative. In this respect the exact allocation of the norma-
tive declarations of this clause to parts of the COS is not determined. But it is important that
the behavior of the COS at the physical interface complies with the normative specifications.
The COS supports the concept of logical channels according to [ISO7816-4] in order to make
it possible that several health care professionals bound to multitasking work can create stack
signatures almost in parallel.
For the processing of a command APDU and the generation of a response APDU the follow-
ing steps will be performed:
The Class Byte (CLA Byte) contains the command class. In combination with the Instruction
Byte (see Clause 11.5.2) it defines definitely the command to be executed.
In Clause 14 the combinations of CLA, INS, P1 and P2 to be supported will be defined.
(N281.00)
According to [ISO7816-3] the CLA Byte MUST be coded in an octet.
The Instruction Byte (INS Byte) contains the coding for the command to be executed. In
combination with the Class Byte (see Clause 11.5.1) it defines definitely the command to be
executed.
In Clause 14 the combinations of CLA, INS, P1 and P2 to be supported will be defined.
(N282.00)
According to [ISO7816-3] the INS Byte MUST be coded in an octet.
11.5.3 Parameter P1
Normally the parameter P1 contains a variable, which is needed for the execution of the
command. Generally the meaning of this parameter depends on the combination of CLA, INS
and P2.
In Clause 14 the combinations of CLA, INS, P1 and P2 to be supported will be defined.
(N283.00)
According to [ISO7816-3] the parameter P1 MUST be coded in an octet.
11.5.4 Parameter P2
Normally the parameter P2 contains a variable, which is needed for the execution of the
command. Generally the meaning of this parameter depends on the combination of CLA and
INS.
In Clause 14 the combinations of CLA, INS, P1 and P2 to be supported will be defined.
(N284.00)
According to [ISO7816-3] the parameter P2 MUST be coded in an octet.
The data field of a command APDU is optional. It is possible that it is absent. The data field is
an octet string with the length Nc. According to [ISO7816-3] the definition range of Nc is {1,
, 65535}.
(N285.00)
At the interface Interpreter (see Figure 1 (N270.50)) it applies for Nc:
a. The COS MUST support all values in the interval [1, 543] for Nc.
b. A COS MAY support additional values for Nc.
c. A COS MAY refuse additional values for Nc.
d. A COS MUST NOT refuse an APDU because of a length error, if
i. the command APDU fulfills the requirements of Clause 11.7 and
ii. the data field fulfills the length restriction of (N285.00)a or the entire command
APDU fulfills the length restriction of EF.ATR.
(N286.00)
The sender of a command APDU SHOULD adhere to the length restriction by choosing
an appropriate Nc.
Note 1: If a COS supports additional values for Nc for specific combinations of CLA, INS, P1 and P2
this should be indicated in EF.ATR.
11.5.6 Le Field
The Le field of a command APDU is optional. It is possible that it is absent. The Le field con-
tains a number Ne, defining how many octets are expected in the data field of a response
APDU. In this document the following definitions apply:
WildCardShort This value is used to indicate, that within the upper limit of 256 octets
all available octets have to be inserted into the data field of the re-
sponse message.
WildCardExtended This value is used to indicate, that within the upper limit of 65536 oc-
tets all available octets have to be inserted into the data field of the
response message.
According to [ISO7816-4] the definition range for Ne is: {1, , 65535, WildCardShort, Wild-
CardExtended}
(N287.00)
At the interface Interpreter (see Figure 1 (N270.50)) it applies for Ne:
a. The COS MUST support all values in the interval [1, 543] for Ne
b. The COS MUST support the value WildCardShort for Ne.
c. The COS MUST support the value WildCardExtended for Ne.
d. A COS MAY support additional values for Ne.
A COS MAY refuse additional values for Ne.
e. A COS MUST NOT refuse an APDU because of a length error, if Ne fulfills the
length restriction of (N287.00)a or the entire response APDU fulfills the length re-
striction of EF.ATR.
(N288.00)
The sender of a command APDU SHOULD adhere to the length restriction by choosing
an appropriate Ne.
Note 1: If a COS supports additional values for Ne for specific combinations of CLA, INS, P1 and P2
this should be indicated in EF.ATR.
Note 2: The upper limit in (N287.00)a applies for the COS of a smartcard and (N288.00) applies for
the external world Because of future expansions, developments and for performance reasons it
is recommended for the IFD (card terminal) to support at least 2048 = 0800.
For a response APDU it results from the definitions of Clause 11.6.1 and Clause 11.6.2:
The data field rspData of a response APDU is optional. It is possible that it is absent. The
data field rspData is an octet string of the length Nr. According to [ISO7816-3] the definition
range of Nr is {1, , 65536}.
(N290.00)
At the interface Interpreter (see Figure 1 (N270.50)) it applies for Nr: Nr MUST be
less than or equal to Ne of the corresponding command APDU. If Ne is equal to
a. WildCardShort, then Nr MUST be less than or equal to '100' = 256.
b. WildCardExtended, then Nr MUST be less than or equal to '10000' = 65536.
11.6.2 Trailer
The trailer (see [ISO7816-4] Table 1) consists of two octets. Table 189 (1219.00) shows the
trailers defined in this document. The trailer contains status information about the processing
of the command. Also error indications are part of this information.
As described in Clause 11.5.5 and Clause 11.5.6 two elements of the command APDU are
optional. As an outcome of this, four combinations are possible, that are described in the
following.
In a Case 1 command APDU the data field and the Le field are absent. The command APDU
contains the following information:
Content Description
CLA XX CLA Byte according to [ISO7816-4]
INS XX Instruction Byte according to [ISO7816-4]
P1 XX first parameter
P2 XX second parameter
According to the rules of Clause 11.5 CLA, INS, P1 and P2 are each coded in an octet.
Therefore it applies for the complete Case 1 command APDU:
(N291.00)
A Case 1 command APDU MUST consist of four octets.
(N292.00)
The four octets of a Case 1 command APDU MUST be concatenated as follows:
CLA || INS || P1 || P2.
Content Description
trailer Status bytes SW1 and SW2
In a Case 2 command APDU the data field is absent. The Le field is present. Depending on
the value of Ne being part of the Le field, the cases short and extended will be distin-
guished.
In this case the data field of the response message will never contain more than 256 octets.
The command APDU contains the following information for a Case 2 Short:
Table 12: (N292.60) Case 2 Short command APDU
Content Description
CLA XX CLA Byte according to [ISO7816-4]
INS XX Instruction Byte according [ISO7816-4]
P1 XX first parameter
P2 XX second parameter
Ne XX Ne of the set {1, , 255, WildCardShort}
According to the rules of Clause 11.5 CLA, INS, P1 and P2 are each coded in an octet.
Therefore it applies for the complete Case 2 Short command APDU:
(N293.00)
A Case 2 Short command APDU MUST consist of five octets.
(N294.00)
The value of Ne is coded as follows in an octet named the Le field:
a. If Ne is in the interval [1, 255], then this integer MUST be coded in an octet:
LeField = I2OS( Ne, 1 ).
b. If Ne otherwise has the value WildCardShort, then the Le field MUST be 00.
(N295.00)
The five octets of a Case 2 Short command APDU MUST be concatenated as follows:
CLA || INS || P1 || P2 || LeField
In this case the data field of the response message possibly contains more than 256 octets.
The command APDU for Case 2 Extended contains the following information:
Content Description
CLA XX CLA Byte according to [ISO7816-4]
INS XX Instruction Byte according to [ISO7816-4]
P1 XX first parameter
P2 XX second parameter
Ne XX Ne of the set {256, , 65535, WildCardExtended}
According to the rules of Clause 11.5 CLA, INS, P1 and P2 are each coded in an octet.
Therefore it applies for the complete Case 2 Extended command APDU:
(N296.00)
A Case 2 Extended command APDU MUST consist of seven octets.
(N297.00)
The value of Ne is coded as follows in two octets forming the Le field:
a. If Ne is in the interval [256, 65535], then this integer MUST be coded in two octets:
LeField = I2OS( Ne, 2 ).
b. If Ne has the value WildCardExtended, then the Le field MUST be 0000.
(N298.00)
The seven octets of a Case 2 Extended command APDU MUST be concatenated as
follows:
CLA || INS || P1 || P2 || 00 || LeField.
Note: The octet 00 after the parameter P2 can be understood as an indicator for extended length.
The response APDU belonging to a Case 2 command APDU consists of an optional data
field and the trailer.
Table 14: (N298.50) Case 2 Response APDU
Content Description
Data Optional part of the response APDU; if present, the rules of
Clause 11.6.1 apply
Trailer Status bytes SW1 and SW2
In a Case 3 command APDU the Le field is absent. The data field is present. Depending on
the number of octets in the data field the cases short and extended will be distinguished.
In this case the data field of the response message will never contain more than 255 octets.
The command APDU contains the following information for a Case 3 Short:
Content Description
CLA XX CLA Byte according to [ISO7816-4]
INS XX Instruction Byte according to [ISO7816-4]
P1 XX first parameter
P2 XX second parameter
Data XXYY Data field with any octets, number of octets within the set [1, 255]
According to the rules of Clause 11.5 CLA, INS, P1 and P2 are each coded in an octet.
Therefore it applies for the complete Case 3 Short command APDU:
(N299.00)
A Case 3 Short command APDU MUST consist of five octets plus the octets of the data
field.
(N300.00)
The number Nc of the octets of the data field MUST be coded in an octet named the Lc
field: LcField = I2OS( Nc, 1 ).
(N301.00)
The five plus Nc octets of a Case 3 Short command APDU MUST be concatenated as
follows:
CLA || INS || P1 || P2 || LcField || Data field.
In this case the data field of the command message contains more than 255 octets. The
command APDU for Case 3 Extended contains the following information:
Content Description
CLA XX CLA Byte according to [ISO7816-4]
INS XX Instruction Byte according to [ISO7816-4]
P1 XX first parameter
P2 XX second parameter
Data XXYY Data field with any octets, number of octets within the set [256, 65535]
According to the rules of Clause 11.5 CLA, INS, P1 and P2 are each coded in an octet.
Therefore it applies for the complete Case 3 Extended command APDU:
(N302.00)
A Case 3 Extended command APDU MUST consist of seven octets plus the octets of
the data field.
(N303.00)
The number Nc of the octets of the data field MUST be coded in two octets named the
Lc field: LcField = I2OS( Nc, 2 ).
(N304.00)
The seven plus Nc octets of a Case 3 Extended command APDU MUST be concate-
nated as follows:
CLA || INS || P1 || P2 || 00 || LcField || Data Field.
Note: The octet 00 after the parameter P2 can be understood as an indicator for extended length.
HPC Part 1 COS, V2.3.2 Page 107 of 278
11.7.3.3 Case 3 Response
The response APDU belonging to a Case 3 command APDU consists of the trailer only.
Table 17: (N304.50) Case 3 Response APDU
Content Description
Trailer Status bytes SW1 and SW2
A Case 4 command contains all optional parts. Depending on the number of octets in the
data field of the command message and depending on the value of Ne being part of the Le
field, the cases short and extended will be distinguished.
In this case the data field of the command message will never contain more than 255 octets
and the data field of the response message will never contain more than 256 octets. The
command APDU contains the following information for a Case 4 Short:
Content Description
CLA XX CLA Byte according to [ISO7816-4]
INS XX Instruction Byte according to [ISO7816-4]
P1 XX first parameter
P2 XX second parameter
Data XXYY Data field with any octets, number of octets within the set [1, 255]
Ne XX Ne of the set {1, , 255, WildCardShort}
Notation CmdApdu = Case4S( CLA, INS, P1, P2, Data, Ne )
According to the rules of Clause 11.5 CLA, INS, P1 and P2 are each coded in an octet.
Therefore it applies for the complete Case 4 Short command APDU:
(N305.00)
A Case 4 Short command APDU MUST consist of six octets plus the octets of the data
field.
(N306.00)
The number Nc of the octets of the data field MUST be coded in an octet named the Lc
field: LcField = I2OS( Nc, 1 ).
(N307.00)
The value of Ne is coded as follows in an octet forming the Le field:
a. If Ne is in the interval [1, 255], then this integer MUST be used in an octet as Le
field: LeField = I2OS( Ne, 1 ).
b. If Ne otherwise has the value WildCardShort, then the Le field MUST be 00.
(N308.00)
The six plus Nc octets of a Case 4 Short command APDU MUST be concatenated as
follows:
CLA || INS || P1 || P2 || LcFeld || Data Field || LeField.
In this case the data field of the command message contains more than 255 octets or possi-
bly the data field of the response message contains more than 256 octets. The command
APDU contains the following information for a Case 4 Extended:
Table 19: (N308.50) Case 4 Extended Command APDU
Content Description
CLA XX CLA Byte according to [ISO7816-4]
INS XX Instruction Byte according to [ISO7816-4]
P1 XX first parameter
P2 XX second parameter
Data XXYY Data field with any octets, number of octets within the set [1, 65535]
Ne XX Ne of the set {1, , 65535, WildCardExtended}
Notation CmdApdu = Case4E( CLA, INS, P1, P2, Data, Ne )
According to the rules of Clause 11.5 CLA, INS, P1 and P2 are each coded in an octet.
Therefore it applies for the complete Case 4 Extended command APDU:
(N309.00)
A Case 4 Extended command APDU MUST consist of nine octets plus the octets of the
data field.
(N310.00)
The number Nc of the octets of the data field MUST be coded in two octets named the
Lc field: LcField = I2OS( Nc, 2 ).
(N311.00)
The value of Ne is coded as follows in two octets forming the Le field:
a. If Ne is in the interval [1, 65535], then this integer MUST be coded in two octets: Le-
Field = I2OS( Ne, 2 ).
b. If Ne otherwise value WildCardExtended, then the Le field MUST be 0000.
(N312.00)
The nine plus Nc octets of a Case 4 Extended command APDU MUST be concate-
nated as follows:
CLA || INS || P1 || P2 || 00 || LcFeld || Data Field || LeField.
Note: The octet 00 after the parameter P2 can be understood as an indicator for extended length.
The response APDU belonging to a Case 4 command APDU consists of an optional data
field and of the trailer.
Content Description
Data Optional part of the response APDU; if present, the rules of
Clause 11.6.1 apply
Trailer Status bytes SW1 and SW2
(N313.00)
At the physical interface T = 1 (see Figure 1 (N270.50)) MUST be used as transmission
protocol according to [ISO7816-3] Clause 11.
(N314.00)
For the Information Field Size IFSC (see [ISO7816-3] Clause 11.4.2) the value
FE = 254 MUST be used.
(N315.00)
For the Information Field Size IFSD the value FE = 254 MUST be set via IFSD re-
quest (see [ISO7816-3] Clause 11.4.2).
(N316.00)
The NAD Octet in the TPDU to the smartcard MUST have the value 00.
The COS MAY accept other values.
The COS MAY refuse other values.
(N317.00)
S-Block ABORT MAY be used by the COS, if the I/O-buffer size was ignored.
According to [ISO7816-4] Clause 5.1.1.1 Command Chaining allows for chaining consecutive
command-response pairs, which belong together. For this purpose the mechanism is used to
indicate the substeps that all together form a multi-step process. Whereas in [ISO7816-4]
Clause 5.1.1.1 some details are left open, the following behaviour applies for this document:
(N318.00)
Command Chaining is a sequence of command-response pairs with the following char-
acteristics:
a. Except bit b5 in the CLA byte all command APDUs of a chain have identical values
for CLA, INS, P1 and P2.
b. The bit b5 in the CLA Byte of the last commmand APDU of a Command Chaining
sequence has the value 0, the bits b5 of all other CLA bytes of a Command Chain-
ing sequence have the value 1.
c. The statements in (N318.00)a and (N318.00)b apply for command APDU at the "In-
terface I/O" in Figure 1 (N270.50).
(N319.00)
A Command Chaining sequence MUST NOT be interrupted at the "Interface I/O" in
Figure 1 (N270.50)
a. by commands, which do not belong to the sequence.
b. by a deactivation (see Clause 11.2.2).
(N320.00)
If the the external entity does not adhere to the requirement in (N319.00), i.e. the
Command Chaining sequence is interrupted by an interrupting command, then
a. the COS MUST accept the interupting command.
b. the COS MAY accept to continue the interrupted sequence.
c. the COS SHALL refuse to continue the interrupted sequence.
The object system described in Clause 9 bundles the information which is stored in the
smartcard in a persistent way and is available similarly for all logical channels. In this clause
the information will be regarded which is only available in the time between the opening and
the closing of a logical channel therefore being channel-specific. The channel-specific attrib-
utes are combined in the object channelContext.
Typically the attributes mentioned in the following are assigned to a security environment
(see Clause 8.7) or a security status (see Clause 8.8) stored in a volatile memory (in the
RAM), or they will be changed by the command MSE (see Clause 14.9.6).
At the physical interface (see Figure 1 (N270.50)) the COS acts as if an object channelCon-
text exists per logical channel, having the following attributes:
(N321.00)
The following attributes of channelContext are assigned to the object system: the
channelContext MUST
a. contain exactly one attribute currentFolder, which points to an object of the type
folder
b. contain exactly one attribute RND.ICC, which stores a random number generated by
the COS (see (N1073.00)).
c. contain exactly one list keyReferenceList. Each list element MUST support a value
indicating that it is empty. The list keyReferenceList MUST consist of the following
parts:
i. externalAuthenticate, with the components keyReference and algorithm-
Identifier
ii. internalAuthenticate, with the components keyReference and algorithm-
Identifier
iii. verifyCertificate, with the component keyReference
iv. signatureCreation, with the components keyReference and algorithmIdenti-
fier.
v. dataDecipher, with the components keyReference and algorithmIdentifier
vi. macCalculation, with the components keyReference and algorithmIdentifier
d. contain exactly one attribute SessionkeyContext containing the following elements:
i. flagSessionEnabled is an attribute with the following values:
1. SK4SM indicates that the rest of the attributes contain cryptographic mate-
rial usable for secure messaging.
2. SK4TC indicates that the rest of the attributes contain cryptographic mate-
rial usable for trusted channel support.
3. noSK indicates that no session keys were negotiated.
ii. Kenc is a symmetrical key for encryption and decryption.
A new channel context according to Clause 12.1 will be established if a reset is executed,
or if a new logical channel is opened. Then it applies:
(N323.00)
If the logical channel with the number zero (basic channel) is opened by (N254.00) or
(N255.00), or another logical channel is opened according to Clause 14.9.5, then the
following MUST apply for the new channel being opened:
a. A channel context according to Clause 12.1 will be assigned exclusively to this new
channel being opened.
b. The attribute currentFolder MUST be set to root.
c. The attribute RND.ICC MAY be handled in a manufacturer-specific way.
d. The attribute keyReferenceList MUST be set so that all elements are empty.
e. The attribute SessionkeyContext.flagSessionEnabled MUST be set to noSK.
f. The list globalSecurityList MUST be empty.
g. The list dfSpecificSecurityList MUST be empty.
h. The attribute bitSecurityList (to be completed for generation 2)
i. The list globalPasswordList MUST be empty.
j. The list dfSpecificPasswordList MUST be empty.
k. For all folders it applies:
i. seIdentifier MUST be set to the value 1.
ii. currentEF MUST be set to the value undetermined.
The routine described here sets the security status of the authentication key handed over as
a parameter.
The routine described here deletes the security status of the authentication key passed as a
parameter.
(N327.00)
If obj
The routine described here sets the security status of the password handed over as a pa-
rameter.
(N330.00)
If obj
a. is part of the list children in the folder root (see (N210.00)a), then it applies tmpList =
globalPasswordList (see (N321.00)i).
b. is part of a different folder, then it applies tmpList = dfSpecificPasswordList (see
(N321.00)j).
(N331.00)
If obj is not present in the list tmpList, then obj MUST be entered at the beginning of
tmpList.
(N332.00)
If by additional entries tmpList will become longer than accepted by the COS, then the
COS MUST delete the last list element (FIFO = first in first out).
(N333.00)
In the entry of obj in tmpList the attribute securityStatusEvaluationCounter MUST be
set to the value of obj.startSsec.
The routine described here deletes the security status of the authentication key handed over
as a parameter.
(N334.00)
If obj
a. is part of the list children in the folder root (see (N210.00)a), then it applies
tmpList = globalSecurityList (see (N321.00)i).
b. is part of a different folder, then it applies
tmpList = dfSpecificSecurityList (see (N321.00)j).
(N335.00)
If obj is
a. not part of the list tmpList, then stop this algorithm.
b. still part of the list tmpList, then obj MUST be removed from tmpList.
This clause describes the functionality of layer SecMes in Figure 1 (N270.50). In addition to
the information defined in (N321.00), this layer uses the following further attributes:
KD.i is an octet string which stores a random number generated by the COS. This random
number is used for the derivation of session keys.
KD.e is an octet string which stores an externally generated random number. This random
number is used for the derivation of session keys.
(N336.00)
All normative requirements defined in Chapter 13 and its sub-clauses MUST apply to
HPC, SMC-A and SMC-B. Only the following exception is permitted:
An HPC MAY support the algorithms desSessionkey4TC and rsaSessionkey4TC.
An HPC MAY not support the algorithms desSessionkey4TC and rsaSessionkey4TC.
(N337.00)
If algID indicates the agreement on 3TDES keys, then the following applies:
a. for the attributes of SessionkeyContext:
(Kenc, SSCenc, Kmac, SSCmac) = KeyDerivation_3TDES (KD.i XOR KD.e).
b. the MSByte in keyId is replaced by the octet 02.
(N338.00)
If algID indicates the negotiation of AES-128 keys, then (to be completed for gen-
meration 2)
HPC Part 1 COS, V2.3.2 Page 118 of 278
(N339.00)
If algID indicates that the session keys
a. have to be used in the context of Secure Messaging, then set
SessionkeyContext.flagSessionEnabled = SK4SM.
b. have to support the operation of a trusted channel, then
i. set SessionkeyContext.flagSessionEnabled = SK4TC and
ii. enter a card manufacturer-specific keyReference in channelContext.key-
ReferenceList.dataDecipher and set algorithmReference = desSession-
key4TC.
iii. enter a card manufacturer-specific keyReference in channelContext.keyRefe-
renceList.macCalculation and set algorithmReference = desSessionkey4TC.
c. are to be stored persistently, then set
SessionkeyContext.flagSessionEnabled = noSK
(N340.00)
If algID indicates that the session keys are to be persistently stored, then it applies:
a. obj = SearchKey( currentFolder, keyId, algID ). If the search was not successful,
then obj MUST be set to any element of persistentIntroductionkeyList.
b. The attributes of the list element referred by obj are set to the following values:
i. obj.keyIdentifier = keyId.
ii. obj.accessRuleList = PrK.accessRuleList.
iii. obj.encKey = Kenc.
iv. obj.macKey = Kmac.
v. obj.cha = cha.
vi. For the attribute listAlgorithmIdentifier applies
1. Step 1: obj.listAlgorithmIdentifier = {desRoleCheck}
2. Step 2: If PrK.listAlgorithmIdentifier contains values of the set { rsaClientAu-
thentication, rsaRoleAuthentication}, then it applies:
obj.listAlgorithmIdentifier += desRoleAuthentication
3. Step 3: If PrK.listAlgorithmIdentifier contains the value rsaSessionkey4SM,
then it applies:
obj.listAlgorithmIdentifier += desSessionkey4SM
4. Step 4: If PrK.listAlgorithmIdentifier contains the value rsaSessionkey4TC,
then it applies:
obj.listAlgorithmIdentifier += desSessionkey4TC
vii. If the private key which algID belongs to, is assigned to the same or a lower
level than the public key which is referred by chr, then obj MUST be assigned
to the directory of the private key.
viii. Otherwise obj MUST be assigned to the directory of the public key.
c. clearSecurityStatus (obj) MUST be executed.
(N341.00)
If no Secure Messaging is indicated in the CLA byte (see [ISO7816-4] Clause 5.1.1)
and SessionkeyContext.flagSessionEnabled has the value
a. SK4SM, then
i. the security status of the key that was involved in the negotiation of the ses-
sion keys MUST be deleted by means of clearSecurityStatus(...).
ii. CmdApdu3 = CmdApdu2 MUST be set.
b. Otherwise CmdApdu3 = CmdApdu2 MUST be set.
(N342.00)
If Secure Messaging is indicated in the CLA byte and flagSessionEnabled has the
value
a. SK4SM, then
i. the secured CmdApdu2 MUST comply to the normative requirements in
Clause 13.2. If a DO with Tag = 87 is present in CmdApdu2, flagCmdEnc
MUST be set to True, otherwise to False.
The COS MAY accept further Secure Messaging formats.
The COS MAY refuse further Secure Messaging formats.
ii. the secured CmdApdu2 MUST be released according to the rules defined in
Clause 13.2 resulting in CmdApdu3. If and only if an error occurs in the proc-
ess, then
1. the security status of the key that was involved in the negotiation of the
session keys MUST be deleted (see Clause 12.4) by means of clearSecuri-
tyStatus(...).
2. the processing of the command MUST terminate.
3. In this case RspApdu2 does not contain any response data but solely con-
sists of the trailer IncorrectSmDo = 69 88.
b. otherwise
i. the command processing MUST terminate.
ii. In this case RspApdu2 does not contain any response data but solely consists
of the trailer IncorrectSmDo = 69 88.
(N343.00)
The CmdApdu3 that was forwarded by the Secure Messaging layer (SecMes in
Figure 1 (N270.50)) MUST be processed according to the requirements defined in this
document. This will result in a response RspApdu1. It is assumed that the Secure Mes-
saging layer pre-processes the CmdApdu3 in such a way that Secure Messaging will
not be indicated in the CLA Byte and the channel number will be set to zero.
(N344.00)
If flagSessionEnabled has the value
a. SK4SM, then the unsecured RspApdu1 MUST be transformed according to Clause
13.3 into the secured RspApdu2.
b. SK4TC or noSK, then RspApdu2 = RspApdu1 MUST be set.
(N345.00)
If KD.i as well as KD.e are present (i.e. one or both values were set in the command
that was processed just before), then
Errors: none
(N370.00)
The COS MAY support combinations of CLA, INS, P1 and P2 which are not listed in
this chapter.
In the following clauses it is casually mentioned that the persistent memory has to be
changed with Roll-Forward or Roll-Back. As a generic term transaction protection is
used to show that Roll-Forward or Roll-back is meant. In short this implies the following:
for technical reasons the persistent storage of information will last some milliseconds. Smart-
cards are not able to buffer the loss of electric power. So it may be that this loss of electric
power happens in a moment in which the status of the memory is undefined. The transaction
protection defines how to deal with an undefined status of the memory.
For the execution of a command with transaction protection the following points of time will
be defined, as shown in Figure 2 (N370.50):
At time t0 the first bit of the command APDU is sent via the physical interface to the smart-
card (see Figure 1 (N270.50)).
At time t1 the execution of the command has reached the status that the temporary buffer
is ready to be filled.
At time t2 the temporary buffer is completely filled, but the content is not yet marked as
valid.
At time t3 the content is marked as valid and the actual persistent change is going to be
started.
At time t4 the actual persistent change is finished but the content of the temporary buffer is
still marked as valid.
At time te (not shown in Figure 2 (N370.50)) the smartcard has sent the last bit of the re-
sponse APDU via the physical interface.
(N371.00)
This Document does not define in which chronological relationship te is in respect to the
other time points. Therefore, te MAY be at any time time after t0.
Roll-Back determines how an operation which has been interrupted by a loss of electric
power will be reversed when the electric power is back. Typically before a change the origi-
nal content of the memory will be written to a temporary memory. Then the change will be
executed. Afterwards the content of the temporary memory will be marked as invalid.
(N372.00)
If the loss of electric power occurs
a. before t4:, then either the change has not been executed or the content of the tem-
porary memory has definitely been set to valid. The (original) content of the tempo-
rary memory MUST be recovered after the electric power is back again.
b. after t5:, then the content of the temporary memory is definitely set to invalid. The
recovery of the original content is impossible.
c. between t4 and t5:, then the status of the temporary memory is by chance either
valid or invalid (physical memories definitely show no time- or valued-discrete
behavior).
In this case the original status MAY be restored.
In this case the new status MAY be kept.
14.1.2 Roll-Forward
Roll-Forward determines how an operation which has been interrupted by a loss of electric
power will be reversed when the electric power is back. Typically before a change the new
content of the memory will be written to a temporary memory. Then the change will be exe-
cuted. Afterwards the content of the temporary memory will be marked as invalid.
(N373.00)
If the loss of electric power occurs
a. before t2:, then the content of the temporary memory has definitely not been set to
valid. The change to the new status is impossible.
b. after t3:, then the content of the temporary memory is definitely set to valid. The
content (being new) of the temporary memory MUST be recovered after the electric
power is back.
c. between t2 and t3:, then the status of the temporary memory is by chance either
valid or invalid (physical memories definitely show no time- or valued-discrete
behavior).
In this case the original status MAY be kept.
In this case the new status MAY be set.
14.2.1 ACTIVATE
The command ACTIVATE activates a file in a reversible way. The file being affected will be
chosen before the execution of the command. This is done by a select-operation (command
SELECT or command with shortFileIdentifier) before the command ACTIVATE is sent.
Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 44 Instruction Byte according to [ISO7816-4]
P1 00
P2 00
(N375.00)
A COS MAY use additional trailers.
14.2.2 CREATE
(N385.00)
The COS MAY support this command according to [ISO7816-9].
The COS MAY refuse this command according to [ISO7816-9].
Note: Within this document the functionality of this command will be provided by the command LOAD
APPLICATION (see Clause 14.2.5).
14.2.3 DEACTIVATE
The command DEACTIVATE deactivates a file in a reversible way. The file being affected
will be chosen before the execution of the command. This is done by a select-operation
(command SELECT or command with shortFileIdentifier) before the command DEACTIVATE
is sent.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 04 Instruction Byte according to [ISO7816-4]
P1 00
P2 00
14.2.4 DELETE
The command DELETE deletes objects of the type file from the object system. The file being
affected will be chosen before the execution of the command. This is done by a select-
operation (command SELECT or command with shortFileIdentifier) before the command DE-
LETE is sent.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS E4 Instruction Byte according to [ISO7816-4]
P1 00
P2 00
The command LOAD APPLICATION is used to create new files to the object system. It is
possible to create
- a new folder including a sub-tree
- a new file including content (transparent or structured).
The created file is stored in currentFolder. Typically the amount of data to be transferred to
the smartcard is too large to be sent with a single command APDU. Therefore this command
supports Command Chaining.
14.2.5.1 Use Case Creation of a new Object, not end of the command sequence
This variant has to be chosen if the amount of data cannot be transferred with only one
command APDU. It is used from the first to the last command APDU. The last command
APDU will be transferred according to 14.2.5.2. In the variant described here the APDU of
the command LOAD APPLICATION contains two parameters.
(N411.00)
The CLA-byte shows that this command APDU is not the last one of a command chain.
This is coded by the value CLA = 10.
(N412.00)
The parameter cmdData contains data describing the file to be created. The parameter
cmdData is an octet string with any content which is manufacturer-specific. The length
of cmdData is subject to the restrictions of Clause 11.5.5.
(N413.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3. For the construction of this case 3 command
APDU the instructions of Table 30 (N413.50) MUST be used.
Content Description
CLA 10 CLA Byte according to [ISO7816-4], Chaining Bit b5 is set
INS EA Instruction Byte according to [ISO7816-4],
P1 00
P2 00
Data XXYY cmdData
This variant has to be chosen if the amount of data can be transferred with only one com-
mand APDU, or if it is the last command of a command chain. In this variant the APDU of the
command LOAD APPLICATION contains one parameter.
(N414.00)
The parameter cmdData contains data describing the file to be created. The parameter
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS EA Instruction Byte according to [ISO7816-4]
P1 00
P2 00
Data XXYY cmdData
(N416.00)
A COS MAY use additional trailers.
14.2.6 SELECT
The command SELECT searches for a file (folder or file) in the object system and selects it.
In many cases the selection is the condition for other use cases (read, write) to be executed
successfully. Optionally the main attributes of the files can be reported in the response data.
The file to be selected is determined by the parameters of the command-APDU.
14.2.6.1 Use Case Selection without AID, first occurence, no response data
This variant selects the root directory of the object system. In this variant the APDU of the
command SELECT contains three parameters:
(N432.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = selection of folder with applicationIdentifier (in this case
empty)
P2 0C fileOccurrence + responseType = first occurrence, no response data
14.2.6.2 Use Case Selection without AID, first occurrence, Response Data with FCP
This variant selects the root directory of the object system. In this variant the APDU of the
command SELECT contains four parameters:
(N436.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
(N437.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 0 MUST be set.
(N438.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 04 MUST be set.
(N439.00)
The parameter length determines the length of the response data being expected. The
value of length MUST be chosen from the range defined in Clause 11.5.6.
(N440.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.2. For the construction of this case 2 command
APDU the instructions of Table 35 (N440.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = selection of folder with applicationIdentifier (in this case
empty)
P2 04 fileOccurrence + responseType = first occurrence, response data with
FCP
Ne length Expected number of octets in the response data
14.2.6.3 Use Case Selection without AID, next occurrence, no response data
The repeated execution of this variant selects all folders consecutively having the attribute
applicationIdentifier (applications according to Clause 8.3.1.1 and ADF according to Clause
8.3.1.3). In this variant the APDU of the command SELECT contains three parameters:
(N441.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
(N442.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 2 MUST be set.
(N443.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 0C MUST be set.
(N444.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 36 (N444.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = selection of folder with applicationIdentifier (in this case
empty)
P2 0E fileOccurrence + responseType = next occurrence, no response data
14.2.6.4 Use Case Selection without AID, next occurrence, response data with FCP
The repeated execution of this variant selects all folders consecutively having the attribute
applicationIdentifier (applications according to Clause 8.3.1.1 and ADF according to Clause
8.3.1.3). In this variant the APDU of the command SELECT contains four parameters:
(N445.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
Table 37: (N449.50) SELECT, no AID, next occurrence, response data with FCP
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = selection of folder with applicationIdentifier (in this case
empty)
P2 06 fileOccurrence + responseType = next occurrence, FCP response data
Ne length Expected number of octets in the response data
14.2.6.5 Use Case Selection per AID, first occurrence, no response data
In this variant the APDU of the command SELECT contains four parameters:
(N450.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
(N451.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 0 MUST be set.
(N452.00)
The parameter aid contains an octet string according to (N104.00) or its first part. In the
object system it will be searched for a folder with matching attribute applicationIdenti-
fier.
(N453.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 0C MUST be set.
(N454.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 38 (N454.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = Selection of folder with applicationIdentifier
P2 0C fileOccurrence + responseType = first occurrence, no response data
Data XXYY aid, octet string, number of octets in the interval [1, 16]
14.2.6.6 Use Case Selection per AID, first occurrence, response data with FCP
In this variant the APDU of the command SELECT contains five parameters:
(N455.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
(N456.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 0 MUST be set.
(N457.00)
The parameter aid contains an octet string according to (N104.00) or its first part. In the
object system it will be searched for a folder with matching attribute applicationIdenti-
fier.
(N458.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 04 MUST be set.
(N459.00)
The parameter length determines the length of the response date being expected. The
value of length MUST be chosen from the range defined in Clause 11.5.6.
(N460.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 39 (N460.50) MUST be used.
Table 39: (N460.50) SELECT, AID, first occurrence, response data with FCP
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = Selection of folder with applicationIdentifier
P2 04 fileOccurrence + responseType = first occurrence, response data with
FCP
Data XXYY aid, Octet string, number of octets in the interval [1, 16]
Ne length Expected number of octets in the response data
14.2.6.7 Use Case Selection per AID, next occurrence, no response data
In this variant the APDU of the command SELECT contains four parameters:
(N461.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
HPC Part 1 COS, V2.3.2 Page 141 of 278
(N462.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 2 MUST be set.
(N463.00)
The parameter aid contains an octet string according to (N104.00) or its first part. In the
object system it will be searched for a folder with matching attribute applicationIdenti-
fier.
(N464.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 0C MUST be set.
(N465.00)
A case 3 command APDU MUST be sent via the interface Interpreter Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 40 (N465.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = Selection of folder with applicationIdentifier
P2 0E fileOccurrence + responseType = next occurrence, no response data
Data XXYY aid, octet string, number of octets in the interval [1, 16]
14.2.6.8 Use Case Selection per AID, next occurrence, response data with FCP
In this variant the APDU of the command SELECT contains five parameters:
(N466.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 04 MUST be set.
(N467.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 2 MUST be set.
(N468.00)
The parameter aid contains an octet string according to (N104.00) or its first part. In the
object system it will be searched for a folder with matching attribute applicationIdenti-
fier.
(N469.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 04 MUST be set.
(N470.00)
The parameter length determines the length of the response data being expected. The
value of length MUST be chosen from the range defined in Clause 11.5.6.
(N471.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 41 (N471.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 04 selectionMode = Selection of folder with applicationIdentifier
P2 06 fileOccurrence + responseType = next occurrence, response data with
FCP
Data XXYY aid, octet string, number of octets in the interval [1, 16]
Ne length Expected number of octets in the response data
In this variant the APDU of the command SELECT contains four parameters:
(N472.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 01 MUST be set.
(N473.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 0 MUST be set.
(N474.00)
The parameter fid contains an octet string according to (N67.00). In currentFolder it will
be searched for a folder with matching attribute fileIdentifier.
(N475.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 0C MUST be set.
(N476.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 42 (N476.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 01 selectionMode = Selection of folder with fileIdentifier
P2 0C fileOccurrence + responseType = first occurrence, no response data
Data XXYY fid
In this variant the APDU of the command SELECT contains five parameters:
(N477.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 01 MUST be set.
Table 43: (N482.50) SELECT, DF or ADF with FID, response data with FCP
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 01 selectionMode = Selection of folder with fileIdentifier
P2 04 fileOccurrence + responseType = first occurrence, response data with
FCP
Data XXYY fid
Ne length Expected number of octets in the response data
This variant selects the folder of a layer being one level higher (see (N211.00) and
(N212.00)). In this variant the APDU of the command SELECT contains five parameters:
(N483.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 03 MUST be set.
(N484.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 0C MUST be set.
(N485.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 44 (N485.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 03 selectionMode = selection of the folder in the layer one level higher
P2 0C responseType = no response data
This variant selects the folder of a layer being one level higher (see (N211.00) and
(N212.00)). In this variant the APDU of the command SELECT contains three parameters:
(N486.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 03 MUST be set.
(N487.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 04 MUST be set.
(N488.00)
The parameter length determines the length of the response data being expected. The
value of length MUST be chosen from the range defined in Clause 11.5.6.
(N489.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.2. For the construction of this case 2 command
APDU the instructions of Table 45 (N489.50) MUST be used.
Table 45: (N489.50) SELECT, higher layer, response data with FCP
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 03 selectionMode = selection of the folder in the layer one level higher
P2 04 responseType = response data with FCP
Ne length Expected number of octets in the response data
In this variant the APDU of the command SELECT contains four parameters:
(N490.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 02 MUST be set.
(N491.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 0 MUST be set.
(N492.00)
The parameter fid contains an octet string according to (N67.00). In currentFolder it will
be searched for a folder with matching attribute fileIdentifier.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 02 selectionMode = Selection of file with fileIdentifier
P2 0C fileOccurrence + responseType = first occurrence, no response data
Data XXYY fid
In this variant the APDU of the command SELECT contains five parameters:
(N495.00)
The parameter selectionMode determines the kind of search. For this use case selec-
tionMode = 02 MUST be set.
(N496.00)
The parameter fileOccurrence determines which file will be selected in a list of appro-
priate files. For this use case fileOccurrence = 0 MUST be set.
(N497.00)
The parameter fid contains an octet string according to (N67.00). In currentFolder it will
be searched for a folder with matching attribute fileIdentifier.
(N498.00)
The parameter responseType determines the kind of response data. For this use case
responseType = 04 MUST be set.
(N499.00)
The parameter length determines the length of the response data being expected. The
value of length MUST be chosen from the range defined in Clause 11.5.6.
(N500.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 47 (N500.30) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 02 selectionMode = Selection of file with fileIdentifier
P2 04 fileOccurrence + responseType = first occurrence, FCP response data
Data XXYY fid
Ne length Expected number of octets in the response data
To get an overview all variants of this command are shown in the following table. It shall be
mentioned that not all combinations listed are described in the preceding clauses. Therefore
the combinations not being described are not mandatory.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A4 Instruction Byte according to [ISO7816-4]
P1 01 Selection of a folder with fileIdentifier
02 Selection of a file with fileIdentifier
03 selection of the folder in the layer one level higher
04 selection of a folder with (possibly empty) applicationIdentifier
P2 04 first occurrence, response data with FCP
06 next occurrence, response data with FCP
0C first occurrence, no response data
0E next occurrence, no response data
Data XXYY P1 = 01: two bytes fid
P1 = 02: two bytes fid
P1 = 03: absent
P1 = 04: absent, or up to 16 Octets aid
Ne length P2 = 04: Expected number of octets in the response data
P2 = 06: Expected number of octets in the response data
P2 = 0C: absent
P2 = 0E: absent
(N501.00)
A COS MAY use additional trailers.
oldFolder This is the name of currentFolder before the execution of this SELECT
command.
newFile This is the name of the file (folder or file) which is chosen in the context of
this selection.
path(folder) Path of a folder with the name folder. By this definition the folder folder as
well as all higher ranking directories including root are part of this path.
(N502.00)
The COS MUST support the variants of SELECT from 14.2.6.1, 14.2.6.2, 14.2.6.5,
14.2.6.6, 14.2.6.9, 14.2.6.10, 14.2.6.11, 14.2.6.12, 14.2.6.13 and 14.2.6.14.
The COS MAY support additional varaiants of SELECT.
The COS MAY refuse additional varaiants of SELECT
(N503.00)
The access condition for all variants of SELECT MUST be ALWAYS.
(N504.00)
If the parameter P1 has the value 01, then it MUST be searched in oldFolder.children
for a folder with an attribute fileIdentifier, whose value matches with the parameter fid
being part of the command data. If such a folder exists, then newFile MUST be set to
this folder. If not, the search has been unsuccessful.
(N505.00)
If the parameter P1 has the value 02, then it MUST be searched in oldFolder.children
for a file with an attribute fileIdentifier, whose value matches with the parameter fid be-
ing part of the command data. If such a file exists, then newFile MUST be set to this
file. If not, the search has been unsuccessful
(N506.00)
If the parameter P1 has the value 03, and currentFolder
a. is identical with root, then the command MUST terminate with the trailer FileNot-
Found.
b. is not root, then newFile is a folder being one level higher in comparison with cur-
rentFolder (see (N211.00) and (N212.00)).
(N507.00)
If the parameter P1 has the value 04, then the command message contains a (possi-
bly empty) parameter aid.
HPC Part 1 COS, V2.3.2 Page 148 of 278
a. in the whole object system it will be searched for folders having an attribute applica-
tionIdentifier matching with aid. An attribute applicationIdentifier matches with aid, if
i. applicationIdentifier is identical to aid, or
ii. aid is empty.
b. All matching folders are grouped in a list.
i. It root part of the list, then it MUST be the first element of the list.
ii. For an identical aid always the same list has to be generated as long as the
object system is not changed (DELETE or LOAD APPLICATION).
c. If P2 has a value of the set {04, 0C}, then newFile MUST be set to the first list
element.
d. If P2 has a value of the set {06, 0E} and
i. oldFolder is also part of the list and oldFolder is
1. not the last list element, then newFile MUST be set to the next list element.
2. the last list element, then the search MUST be unsuccessful.
ii. oldFolder is not part of the list, then
1. newFile MAY be set to any list element, or
2. the search MAY be unsuccessful.
(N508.00)
If and only if the search has been unsuccessful then the command MUST terminate
with the trailer FileNotFound. CurrentFolder, currentEF as well as the channel context
(see Clause 12) MUST NOT be changed in this case.
(N509.00)
If newFile is
a. a file, then currentEF will be set to newFile.
b. a folder, then
i. currentFolder MUST be set equal to newFile.
ii. currentEF MUST be set to the value undefined.
iii. in all folders being part of path(oldFolder) as well as part of path(newFile)
seIdentifier MUST remain unchanged.
iv. in all other folders seIdentifier MUST be set to the value 1.
v. all entries MUST be deleted from dfSpecificSecurityList using clearSecurityS-
tatus(), which do not belong to path(newFile).
vi. all entries MUST be deleted from dfSpecificPasswordList using clearPass-
wordStatus(), which do not belong to path(newFile).
vii. each element of keyReferenceList MUST be set to the value empty.
(N510.00)
For the data field of the response message it applies:
a. If and only if P2 has a value of the set {04, 06}, then the data field of the re-
sponse message MUST contain the File Control Parameter according to
Clause 8.3.3.
b. Otherwise the data field is absent in the response message.
(N514.00)
The COS MAY support this command according to [ISO7816-9].
The COS MAY refuse this command according to [ISO7816-9].
14.2.8 TERMINATE DF
(N515.00)
The COS MAY support this command according to [ISO7816-9].
The COS MAY refuse this command according to [ISO7816-9].
14.2.9 TERMINATE EF
(N516.00)
The COS MAY support this command according to [ISO7816-9].
The COS MAY refuse this command according to [ISO7816-9].
It is possible to access data in the body of a transparent EF with READ BINARY (reading) or
UPDATE BINARY (writing).
The commands in this sub-clause support two variants:
1. Variant without shortFileIdentifier: This variant is characterized by the fact that for a suc-
cessful command execution currentEF must be a transparent EF.
2. Variant with shortFileIdentifier: This variant is characterized by the fact, that the EF af-
fected by the command is set during command execution. A command SELECT is not
necessary prior to the command.
The command ERASE BINARY replaces data existing in the body of a transparent EF with
octets with the value 00. The appropriate transparent EF is selected prior to the erase op-
HPC Part 1 COS, V2.3.2 Page 150 of 278
eration. This is done either by a select operation (command SELECT) prior to the execution
of the command ERASE BINARY or as part of the command ERASE BINARY, if a short-
FileIdentifier is a parameter of this command. The offset being part of the command mes-
sage determines which information will be erased in body.
In this variant the APDU of the command ERASE BINARY contains one parameter:
(N517.00)
The parameter offset determines the position where the erasure starts. The value of
offset MUST be an integer from the interval [0, 32767] = [`0000, 7FFF] (compare
(N118.00)).
(N518.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 51 (N518.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 0E Instruction Byte according to [ISO7816-4]
P1 XX (offset P2) / 256, MSByte of offset
P2 XX offset mod 256, LSByte of offset
In this variant the APDU of the command ERASE BINARY contains two parameters:
(N519.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N520.00)
The parameter offset determines the position where the erasure starts. The value of
offset MUST be an integer from the interval [0, 255] = [`0000, FF].
(N521.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 52 (N521.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 0E Instruction Byte according to [ISO7816-4]
P1 XX 128 + shortFileIdentifier = 80 + shortFileIdentifier
P2 XX offset
(N522.00)
A COS MAY use additional trailers.
The command READ BINARY is used to read information from body of a transparent EF.
Therefore the data field of the response message contains (parts of) body. The transparent
EF affected will be selected ahead the read operation. This is done either by a select opera-
tion (command SELECT) before the command READ BINARY is sent, or as part of the
command READ BINARY, if a shortFileIdentifier is sent as a parameter of the command. The
command parameters offset and length determine, which information is read from body.
In this variant the APDU of the command READ BINARY contains two parameters:
(N536.00)
The parameter offset determines the starting position for the read operation. The value
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS B0 Instruction Byte according to [ISO7816-4]
P1 XX (offset P2) / 256, MSByte of offset
P2 XX offset mod 256, LSByte of offset
Ne length Expected number of octets in the response data
In this variant the APDU of the command READ BINARY contains three parameters:
(N539.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N540.00)
The parameter offset determines the starting position for the read operation. The value
of offset MUST be an integer in the interval [0, 255] = [`00, FF].
(N541.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N542.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.2. For the construction of this case 2 command
APDU the instructions of Table 56 (N542.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS B0 Instruction Byte according to [ISO7816-4]
P1 XX 128 + shortFileIdentifier = 80 + shortFileIdentifier
P2 XX offset
Ne length Expected number of octets in the response data
(N543.00)
A COS MAY use additional trailers.
(N556.00)
The COS MAY support this command according to [ISO7816-4].
The COS MAY refuse this command according to [ISO7816-4].
The command UPDATE BINARY replaces data being present in body of a transparent EF by
data, which are present in the data field of the command message. The transparent EF af-
fected will be selected ahedad of the write operation. This is done either by a select opera-
tion (command SELECT) before the command UPDATE BINARY is sent, or as part of the
command UPDATE BINARY, if a shortFileIdentifier is sent as a parameter of the command.
HPC Part 1 COS, V2.3.2 Page 156 of 278
The command parameters offset and newData determine which information is changed from
body.
In this variant the APDU of the command UPDATE BINARY contains two parameters:
(N557.00)
The parameter offset determines the starting position for the update operation. The
value of offset MUST be an integer in the interval [0, 32767] = [`0000, 7FFF], (com-
pare (N118.00)).
(N558.00)
The parameter newData contains the new data which replace the data being present in
body starting at the position marked by offset. The parameter newData is an octet
string with any content. The length of newData is only limited by the restrictions of
Clause 11.5.5.
(N559.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3. For the construction of this case 3 command
APDU the instructions of Table 59 (N559.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS D6 Instruction Byte according to [ISO7816-4]
P1 XX (offset P2) / 256, MSByte of offset
P2 XX offset mod 256, LSByte of offset
Data XXYY newData
In this variant the APDU of the command UPDATE BINARY contains three parameters:
(N560.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N561.00)
The parameter offset determines the starting position for the update operation. The
value of offset MUST be an integer in the interval [0, 255] = [`00, FF].
(N562.00)
The parameter newData contains the new data which replace the data being present in
body starting at the position marked by offset. The parameter newData is an octet
string with any content. The length of newData is only limited by the restrictions of
Clause 11.5.5.
(N563.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3. For the construction of this case 3 command
APDU the instructions of Table 60 (N563.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS D6 Instruction Byte according to [ISO7816-4]
P1 XX 128 + shortFileIdentifier = 80 + shortFileIdentifier
P2 XX offset
Data XXYY newData
(N564.00)
A COS MAY use additional trailers.
(N579.00)
The COS MAY support this command according to [ISO7816-4].
The COS MAY refuse this command according to [ISO7816-4].
It is possible to access list elements of recordList in structured EFs with a read command
(READ RECORD) or write command (UPDATE RECORD). Additionally new list elements
can be created (APPEND RECORD). List elements cannot be deleted. But it is possible to
erase the content of a list element (ERASE RECORD). List elements can be activated (AC-
TIVATE RECORD) as well as deactivated (DEACTIVATE RECORD), which influences the
use of the content of the record. It is also possible to search in the list for elements whose
content matches with an arbitrary search pattern (SEARCH RECORD).
The commands in this sub-clause support two variants:
1. Variant without shortFileIdentifier: This variant is characterized by the fact that for a suc-
cessful command execution currentEF must be a structured EF.
2. Variant with shortFileIdentifier: This variant is characterized by the fact, that the EF af-
fected is set during command execution. A command SELECT is not necessary prior to
the command.
The command ACTIVATE RECORD activates one ore more list elements from recordList of
a structured EF. The structured EF affected is selected prior to this operation. This is done
either by a select operation (command SELECT) before the command ACTIVATE RECORD
is sent, or as part of the command ACTIVATE RECORD if a shortFileIdentifier is sent as a
parameter of the command. The parameters record number and mode of the command
message determine the list elements to be activated.
In this variant the APDU of the command ACTIVATE RECORD contains two parameters:
(N580.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be compliant with (N76.00).
(N581.00)
The parameter mode determines the kind of the operation. For this use case mode =
04 MUST be set.
(N582.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 63 (N582.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 08 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 04 mode, coding 04 means use list element P1
In this variant the APDU of the command ACTIVATE RECORD contains three parameters:
(N583.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N584.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be confom to (N76.00).
(N585.00)
The parameter mode determines the kind of the operation. For this use case mode =
04 MUST be set.
(N586.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 64 (N586.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 08 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + mode
i.e. (bit left-shift operation shortFileIdentifier << 3) + 04
coding 04 means use list element P1
In this variant the APDU of the command ACTIVATE RECORD contains two parameters:
(N587.00)
The parameter recordNumber determines the first list element being affected.The value
of recordNumber MUST be confom to (N76.00).
(N588.00)
The parameter mode determines the kind of the operation. For this use case mode =
05 MUST be set.
(N589.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 65 (N589.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 08 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 05 mode, coding 05 means use list elements from P1
In this variant the APDU of the command ACTIVATE RECORD contains three parameters:
(N590.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N591.00)
The parameter recordNumber determines the first list element being affected.The value
of recordNumber MUST be confom to (N76.00).
(N592.00)
The parameter mode determines the kind of the operation. For this use case mode =
05 MUST be set.
(N593.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 66 (N593.40) MUST be used.
Table 66: (N593.40) ACTIVATE RECORD, all records from P1, with shortFileIdentifier
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 08 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + mode
i.e. (bit left-shift operation shortFileIdentifier << 3) + 05
coding 05 means use list elements from P1
(N594.00)
A COS MAY use additional trailers.
The command APPEND RECORD adds a new list element to recordList of a structured EF
an, whereas the data for the octet string of the new list element are part of the data field of
the command message. The structured EF affected is selected prior to this operation. This is
done either by a select operation (command SELECT) before the command APPEND RE-
CORD is sent, or as part of the command APPEND RECORD if a shortFileIdentifier is sent
as a parameter of the command.
In this variant the APDU of the command APPEND RECORD contains one parameter:
(N608.00)
The parameter recordData contains the data of the new record. The parameter record-
Data is an octet string of any content. The length of recordData is only limited by the
restrictions of (N70.00).
(N609.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 69 (N609.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS E2 Instruction Byte according to [ISO7816-4]
P1 00 Parameter with no meaning
P2 00 Parameter with no meaning
Data XXYY recordData
In this variant the APDU of the command APPEND RECORD contains two parameters:
(N610.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N611.00)
The parameter recordData contains the data of the new record. The parameter record-
Data is an octet string of any content. The length of recordData is only limited by the
restrictions of (N77.00).
(N612.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 70 (N612.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS E2 Instruction Byte according to [ISO7816-4]
P1 00 Parameter with no meaning
P2 XX 8 * shortFileIdentifier
i.e. bit left-shift operation shortFileIdentifier << 3
Data XXYY recordData
(N613.00)
A COS MAY use additional trailers.
The command DEACTIVATE RECORD deactivates one ore more list elements from record-
List of a structured EF. The structured EF affected is selected prior to this operation. This is
done either by a select operation (command SELECT) before the command DEACTIVATE
RECORD is sent, or as part of the command DEACTIVATE RECORD if a shortFileIdentifier
is sent as a parameter of the command. The parameters record number and mode of the
command message determine the list elements to be deactivated.
In this variant the APDU of the command DEACTIVATE RECORD contains two parameters:
(N630.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be confom to (N76.00).
(N631.00)
The parameter mode determines the kind of the operation. For this use case mode =
04 MUST be set.
(N632.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 73 (N632.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 06 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 04 mode, coding 04 means use list element P1
In this variant the APDU of the command DEACTIVATE RECORD contains three parame-
ters:
(N633.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N634.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be confom to (N76.00).
(N635.00)
The parameter mode determines the kind of the operation. For this use case mode =
04 MUST be set.
(N636.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 74 (N636.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 06 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + mode
i.e. (bit left-shift operation shortFileIdentifier << 3) + 04
coding 04 means use list element P1
In this variant the APDU of the command DEACTIVATE RECORD contains two parameters:
(N637.00)
The parameter recordNumber determines the first list element being affected. The
value of recordNumber MUST be confom to (N76.00).
(N638.00)
The parameter mode determines the kind of the operation. For this use case mode =
05 MUST be set.
(N639.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 75 (N639.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 06 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 05 mode, coding 05 means use list elements from P1
In this variant the APDU of the command DEACTIVATE RECORD contains three parame-
ters:
(N640.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N641.00)
The parameter recordNumber determines the first list element being affected.The value
of recordNumber MUST be confom to (N76.00).
(N642.00)
The parameter mode determines the kind of the operation. For this use case mode =
05 MUST be set.
(N643.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 76 (N643.40) MUST be used.
Table 76: (N643.40) DEACTIVATE RECORD, all records from P1, with shortFileIdentifier
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 06 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + mode
i.e. (bit left-shift operation shortFileIdentifier << 3) + 05
coding 05 means use list elements from P1
(N644.00)
A COS MAY use additional trailers.
The command ERASE RECORD replaces the octet string of an already existing list element
of recordList of a structured EF by an octet string having only octets with the value 00. The
structured EF affected is selected prior to this operation. This is done either by a select op-
eration (command SELECT) before the command ERASE RECORD is sent, or as part of the
command ERASE RECORD if a shortFileIdentifier is sent as a parameter of the command.
Which list element is affected is defined by the record number being a parameter of the
command message.
In this variant the APDU of the command ERASE RECORD contains one parameter:
(N660.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be confom to (N76.00).
(N661.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 79 (N661.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 0C Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 04 coding 04 means use list element P1
In this variant the APDU of the command ERASE RECORD contains two parameters:
(N662.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N663.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be confom to (N76.00).
(N664.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 80 (N664.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 0C Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + 4
i.e. (bit left-shift operation shortFileIdentifier << 3) + 04
coding 04 means use list element P1
(N665.00)
A COS MAY use additional trailers.
The command READ RECORD is used to read (the beginning) of a list element from record-
List of a structured EF. The structured EF affected is selected prior to this operation. This is
done either by a select operation (command SELECT) before the command READ RECORD
is sent, or as part of the command READ RECORD if a shortFileIdentifier is sent as a pa-
rameter of the command. The parameters record number and length of the command mes-
sage determine which list element (or the beginning of it) will be read.
In this variant the APDU of the command READ RECORD contains two parameters:
(N680.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be compliant with (N76.00).
(N681.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N682.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.2.1. For the construction of this case 2 command
APDU the instructions of Table 83 (N682.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS B2 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 04 coding for use list element P1
Ne length Expected number of octets in the response data
In this variant the APDU of the command READ RECORD contains three parameters:
(N683.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N684.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be compliant with (N76.00).
(N685.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N686.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause. 11.7.2.1 For the construction of this case 2 command
APDU the instructions of Table 84 (N686.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS B2 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + 4
i.e. (bit left-shift operation shortFileIdentifier << 3) + 04
coding 04 means use list elements from P1
Ne length Expected number of octets in the response data
(N687.00)
A COS MAY use additional trailers.
The command SEARCH RECORD is used to search in the list elements of recordList of a
structured EF for a pattern which is part of the data field of the command message. The re-
sponse data include the numbers of the records containing the pattern. The structured EF
affected is selected prior to this operation. This is done either by a select operation (com-
mand SELECT) before the command SEARCH RECORD is sent, or as part of the command
SEARCH RECORD if a shortFileIdentifier is sent as a parameter of the command. The pa-
rameter record number of the command message determines at which list element of re-
cordList the search starts.
In this variant the APDU of the command SEARCH RECORD contains three parameters:
(N701.00)
The parameter recordNumber determines the list element which is the first one being
affected by the search.The value of recordNumber MUST be compliant with (N76.00).
(N702.00)
The parameter searchString contains the pattern, for which it is searched in the octet
strings of the list elements. The parameter searchString is an octet string with any con-
tent. The length of searchString is only limited by the restrictions of (N77.00).
(N703.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N704.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4.1. For the construction of this case 4 command
APDU the instructions of Table 87 (N704.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A2 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 04 Coding for search in list element P1 and all following list elements
Data XXYY searchString
Ne length Expected number of octets in the response data
In this variant the APDU of the command SEARCH RECORD contains four parameters:
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS A2 Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + 4
i.e. (bit left-shift operation shortFileIdentifier << 3) + 04
Coding 04 means search in list element P1 and all following list ele-
ments
Data XXYY searchString
Ne length Expected number of octets in the response data
(N710.00)
A COS MAY use additional trailers.
The command UPDATE RECORD is used to replace the octet string of an already existing
list element of recordList of a structured EF with data which are part of the data field of the
command message. The structured EF affected is selected prior to this operation. This is
done either by a select operation (command SELECT) before the command UPDATE RE-
CORD is sent, or as part of the command UPDATE RECORD if a shortFileIdentifier is sent
as a parameter of the command. The parameter record number of the command message
determines which list element of recordList will be replaced.
In this variant the APDU of the command UPDATE RECORD contains two parameters:
HPC Part 1 COS, V2.3.2 Page 182 of 278
(N726.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be confom to (N76.00).
(N727.00)
The parameter newData contains the new data which replace the octet string of the
addressed record. The parameter newData is an octet string with any content. The
length of newData is only limited by the restrictions of (N77.00).
(N728.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 91 (N728.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS DC Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 04 coding 04 means use list element P1
Data XXYY newData
In this variant the APDU of the command UPDATE RECORD contains three parameters:
(N729.00)
The parameter shortFileIdentifier selects an EF during the command execution. The
value of shortFileIdentifier MUST be in the interval defined in (N70.00).
(N730.00)
The parameter recordNumber determines the list element being affected.The value of
recordNumber MUST be compliant with (N76.00).
(N731.00)
The parameter newData contains the new data which replace the octet string of the
addressed record. The parameter newData is an octet string with any content. The
length of newData is only limited by the restrictions of (N77.00).
(N732.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 92 (N732.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS DC Instruction Byte according to [ISO7816-4]
P1 XX recordNumber
P2 XX 8 * shortFileIdentifier + 4
i.e. (bit left-shift operation shortFileIdentifier << 3) + 04
coding 04 means use list element P1
Data XXYY newData
(N733.00)
A COS MAY use additional trailers.
(N750.00)
The COS MAY support this command according to [ISO7816-4].
The COS MAY refuse this command according to [ISO7816-4].
Note: According to Clause 8.6 the commands of this clause are not mandatory.
(N751.00)
The COS MAY support this command according to [ISO7816-4].
The COS MAY refuse this command according to [ISO7816-4]
(N752.00)
The COS MAY support this command according to [ISO7816-4].
The COS MAY refuse this command according to [ISO7816-4]
All commands of this clause use password objects according to Clause 8.4 during the proc-
essing of the commands. The affected password object will be defined by a password refer-
ence which is a parameter of the command data. For this password reference it applies:
(N753.00)
The parameter passwordReference has two parts: location and identifier. location indi-
cates whether a global or a DF-specific password is affected by the operation. The
value of location MUST be an element of the set {0, 128} = {00, 80}. It applies:
a. The value location = 00 MUST be used if a global password is affected (see
(N219.00)).
b. The value location = 80 MUST be used if a DF-specific password is affected (see
(N220.00)).
c. The parameter identifier defines the affected password object. The value of identifier
MUST be chosen according to (N153.00).
d. The parameter passwordReference MUST be coded in one octet with the following
value: passwordReference = location + identifier.
The command CHANGE REFERENCE DATA replaces the attribute secret of a password
object by data being part of the command message. The affected password object will be
defined by a password reference which is a parameter of the command message. This
document specifies the following variants:
The command data field contains the old and the new user secret.
The command data field contains only the new user secret.
The command CHANGE REFERENCE DATA does not set a security status (see (N771.00)).
In this variant the APDU of the command CHANGE REFERENCE DATA contains three pa-
rameters:
(N754.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N755.00)
The parameter oldSecret contains the old user secret.
(N756.00)
The parameter newSecret contains the new user secret.
(N757.00)
The parameters oldSecret and newSecret MUST be coded according to (N81.00).
Table 95: (N758.50) CHANGE REFERENCE DATA with old and new user secret
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 24 Instruction Byte according to [ISO7816-4]
P1 00 Data contains old and new user secret
P2 XX passwordReference
Data XXYY oldSecret || newSecret
In this variant the APDU of the command CHANGE REFERENCE DATA contains two pa-
rameters:
(N759.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N760.00)
The parameter newSecret contains the new user secret.
(N761.00)
The parameter newSecret MUST be coded according to (N81.00).
(N762.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 96 (N762.40) MUST be used.
Table 96: (N762.40) CHANGE REFERENCE DATA, only new user secret
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 24 Instruction Byte according to [ISO7816-4]
P1 01 Data contains the new user secret
P2 XX passwordReference
Data XXYY newSecret
(N763.00)
A COS MAY use additional trailers.
In this variant the APDU of the command DISABLE VERIFICATION REQUIREMENT con-
tains one parameter:
(N779.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N780.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 99 (N780.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 26 Instruction Byte according to [ISO7816-4]
P1 01 No verification data
P2 XX passwordReference
Table 101: (N780.60) DISABLE VERIFICATION REQUIREMENT Response APDU in case of fail-
ure
(N781.00)
A COS MAY use additional trailers.
In this variant the APDU of the command ENABLE VERIFICATION REQUIREMENT con-
tains one parameter:
(N791.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N792.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 28 Instruction Byte according to [ISO7816-4]
P1 01 No verification data
P2 XX passwordReference
Table 104: (N792.60) ENABLE VERIFICATION REQUIREMENT Response APDU in case of failure
(N793.00)
A COS MAY use additional trailers.
whether a password object is protected by a transport PIN and if so, which transport PIN
process is used by the password object.
The affected password object will be defined by a password reference which is a parameter
of the command message.
In this variant the APDU of the command GET PIN STATUS contains one parameter:
(N803.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N804.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions Table 105 (N804.40) MUST be used.
Content Description
CLA 80 CLA Byte according to [ISO7816-4] indicated here as proprietary
INS 20 Instruction Byte
P1 00
P2 XX passwordReference
Table 107: (N804.60) GET PIN STATUS Response APDU in case of failure
(N805.00)
A COS MAY use additional trailers.
The command RESET RETRY COUNTER sets the attribute retryCounter of a password ob-
ject to the initial value startRetryCounter. The affected password object will be defined by a
password reference which is a parameter of the command message. This command exists in
the variants
with and without a new value for the attribute secret of the password object.
Typically the variant with PUK is used, if a non-technical entity (e.g. the cardholder) has
the right to execute this operation.
Typically the variant without PUK is used, if a technical entity (e.g. the CMS) has to execute
this operation. In this case at least a role authentication is mandatory in the access condi-
tions.
Typically the variant with new secret is used, if the cardholder has definitely forgotten his
password.
Typically the variant without new secret is used, if it is forbidden for the entity being author-
ized to reset the retry counter to execute operations protected by the password. This is
mainly used in the context of applications for qualified electronic signatures and the signature
password.
In this variant the APDU of the command RESET RETRY COUNTER contains three parame-
ters:
(N814.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N815.00)
The parameter PUK contains a secret, which authorizes this operation.
(N816.00)
The parameter newSecret contains the new user secret.
(N817.00)
The parameters PUK and newSecret MUST be coded according to (N81.00).
(N818.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 108 (N818.50) MUST be used.
Table 108: (N818.50) RESET RETRY COUNTER, with PUK, with newSecret
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2C Instruction Byte according to [ISO7816-4]
P1 00 Data contains PUK and new user secret
P2 XX passwordReference
Data XXYY PUK || newSecret
In this variant the APDU of the command RESET RETRY COUNTER contains two parame-
ters:
(N819.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N820.00)
The parameter PUK contains a secret, which authorizes this operation.
(N821.00)
The parameter PUK MUST be coded according to (N81.00).
(N822.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 109 (N822.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2C Instruction Byte according to [ISO7816-4]
P1 01 Data contains only the PUK
P2 XX passwordReference
Data XXYY PUK
In this variant the APDU of the command RESET RETRY COUNTER contains two parame-
ters:
(N823.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N824.00)
The parameter newSecret contains the new user secret,
(N825.00)
The parameter newSecret MUST be coded according to (N81.00).
(N826.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 110 (N826.50) MUST be used.
Table 110: (N826.50) RESET RETRY COUNTER, without PUK, with newSecret
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2C Instruction Byte according to [ISO7816-4]
P1 02 Data contains only the new user secret
P2 XX passwordReference
Data XXYY newSecret
In this variant the APDU of the command RESET RETRY COUNTER contains one parame-
ter:
(N827.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N828.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 111 (N828.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2C Instruction Byte according to [ISO7816-4]
P1 03 Command data field absent
P2 XX passwordReference
Table 113: (N828.60) RESET RETRY COUNTER Response APDU in case of failure
(N829.00)
A COS MAY use additional trailers.
14.6.6 VERIFY
The command VERIFY compares the attribute secret of a password object with data being
part of the data field of the command message. If the comparison is successful the security
status of the smartcard is changed. The affected password object will be defined by a pass-
word reference which is a parameter of the command message.
In this variant the APDU of the command VERIFY contains two parameters:
(N844.00)
The parameter passwordReference references the password affected by the operation
and MUST be chosen according to (N753.00).
(N845.00)
The parameter verificationData contains the new user secret.
(N846.00)
The parameter verificationData MUST be coded according to (N81.00).
(N847.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 114 (N847.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 20 Instruction Byte according to [ISO7816-4]
P1 00 Data contains verification data
P2 XX passwordReference
Data XXYY verificationData
(N848.00)
A COS MAY use additional trailers.
In this variant the APDU of the command EXTERNAL AUTHENTICATE contains one pa-
rameter:
(N859.00)
The parameter cmdData contains the response of the external entity. The parameter
cmdData is an octet string with any content. The length of cmdData is depending on
algID, being chosen according to (N1105.00) or (N1111.00). If algID equals
a. aesRoleCheck, then cmdData MUST (to be completed for generation 2).
b. aesSessionkey4SM, then cmdData MUST (to be completed for generation 2)
c. desRoleCheck, then cmdData MUST be 8 octets long.
d. desSessionKey4SM, then cmdData MUST be 104 Octets long.
e. (requirement for SMC-A and SMC-B) desSessionkey4TC, then cmdData MUST be
104 octets long.
f. elcRoleCheck, then cmdData MUST (to be completed for generation 2)
g. rsaRoleCheck, then cmdData MUST contain exactly the number of octets as the
modulus of the authentication key.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 82 Instruction Byte according to [ISO7816-4]
P1 00 Information in respect to the algorithm already present in the smartcard
P2 00 key reference already present in the smartcard
Data XXYY cmdData
In this variant the APDU of the command MUTUAL AUTHENTICATE contains two parame-
ters:
(N861.00)
The parameter cmdData contains the response of the external entity. The parameter
cmdData is an octet string with any content. The length of cmdData is depending on
algID, being chosen according to (N1116.00). If algID equals
a. aesSessionkey4SM, then cmdData MUST (to be completed for generation 2)
b. desSessionkey4SM, then cmdData MUST be 104 octets long.
c. (requirement for SMC-A and SMC-B) desSessionkey4TC, then cmdData MUST be
104 octets long.
(N862.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N863.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4.1. For the construction of this case 4 command
APDU the instructions of Table 118 (N863.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 82 Instruction Byte according to [ISO7816-4]
P1 00 Information in respect to the algorithm already present in the smartcard
P2 00 key reference already present in the smartcard
Data XXYY cmdData
Ne length Expected number of octets in the response data
Note: This table contains no errors, which are detected in the components I/O, ChannelSwitch and
SecMes from Figure 1 (N270.50).
(N864.00)
A COS MAY use additional trailers.
(N876.00)
The COS MAY support this command according to [ISO7816-4].
The COS MAY refuse this command according to [ISO7816-4].
The command GET SECURITY STATUS KEY is used to ask for the security status of key
objects. The security status to be read is determined by a reference which is part of the
command data as a parameter.
In this variant the APDU of the command GET SECURITY STATUS KEY contains one pa-
rameter:
Content Description
CLA 80 CLA Byte according to [ISO7816-4] indicated here as proprietary
INS 82 Instruction Byte (identical to EXTERNAL AUTHENTICATE)
P1 80 Read security status
P2 00
Data XXYY 83 01 || cmdData
In this variant the APDU of the command GET SECURITY STATUS KEY contains one pa-
rameter:
(N879.00)
The parameter cmdData contains a role reference. Value and coding MUST be chosen
according to 7.1.1.4 and (N57.00).
(N880.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 122 (N880.20) MUST be used.
Content Description
CLA 80 CLA Byte according to [ISO7816-4] indicated here as proprietary
INS 82 Instruction Byte (identical to EXTERNAL AUTHENTICATE)
P1 80 Read security status
P2 00
Data XXYY 5F4C 07 || cmdData
Table 124: (N880.90) GET SECURITY STATUS KEY Response APDU in case of failure
(N881.00)
A COS MAY use additional trailers.
In this variant the APDU of the command INTERNAL AUTHENTICATE contains two parame-
ters:
(N888.00)
The parameter token contains the data to be authorised. The parameter token is an oc-
tet string of any content. The length of token token depends on the algID selected us-
ing noch suchen. If algID equals
a. aesRoleAuthentication, then token MUST be 16 octets long.
b. desRoleAuthentication, then token MUST be 8 octets long.
c. elc (to be completed for generation 2)
d. rsaClientAuthentication, then token MUST NOT be longer than 64 octets.
e. rsaRoleAuthentication, then token MUST be 16 octets long.
f. rsaSessionkey4SM, then token MUST be chosen according to (N1187.00).
g. rsaSessionkey4Intro, then token MUST be chosen according to (N1187.00) (HPC
towards an eGK) resp. (N1190.00) (SMC to HPC).
h. (requirement for SMC-A and SMC-B) rsaSessionkey4TC, then token MUST be cho-
sen according to (N1183.00) (SMC towards an eGK) resp. (N1190.00) (SMC to
HPC).
i. desSessionKey4SM, then token MUST be 16 octets long.
j. (requirement for SMC-A and SMC-B) desSessionKey4TC, then token MUST be 16
octets long
k. signPKCS1_V1_5, then the number of octets in token MUST be less than 0,4 Oc-
tetLength( n ), with n as modulus of the selected authentication key.
(N889.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N890.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 125 (N890.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 88 Instruction Byte according to [ISO7816-4]
P1 00 Information in respect to the algorithm already available in the smartcard
P2 00 Key reference already available in the smartcard
Data XXYY token
Ne length Expected number of octets in the response data
(N891.00)
A COS MAY use additional trailers.
Note: The length of PRND is chosen in a way that M2 = token. Therefore it is not nec-
essary to include M2 in the response message.
f. rsaSessionkey4SM, then it applies with PrK = affectedObject.privateKey
i. KD.i = RAND( 64 )
The octet string KD.i MUST be transferred to the Secure Messaging Layer
(see Clause 13.1).
ii. PRND = RAND(OctetLength( PrK.n ) 34 OctetLength(KD.i) )
iii. M = PRND || KD.i || token
iv. ( sig, M2 ) = RSA_ISO9796_2_DS1_SIGN( PrK, M )
Note: The length of PRND is chosen in a way that M2 = token. Therefore it is not nec-
essary to include M2 in the response message.
v. If channelContext.keyReferenceList.externalAuthenticate
1. is empty, then the command MUST terminate with the trailer NoPukRefer-
ence.
2. is not empty, then tmpObject = SearchKey(
currentFolder
channelContext.keyReferenceList.externalAuthenticate.keyReference,
channelContext.keyReferenceList.externalAuthenticate.algID
) is set. According to Clause 9.2.3.2 and according to (N1136.00) it MAY
happen, that the search for a key is not successful. Then the command
MUST terminate with the trailer PuKNotFound.
vi. response = sigPuK.e mod PuK.n, with PuK = tmpObject.publicKey.
g. desSessionKey4SM or (requirement for SMC-A and SMC-B) desSessionkey4TC,
then the following steps will be executed:
The command PSO: COMPUTE DS signs data using a private key. The private key and the
algorithm to be used are selected prior to the signature operation. This is done by sending a
command MSE: SET before PSO: COMPUTE DS is sent, see Clause 14.9.6.7. The data to
be signed are part of the command message as a parameter.
14.8.1.1 Use Case Signing of the data field, without message recovery
This variant applies for the following algorithms (see (N189.00) and (N194.00)): rsaClientAu-
thentication, signPKCS1_V1_5, signPSS, signECDSA.
In this variant the APDU of the command PSO: COMPUTE DS contains two parameters:
(N899.00)
The parameter dataToBeSigned contains the data to be signed. The parameter data-
ToBeSigned is an octet string of any content. The length of dataToBeSigned depends
on the algID selected by (N1121.00). If algID equals
a. rsaClientAuthentication, then dataToBeSigned MUST NOT be longer than 64 octets.
b. signPKCS1_V1_5, then the number of octets in dataToBeSigned MUST be less
than 0,4 OctetLength( n ), with n being the Modulus of the selected signature key.
c. signPSS, then dataToBeSigned MUST NOT be longer than 64 octets.
Table 128: (N901.50) PSO: COMPUTE DS, signing of a data field, without message recovery
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 9E Description of the response data, here digital signature
P2 9A Description of the command data, here data to be signed
Data XXYY dataToBeSigned
Ne length Expected number of octets in the response data
This variant applies for the following algorithm (see (N194.00)): sign9796_2_DS2.
In this variant the APDU of the command PSO: COMPUTE DS contains three parameters:
(N902.00)
The parameter M1 contains the recoverable part of the message to be signed. The
parameter M1 is an octet string of any content. The bit length of M1 MUST NOT ex-
ceed the capacity of the scheme according to [ISO9796-2] Clause 9.1.4.
(N903.00)
The parameter hashM2 contains the hash value of the non recoverable part of the
message to be signed. The parameter hashM2 is an octet string of any content, whose
length MUST be less than or equal to 64 octets.
(N904.00)
The parameter length determines the length of the response date being expected. The
value of length MUST be chosen from the range defined in Clause 11.5.6.
(N905.00)
The parameters M1 and hashM2 MUST be present in the data fieldof the command
message. The coding is specified in (N912.00). The number of octets in signIn-
put9796_2_DS2 is restricted by (N902.00) and (N903.00).
(N906.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 129 (N906.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 9E Description of the response data, here digital signature
P2 AC Description of the command data, here data to be signed as DE
Data XXYY signInput9796_2_DS2
Ne length Expected number of octets in the response data
(N907.00)
A COS MAY use additional trailers.
In this variant of PSO: COMPUTE CC the command APDU includes two parameters.
(N917.00)
The parameter data contains the data to be protected. The parameter data is an octet
string of any content. The parameter data corresponds to the MACin in (N354.00)a.iii.
The length of data is subject only to the restrictions described in Clause 11.5.5.
(N918.00)
The parameter length determines the length of the expected response data. The value
of length MUST be in the range defined in Clause 11.5.6.
(N919.00)
A Case 4 command APDU according to Clause 11.7.4.1 MUST be sent via interpreter
interface. For the construction of this case 4 command APDU the instructions of Table
132 (N919.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 8E Description of response data, here: cryptographic checksum
P2 80 Description of command data, here: plaintext
Data XXYY data
Ne length Number of octets expected in the response data
(N920.00)
A COS MAY use additional trailers.
The command PSO: DECIPHER deciphers data using a private asymmetric or symmetric
key. The data to be decrypted are part of the command message as a parameter.
This variant applies for the following algorithms (see (N191.00)): rsaDecipherPKCS1_V1_5,
rsaDecipherOaep. The private key and the algorithm to be used are selected prior to the de-
cryption operation. This is done by sending a command MSE: SET before PSO: DECIPHER
is sent, see Clause 14.9.6.9.
In this variant the APDU of the command PSO: DECIPHER contains two parameters:
(N928.00)
The parameter C contains the data to be decrypted. The parameter C is an octet string
of any content. The number of octets in C MUST be equal to OctetLength( n ) with n as
modulus of the key which is used for the decyphering operation.
(N929.00)
The parameter length determines the length of the expected response data. The val-
ued of length MUST be chosen from the range defined in Clause 11.5.6
(N930.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 135 (N930.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 80 Description of the response data, here plaintext
P2 86 Description of the command data, here cipher text
Data XXYY 00 || C, Meaning: PaddingIndicator || Cryptogram
Ne length Expected number of octets in the response data
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 80 Description of response data, here: plaintext
P2 86 Description of command data, here: cryptogram
Data XXYY 01 || C = padding indicator || cryptogram
Ne length Number of octets expected in the response data
This variant applies for the following algorithm (see (N191.00)): elcSharedSecretCalculation.
In this variant the APDU of the command PSO: DECIPHER contains four parameters:
(N935.00)
The parameter POA contains a point on an elliptical curve.This point was selected by
the sender of the message. The parameter POA is an octet string, whose content
SHOULD be chosen so that no error occurs during decoding, see (N48.00)a.
(N936.00)
The parameter C contains the data to be decrypted. The parameter C is an octet string
of any content.
(N937.00)
The parameter T contains a MAC, which protects the integrity of C. The parameter T is
an octet string whose content SHOULD be chosen so that no error occurs during the
verification of the MAC.
(N938.00)
The parameter length determines the length of the expected response data. The val-
ued of length MUST be chosen from the range defined in Clause 11.5.6.
(N939.00)
The parameters POA, C and T MUST be part of the data field of the command mes-
sage. The coding is specified in (N945.00)c.
(N940.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 137 (N940.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 80 Description of the response data, here plaintext
P2 86 Description of the command data, here cipher text
Data XXYY cipher
Ne length Expected number of octets in the response data
Note: P2 will possibly be changed in a later version of this document.
(N941.00)
A COS MAY use additional trailers.
The command PSO: ENCIPHER enciphers data using a public asymmetric key or a symmet-
ric key. The public key and the data to be enciphered are part of the command message as a
parameter.
This variant applies to the following algorithm: desSessionkey4TC. The algorithm to secure a
command which has to be used is described in Clause 13.2. In doing so the SMC executes
the steps according to (N348.00)a and (N348.00)b.
In this variant the APDU of the command PSO: ENCIPHER contains two parameters
(N951.00)
The parameter M contains the data to be enciphered. The parameter M is an octet
string of any content. M complies with Data in (N348.00)b.The length of M is subject
only to the restrictions defined in Clause 11.5.5.
(N952.00)
The parameter length determines the length of the expected response data. The value
of length MUST be in the range defined in Clause 11.5.6.
(N953.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 140 (N953.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 86 Description of response data, here: cryptogram
P2 80 Description of command data, here: plaintext
Data XXYY M
Ne length Number of octets expected in the response data
In this variant the APDU of the command PSO: ENCIPHER contains five parameters:
(N954.00)
The parameter algID contains information about the algorithm to be used for the en-
cryption. The parameter algID MUST be chosen from the set (to be defined for gen-
eration 2).
(N955.00)
The parameter oid contains an object identifier referencing the used elliptical curve.
The parameter oid is an octet string, whose length and content SHOULD be chosen so
that a curve is referenced which is stored in the smartcard.
(N956.00)
The parameter POB contains a point on an elliptical curve. This point represents the
public key of the receiver. The parameter POB is an octet string whose length and con-
tent SHOULD be chosen so that no error occurs during the decoding, see (N48.00)a.
(N957.00)
The parameter M contains the data to be encrypted. The parameter M is an octet string
with any content.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 86 Description of the response data, here cipher text
P2 80 Description of the command data, here plaintext
Data XXYY plain
Ne length Expected number of octets in the response data
Note: P1 will possibly be changed in a later version of this document.
(N961.00)
A COS MAY use additional trailers.
Note: in this case cipher is defined in an identical way to (N945.00)c and (N1002.00)c.
ix. Set keyDO = 7F49 L7F49 ( 86 L86 POA ).
x. Set cipherDO = 86 L86 02 || C.
xi. Set macDO = 8E L8E T.
xii. Set cipher = A6 LA6 ( keyDO || cipherDO || macDO ).
(N966.00)
As data field of the response message cipher MUST be used.
(N967.00)
NoError MUST be used as trailer.
(N968.00)
The following applies for the priority of the trailers:
a. The priority of the trailers in Table 143 (N960.60) is manufacturer-specific.
b. Each trailer in Table 143 (N960.60) MUST have a higher priority than NoError.
The command PSO: VERIFY CC by using a symmetric key checks, whether a given crypto-
graphic checksum matches the given data. The algorithm to be used to verify a response
APDU is described in Clause 13.3. The symmetric key is agreed during a mutual authentica-
tion procedure (see Clause 15.4 and Clause 15.6). The checksum and the protected data are
contained as parameters in the command message.
(N969.00)
All normative requirements of Clause 14.8.5 and its sub-clauses MUST apply to SMC-
A and SMC-B.
In this variant the APDU of the command PSO: VERIFY CC contains two parameters:
(N970.00)
The parameter data contains the protected data. The parameter data is an octet string
of any content.
(N971.00)
The parameter mac contains a cryptographic checksum. The parameter mac is an oc-
tet string of any content whose length MUST NOT exceed the block length of the sym-
metric algorithm.
(N972.00)
The parameters data and mac MUST be contained in the data field of the command
message. The encoding is defined in (N978.00).
(N973.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3. For the construction of this case 3 command
APDU the instructions of Table 144 (N973.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 00 Description of response data, here: no response data
P2 A2 Description of command data, here: input template for MAC
Data XXYY inputTemplate
(N974.00)
A COS MAY use additional trailer
(N982.00)
The COS MAY support this command according to [ISO7816-8].
The COS MAY refuse this command according to [ISO7816-8].
The command PSO: TRANSCIPHER combines the commands PSO: DECIPHER and PSO:
ENCIPHER without the need for the plaintext to leave the smartcard. The data will be de-
crypted with a private key and will be encrypted immediately after. The private key and the
algorithm to be used are selected prior to the decryption operation. This is done by sending a
command MSE: SET before the command PSO: TRANSCIPHER is sent, see Clause
14.9.6.9. The data to be transciphered and the public key of the receiver are part of the
command message as a parameter.
This variant applies for the following algorithms (see (N191.00)): rsaDecipherPKCS1_V1_5,
rsaDecipherOaep.
In this variant the APDU of the command PSO: TRANSCIPHER contains four parameters
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 86 Description of the response data, here cipher text
P2 B8 Description of the command data, here CRT for encryption
Data XXYY cipherIN
Ne length Expected number of octets in the response data
This variant applies for the following algorithm (see (N191.00)): elcSharedSecretCalculation.
In this variant the APDU of the command PSO: TRANSCIPHER contains six parameters:
(N989.00)
The parameter POA contains a point on an elliptical curve.This point was selected by
the sender of the message. The parameter POA is an octet string, whose content
SHOULD be chosen so that no error occurs during decoding, see (N48.00)a.
(N990.00) The parameter C contains the data to be transciphered. The parameter C is an
octet string of any content.
(N991.00)
The parameter T contains a MAC, which protects the integrity of C. The parameter T is
an octet string whose length and content SHOULD be chosen so that no error occurs
during the verification of the MAC.
(N992.00)
The parameter POB contains a point on an elliptical curve. This point represents the
HPC Part 1 COS, V2.3.2 Page 231 of 278
public key of the receiver. The parameter POB is an octet string whose content
SHOULD be chosen so that no error occurs during the decoding, see (N48.00)a
(N993.00)
The parameter algID_enc contains information about the algorithm to be used for the
encryption. A value of the set { elcSharedSecretCalculation} MUST be used.
(N994.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N995.00)
The parameters POA, POB, C, T and algID_enc MUST be part of the data field of the
command message. The coding is specified in (N1001.00), (N1002.00)c and
(N1004.00)c.
(N996.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.4. For the construction of this case 4 command
APDU the instructions of Table 148 (N996.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 86 Description of the response data, here cipher text
P2 86 Description of the command data, here also cipher text
Data XXYY cipherIN
Ne length Expected number of octets in the response data
Note 1: it will be interesting if RSA and ELC keys will be mixed for transcipher. That is something for
the future.
Note 2: Possibly P1 and P2 will be changed in a later version of this document.
Note: In this case cipher is defined in an identical way to (N945.00)c and (N965.00)b.
v. M = ELC_DEC( POA, affectedObject.privateElcKey, Cin, Tin ).
If and only if this function terminates with the error ERROR, then the com-
mand MUST terminate with the trailer WrongCiphertext.
(N1003.00)
Search in plainDO for a DO with the tag = 80. This DO MUST have the length one.
Then it applies algID_enc = value field of the DO with tag = 80.
(N1004.00)
The cipher text cipherOUT will be calculated from M as follows:
If algID_enc has the value
a. rsaEncipherPKCS1_V1_5, then it applies:
i. plainDO = A0 LA0 ( algDO || keyDO ).
ii. algDO = 80 01 || algID_enc.
iii. keyDO = 7F49 L7F49 [(81 L81 PuK.n) || (82 L82 PuK.e)].
iv. cipherOUT = 00 || RSAES_PKCS1_V1_5_ENCRYPT(PuK, M ).
b. rsaEncipherOaep, then it applies:
i. plainDO = A0 LA0 ( algDO || keyDO ).
ii. algDO = 80 01 || algID_enc.
iii. keyDO = 7F49 L7F49 [(81 L81 PuK.n) || (82 L82 PuK.e)].
iv. cipherOUT = 00 || RSAES_OAEP_ENCRYPT( PuK, M ).
c. elcSharedSecretCalculation, then it applies:
i. plainDO = A0 LA0 ( algDO || keyDOB ).
ii. algDO = 80 01 || algID_enc.
iii. keyDOB = 7F49 L7F49 ( 86 L86 POB ).
iv. ( POout, Cout, Tout ) = ELC_ENC(
M,
POB,
affectedObject.privateElcKey.domainParameter
)
If and only if this function terminates with the error ERROR, then the com-
mand MUST terminate with the trailer WrongCiphertext. Otherwise a DER TLV
coded octet string cipherOUT is built as follows:
The command PSO: VERIFY CERTIFICATE verifies the signature of a certificate using a
public key. The public key is selected prior to the verification operation. This is done by send-
ing a command MSE: SET before PSO: VERIFY CERTIFICATE is sent, see Clause 14.9.6.8.
The certificate is part of the command message as a parameter. If the signature of the certifi-
cate is regarded as valid, then certain attributes of the key object being part of the certificate
will be stored for a later usage.
In this variant the APDU of the command PSO: VERIFY CERTIFICATE contains two pa-
rameters:
(N1008.00)
The parameter certificateContent contains attribute information for the key object.
(N1009.00)
The parameter signature contains the signature over the attribute information, created
by a CA.
(N1010.00)
The parameters certificateContent and signature MUST be part of the data field of the
command message. The coding is specified in (N1019.00)a.
(N1011.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3. For the construction of this case 3 command
APDU the instructions of Table 151 (N1011.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 00 no response data
P2 AE Command data with template; the value fields are certified
Data XXYY certificate
In this variant the APDU of the command PSO: VERIFY CERTIFICATE contains two pa-
rameters:
(N1012.00)
The parameter certificateContent contains all attributes for the key object.
(N1013.00)
The parameter signature contains the signature over the attributes, created by a CA.
(N1014.00)
The parameters certificateContent and signature MUST be part of the data field of the
command message. The coding is specified in (N1019.00)b.
(N1015.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3. For the construction of this case 3 command
APDU the instructions of Table 152 (N1015.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 2A Instruction Byte according to [ISO7816-4]
P1 00 no response data
P2 BE Command data with certified template
Data XXYY certificate
(N1016.00)
A COS MAY use additional trailers.
14.9 Miscellaneous
14.9.1 ENVELOPE
The optional command ENVELOPE supports a Trusted Channel by generating Secure Mes-
saging data objects for secured commands and by processing Secure Messaging data ob-
jects for secured responses. Thus ENVELOPE is possibly a more efficient alternative to the
commands PSO: COMPUTE CC (see Clause 14.8.2) and PSO: ENCIPHER (see Clause
14.8.4) for the generation of data objects and PSO: DECIPHER (see Clause 14.8.3) and
14.9.1.1 Use Case Generation of Secure Messaging DOs for secured commands
In this variant the APDU of the command ENVELOPE contains three parameters:
(N1025.00)
The parameter commandData contains the data to be protected and possibly to be en-
ciphered. The parameter commandData MUST be an octet string with the content of a
command APDU according to Clause 11.5. The length of commandData is only limited
by the restrictions of Clause 11.5.5.
(N1026.00)
The parameter responseDescriptor contains information which data objects are ex-
pected in the response message. The parameter responseDescriptor MUST be em-
bedded in a Response Descriptor Template according to [ISO7816-4] Clause 6.3.4.
(N1027.00)
If the command ENVELOPE shall calculate a checksum and return it in the response
message, then the parameter responseDescriptor MUST be coded as an empty
checksum with the value of 8E 00.
(N1028.00)
If the command ENVELOPE shall calculate a cryptogram and a checksum and return
both in the response message, then the parameter responseDescriptor MUST be
coded as empty data objects cryptogram and checksum with the values of 87 00 ||
8E 00.
(N1029.00)
The parameter commandData and responseDescriptor MUST be part of inputTemplate
in the data field of the command message. It MUST apply
a. inputTemplate =
52 L52 commandData || 7D L7D (BA LBA responseDescriptor)'
(N1030.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N1031.00)
A case 4 command APDU MUST be sent via the interface Interpreter of Figure 1
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS C3 Instruction Byte according to [ISO7816-4]
P1 00
P2 00
Data XXYY inputTemplate: DO Command APDU and Secure Messaging Template
with Response Descriptor Template according to [ISO7816-4]
Ne length Expected number of octets in the response data
14.9.1.2 Use Case Processing of Secure Messaging DOs with secured response data
In this variant the APDU of the command ENVELOPE contains one or three parameter:
(N1032.00)
The parameter responseData contains protected data which are possibly also enci-
phered. The parameter responseData MUST be an octet string with the content of a
secured response APDU according to Clause 11.6 and Clause 13.3.
(N1033.00)
The optional parameter responseDescriptor contains the information that the command
ENVELOPE shall decipher a cryptogram and return the plaintext in the response mes-
sage; it MUST be coded as an empty DO plaintext with the value of 80 00.
(N1034.00)
The parameter responseData MUST be present in inputTemplate in the data field of
the command message. The parameter responseDescriptor MAY be present. It MUST
apply:
a. inputTemplate = 7D L7D responseData, or
b. inputTemplate = 7D L7D (responseData || BA LBA responseDescriptor).
(N1035.00)
The optional parameter length
a. MUST be present if the parameter responseDescriptor is present.
b. MUST NOT be present if the parameter responseDescriptor is not present.
(N1036.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N1037.00)
If the parameter length is
a. present, then a case 4 command APDU MUST be sent via the interface Interpreter
of Figure 1 (N270.50), according to Clause 11.7.4.1.
b. not present, then a case 3 command APDU MUST be sent via the interface Inter-
preter of Figure 1 (N270.50), according to Clause 11.7.3.1.
(N1038.00)
For the construction of this case 4 or case 3 command APDU the instructions of Table
156 (N1038.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS C3 Instruction Byte according to [ISO7816-4]
P1 00
P2 00
Data XXYY inputTemplate: Secure Messaging Template with or without Response
Descriptor Template according to [ISO7816-4]
Ne length Expected number of octets in the response data (conditional, see
(N1037.00), depending on the presence of a Response Descriptor Tem-
plate in inputTemplate)
(N1039.00)
A COS MAY use additional trailers.
The command GENERATE ASYMMETRIC KEY PAIR (GAKP) is used to generate asymmet-
ric key pairs and to read a public key generated by the command. The respective key pair is
selected afore. This is done by a command MANAGE SECURITY ENVIRONMENT (see
Clause 14.9.6.7).
In this variant the APDU of the command GAKP contains one parameter:
(N1045.00)
The parameter operationMode determines the operation to be performed. In this case
operationMode = 84 MUST be chosen.
(N1046.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
Table 159: (N1046.50) GAKP, key generation without returning a public key
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 46 Instruction Byte according to [ISO7816-4]
P1 84 operationMode = key generation
P2 00
In this variant the APDU of the command GAKP contains two parameters:
(N1047.00)
The parameter operationMode determines the operation to be performed. In this case
operationMode = 81 MUST be chosen.
(N1048.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N1049.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.2. For the construction of this case 2 command
APDU the instructions of Table 160 (N1049.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 46 Instruction Byte according to [ISO7816-4]
P1 81 operationMode = returning a key generated afore
P2 00
Ne length Expected number of octets in the response data
In this variant the APDU of the command GAKP contains two parameters:
(N1050.00)
The parameter operationMode determines the operation to be performed. In this case
operationMode = 80 MUST be chosen.
(N1051.00)
The parameter length determines the length of the expected response data. The value
of length MUST be chosen from the range defined in Clause 11.5.6.
(N1052.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.2. For the construction of this case 2 command
APDU the instructions of Table 161 (N1052.40) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 46 Instruction Byte according to [ISO7816-4]
P1 80 operationMode = key generation and return of the public key
P2 00
Ne length Expected number of octets in the response data
(N1053.00)
A COS MAY use additional trailers.
The command GET CHALLENGE generates a random number. This random number is
available inside the smartcard at least fort the execution of the next command. Typically this
next command contains the authentication of an external component.
In this variant the APDU of the command GET CHALLENGE contains one parameter:
(N1065.00)
The parameter length determines the length of the expected response data. The value
of length MUST be equal to 8.
(N1066.00)
A case 2 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.2.1. For the construction of this case 2 command
APDU the instructions of Table 164 (N1066.20) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 84 Instruction Byte according to [ISO7816-4]
P1 00
P2 00
Ne 08 Expected number of octets in the response data, in this case 8
14.9.3.2 Use Case Generation of a random number for AES or ELC authentication
(N1067.00)
A COS MAY use additional trailers.
(N1074.00)
The COS MAY support this command according to [ISO7816-4]
The COS MAY refuse this command according to [ISO7816-4].
The command MANAGE CHANNEL is used for opening and closing logical channels which
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 70 Instruction Byte according to [ISO7816-4]
P1 00 intendedAction, here: Open a channel,
P2 00 Channel number is determined by the COS.
Ne 01 Number of expected octets in the response data
In this variant the APDU of a MANAGE CHANNEL command includes two parameters:
(N1080.00)
The parameter logicalChannelNumber MUST contain the number of an open channel
that is to be closed. The value of logicalChannelNumber MUST be a non-zero value
and MUST be set according to [ISO7816-4] CLAUSE 5.1.1, i.e. in the CLA byte of the
APDU that is visible at the I/O interface.
(N1081.00)
The parameter intendedAction indicates that a logical channel is to be closed. The
HPC Part 1 COS, V2.3.2 Page 250 of 278
channel number is specified in the CLA byte. The value of intendedAction MUST be set
to 32768 = 8000.
(N1082.00)
A case 1 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.1. For the construction of this case 1 command
APDU the instructions of Table 168 (N1082.40) MUST be used.
Content Description
CLA XX CLA Byte according to [ISO7816-4] with a non-zero channel number
INS 70 Instruction Byte according to [ISO7816-4]
P1 80 intendedAction, here: Close a channel
P2 00 affected channel is indicated in the CLA byte.
In this variant the APDU of the command MSE contains two parameters
(N1090.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = F3 MUST be chosen.
(N1091.00)
The parameter seNo MUST be chosen according to (N79.00).
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 F3 operationMode = selection of a SEIdentifier
P2 XX seNo = value of the SEIdentifier to be selected
In this variant the APDU of the command MSE contains four parameters:
(N1093.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = 41 MUST be chosen.
(N1094.00)
The parameter crtTag determines the list element in keyReferenceList, which has to be
changed. For this use case crtTag = A4 MUST be chosen.
(N1095.00)
Requirement for SMC-A and SMC-B
The parameter keyRef contains the new value of keyReference in the list element in-
ternalAuthenticate. Value and encoding MUST be chosen
a. either according to (N1089.00) or
b. according to (N176.00).
(N1096.00)
The parameter algID contains the new value for the element algorithmIdentifier in the
list element internalAuthenticate. The value and encoding MUST be chosen according
to Table 186 (N1216.00). A value of the set {
desRoleAuthentication,
desSessionkey4SM,
desSessionkey4TC (requirement for SMC-A and SMC-B)
} MUST be used.
The COS MAY support further values for algID.
The COS MAY refuse further values for algID.
(N1097.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 172 (N1097.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 41 operationMode = setting of an internal key
P2 A4 crtTag = the list element affected is internalAuthenticate
Data XXYY 83 L83 keyRef || 80 01 || algID
Note: L83 is an octet with the value of I2OS( OctetLength(keyRef), 1).
In this variant the APDU of the command MSE contains four parameters:
(N1098.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = 41 MUST be chosen.
(N1099.00)
The parameter crtTag determines the list element in keyReferenceList, which has to be
changed. For this use case crtTag = A4 MUST be chosen.
(N1100.00)
The parameter keyRef contains the new value for the element keyReference in the list
element internalAuthenticate. Value and coding MUST be chosen according to
(N1089.00).
(N1101.00)
The parameter algID contains the new value for the element algorithmIdentifier in list
element internalAuthenticate. The value and encoding MUST be chosen according to
Table 186 (N1216.00) and Table 188 (N1218.00). A value of the set {
rsaClientAuthentication,
rsaRoleAuthentication,
rsaSessionkey4Intro,
rsaSessionkey4SM,
rsaSessionkey4TC, (requirement for SMC-A and SMC-B)
signPKCS1_V1_5
} MUST be used.
The COS MAY support further values for algID.
The COS MAY refuse further values for algID.
(N1102.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 173 (N1102.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 41 operationMode = setting of an internal key
P2 A4 crtTag = the list element affected is internalAuthenticate
Data XXYY 84 01 || keyRef || 80 01 || algID
In this variant the APDU of the command MSE contains four parameters:
(N1103.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = 81 MUST be chosen.
(N1104.00)
The parameter crtTag determines the list element in keyReferenceList, which has to be
changed. For this use case crtTag = A4 MUST be chosen.
(N1105.00)
Requirement for SMC-A and SMC-B
The parameter keyRef contains the new value for the element keyReference in the list
element externalAuthenticate. The value and encoding MUST be chosen
a. either according to (N1089.00) or
b. according to (N176.00).
(N1106.00)
The parameter algID contains the new value for the element algorithmIdentifier in list
element externalAuthenticate. The value and encoding MUST be used according to
Table 186 (N1216.00). A value of the set {
desRoleCheck,
desSessionkey4SM
desSessionkey4TC (requirement for SMC-A and SMC-B)
} MUST be used.
The COS MAY support further values for algID.
The COS MAY refuse further values for algID.
(N1107.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 174 (N1107.50) MUST be used.
Table 174: (N1107.50) MSE, Selection symmetric key for EXTERNAL AUTHENTICATE
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 81 operationMode = setting of an external key
P2 A4 crtTag = the list element affected is externalAuthenticate
Data XXYY 83 L83 keyRef || 80 01 || algID
Note: L83 is an octet with the value of I2OS( OctetLength(keyRef), 1).
In this variant the APDU of the command MSE contains four parameters:
(N1108.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = 81 MUST be chosen.
(N1109.00)
The parameter crtTag determines the list element in keyReferenceList, which has to be
changed. For this use case crtTag = A4 MUST be chosen.
(N1110.00)
The parameter keyRef contains the new value for the element keyReference in the list
element externalAuthenticate. Value and coding MUST be chosen according to
(N206.00).
(N1111.00)
The parameter algID contains the new value for the element algorithmIdentifier in list
element externalAuthenticate. The value and encoding MUST be chosen according to
Table 186 (N1216.00). A value of the set {
rsaRoleCheck,
rsaSessionkey4Intro,
rsaSessionkey4SM,
rsaSessionkey4TC, (requirement for SMC-A and SMC-B)
} MUST be used.
The COS MAY support further values for algID.
The COS MAY refuse further values for algID.
(N1112.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 175 (N1112.50) MUST be used.
Table 175: (N1112.50) MSE, selection of a public key for EXTERNAL AUTHENTICATE
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 81 operationMode = setting of a public key
P2 A4 crtTag = the list element affected is externalAuthenticate
Data XXYY 83 0C || keyRef || 80 01 || algID
In this variant the APDU of the command MSE contains four parameters:
(N1113.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = 81 MUST be chosen.
(N1114.00)
The parameter crtTag determines the list element in keyReferenceList, which has to be
changed. For this use case crtTag = A4 MUST be chosen.
(N1115.00)
The parameter keyRef contains the new value for the element keyReference in the list
element externalAuthenticate. The value and encoding MUST be chosen
HPC Part 1 COS, V2.3.2 Page 256 of 278
a. either according to (N1089.00) or
b. according to (N176.00).
(N1116.00)
The parameter algID contains the new value for the element algorithmIdentifier in the
list element externalAuthenticate. Value and coding MUST be chosen according to
Table 186 (N1216.00), whereas a value from the set {
desSessionkey4SM
desSessionkey4TC (requirement for SMC-A and SMC-B)
} MUST be used.
The COS MAY accept additional values for algID.
The COS MAY refuse additional values for algID.
(N1117.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 176 (N1117.50) MUST be used.
Table 176: (N1117.50) MSE, selection symmetric key for MUTUAL AUTHENTICATE
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 81 operationMode = setting of a symmetric key
P2 A4 crtTag = the list element affected is externalAuthenticate
Data XXYY 83 L83 keyRef || 80 01 || algID
Note 1: L83 is an octet with value I2OS( OctetLength(keyRef), 1)
Note 2: It is not required to change or extend the normative requirement (N1116.00) as the command
MUTUAL AUTHENTICATE is solely used to establish session keys for Trusted Channel.
This use case is used to select a signature key. Afterwards it is possible to generate this key
or to read its public part (see Clause 14.9.2) or to calculate signatures with this key (see
Clause 14.8.1). In this variant the APDU of the command MSE contains four parameters:
(N1118.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = 41 MUST be chosen.
(N1119.00)
The parameter crtTag determines the list element in keyReferenceList, which has to be
changed. For this use case crtTag = B6 MUST be chosen.
(N1120.00)
The parameter keyRef contains the new value for the element keyReference in the list
element signatureCreation. Value and coding MUST be chosen according to
(N1089.00).
(N1121.00)
The parameter algID contains the new value for the element algorithmIdentifier in the
list element signatureCreation. Value and coding MUST be chosen according to Table
186 (N1216.00) and Table 188 (N1218.00). A value from the set {
rsaClientAuthentication,
sign9796_2_DS2,
signPKCS1_V1_5,
signPSS
HPC Part 1 COS, V2.3.2 Page 257 of 278
} MUST be used.
The COS MAY accept additional values for algID.
The COS MAY refuse additional values for algID.
(N1122.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 177 (N1122.50) MUST be used.
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 41 operationMode = setting of a private key
P2 B6 crtTag = the list element affected is signatureCreation
Data XXYY 84 01 || keyRef || 80 01 || algID
In this variant the APDU of the command MSE contains three parameters:
(N1123.00)
The parameter operationMode determines the operation to be executed. For this use
case operationMode = 81 MUST be chosen.
(N1124.00)
The parameter crtTag determines the list element in keyReferenceList, which has to be
changed. For this use case crtTag = B6 MUST be chosen.
(N1125.00)
The parameter keyRef contains the new value for the element keyReference in the list
element verifyCertificate. Value and coding MUST be chosen according to (N202.00).
(N1126.00)
A case 3 command APDU MUST be sent via the interface Interpreter of Figure 1
(N270.50), according to Clause 11.7.3.1. For the construction of this case 3 command
APDU the instructions of Table 178 (N1126.50) MUST be used.
Table 178: (N1126.50) MSE, selection of the public certificate validation key
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 81 operationMode = setting of a public key
P2 B6 crtTag = the list element affected is verifyCertificate
Data XXYY 83 08 || keyRef
In this variant the APDU of the command MSE contains four parameters:
Content Description
CLA 00 CLA Byte according to [ISO7816-4]
INS 22 Instruction Byte according to [ISO7816-4]
P1 41 operationMode = setting of a private key
P2 B8 crtTag = the list element affected is dataDecipher
Data XXYY 84 01 || keyRef || 80 01 || algID
(N1132.00)
A COS MAY use additional trailers.
The command GET RANDOM generates a random number. Unlike GET CHALLENGE this
random number is not available for further operations inside the smartcard after completion
of the command. In return the random number generated via GET RANDOM fulfills certain
security requirements.
HPC Part 1 COS, V2.3.2 Page 260 of 278
(N1139.00)
All normative requirements of Clause 14.9.7 and sub-clauses MUST apply for the HPC,
SMC-A and SMC-B.
Content Description
CLA 80 CLA Byte according to [ISO7816-4] indicated here as proprietary
INS 84 Instruction Byte acc. to [ISO7816-4] (identical to GET CHALLENGE)
P1 00
P2 00
Ne length Expected number of octets in the response data
(N1142.00)
A COS MAY use additional trailers.
This clause describes how the key-based authentication is processed between an HPC and
an eGK (see Figure 3 (N1148.40)), between an SMC and an eGK (see Figure 4 (N1148.50)),
and between an HPC and an SMC (see Figure 5 (N1148.60)).
Channel_1 Channel_2
HP C S oftware eGK
C hannel_1 Channel_2
SMC Softw are eGK
Channel_1 Channel_2
HP C S oftware SMC
A component HPC respectively SMC has the interface characteristics specified in this
document.
A component controlling software has a defined process logic. The controlling software
shall communicate with the HPC via the communication channel 1 and with the eGK via
the communication channel 2. Depending on the communication partner the SMC is ad-
dressed either via channel 1 (eGK is the communication partner) or via channel 2 (the
HPC is the communication partner). These two channels comply with the physical inter-
face in Figure 1(N270.50).
A separate sub-clause is dedicated to each of the described variants. In general the authen-
tication consists of a sequence of one ore more commands, being sent via the communica-
tion channels. For all authentication protocols it applies:
(N1149.00)
If the sequence of an authentication protocol has more than one command-response
pair (see Clause 15.3, Clause 15.4, Clause 15.5 and Clause 15.6), then this sequence
MUST NOT be interrupted at the interface channel 1 in Figure 3 (N1148.40) and Figure
In case that the HPC resp. SMC will prove its authenticity with a symmetric key and no ses-
sion keys shall be negotiated the following sequence has to be used (see Figure 6
(N1156.50)):
(N1153.00)
The first command of the sequence MUST be GET CHALLENGE sent to the eGK via
channel 2.
(N1154.00)
The second command of this sequence MUST be INTERNAL AUTHENTICATE ac-
cording to Clause 14.7.4.1 sent to the HPC or SMC via channel 1. In the HPC or SMC
desRoleAuthentication MUST be set as algorithm according to Clause 14.9.6.2.
(N1155.00)
The third command is the last command of this sequence and MUST be EXTERNAL
AUTHENTICATE sent to the eGK via channel 2.
GetChallenge
Channel_1
Channel_2
InternalAuthenticate(RND .ICC). (RND. ICC, N oError ).
In case that the HPC resp. SMC will prove its authenticity with a RSA key and no session
keys shall be negotiated the following sequence has to be used (see Figure 6 (N1156.50)):
(N1157.00)
The first command of the sequence MUST be GET CHALLENGE sent to the eGK via
channel 2.
(N1158.00)
The second command of this sequence MUST be INTERNAL AUTHENTICATE ac-
cording to Clause 14.7.4.1 sent to the HPC or SMC via channel 1. In the HPC or SMC
rsaRoleAuthentication MUST be set as algorithm according to Clause 14.9.6.3.
(N1159.00)
The third command is the last command of this sequence and MUST be EXTERNAL
AUTHENTICATE sent to the eGK via channel 2.
(N1160.00)
It MUST be possible to transfer the commands of this sequence, which are sent via
channel 1, in protected mode according to Clause 13 (Secure Messaging).
In case that the HPC resp. SMC will prove its authenticity with an ELC key and no session
keys shall be negotiated the following sequence has to be used (compare Figure 6
(N1156.50)):
(N1161.00)
The first command of the sequence MUST be GET CHALLENGE sent via channel 2 to
the eGK.
(N1162.00)
The second command of this sequence MUST be INTERNAL AUTHENTICATE ac-
cording to Clause 14.7.4.1 sent to the HPC or SMC via channel 1. In the HPC or SMC
elcRoleAuthentication MUST be set as algorithm according to Clause 14.9.6.3.
In case that the HPC resp. SMC will check the authenticity of an eGK with a key and no ses-
sion keys shall be negotiated the following sequence has to be used (see Figure 7
(N1168.50)):
(N1165.00)
The first command of the sequence MUST be GET CHALLENGE according to Clause
14.9.3.1 sent to the HPC or SMC via channel 1.
(N1166.00)
The second command of this sequence MUST be INTERNAL AUTHENTICATE sent to
the eGK via channel 2. In the eGK rsaRoleAuthentication MUST be set as algorithm.
(N1167.00)
The third command of the sequence MUST be EXTERNAL AUTHENTICATE according
to Clause 14.7.1.1 sent to the HPC or SMC via channel 1. In the HPC or SMC
rsaRoleCheck MUST be set as algorithm according to Clause 14.9.6.5.
(N1168.00)
It MUST be possible to transfer the commands of this sequence, which are sent via
channel 1, in protected mode according to Clause 13 (Secure Messaging)
GetC hallenge
Channel_1
Channel_2
The Card-2-Card authentication without negotiation of session keys is a special variant of the
processes discussed in Clause 15.1 and Clause 15.2.
If a one-sided authentication (only one of the components HPC resp. SMC or eGK authenti-
cates) is intended, then an algorithm from Clause 15.1 or Clause 15.2 will be performed de-
pending on the direction of the authentication.
If a mutual authentication (both components HPC resp. SMC and eGK authenticate) is inten-
ded, then both an algorithm from Clause 15.1 and an algorithm from Clause 15.2 will be per-
HPC Part 1 COS, V2.3.2 Page 266 of 278
formed. Typically the access conditions for the involved keys define which component has to
authenticate first.
This sub-clause covers the mutual authentication of two entities whereas session keys are
negotiated at the same time.
In case that a mutual authentication has to be executed between SMC and eGK and at the
same time session keys shall be negotiated the following sequence has to be used (see
Figure 8 (N1173.50)):
(N1169.00)
The first command of the sequence MUST be GET CHALLENGE sent to the eGK via
channel 2. The random number generated by the eGK is denoted R.1.
(N1170.00)
The second command MUST be INTERNAL AUTHENTICATE according to Clause
14.7.4.1 sent to the SMC via channel 1. In the SMC desSessionkey4TC MUST be set
as algorithm according to Clause 14.9.6.2. For the authentication command cmdData
MUST contain R.1. The response data are denoted rspData.2.
(N1171.00)
The third command of the sequence MUST be MUTUAL AUTHENTICATE sent to the
eGK via channel 2. In the eGK desSessionkey4SM MUST be set as algorithm. For the
authentication command rspData.2 MUST be used as command data. The response
data are denoted rspData.3.
(N1172.00)
The fourth command is the last command of this sequence and MUST be EXTERNAL
AUTHENTICATE according to Clause 14.7.1.1 sent to the SMC via channel 1. In the
SMC desSessionkey4TC MUST be set as algorithm according to Clause 14.9.6.4. For
the authentication command rspData.3 MUST be used as command data.
(N1173.00)
The SMC MAY accept the protected transfer of the sequence.
The SMC MAY refuse the protected transfer of the sequence.
GetChallenge
Channel_1
Channel_2
(R.1, NoError).
InternalAuthenticate(cmdData=R.1 sn.1).
(rspData.2=enc(R.2 sn.2 R.1 sn.1 KD.2) || MAC, NoError )
MutualAuthenticate(rspData.2)
(rspData.3=enc(R.1 sn.1 R.2 sn.2 KD.1) || MAC, NoError ).
ExternalAuthenticate(rspData.3).
(NoError)
In case that a mutual authentication has to be executed between HPC and SMC with sym-
metric keys and at the same time session keys shall be negotiated the following sequence
has to be used (see Figure 9 (N1178.50)):
(N1174.00)
The first command of the sequence MUST be GET CHALLENGE according to Clause
14.9.3.1 sent to the SMC via channel 2. The random number generated by the SMC is
denoted R.1.
(N1175.00)
The second command MUST be INTERNAL AUTHENTICATE according to Clause
14.7.4.1 sent to the HPC via channel 1. In the HPC desSessionkey4SM MUST be set
as algorithm according to Clause 14.9.6.2. For the authentication command cmdData
MUST contain R.1. The response data are denoted rspData.2.
(N1176.00)
The third command of the sequence MUST be MUTUAL AUTHENTICATE according to
Clause 14.7.1.2 sent to the SMC via channel 2. In the SMC desSessionkey4TC MUST
be set as algorithm according to Clause 14.9.6.6. For the authentication command
rspData.2 MUST be used as command data. The response data are denoted
rspData.3.
(N1177.00)
The fourth command is the last command of this sequence and MUST be EXTERNAL
AUTHENTICATE according to Clause 14.7.1.1 sent to the HPC via channel 1. In the
HPC desSessionkey4SM MUST be set as algorithm according to Clause 14.9.6.4. For
the authentication command rspData.3 MUST be used as command data.
(N1178.00)
HPC and SMC MAY accept the protected transfer of the sequence.
HPC and SMC MAY refuse the protected transfer of the sequence.
GetChallenge
Channel_1
Channel_2
(R.1, NoError).
InternalAuthenticate (cmdData=R.1 sn.1).
(NoError)
Figure 9: (N1178.50) Sequence Diagram for the symmetric Negotiation of Session Keys
between HPC and SMC
In case that a mutual authentication has to be executed between SMC and eGK with asym-
metric RSA keys and at the same time session keys shall be negotiated the following se-
quence has to be used (see Figure 10 (N1185.50)):
(N1179.00)
The first command MUST be GET CHALLENGE according to Clause 14.9.3.1 sent to
the SMC via channel 1. The response data generated by the SMC are denoted R.1.
(N1180.00)
The second command MUST be INTERNAL AUTHENTICATE sent to the eGK via
channel 2. In the eGK rsaSessionkey4SM MUST be set as algorithm. For the authenti-
cation command it MUST apply: cmdData.2 = R.1 || ICCSN8.SMC with ICCSN8.SMC
equal to iccsn8 (see (N210.00)c) of the SMC. It is not a topic of this document to de-
scribe how the entity which sends the command APDU gets knowledge of
ICCSN8.SMC. The corresponding response data of the eGK are denoted rspData.2.
(N1181.00)
The third command MUST EXTERNAL AUTHENTICATE according to Clause 14.7.1.1
sent to the SMC via channel 1. In the SMC rsaSessionkey4TC MUST be set as algo-
rithm according to Clause 14.9.6.5. For the authentication command rspData.2 MUST
be used as command data.
(N1182.00)
The fourth command MUST be GET CHALLENGE according to Clause 14.9.3.1 sent
to the eGK via channel 2. The corresponding response data generated by the eGK are
denoted R.2.
(N1183.00)
The fifth command MUST be INTERNAL AUTHENTICATE according to Clause
14.7.4.1 sent to the SMC via channel 1. In the SMC rsaSessionkey4TC MUST be set
as algorithm according to Clause 14.9.6.3. For the authentication command it MUST
apply: cmdData.5 = R.2 || ICCSN8.eGK with ICCSN8.eGK equal to iccsn8 (see
(N210.00)c) of the eGK. It is not a topic of this document to describe how the entity
which sends the command APDU gets knowledge of ICCSN8.eGK. The corresponding
response data of the SMC are denoted rspData.5.
(N1184.00)
The sixth command is the last command of this sequence and MUST be EXTERNAL
AUTHENTICATE sent to the eGK via channel 2. In the eGK rsaSessionkey4SM MUST
be set as algorithm. For the authentication command rspData.5 MUST be used as
command data.
(N1185.00)
The SMC MAY accept the protected transfer of the sequence.
The SMC MAY refuse the protected transfer of the sequence.
Ge tChalle nge.
Channel_1
Channel_2
(No Error)
GetChalle nge
Figure 10: (N1185.50) Sequence Diagram for the RSA Negotiation of Session Keys
between SMC and eGK
In case that a mutual authentication has to be executed between SMC and HPC with asym-
metric RSA keys and at the same time session keys shall be negotiated the following se-
quence has to be used (see Figure 11 (N1192.10)):
(N1186.00)
The first command MUST be GET CHALLENGE according to Clause 14.9.3.1 sent to
the SMC via channel 2. The response data generated by the SMC are denoted R.1.
(N1187.00)
The second command MUST be INTERNAL AUTHENTICATE according to Clause
14.7.4.1 sent to the HPC via channel 1. In the HPC rsaSessionkey4SM MUST be set
as algorithm. For the authentication command it MUST apply: cmdData.2 = R.1 ||
ICCSN8.SMC with ICCSN8.SMC equal to iccsn8 (see (N210.00)c) of the SMC. It is not
a topic of this document to describe how the entity which sends the command APDU
gets knowledge of ICCSN8.SMC. The corresponding response data of the HPC are
denoted rspData.2
(N1188.00)
The third command MUST be EXTERNAL AUTHENTICATE according to Clause
14.7.1.1 sent to the SMC via channel 2. In the SMC rsaSessionkey4TC MUST be set
as algorithm. For the authentication command rspData.2 MUST be used as command
data.
(N1189.00)
The fourth command MUST be GET CHALLENGE according to Clause 14.9.3.1 sent
to the HPC via channel 1. The corresponding response data generated by the HPC are
denoted R.2
(N1190.00)
The fifth command MUST be INTERNAL AUTHENTICATE according to Clause
14.7.4.1 sent to the SMC via channel 2. In the SMC rsaSessionkey4TC MUST be set
as algorithm. For the authentication command it MUST apply: cmdData.5 = R.2 ||
GetChallenge.
Channel_2
(NoError)
GetChallenge
(rspData.4=R.2, NoError). InternalAuthenticate(cmdData.5=R.2 sn.2).
(NoError).
Figure 11: (N1192.10) Sequence Diagram for the RSA Negotiation of Session Keys
between SMC and HPC
In the context of the so called Round of introduction a mutual authentication with negotia-
tion of session keys is executed; these session keys will be stored in a persistent way as
Introduction Keys after successful authentication. The benefit of this Round of Introduction
is the fact that for later authentication procedures the keys of the participating components
are instantly available, thus improving the performance. The agreed introduction keys belong
individually to the corresponding authentication keys. If a component A is introduced to n
other components, then n different introduction keys have to be stored.
The HPC holds the public key PuK.SMC.AUTD_RPS_CVC. Therefore, the corre-
sponding certificate C.SMC.AUTD_RPS_CVC had to be imported into the HPC.
The SMC-A holds the public key PuK.HPC.AUTD_SUK_CVC. Therefore, the corre-
sponding certificate C.HPC. AUTD_SUK_CVC had to be imported into the SMC-A.
A mutual introduction between SMC-B and SMC-A provides a basis for an efficient symmet-
ric authentication (see Chapter 15.6) with the objective of remote PIN transfer to the SMC-B.
The following is assumed for this introduction:
The SMC-B holds the public key PuK.SMC.AUTD_RPS_CVC. Therefore, the corre-
sponding certificate C.SMC.AUTD_RPS_CVC had to be imported into the SMC-B.
The SMC-A holds the public key PuK.SMC.AUTD_RPE_CVC. Therefore, the corre-
sponding certificate C.SMC. AUTD_RPE_CVC had to be imported into the SMC-A.
A mutual introduction between HPC and SMC-K provides a basis for an efficient symmetric
authentication (see Chapter 15.6) with the objective of transfer of data to be signed to the
HPC. The following is assumed for this introduction:
The HPC holds the public key PuK.SAK.AUTD_CVC. Therefore, the corresponding
certificate C.SAK.AUTD_CVC had to be imported into the HPC.
The SMC-K holds the public key PuK.HPC.AUTD_SUK_CVC. Therefore, the corre-
sponding certificate C.HPC. AUTD_SUK_CVC had to be imported into the SMC-K.
The following steps will be executed (see Figure 12 (N1199.20)):
(N1193.00)
The first command of the sequence MUST be GET CHALLENGE according to Clause
14.9.3.1 sent to the SMC-A or SMC-K via channel 2. The random number generated by
the SMC-A or SMC-K is denoted R.1.
(N1194.00)
The second command MUST be INTERNAL AUTHENTICATE according to Clause
14.7.4.1 sent to the HPC or SMC-B via channel 1. Prior to this command, the private
key PrK.HPC.AUTD_SUK_CVC (HPC) or PrK.SMC.AUTD_RPE_CVC (SMC-B) and
the algorithm rsaSessionkey4Intro MUST be selected according to Clause 14.9.6.3.
For the authentication command it MUST apply: cmdData.2 = R.1 || sn.1 with serial
number sn.1 equal to iccsn8 (see (N210.00)c) of the SMC-A or SMC-K. The corre-
sponding response data are denoted rspData.2.
(N1195.00)
The third command MUST be EXTERNAL AUTHENTICATE according to Clause
14.7.1.1 sent to the SMC-A or SMC-K via channel 2. Prior to this command, the public
key PuK.HPC.AUTD_SUK_CVC (of HPC) or PuK.SMC.AUTD_RPE_CVC (of SMC-B)
Channel_2
It is assumed that
either (HPC and SMC-A) or (SMC-B and SMC-A) or (HPC and SMC-K) are involved,
the serial numbers of both cards are known from their files EF.GDO.
The following steps will be executed (see Figure 13 (N1207.20)):
(N1203.00)
The first command of the sequence MUST be GET CHALLENGE according to Clause
14.9.3.1 sent to the SMC-A or SMC-K via channel 2. The random number generated by
the SMC-A or SMC-K is denoted R.1.
(N1204.00)
The second command MUST be INTERNAL AUTHENTICATE according to Clause
14.7.4.1 sent to the HPC or SMC-B via channel 1. Prior to this command, the introduc-
tion key with a reference according to (N175.00) and the algorithm desSessionkey4SM
MUST be selected according to Clause 14.9.6.2. For the authentication command it
MUST apply: cmdData.2 = R.1 || sn.1 with serial number sn.1 equal to iccsn8 (see
(N210.00)c) of the SMC-A or SMC-K. The corresponding response data are denoted
rspData.2.
(N1205.00)
The third command MUST be MUTUAL AUTHENTICATE according to Clause 14.7.1.2
sent to the SMC-A or SMC-K via channel 2. Prior to this command, the introduction key
with a reference according to (N175.00) and the algorithm desSessionkey4TC MUST
be selected according to Clause 14.9.6.6. For the authentication command rspData.2
MUST be used as command data. The response data are denoted rspData.3.
(N1206.00)
The fourth command is the last command of this sequence and MUST be EXTERNAL
AUTHENTICATE according to Clause 14.7.1.1 sent to the HPC or SMC-B via channel
1. Prior to this command, the introduction key with a reference according to (N175.00)
and the algorithm desSessionkey4SM MUST be selected according to Clause 14.9.6.4.
For the authentication command rspData.3 MUST be used as command data.
(N1207.00)
HPC and SMC MAY accept the protected transfer of the sequence.
HPC and SMC MAY refuse the protected transfer of the sequence.
H PC SM C-A
Softw are
SMC-B SM C-K
GetChalle nge
Channel_1
Channel_2
In ter nalAuth entica te(cm dData.2=R.1 sn.1). (r spDa ta.1 =R.1, N oErro r).
(No Er r or)
Figure 13: (N1207.20) Sequence Diagram for the Negotiation of Session Keys with Introduction
Keys.
Note 1: It is not an easy task to define AlgIds for authentication purposes, if the whole health care area
and also prEN14890 has to be taken into account. In the light of the ongoing discussion about
stack and comfort signatures several options are discussed and must be regarded if applicable.
The following is a trial for a generic approach:.
At the moment I see four possibilities (2 bit) for a private authentication key with respect to ses-
sion keys (SK):
1) Authentication without SK negotiation
2) Authentication with SK negotiation, whereas SKs are NOT stored in a persistent way.
3) Authentication with SK negotiation and storage of the SK as IntroductionKeys.
4) Authentication with SK negotiation and storage of the SK as PairingKeys.
Difference IntroductionKeys to Pairingkeys:
IntroductionKeys are some kind of shortcut with high performance to the asymmetric CV based
authentication, being described in this specification. This shortcut is intended for any of the de-
fined cards (mainly for HPC and SMC). It is not critical to introduce any HPC to any SMC.
ParingKeys are similar to IntroductionKeys, but meant for the pairing between two well defined
smartcards: A concrete HPC with a concrete token for the comfort signature.
Usage of the SKs, two options (1 Bit): Either for Secure Messaging or for PSO commands.
Derivation of SKs, two options (1 Bit): according to the new or to the old version of the specifica-
tion.
SK Type, four options (2Bit): 2TDES, 3TDES, AES-128, AES-256
So for an AlgId of 1 byte 2 bits are remaining for the selection of the authentication mechanism.
With SHA-1 (not used here), SHA-256
Note 2: Proposal for the coding of algorithmIdentifier for the Session key negotiation based on Note 1.
a) AlgId is coded in an octet.
b) Bits b2 b1 are coding the authentication mechanism
00 => process according to this spec.
others out of scope
c) Bits b4 b3 are coding SK Type
00 => 2TDES (not used here, but elsewhere)
01 => 3TDES
10 => AES-128
11 => AES-256
d) Bit b5 is coding the derivation method
0 => [EN14890-1]
1 => Clause 6.2
e) Bit b6 is coding the usage of the SKs (in the future also the SMC shall be prepared for Re-
mote-PIN)
0 => for Secure Messaging
1 => for PSO commands (resp. ENVELOPE)
f) Bits b8 b7 are coding possibilities
00 => no SK negotiation, coding of the remaining bits results from Note 3.
01 => SK negotiation with persistent storage of the SKs
10 => SK negotiation, storage as IntroductionKeys
11 => SK negotiation, storage as PairingKeys
Note 3: Proposal for the coding of algorithmIdentifier for authentication without Session key negotia-
tion.
a) AlgId is coded in one octet.
HPC Part 1 COS, V2.3.2 Page 275 of 278
b) Bits b8 b7 are coding session key negotiation
00 => no SK negotiation, other values are discussed in Note 1.
c) The remaining bits will be set to 0, because at the moment only one method is assigned to
each key type (AES, DES, RSA, ELC).
Table 185: (N1215.00) Generic AlgorithmIdentifier for authentication purposes
Table 188: (N1218.00) AlgorithmIdentifier for Signature Computation and Signature Validation