ISO/IEC 7816-15:2016

FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
7816-15
ISO/IEC JTC 1/SC 17
Identification cards — Integrated
Secretariat: BSI
circuit cards —
Voting begins
on: 2015-12-07
Part 15:
Voting terminates
Cryptographic information application
on: 2016-02-07
Cartes d’identification — Cartes à circuit intégré à contacts —
Partie 15: Application des informations cryptographiques
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/IEC FDIS 7816-15:2015(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
©
NATIONAL REGULATIONS. ISO/IEC 2015

---------------------- Page: 1 ----------------------
ISO/IEC FDIS 7816-15:2015(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC FDIS 7816-15
Contents Page
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Symbols and abbreviated terms . 5
4.1 Symbols . 5
4.2 Abbreviated terms . 5
5 Conventions . 7
6 Cryptographic information objects . 7
6.1 General . 7
6.2 CIO classes . 7
6.3 Attributes . 8
6.4 Access restrictions . 8
7 CIO files . 8
7.1 Overview . 8
7.2 IC card requirements . 8
7.3 Card file structure . 8
7.4 EF.DIR . 9
7.5 Contents of DF.CIA . 11
7.5.1 Overview . 11
7.5.2 CIAInfo EF . 11
7.5.3 EF.OD . 12
7.5.4 CIO directory files . 12
7.5.5 DF.CIA selection . 13
8 Information syntax in ASN.1 . 13
8.1 Guidelines and encoding conventions . 13
8.2 Basic ASN.1 defined types . 14
8.2.1 Identifier . 14
8.2.2 Reference . 14
8.2.3 Label . 14
8.2.4 CredentialIdentifier . 14
8.2.5 ReferencedValue and Path . 15
8.2.6 ObjectValue . 16
8.2.7 PathOrObjects . 16
8.2.8 CommonObjectAttributes . 17
8.2.9 CommonKeyAttributes . 20
8.2.10 CommonPrivateKeyAttributes . 21
8.2.11 CommonPublicKeyAttributes . 22
8.2.12 CommonSecretKeyAttributes . 22
8.2.13 GenericKeyAttributes . 23
8.2.14 KeyInfo. 23
8.2.15 CommonCertificateAttributes . 23
8.2.16 GenericCertificateAttributes . 24
8.2.17 CommonDataContainerObjectAttributes . 24
8.2.18 CommonAuthenticationObjectAttributes . 25
8.2.19 CIO type . 25
8.3 CIOChoice type . 25
8.4 Private key information objects . 26
8.4.1 PrivateKeyChoice . 26
Error! Reference source not found. i

---------------------- Page: 3 ----------------------
ISO/IEC FDIS 7816-15
8.4.2 Private RSA key attributes .26
8.4.3 Private elliptic curve key attributes .27
8.4.4 Private Diffie-Hellman key attributes .27
8.4.5 Private DSA key attributes .27
8.4.6 Private KEA key attributes .27
8.4.7 Generic private key information objects .28
8.5 Public key information objects .28
8.5.1 PublicKeyChoice .28
8.5.2 Public RSA key attributes .28
8.5.3 Public elliptic curve key attributes .28
8.5.4 Public Diffie-Hellman key attributes .29
8.5.5 Public DSA key attributes .29
8.5.6 Public KEA key attributes .30
8.5.7 Generic public key information objects .30
8.6 Secret key information objects .30
8.6.1 SecretKeyChoice .30
8.6.2 Algorithm independent key attributes .30
8.6.3 GenericSecretKey type .31
8.7 Certificate information objects .31
8.7.1 CertificateChoice .31
8.7.2 X.509 certificate attributes .31
8.7.3 X.509 attribute certificate attributes.31
8.7.4 SPKI certificate attributes .32
8.7.5 PGP (Pretty Good Privacy) certificate attributes .32
8.7.6 WTLS certificate attributes .32
8.7.7 ANSI X9.68 domain certificate attributes .32
8.7.8 Card verifiable certificate attributes .33
8.7.9 Generic certificate attributes .33
8.8 Data container information objects .33
8.8.1 DataContainerObjectChoice .33
8.8.2 Opaque data container object attributes .33
8.8.3 ISO/IEC 7816 data object attributes .33
8.8.4 Data container information objects identified by OBJECT IDENTIFIERS .34
8.9 Authentication information objects .34
8.9.1 AuthenticationObjectChoice .34
8.9.2 Password attributes .34
8.9.3 Biometric reference data attributes .37
8.9.4 Authentication objects for external and internal authentication .39
8.10 Cryptographic information file, EF.CIAInfo .40
Annex A (normative) ASN.1 module .43
Annex B (informative) CIA example for cards with digital signature and authentication
functionality .59
B.1 General .59
B.2 CIOs .59
B.3 Access control .60
Annex C (informative) Example topologies .62
Annex D (informative) Examples of CIO values and their encodings .67
D.1 General .67
D.2 EF.OD .67
D.2.1 ASN.1 value notation .67
D.2.2 ASN.1 description, tags, lengths and values .68
D.2.3 Hexadecimal DER-encoding .68
D.3 EF.CIAInfo .68
D.3.1 ASN.1 value notation .68
D.3.2 ASN.1 description, tags, lengths and values .69
D.3.3 Hexadecimal DER-encoding .69
D.4 EF.PrKD .69
D.4.1 ASN.1 value notation .69
ii Error! Reference source not found.

---------------------- Page: 4 ----------------------
ISO/IEC FDIS 7816-15
D.4.2 ASN.1 description, tags, lengths and values. 70
D.4.3 Hexadecimal DER-encoding . 71
D.5 EF. CD . 72
D.5.1 ASN.1 value notation . 72
D.5.2 ASN.1 description, tags, lengths and values. 73
D.5.3 Hexadecimal DER-encoding . 73
D.6 EF.AOD . 74
D.6.1 ASN.1 value notation . 74
D.6.2 ASN.1 description, tags, lengths and values. 75
D.6.3 Hexadecimal DER-encoding . 76
D.7 EF.DCOD . 76
D.7.1 ASN.1 value notation . 76
D.7.2 ASN.1 description, tags, lengths and values. 77
D.7.3 Hexadecimal DER-encoding of DCOD . 77
D.8 Application template (within the EF.DIR) . 78
D.8.1 ASN.1 value notation . 78
D.8.2 ASN.1 description, tags, lengths and values in ApplicationTemplate . 78
D.8.3 Hexadecimal DER-encoding of ApplicationTemplate . 78
D.9 GeneralizedTime encoding guidelines . 78
Annex E (informative) Examples of the use of the cryptographic information application . 80
E.1 General . 80
E.2 Encoding of a private key . 80
E.2.1 Cryptographic information application example description . 80
E.2.2 ASN.1 encoding of an RSA private key . 80
E.2.3 Code encoding and decoding from the ASN.1 . 81
E.2.4 BER encoding . 84
E.3 Encoding of a protected data container . 86
E.3.1 Cryptographic information application example description . 86
E.3.2 ASN.1 encoding of the protected data container object . 86
E.3.3 Code from the ASN.1 for encoding and decoding BER . 87
E.3.4 BER encoding . 95
E.4 Encoding of a certificate . 95
E.4.1 Cryptographic information application example description . 95
E.4.2 ASN.1 Encoding of an X.509 certificate . 95
E.4.3 Code from the ASN.1 for encoding and decoding BER . 97
E.4.4 BER encoding . 103
E.5 Encoding of the ESIGN cryptographic information application . 107
E.5.1 Cryptographic information application example description . 107
E.5.2 ASN.1 encoding of the IAS cryptographic information application . 107
E.5.3 Code from the ASN.1 for encoding a decoding BER . 115
E.5.4 BER encoding . 115
Bibliography . 118

Error! Reference source not found. iii

---------------------- Page: 5 ----------------------
ISO/IEC FDIS 7816-15
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of
document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on the ISO
list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT)
see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 17,
Cards and personal identification.
This second edition cancels and replaces the first edition (ISO/IEC 7816-15:2004), which has been technically
revised. It also incorporates the Amendments ISO/IEC 7816-15:2004/Amd. 1:2007 and ISO/IEC 7816-
15:2004/Amd. 2:2008 and the Technical Corrigendum ISO/IEC 7816-15:2004/Cor. 1:2004.
ISO/IEC 7816 consists of the following parts, under the general title Identification cards — Integrated circuit
cards:
— Part 1: Cards with contacts — Physical characteristics
— Part 2: Cards with contacts — Dimensions and location of the contacts
— Part 3: Cards with contacts — Electrical interface and transmission protocols
— Part 4: Organization, security and commands for interchange
— Part 5: Registration of application providers
— Part 6: Interindustry data elements for interchange
— Part 7: Interindustry commands for Structured Card Query Language (SCQL)
— Part 8: Commands and mechanisms for security operations
— Part 9: Commands for card management
iv Error! Reference source not found.

---------------------- Page: 6 ----------------------
ISO/IEC FDIS 7816-15
— Part 10: Electronic signals and answer to reset for synchronous cards
— Part 11: Personal verification through biometric methods
— Part 12: Cards with contacts — USB electrical interface and operating procedures
— Part 13: Commands for application management in a multi-application environment
— Part 15: Cryptographic information application
Error! Reference source not found. v

---------------------- Page: 7 ----------------------
ISO/IEC FDIS 7816-15
Introduction
Integrated circuit cards with cryptographic functions can be used for secure identification of users of
information systems, as well as for other core security services such as non-repudiation with digital signatures
and distribution of enciphering keys for confidentiality. The objective of this part of ISO/IEC 7816 is to provide
a framework for such services based on available International Standards. A main goal has been to provide a
solution that may be used in large-scale systems with several issuers of compatible cards, providing for
international interchange. It is flexible enough to allow for many different environments while still preserving
the requirements for interoperability.
A number of data structures have been provided to manage private keys and key fragments to support a
public key certificate infrastructure and flexible management of user and entity authentication.
This part of ISO/IEC 7816 is based on PKCS #15 v1.1 (see Reference [9]). The relationship between these
documents is as follows:
 a common core is identical in both documents;
 those components of PKCS #15 which do not relate to IC cards have been removed.
This part of ISO/IEC 7816 includes enhancements to meet specific IC card requirements.
vi Error! Reference source not found.

---------------------- Page: 8 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 7816-15

Identification cards — Integrated circuit cards — Part 15:
Cryptographic information application
1 Scope
This part of ISO/IEC 7816 specifies an application in a card. This application contains information on
cryptographic functionality. This part of ISO/IEC 7816 defines a common syntax and format for the
cryptographic information and mechanisms to share this information whenever appropriate.
The objectives of this part of ISO/IEC 7816 are to
 facilitate interoperability among components running on various platforms (platform neutral),
 enable applications in the outside world to take advantage of products and components from multiple
manufacturers (vendor neutral),
 enable the use of advances in technology without rewriting applica
...