Card and security devices for personal identification — Programming interface for security devices — Part 1: Introduction and architecture description

This document introduces and describes the concept of the application programming interface (API) to security devices with the intention to simplify the usage of commands and mechanisms defined by the ISO/IEC 7816 series. This document gives guidelines on: — the system overview and description of the system of the programming interface; — the architecture description; — the data model in general, used by the API; — the use cases and the usage model of the API.

Cartes et dispositifs de sécurité pour l’identification personnelle — Interface de programmation pour dispositifs de sécurité — Partie 1: Introduction et description de l’architecture

General Information

Status: Published
Publication Date: 14-Feb-2023
Current Stage: 6060 - International Standard published
Start Date: 15-Feb-2023
Due Date: 26-Feb-2023
Completion Date: 15-Feb-2023

Standard: ISO/IEC 23465-1:2023 - Card and security devices for personal identification — Programming interface for security devices — Part 1: Introduction and architecture description. Released 2/15/2023, English language, 22 pages.

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 23465-1
First edition 2023-02

Card and security devices for personal identification — Programming interface for security devices — Part 1: Introduction and architecture description

Reference number ISO/IEC 23465-1:2023(E)
© ISO/IEC 2023
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2023 – All rights reserved

Contents

Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Symbols and abbreviated terms ... 2
5 System overview ... 3
5.1 Conditions of use ... 3
5.2 Simple system configuration ... 4
5.3 Complex system configuration ... 4
5.4 Generic examples using the different configurations ... 5
5.4.1 SoC — Example of simple system configuration ... 5
5.4.2 ID-systems ... 5
5.4.3 Mobile devices with multiple security devices ... 6
5.4.4 Mobile devices with a single security device ... 7
5.4.5 Use cases ... 8
6 Architecture model ... 8
6.1 Components ... 8
6.1.1 Client application ... 8
6.1.2 Proxy ... 8
6.1.3 Security device ... 8
6.2 System using the API ... 8
6.3 Data model of client application ... 9
6.4 Data management ... 10
6.5 Security architecture ... 11
7 API ... 12
7.1 General ... 12
7.2 Requirements for a programming interface ... 12
7.3 API Implementation ... 12
8 Proxy ... 12
8.1 General ... 12
8.2 Proxy characteristics ... 13
9 Evolution of security device types ... 13
Annex A (informative) Design rules ... 14
Annex B (informative) Use cases ... 15
Annex C (informative) Variants of security device interfaces ... 20
Annex D (informative) Usage and co-existence of additional APIs ... 21
Bibliography ... 22

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and security devices for personal identification.

A list of all parts in the ISO/IEC 23465 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.

Introduction

Integrated circuit card (ICC) technologies and solutions are widely deployed around the world, but systems for identity tokens and credentials are quickly changing. In this context, the application protocol data unit (APDU) protocol defined in the ISO/IEC 7816 series is becoming, in some cases, a hindrance to the integration of integrated circuits (ICs) (as security devices) in environments such as mobile phones, handheld devices, connected devices (e.g. M2M, IoT) or other applications using security devices.

Several stakeholders are not familiar with, or not very fond of the APDU protocol because of its complexity. They will often circumvent its constraints by requesting an abstraction layer hiding IC specifics. Although the security mechanisms of security devices are well defined in ISO/IEC 7816-4 their implementation and application differ from vendor to vendor and the complexity overstrains most of the application developers.

In software development, a common way to simplify the usage of complex systems is the definition and application of application programming interface (API) functions to access the IC within the devices. Specific knowledge of APDU protocols and details of the IC implementation is not necessary anymore. Also, the complexity and details of the implementation of the security model and the security policy can be shifted from pure application development into system design of the electronic device and its related software.

Therefore, this document is geared towards software (SW)-architects, application programmers or specification developers developing software applications using and addressing ICs as security devices within operating systems or their components.

The projected applications can run on different software and hardware environments. Generalisation of the API definition is key and the dependencies on specific runtime environments and equipment are kept out in principle.

Existing runtime environments already support the access to IC as security devices using different specific APIs, e.g. OpenMobileAPI [10], PKCS#11 [12], but they always implement a proprietary interface and middleware, which is not commonly applicable. However, even solutions based on those kinds of middleware are perceived as cumbersome in some systems. The market looks for a middleware memory footprint to be as low as possible. This document also aims to overcome or mitigate those issues by proposing a new approach that would preserve ICC functionality and allows for a seamless ICC portability onto new systems.

Since the system is designed for easy support by mobile operation systems, mobile operating system (OS) designers/implementers are encouraged to support these standardized APIs to access any embedded secure element (eSE) within the mobile device.

In the context of mobile devices, there is a necessity for trusted computing, e.g. by dedicated security hardware. The proposed API helps the application implementer with a standardized common interface to such trusted IC.

The ISO/IEC 23465 series focuses on a solution by designing an API and a system with the following characteristics.

— It offers a set of API calls related to multi-sectorial ICC functionality, derived from the ISO/IEC 7816 series and other ICC related standards.

— It defines the sub-system to perform the conversion from the API function to the interface of the security device (e.g. APDU-interface), called Proxy.

— It results in a description of solutions with no middleware or very little middleware memory footprint (i.e. simplified drivers).

— It defines the simplified ICC capabilities, the discoverability (i.e. with significantly less complexity than ISO/IEC 24727) and examples of usages.

The ISO/IEC 23465 series is comprised of three parts each focusing on a specific topic:

— ISO/IEC 23465-1 (this document): provides an introduction to the series and a short overview of the architecture;

— ISO/IEC TS 23465-2: defines the API for client applications allowing incorporation and usage of security devices;

— ISO/IEC TS 23465-3 1): describes the software called Proxy which provides different services e.g. to convert the API calls into serialized messages to be sent to the security device.

1) Under preparation. Stage at the time of publication: ISO/IEC DTS 23465-3.

INTERNATIONAL STANDARD ISO/IEC 23465-1:2023(E)
Card and security devices for personal identification —
Programming interface for security devices —
Part 1:
Introduction and architecture description
1 Scope

This document introduces and describes the concept of the application programming interface (API) to security devices with the intention to simplify the usage of commands and mechanisms defined by the ISO/IEC 7816 series.

This document gives guidelines on:

— the system overview and description of the system of the programming interface;
— the architecture description;
— the data model in general, used by the API;
— the use cases and the usage model of the API.

2 Normative references

There are no normative references in this document.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
client
any type of entity requesting services from a security device (3.7)

3.2
ISO/IEC 23465 API
software interface defined in ISO/IEC TS 23465-2

3.3
middleware
software (SW) component allowing two systems from different or similar operating systems interconnection (OSI) layers to communicate with each other

3.4
operating systems interconnection model
OSI model
conceptual model that characterizes and standardizes the communication functions of a network or computing system without regard to its underlying internal structure and technology

3.5
secure digital memory card
SD-card
secure storage media using non-volatile memory

3.6
proxy
sub-system to perform conversion from the application programming interface (API) function to the interface of the security device (3.7)

3.7
security device
tamper-resistant secure hardware component which is used in a device to provide the security, confidentiality, and multiple application environment required to support various business models

Note 1 to entry: It may exist in any form factor, e.g. embedded or integrated SE, SIM/UICC, smart card, SD-card.

3.8
serialization
translation of data structures or object state into an octet string for transmitting or storing

3.9
trusted execution environment
TEE
aspect of the mobile device comprising hardware and/or software which provides security services to the mobile device computing environment, protects data against general software attacks and isolates hardware and software security resources from the operating system

[SOURCE: ISO 12812-1:2017, 3.60]

3.10
use case
list of actions or event steps typically defining the interactions between a role and a system to achieve a goal

Note 1 to entry: A role is known as an actor in the Unified Modelling Language.

4 Symbols and abbreviated terms

APDU  application protocol data unit
API  application programming interface
BLE  bluetooth low energy
CBOR  concise binary object representation
DF  dedicated files
eSE  embedded secure element
eSIM  embedded subscriber identity module
IC  integrated circuit
ICC  integrated circuit card
IDL  interface description language
iSIM  integrated subscriber identity module
I2C  inter-integrated circuit
JSON  JavaScript object notation
NFC  near field communication
PCB  printed circuit board
PC/SC  personal computer/smart card
OSI  open systems interconnection
OTA  over the air
SD  secure digital (memory card)
SE  secure element
SIM  subscriber identity module
SoC  system on chip
SPI  serial peripheral interface
SW  software
TEE  trusted execution environment
UICC  universal integrated circuit card
USB  universal serial bus
WIFI  wireless communication technology, defined by the Wifi consortium

5 System overview

5.1 Conditions of use

The utilisation of an API for security devices defined in the ISO/IEC 23465 series of standards is useful in any client application software which needs services of a security device. The application software may run on any electronic device, e.g. personal computers, terminals or mobile devices. The electronic device contains or is connected to a security device and allows its access by client applications. It is assumed that any software running on the electronic device is separated into several logical or functional layers. Such layers may be designed as a middleware between the client application software and the related security device or may be provided by the device’s operating system. The API is herein defined as generalised function calls from the client application software to the additional layers in the system.

The API allows the logical access to any available security device, independent of the physical form factor, the technology, the connectivity used and the applied transmission protocol. It hides the physical layer, the data link layer and the network layer of the OSI model from the application. The API offers standardized methods and functions to security device services and builds either an abstraction or a subset of the underlying security device interface, e.g. the APDU interface defined by ISO/IEC 7816-4, or both. In this way, the transport, session and presentation layers are also hidden from the client application.

The API is a representation of the application layer to a security device. The application implementer does not need further details to contact, address, select and use a connected security device. But the set of API functions still allows the application to work with the security device by retrieving all relevant information, functionality and services.

Systems implementing this API facilitate the access to the security device. Dedicated function calls and specific knowledge about the structure and architecture of the security device’s application are not needed by the client application programmer. The API generalises function calls, offers less complexity and reduces the need for knowledge about details of the security device.

The API functions are resolved within additional software, which handles the access to security devices. These additional software components are provided by the manufacturer of the electronic device. Since the number of security devices in a system is not limited, the additional software components have to be enabled to handle the different involved security devices.

Conversely, several client applications can use a single security device. It is possible for each client application to use a different application inside the security device. Furthermore, applications inside a security device are separated from each other from a security point of view.

5.2 Simple system configuration

The simplest possible configuration is outlined in Figure 1. This kind of system consists (possibly among other components) of just one software environment running any application and incorporates the security device. Such a configuration is, e.g. a SoC device proposed for mobile devices. In this case, the mobile device environment contains the complete client application and the security device, whose implementation is running on the same system and within the same runtime environment as the client application itself.

API calls from the client application directly lead to function calls in the security device. The security device implements the resolution of the API and handles the processing of the requested operation on the security device. Thus, from a client application programmer's point of view, the API calls from the client application just call the corresponding method implementation of the security device.

In this simple situation, there is neither any other layer in between nor any kind of message serialization. The API calls and the resolution of the API calls are done in the common system. To achieve this, the security device programmer normally provides a library to the system manufacturer or application.

Figure 1 — Simple system configuration

5.3 Complex system configuration

Compared to the simple configuration in Figure 1, the API defined in the ISO/IEC 23465 series of standards also applies to configurations where a system contains more than one client application or more than one security device, as outlined in Figure 2. The API supports the possibility that more than one security device is available. It contains methods to select a specific security device among the available ones. This kind of selection requires another component, called Proxy, mediating between client applications and security devices. The client application calls API methods which trigger the Proxy and address the appropriate requested functionality in the selected security device.

Figure 2 — Complex system configuration

Even in a complex system, client applications, security devices and the Proxy may run in the same runtime environment. Typically, a security device is deployed as dedicated hardware. If so, client applications and (part of) the Proxy run in a runtime environment which differs from that of the security device.

5.4 Generic examples using the different configurations

5.4.1 SoC — Example of simple system configuration

The simplest configuration of a system using security devices is a system running client applications and security devices in the same runtime environment (see 5.3). A library within the runtime environment is supposed to act as the Proxy between the client application and the security device. This library performs the API call resolution and the security device access.

5.4.2 ID-systems

A slightly more complex system runs client applications and security devices in different runtime environments with separated software layers. Examples are ID-systems in general (e.g. border control, banking, health), typically holding a client application as a part of a host connected to a card reader. Security devices in this configuration are ID-cards temporarily connected to the ID-system. To simplify the development of such systems, it would be appropriate not only to standardize the interface between the client applications and the Proxy, but also to standardize the communication between the Proxy and the security devices.

Figure 3 depicts a generic simple system showing the conditions of usage with a client application using the API defined in ISO/IEC TS 23465-2 within a single runtime environment. The Proxy can be outlined as a library or as a module in a more complex reader operating system.

Figure 3 — ID-system with host and card reader

5.4.3 Mobile devices with multiple security devices

Figure 4 shows an example of a complex system configuration using different security devices within a mobile device (e.g. mobile phones or tablet computers). The mobile app, downloaded from an app store, requests, in the course of the client application, functionality from security devices by API function calls. The software system beneath the mobile app, introduced as Proxy in the ISO/IEC 23465 series, handles the function calls and transforms or serializes them into a data stream understandable by the security devices. Depending on the implementation of the security devices, the function calls are operated by the addressed security device and the results/responses are transferred and transformed adequately to the calling mobile app. Within mobile devices, usually a fixed number of security devices are permanently connected, e.g. USIM, ISIM, eSIM, eSE, which can be used by different mobile apps loaded on the mobile phone.

The Proxy can use additional APIs to achieve the physical access to the security device, e.g. provided by the mobile operating system. Applications running on personal computers or similar devices can use additional existing SW drivers, e.g. PC/SC, which can facilitate the access. Security device form factors of mobile devices beside SIMs are, e.g. soldered ICs on the PCB, connected USB devices, SD-cards or ID cards connected via card reader interfaces (NFC, BLE).

APDUs defined in ISO/IEC 7816-4 or other representations of messages are transmitted by the lower level transmission protocols determined by the technology used in the addressed security device. Examples of these protocol types are, e.g. USB, I2C, SPI or serial communication according to ISO/IEC 7816-3, representing the physical layer in the OSI model.

The API hides all these security device details completely from the client applications. ISO/IEC TS 23465-3 gives examples on how a Proxy implements the different layers.

Figure 4 — Mobile environment using security devices
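The Proxy role described in 5.2 to 5.4.3 (resolution of API calls, selection among several security devices, serialization into a message the device understands, and delivery of the response back to the client) can be seen end to end in a small simulation. The following is an added example written for this page; it is not code from the ISO/IEC 23465 series or from any Proxy implementation. The API method names (select_device, select_application, get_data), the in-memory devices, their AIDs and their data objects are assumptions made here; the only normative part it reuses is the ISO/IEC 7816-4 command APDU layout (CLA INS P1 P2 [Lc data] [Le]) and the trailing status word SW1 SW2 of the response, which the page already names as the interface the Proxy converts to.

```python
"""Simulation of the Proxy: hypothetical API calls are resolved into ISO/IEC 7816-4
command APDUs, sent to the selected security device, and the response is split into
data and status word. Added illustration; the method names and device contents are
assumptions, not the API of ISO/IEC TS 23465-2."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SW_SUCCESS = 0x9000


class SecurityDeviceError(Exception):
    """Raised by the Proxy when a device answers with a non-success status word."""


@dataclass
class SimulatedSecurityDevice:
    """Constructed stand-in for a security device hosting several isolated
    applications keyed by AID; only the selected application's data objects are
    reachable, mirroring the separation described in 5.1 and 5.4.4."""
    name: str
    applications: Dict[bytes, Dict[int, bytes]]
    selected: Optional[bytes] = field(default=None)

    def transmit(self, apdu: bytes) -> bytes:
        """Process one command APDU and return response data followed by SW1 SW2."""
        ins, p1, p2, body = apdu[1], apdu[2], apdu[3], apdu[4:]
        if ins == 0xA4 and p1 == 0x04:            # SELECT by DF name (AID)
            aid = bytes(body[1:1 + body[0]])      # Lc then the AID bytes
            if aid not in self.applications:
                return b"\x6A\x82"                # file or application not found
            self.selected = aid
            return b"\x90\x00"
        if ins == 0xCA:                           # GET DATA, tag carried in P1 P2
            if self.selected is None:
                return b"\x69\x86"                # command not allowed: nothing selected
            value = self.applications[self.selected].get((p1 << 8) | p2)
            if value is None:
                return b"\x6A\x88"                # referenced data not found
            return value + b"\x90\x00"
        return b"\x6D\x00"                        # instruction code not supported


class Proxy:
    """Mediates between client applications and one or more security devices."""

    def __init__(self, devices: Dict[str, SimulatedSecurityDevice]):
        self.devices = devices
        self.current: Optional[SimulatedSecurityDevice] = None

    def list_devices(self) -> List[str]:
        """Discovery: names of the security devices the Proxy can reach."""
        return sorted(self.devices)

    def select_device(self, name: str) -> None:
        """Select one security device among the available ones (5.3)."""
        self.current = self.devices[name]

    @staticmethod
    def build_apdu(cla: int, ins: int, p1: int, p2: int,
                   data: bytes = b"", le: Optional[int] = None) -> bytes:
        """Serialize a short-length ISO/IEC 7816-4 command APDU (cases 1 to 4)."""
        if len(data) > 255:
            raise ValueError("short-length APDU carries at most 255 data bytes")
        apdu = bytes([cla, ins, p1, p2])
        if data:
            apdu += bytes([len(data)]) + data     # Lc field and command data
        if le is not None:
            apdu += bytes([le & 0xFF])            # Le field; 0x00 means 256
        return apdu

    @staticmethod
    def split_response(resp: bytes) -> Tuple[bytes, int]:
        """Separate response data from the trailing status word SW1 SW2."""
        if len(resp) < 2:
            raise SecurityDeviceError("response shorter than the two status bytes")
        return bytes(resp[:-2]), (resp[-2] << 8) | resp[-1]

    def _exchange(self, apdu: bytes) -> bytes:
        if self.current is None:
            raise SecurityDeviceError("no security device selected")
        data, sw = self.split_response(self.current.transmit(apdu))
        if sw != SW_SUCCESS:                      # surface the error to the client
            raise SecurityDeviceError(f"{self.current.name}: SW={sw:04X}")
        return data

    def select_application(self, aid: bytes) -> bytes:
        """Hypothetical API call resolved into SELECT by DF name."""
        return self._exchange(self.build_apdu(0x00, 0xA4, 0x04, 0x00, aid, le=0))

    def get_data(self, tag: int) -> bytes:
        """Hypothetical API call resolved into GET DATA for a two-byte tag."""
        return self._exchange(self.build_apdu(0x00, 0xCA, tag >> 8, tag & 0xFF, le=0))


# Constructed sample devices: proprietary-range AIDs and data objects invented here.
AID_ID_APP = bytes.fromhex("F0000001")
AID_OTHER = bytes.fromhex("F0000002")


def demo_proxy() -> Proxy:
    ese = SimulatedSecurityDevice("eSE", {AID_ID_APP: {0x0101: b"holder-id-0042"},
                                          AID_OTHER: {0x0101: b"other-app-data"}})
    esim = SimulatedSecurityDevice("eSIM", {AID_OTHER: {0x0101: b"sim-data"}})
    return Proxy({"eSE": ese, "eSIM": esim})


def run_demo() -> Dict[str, object]:
    """Device selection, application selection, data retrieval and an error path."""
    proxy = demo_proxy()
    out: Dict[str, object] = {"devices": proxy.list_devices()}
    proxy.select_device("eSE")
    proxy.select_application(AID_ID_APP)
    out["id_data"] = proxy.get_data(0x0101)
    try:                                          # the ID application is absent on the eSIM
        proxy.select_device("eSIM")
        proxy.select_application(AID_ID_APP)
        out["missing"] = "selected"
    except SecurityDeviceError as err:
        out["missing"] = str(err)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The client never sees an APDU: it calls a method, the Proxy serializes it, and a status word other than 9000 comes back as an exception rather than as raw bytes. Each simulated device keeps its own selection state, so switching devices does not carry an application selection across, which is the separation the clause relies on when several apps share a device.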
5.4.4 Mobile devices with a single security device

If a mobile device contains just one security device, which is used by several mobile apps, then the security device can be configured such that each mobile app uses a different application in the security device. Furthermore, the security device can be configured such that its applications are physically and logically separated from each other such that no interference occurs. The security device controls access to the assets in its applications. The Proxy controls
...
