Identification cards -- Integrated circuit cards

This document specifies interindustry commands which can be used for security operations. This document also provides informative directives on how to construct security mechanisms with commands defined in ISO/IEC 7816‑4. The choice and conditions of use of cryptographic mechanism in security operations can affect card exportability. The evaluation of the suitability of algorithms and protocols is outside the scope of this document. It does not cover the internal implementation within the card and/or the outside world.

Cartes d'identification -- Cartes à circuit intégré

General Information

Status: Published
Publication Date: 08-Aug-2021
Current Stage: 5060 - Close of voting Proof returned by Secretariat
Start Date: 23-Jun-2021
Completion Date: 23-Jun-2021

Standard
ISO/IEC 7816-8:2021 - Identification cards -- Integrated circuit cards
English language
35 pages
Draft
ISO/IEC PRF 7816-8:Version 05-jun-2021 - Identification cards -- Integrated circuit cards
English language
35 pages

Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC 7816-8
Fifth edition
2021-08
Identification cards — Integrated circuit cards —
Part 8: Commands and mechanisms for security operations
Cartes d'identification — Cartes à circuit intégré —
Partie 8: Commandes et mécanismes pour les opérations de sécurité
Reference number ISO/IEC 7816-8:2021(E)
ISO/IEC 2021
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Interindustry commands for security operations
5.1 General
5.2 Generate asymmetric key pair command
5.3 Perform security operation command
5.3.1 General
5.3.2 Compute cryptographic checksum operation
5.3.3 Compute digital signature operation
5.3.4 Hash operation
5.3.5 Verify cryptographic checksum operation
5.3.6 Verify digital signature operation
5.3.7 Verify certificate operation
5.3.8 Encipher operation
5.3.9 Decipher operation
Annex A (informative) Examples of operations related to digital signature
Annex B (informative) Examples of certificates interpreted by the card
Annex C (informative) Examples of asymmetric key transfer
Annex D (informative) Alternatives to achieve the reversible change of security context
Annex E (informative) Examples of uses for generate asymmetric key pair command
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification.

This fifth edition cancels and replaces the fourth edition (ISO/IEC 7816-8:2019), which has been technically revised.

The main changes compared to the previous edition are as follows:
— in Table A.9, A.10 and A.11, P1-P2 value of mse command has been corrected;
— in Table A.11, P1-P2 value of pso command with hash operation has been corrected.

A list of all parts in the ISO/IEC 7816 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Introduction

ISO/IEC 7816 is a series of standards specifying integrated circuit cards and the use of such cards for interchange. These cards are identification cards intended for information exchange negotiated between the outside world and the integrated circuit in the card. As a result of an information exchange, the card delivers information (computation result, stored data) and/or modifies its content (data storage, event memorization).

Five parts are specific to cards with galvanic contacts and three of them specify electrical interfaces:
— ISO/IEC 7816-1 specifies physical characteristics for cards with contacts;
— ISO/IEC 7816-2 specifies dimensions and location of the contacts;
— ISO/IEC 7816-3 specifies electrical interface and transmission protocols for asynchronous cards;
— ISO/IEC 7816-10 specifies electrical interface and answer to reset for synchronous cards;
— ISO/IEC 7816-12 specifies electrical interface and operating procedures for USB cards.

All the other parts are independent from the physical interface technology. They apply to cards accessed by contacts and/or by radio frequency:
— ISO/IEC 7816-4 specifies organization, security and commands for interchange;
— ISO/IEC 7816-5 specifies registration of application providers;
— ISO/IEC 7816-6 specifies interindustry data elements for interchange;
— ISO/IEC 7816-7 specifies commands for structured card query language;
— ISO/IEC 7816-8 specifies commands for security operations;
— ISO/IEC 7816-9 specifies commands for card management;
— ISO/IEC 7816-11 specifies personal verification through biometric methods;
— ISO/IEC 7816-13 specifies commands for handling the life cycle of applications;
— ISO/IEC 7816-15 specifies cryptographic information application.

ISO/IEC 10536 (all parts) specifies access by close coupling. ISO/IEC 14443 (all parts) and ISO/IEC 15693 (all parts) specify access by radio frequency. Such cards are also known as contactless cards.
INTERNATIONAL STANDARD ISO/IEC 7816-8:2021(E)
Identification cards — Integrated circuit cards —
Part 8:
Commands and mechanisms for security operations
1 Scope

This document specifies interindustry commands which can be used for security operations. This document also provides informative directives on how to construct security mechanisms with commands defined in ISO/IEC 7816-4.

The choice and conditions of use of cryptographic mechanism in security operations can affect card exportability. The evaluation of the suitability of algorithms and protocols is outside the scope of this document. It does not cover the internal implementation within the card and/or the outside world.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 7816-4, Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
asymmetric key pair
pair of elements belonging to cryptographic techniques that use two related operations: a public operation defined by public numbers or by a public key (3.4) and a private operation defined by private numbers or by a private key
Note 1 to entry: The two operations have the property that, given the public operation, it is computationally infeasible to derive the private operation.

3.2
certificate
digital signature (3.3) binding a particular person or object and its associated public key (3.4)
Note 1 to entry: The entity issuing the certificate also acts as tag allocation authority with respect to the data elements in the certificate.
[SOURCE: ISO/IEC 7816-4:2020, 3.11]

3.3
digital signature
data appended to, or cryptographic transformation of, a data string that proves the origin and the integrity of the data string and protects against forgery, e.g. by the recipient of the data string
[SOURCE: ISO/IEC 7816-4:2020, 3.20]

3.4
key
sequence of symbols controlling a cryptographic operation
EXAMPLE Encipherment, decipherment, a private or a public operation in a dynamic authentication, signature production, signature verification.
[SOURCE: ISO/IEC 7816-4:2020, 3.30]

3.5
non-self-descriptive certificate
certificate (3.2) consisting of a concatenation of data elements associated to a header list or extended header list, describing the structure of the certificate

3.6
self-descriptive certificate
certificate (3.2) consisting of a concatenation of data objects

3.7
secure messaging
set of means for cryptographic protection of (parts of) command-response pairs
[SOURCE: ISO/IEC 7816-4:2020, 3.49]

4 Abbreviated terms
BCD binary-coded decimal
BER basic encoding rules of ASN.1 (see ISO/IEC 8825-1)
CA certification authority
CCT control reference template for cryptographic checksum
CRT control reference template
CT control reference template for confidentiality
CVCA country verifying CA
DG3 data group 3
DO BER-TLV data object

DO'…' BER-TLV data object, the tag of which is a hexadecimal value given between single quotation marks
DSA digital signature algorithm
DST control reference template for digital signature
DV document verifier
ECC elliptic curve cryptography
ECDH elliptic curve Diffie–Hellman key exchange
ECDSA elliptic curve digital signature algorithm
EF elementary file
GQ2 modified Guillou-Quisquater protocol for zero knowledge proof
HT control reference template for hash-code
ICAO international civil aviation organization
ICC integrated circuit card
IS inspection system
KAT control reference template for key agreement
LDS logical data structure
MRTD machine readable travel document
mse manage security environment command
OID object identifier, as defined by ISO/IEC 8825-1
pso perform security operation command
RFU reserved for future use for ISO/IEC JTC 1/SC 17
RSA Rivest, Shamir, Adleman
SE security environment
SEID security environment identifier
TLV tag, length, value
5 Interindustry commands for security operations
5.1 General

An ICC compliant with this document may support any of the commands and/or options provided in 5.2 and 5.3.

NOTE In addition to the use of logical channels, there are other alternatives that can be used for switching the security context. Annex D provides information about this functionality.

5.2 Generate asymmetric key pair command

The generate asymmetric key pair command, which shall be as specified in Table 1, initiates
— the generation and storing of an asymmetric key pair, i.e. a public key and a private key, in the card,
— the generation, storing of an asymmetric key pair and extracting generated public key, or
— the extracting previously generated public key.

The command may be preceded by a manage security environment command in order to set key generation related parameters (e.g. algorithm reference). The command may be performed in one or several steps, possibly using command chaining (see ISO/IEC 7816-4).

Table 1 — generate asymmetric key pair command-response pair

CLA         As defined in ISO/IEC 7816-4
INS         '46' or '47'
P1          See Table 2
P2          '00' (no information provided) or reference of the private key to be generated coded according to ISO/IEC 7816-4:2020, Table 102
Lc field    Absent for encoding Nc = 0, present for encoding Nc > 0
Data field  Absent, or
            Proprietary data if P1-P2 set to '0000', or
            One or more CRTs associated to the key generation if P1-P2 different from '0000' (see notes)
            A CRT may include an extended header list

Le field    Absent for encoding Ne = 0, present for encoding Ne > 0
Data field  Absent, or
            Public key as a sequence of data elements (INS = '46'), or
            Public key as a sequence of data objects (INS = '47'), or
            Public key as a sequence of data objects according to an extended header list (INS = '47')
SW1-SW2     See ISO/IEC 7816-4:2020, Tables 6 and 7 where relevant, e.g. 6985

NOTE 1 Several CRTs are present when the key pair is generated for several uses. In the command data field, a CRT possibly has a zero length.

Table 2 — P1 coding

b8 b7 b6 b5 b4 b3 b2 b1 Value
0 0 0 0 0 0 0 0 No information given
1 — — — — x x x Additional information given
1 — — — — — — x Key generation
1 — — — — — — 0 - Generate asymmetric key pair
1 — — — — — — 1 - Access to an existing public key
1 — — — — — x — Format of returned public key data
1 — — — — — 0 — - Proprietary format
1 — — — — — 1 — - Output format according to extended header list
1 — — — — x — — Output indicator
1 — — — — 0 — — - Public key data in response data field
1 — — — — 1 — — - No response data if Le field absent or proprietary if Le field present
— x x x x — — — 0000, other values are RFU

NOTE 2 The private key can be stored in an internal EF the reference of which is known before issuing the command or in a DO'7F48' as cardholder private key template.

NOTE 3 The public part can be stored for example in a DO'7F49' as cardholder public key template.

For extracting a previously generated public key (i.e. no generation), the command data field shall be empty or shall contain a CRT, possibly including an extended header list.

NOTE 4 In those cases when only access to a previously generated public key is requested, P2 is either '00' or references the private key.
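
The P1 bit coding of Table 2 can be checked mechanically when reviewing a captured APDU trace. The following Python sketch is an added example, not part of ISO/IEC 7816-8; the trace, CLA '00' and the private key reference '05' are constructed sample values, and treating a non-zero P1 with b8 = 0 as an error is this example's reading of Table 2.

```python
# Added example: audit generate asymmetric key pair command headers (Tables 1 and 2).
# All APDUs in SAMPLE_TRACE are constructed for illustration.

GENKEY_INS = {
    0x46: "public key returned as a sequence of data elements",
    0x47: "public key returned as a sequence of data objects",
}


def decode_p1(p1):
    """Decode P1 per Table 2; raise ValueError for codings the table does not define."""
    if p1 == 0x00:
        return {"info_given": False}              # "No information given"
    if not p1 & 0x80:
        raise ValueError(f"P1 '{p1:02X}': b8 = 0 is only defined for '00'")
    if p1 & 0x78:
        raise ValueError(f"P1 '{p1:02X}': b7-b4 must be 0000, other values are RFU")
    return {
        "info_given": True,
        "generates_key": not p1 & 0x01,           # b1: 0 generate, 1 access existing key
        "extended_header_list": bool(p1 & 0x02),  # b2: format of returned public key data
        "key_in_response": not p1 & 0x04,         # b3: output indicator
    }


def describe_command(apdu):
    """Classify one command APDU; return None when INS is not '46' or '47'."""
    if len(apdu) < 4:
        raise ValueError("command header needs CLA INS P1 P2")
    _cla, ins, p1, p2 = apdu[:4]
    if ins not in GENKEY_INS:
        return None
    info = decode_p1(p1)
    info["response_format"] = GENKEY_INS[ins]
    info["private_key_ref"] = None if p2 == 0x00 else f"'{p2:02X}'"
    # Table 1: with P1-P2 = '0000' any command data is proprietary, otherwise CRTs.
    info["data_is_proprietary"] = p1 == 0x00 and p2 == 0x00
    return info


def audit_trace(lines):
    """Return (line, finding) pairs for commands that create keys or are malformed."""
    findings = []
    for line in lines:
        try:
            info = describe_command(bytes.fromhex(line))
        except ValueError as exc:
            findings.append((line, f"rejected: {exc}"))
            continue
        if info is None:
            continue
        if not info["info_given"]:
            findings.append((line, "P1 '00': operation is implicit, check the card profile"))
        elif info["generates_key"]:
            where = info["private_key_ref"] or "not given"
            findings.append((line, f"new key pair generated, private key reference {where}"))
    return findings


SAMPLE_TRACE = [
    "00 47 80 00 00",           # generate, public key in response
    "00 47 81 00 00",           # access to an existing public key
    "00 46 00 00",              # P1-P2 = '0000'
    "00 47 84 05",              # generate, no public key returned, key reference '05'
    "00 47 90 00 00",           # b5 set, which Table 2 marks as RFU
    "00 2A 90 80 03 61 62 63",  # perform security operation, ignored here
]

if __name__ == "__main__":
    for line, finding in audit_trace(SAMPLE_TRACE):
        print(f"{line:<26} {finding}")
```
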
The response data field shall be
— absent,
— a public key as a sequence of data elements (INS = '46'),
— a public key as a sequence of data objects (INS = '47') from Table 3, or
— a public key as a DO'7F49' (INS = '47') nesting data objects from Table 3.

If the command data field does not indicate any format of public key data, it shall be implicitly known before issuing the command (e.g. as part of the security environment). When the command data field indicates an extended header list within a CRT, it covers public key data objects and other requested data object.

EXAMPLE Annex E provides a set of examples on the use of this command.

If the algorithm is not indicated in the command, then the algorithm is known before issuing the command. In the public key template, the context-specific class (first byte from '80' to 'BF') is reserved for public key data objects.

Table 3 — Public key data objects

Tag Value
'7F49' Interindustry template for nesting one set of public key data objects with the following tags
'06' Object identifier of any further information, optional
'80' Algorithm reference as used in control reference data objects for secure messaging, optional
Set of public key data objects for RSA
'81' Modulus (a number denoted as n coded on x bytes)
'82' Public exponent (a number denoted as v, e.g. 65 537)
Set of public key data objects for DSA
'81' First prime (a number denoted as p coded on y bytes)
'82' Second prime (a number denoted as q dividing p-1, e.g. 20 bytes)
'83' Basis (a number denoted as g of order q coded on y bytes)
'84' Public key (a number denoted as y equal to g to the power x mod p where x is the private key coded on y bytes)
Set of public key data objects for ECC
'81' Prime (a number denoted as p coded on z bytes)
'82' First coefficient (a number denoted as a coded on z bytes)
'83' Second coefficient (a number denoted as b coded on z bytes)
'84' Generator (a point denoted as PB on the curve, coded on 2z + 1 or 2z or z + 1 bytes)
'85' Order (a prime number denoted as q, order of the generator PB, coded on z bytes)
'86' Public key (a point denoted as PP on the curve, equal to x times PB where x is the private key, coded on 2z + 1 or 2z or z + 1 bytes)
'87' Co-factor
Set of public key data objects for GQ2
'81' Modulus (a number denoted as n coded on x bytes)
'83' Number of basic numbers (a number denoted as m coded on 1 byte. If tag '83' is present, then tag 'A3' shall be absent and the m basic numbers denoted as g1, g2 .. gm are the first m prime numbers 2, 3, 5, 7, 11…)
'84' Verification parameter (a number denoted as k coded on 1 byte)
'A3' Set of m basic numbers denoted as g1, g2 .. gm, each one coded on 1 byte with tag '80' (If tag 'A3' is present, then tag '83' shall be absent)
Set of public key data objects for RSA Okamoto-Schnorr signature scheme
'81' p the first large prime number
'82' q the second large prime number such that q|(p − 1), with q a divisor of (p − 1)
'83' Zp* the set of integers U modulo p such as 0 < U < p and gcd (U,p) = 1, gcd() being the greatest common divisor
'84' Zq* the set of integers U' modulo q such as 0 < U' < q and gcd (U',q) = 1
'85' g the first element of Zp* of order q such as g is a generator of Gq and Gq a cyclic group of prime order q
'86' h the second element of Zp* of order q different from g
'87' y the public key, an integer denoted as y = g^(-r) h^(-s) mod p where (s,r) is the secret key, and s and r are two elements of (Zq*), and h of (Zp*)

NOTE In this context, ISO/IEC JTC 1/SC 17 reserves any other data object of the context-specific class (first byte in the range '80' to 'BF').

The RSA Okamoto-Schnorr signature scheme is considered a blind signature process, which is an interactive procedure between a signer and a recipient. It allows a recipient to obtain a signature of a message of the recipient's choice without giving the signer any information about the actual message or the resulting signature [8][9][10][11]. DO'73' may be used in the data field for returning a multi-part digital signature response comprised of concatenation of context-specific data objects defined by the application.

NOTE 5 For other Blind Signature schemes, e.g. Blind RSA signature (with data objects related to RSA), Blind Schnorr signature (with data objects related to DSA and/or ECDSA), Okamoto-Guillou-Quisquater blind signature scheme (with data objects related to GQ2), the OID under template '7F49' determines the nature and meaning of any further or different data objects, i.e. the following indications are possibly denoted by the OID.
— Blind signature type, e.g. RSA, Schnorr, Okamoto-Schnorr, Okamoto-Guillou-Quisquater.
— Cryptographic Hash function.
— Generic description of the token/credential (message) to be signed.
— Attributes generic structure, and/or
— Type of control upon signed message, i.e. partially blind, fully blind or restrictive blind signature (in some mechanisms, the signer does not totally lose control over the signed message since the signer can include explicit information in the resulting signature based on some agreement with the recipient. Such blind signatures are called partially blind signatures. Other mechanisms allow a recipient to receive a blind signature on a message not known to the signer but the choice of the message is restricted and conforms to certain rules. Such schemes are called restrictive blind signature mechanisms).
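
Reading a DO'7F49' returned with INS = '47' against the tags of Table 3, as an added Python example that is not part of ISO/IEC 7816-8. The sample bytes are constructed, the caller supplies the algorithm (which the text requires to be known beforehand when the command does not indicate it), and rejecting tags outside the chosen set is this example's policy, since an OID under '7F49' may define further data objects.

```python
# Added example: parse a DO'7F49' public key template using the tags of Table 3.
# Tags '81'..'87' mean different things per algorithm, so the caller names it.

COMMON = {0x06: "oid", 0x80: "algorithm_reference"}
TAGS = {
    "RSA": {0x81: "modulus_n", 0x82: "public_exponent_v"},
    "DSA": {0x81: "first_prime_p", 0x82: "second_prime_q", 0x83: "basis_g",
            0x84: "public_key_y"},
    "ECC": {0x81: "prime_p", 0x82: "coefficient_a", 0x83: "coefficient_b",
            0x84: "generator_PB", 0x85: "order_q", 0x86: "public_key_PP",
            0x87: "cofactor"},
}


def read_tlv(buf, pos):
    """Read one BER-TLV data object at pos; return (tag, value, next_pos)."""
    try:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:              # more tag bytes follow, as in '7F49'
            while True:
                tag = (tag << 8) | buf[pos]
                pos += 1
                if not tag & 0x80:          # last tag byte has b8 = 0
                    break
        length = buf[pos]
        pos += 1
    except IndexError:
        raise ValueError("truncated TLV header") from None
    if length & 0x80:                       # long form: '81' xx, '82' xx xx, ...
        count = length & 0x7F
        if not 1 <= count <= 4:
            raise ValueError("unsupported length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the buffer")
    return tag, bytes(buf[pos:pos + length]), pos + length


def parse_public_key(template, algorithm):
    """Return {name: value} for exactly one DO'7F49' holding Table 3 data objects."""
    names = {**COMMON, **TAGS[algorithm]}
    tag, body, end = read_tlv(template, 0)
    if tag != 0x7F49 or end != len(template):
        raise ValueError("expected exactly one DO'7F49'")
    key, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in names:
            raise ValueError(f"tag '{tag:02X}' is not listed for {algorithm} in Table 3")
        if names[tag] in key:
            raise ValueError(f"duplicate tag '{tag:02X}'")
        key[names[tag]] = value
    # Table 3: an ECC point is coded on 2z + 1, 2z or z + 1 bytes, z = size of p.
    if algorithm == "ECC" and "prime_p" in key and "public_key_PP" in key:
        z = len(key["prime_p"])
        if len(key["public_key_PP"]) not in (2 * z + 1, 2 * z, z + 1):
            raise ValueError("public key point length is not 2z + 1, 2z or z + 1")
    return key


def rsa_summary(template):
    """Return (modulus bit length, public exponent) of an RSA DO'7F49'."""
    key = parse_public_key(template, "RSA")
    n = int.from_bytes(key["modulus_n"], "big")
    v = int.from_bytes(key["public_exponent_v"], "big")
    return n.bit_length(), v


# Constructed response data: toy 64-bit modulus and public exponent 65 537.
SAMPLE_RSA = bytes.fromhex("7F490F" "8108" "C53A9F0D2B7741E3" "8203" "010001")

if __name__ == "__main__":
    bits, exponent = rsa_summary(SAMPLE_RSA)
    print(f"RSA public key: {bits}-bit modulus, exponent {exponent}")
```
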

For the coding of the DO stating information about the private part of the key pair, Table 4 applies.

Table 4 — Private key data objects
Tag Value

'7F48' Interindustry template for nesting one set of private key data object with the following tags

'82' Public exponent (optional)
'92' Parameter p
'93' Parameter q
'94' Parameter 1/q mod p
'95' Parameter d mod (p – 1)
'96' Parameter d mod (q – 1)

'7F48' Interindustry template for nesting one set of ECDSA/ECDH private key data object with the following tags
'92' Private key
'06' Object identifier of related curve (optional)
Curve information (conditional if DO'06' above is not specified)
'93' p is the prime specifying the base field
'94' A 1st coefficient of the equation y^2 = x^3 + A*x + B mod p defining the elliptic curve
'95' B 2nd coefficient of the equation y^2 = x^3 + A*x + B mod p
'96' G = (x,y) base point, i.e. a point in E of prime order, with x and y being its x- and y-coordinates
'97' q prime order of the group generated by G
'98' h cofactor of G in E, i.e. #E[GF(p)]/q

NOTE In this context, ISO/IEC JTC 1/SC 17 reserves any other data object of the context-specific class (first byte in the range '80' to 'BF').

Annex C provides examples of exporting a public key and importing a private key.
5.3 Perform security operation command
5.3.1 General

The perform security operation command, which shall be as specified in Table 5, initiates the following security operations:
— computations, such as
    — computation of a cryptographic checksum,
    — computation of a digital signature, or
    — computation of a hash-code;
— verifications, such as
    — verification of a cryptographic checksum,
    — verification of a digital signature, or
    — verification of a certificate;
— encipherment; or
— decipherment.

P1 defines output data of the security operation (see Table 6). P2 defines input data to the security operation (see Table 7). Values of tag of SM data object defined in ISO/IEC 7816-4 are used for P1 and P2.

P1 and P2 also define operation of this command. It depends on each operation defined in subsequent subclauses which value is used for P1 and P2. If the security operation requires several commands to complete, then command chaining may apply (see ISO/IEC 7816-4).

The perform security operation command may be preceded by a manage security environment command. For example, the security object reference as well as the cryptographic mechanism reference shall be either implicitly known or specified in a CRT in a manage security environment command.

NOTE A security object reference is a reference of a secret key, a reference of a public key, a reference data, a reference for computing a session key or a reference of a private key. See ISO/IEC 7816-4.

Such a command can be performed only if the security status satisfies the security attributes for the operation. The successful execution of the command may be subject to successful completion of prior commands (e.g. verify before the computation of a digital signature).

If present (e.g. implicitly known by the card or because it is part of the command data field), a header list or an extended header list defines the order and the data items that form the input for the security operation.

For this command, when a verification related operation is considered, SW1-SW2 set to '6300' or '63CX' indicates that a verification failed, 'X' ≥ '0' encodes the number of further allowed retries.

Table 5 — perform security operation command-response pair with INS = '2A'

CLA         As defined in ISO/IEC 7816-4
INS         '2A'
P1          See Table 6
P2          See Table 7
Lc field    Absent for encoding Nc = 0, present for encoding Nc > 0
Data field  Absent or value of the data object specified in P2

Le field    Absent for encoding Ne = 0, present for encoding Ne > 0
Data field  Absent or value of the data object specified in P1
SW1-SW2     See ISO/IEC 7816-4:2020, Tables 6 and 7 where relevant, e.g. 6985

Table 6 — P1 coding for output data of the security operation

Value Meaning
'00' No output data
'80' Plain value not encoded in BER-TLV
'82' Cryptogram (plain value encoded in BER-TLV DO and including SM DOs)
'84' Cryptogram (plain value encoded in BER-TLV DO, but not including SM DOs)
'86' Padding-content indicator byte followed by cryptogram (plain value not encoded in BER-TLV DO)
'8E' Cryptographic checksum
'90' Hash-code
'9E' Digital signature

NOTE Any other value is reserved for future use by ISO/IEC JTC 1/SC 17.

P1 = '00' may be used for legacy reasons to indicate that output data is stored in the card and not returned in the response, i.e. output data is not present in the response data field.

Table 7 — P2 coding for input data to the security operation

Value Meaning
'00' No input data
'80' Plain value not encoded in BER-TLV
'82' Cryptogram (plain value encoded in BER-TLV DO and including SM DOs)
'84' Cryptogram (plain value encoded in BER-TLV DO, but not including SM DOs)
'86' Padding-content indicator byte followed by cryptogram (plain value not encoded in BER-TLV DO)
...

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Interindustry commands for security operations
5.1 General
5.2 Generate asymmetric key pair command
5.3 Perform security operation command
5.3.1 General
5.3.2 Compute cryptographic checksum operation
5.3.3 Compute digital signature operation
5.3.4 Hash operation
5.3.5 Verify cryptographic checksum operation
5.3.6 Verify digital signature operation
5.3.7 Verify certificate operation
5.3.8 Encipher operation
5.3.9 Decipher operation
Annex A (informative) Examples of operations related to digital signature
Annex B (informative) Examples of certificates interpreted by the card
Annex C (informative) Examples of asymmetric key transfer
Annex D (informative) Alternatives to achieve the reversible change of security context
Annex E (informative) Examples of uses for generate asymmetric key pair command
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.c).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification.

This fifth edition cancels and replaces the fourth edition (ISO/IEC 7816-8:2019), which has been technically revised.

The main changes compared to the previous edition are as follows:
— in Table A.9, A.10 and A.11, P1-P2 value of mse command has been corrected;
— in Table A.11, P1-P2 value of pso command with hash operation has been corrected.

A list of all parts in the ISO/IEC 7816 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

ISO/IEC 7816 is a series of standards specifying integrated circuit cards and the use of such cards for interchange. These cards are identification cards intended for information exchange negotiated between the outside world and the integrated circuit in the card. As a result of an information exchange, the card delivers information (computation result, stored data) and/or modifies its content (data storage, event memorization).

Five parts are specific to cards with galvanic contacts and three of them specify electrical interfaces:
— ISO/IEC 7816-1 specifies physical characteristics for cards with contacts;
— ISO/IEC 7816-2 specifies dimensions and location of the contacts;
— ISO/IEC 7816-3 specifies electrical interface and transmission protocols for asynchronous cards;
— ISO/IEC 7816-10 specifies electrical interface and answer to reset for synchronous cards;
— ISO/IEC 7816-12 specifies electrical interface and operating procedures for USB cards.

All the other parts are independent from the physical interface technology. They apply to cards accessed by contacts and/or by radio frequency:
— ISO/IEC 7816-4 specifies organization, security and commands for interchange;
— ISO/IEC 7816-5 specifies registration of application providers;
— ISO/IEC 7816-6 specifies interindustry data elements for interchange;
— ISO/IEC 7816-7 specifies commands for structured card query language;
— ISO/IEC 7816-8 specifies commands for security operations;
— ISO/IEC 7816-9 specifies commands for card management;
— ISO/IEC 7816-11 specifies personal verification through biometric methods;
— ISO/IEC 7816-13 specifies commands for handling the life cycle of applications;
— ISO/IEC 7816-15 specifies cryptographic information application.

ISO/IEC 10536 (all parts) specifies access by close coupling. ISO/IEC 14443 (all parts) and ISO/IEC 15693 (all parts) specify access by radio frequency. Such cards are also known as contactless cards.
INTERNATIONAL STANDARD ISO/IEC 7816-8:2021(E)
Identification cards — Integrated circuit cards —
Part 8:
Commands and mechanisms for security operations
1 Scope

This document specifies interindustry commands which can be used for security operations. This document also provides informative directives on how to construct security mechanisms with commands defined in ISO/IEC 7816-4.

The choice and conditions of use of cryptographic mechanism in security operations can affect card exportability. The evaluation of the suitability of algorithms and protocols is outside the scope of this document. It does not cover the internal implementation within the card and/or the outside world.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 7816-4, Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
asymmetric key pair
pair of elements belonging to cryptographic techniques that use two related operations: a public operation defined by public numbers or by a public key (3.4) and a private operation defined by private numbers or by a private key
Note 1 to entry: The two operations have the property that, given the public operation, it is computationally infeasible to derive the private operation.
3.2
certificate
digital signature (3.3) binding a particular person or object and its associated public key (3.4)
Note 1 to entry: The entity issuing the certificate also acts as tag allocation authority with respect to the data elements in the certificate.
[SOURCE: ISO/IEC 7816-4:2020, 3.11]
3.3
digital signature

data appended to, or cryptographic transformation of, a data string that proves the origin and the integrity of the data string and protects against forgery, e.g. by the recipient of the data string
[SOURCE: ISO/IEC 7816-4:2020, 3.20]
3.4
key
sequence of symbols controlling a cryptographic operation
EXAMPLE Encipherment, decipherment, a private or a public operation in a dynamic authentication, signature production, signature verification.
[SOURCE: ISO/IEC 7816-4:2020, 3.30]
3.5
non-self-descriptive certificate
certificate (3.2) consisting of a concatenation of data elements associated to a header list or extended header list, describing the structure of the certificate
3.6
self-descriptive certificate
certificate (3.2) consisting of a concatenation of data objects
3.7
secure messaging
set of means for cryptographic protection of (parts of) command-response pairs
[SOURCE: ISO/IEC 7816-4:2020, 3.49]
4 Abbreviated terms
BCD binary-coded decimal
BER basic encoding rules of ASN.1 (see ISO/IEC 8825-1)
CA certification authority
CCT control reference template for cryptographic checksum
CRT control reference template
CT control reference template for confidentiality
CVCA country verifying CA
DG3 data group 3
DO BER-TLV data object

DO'…' BER-TLV data object, the tag of which is a hexadecimal value given between single quotation marks
DSA digital signature algorithm
DST control reference template for digital signature
DV document verifier
ECC elliptic curve cryptography
ECDH elliptic curve Diffie–Hellman key exchange
ECDSA elliptic curve digital signature algorithm
EF elementary file
GQ2 modified Guillou-Quisquater protocol for zero knowledge proof
HT control reference template for hash-code
ICAO international civil aviation organization
ICC integrated circuit card
IS inspection system
KAT control reference template for key agreement
LDS logical data structure
MRTD machine readable travel document
mse manage security environment command
OID object identifier, as defined by ISO/IEC 8825-1
pso perform security operation command
RFU reserved for future use for ISO/IEC JTC 1/SC 17
RSA Rivest, Shamir, Adleman
SE security environment
SEID security environment identifier
TLV tag, length, value
5 Interindustry commands for security operations
5.1 General

An ICC compliant with this document may support any of the commands and/or options provided in 5.2 and 5.3.

NOTE In addition to the use of logical channels, there are other alternatives that can be used for switching the security context. Annex D provides information about this functionality.
5.2 Generate asymmetric key pair command

The generate asymmetric key pair command, which shall be as specified in Table 1, initiates
— the generation and storing of an asymmetric key pair, i.e. a public key and a private key, in the card,
— the generation and storing of an asymmetric key pair and the extraction of the generated public key, or
— the extraction of a previously generated public key.

The command may be preceded by a manage security environment command in order to set key generation related parameters (e.g. algorithm reference). The command may be performed in one or several steps, possibly using command chaining (see ISO/IEC 7816-4).
Table 1 — generate asymmetric key pair command-response pair
CLA As defined in ISO/IEC 7816-4
INS '46' or '47'
P1 See Table 2
P2 '00' (no information provided) or reference of the private key to be generated coded according to ISO/IEC 7816-4:2020, Table 102
Lc field Absent for encoding Nc = 0, present for encoding Nc > 0
Data field Absent, or
Proprietary data if P1-P2 set to '0000', or
One or more CRTs associated to the key generation if P1-P2 different from '0000' (see notes)
A CRT may include an extended header list
Le field Absent for encoding Ne = 0, present for encoding Ne > 0
Data field Absent, or
Public key as a sequence of data elements (INS = '46'), or
Public key as a sequence of data objects (INS = '47'), or
Public key as a sequence of data objects according to an extended header list (INS = '47')
SW1-SW2 See ISO/IEC 7816-4:2020, Tables 6 and 7 where relevant, e.g. 6985

NOTE 1 Several CRTs are present when the key pair is generated for several uses. In the command data field, a CRT possibly has a zero length.
Table 2 — P1 coding
b8 b7 b6 b5 b4 b3 b2 b1 Value
0 0 0 0 0 0 0 0 No information given
1 — — — — x x x Additional information given
1 — — — — — — x Key generation
1 — — — — — — 0 — Generate asymmetric key pair
1 — — — — — — 1 — Access to an existing public key
1 — — — — — x — Format of returned public key data
1 — — — — — 0 — — Proprietary format
1 — — — — — 1 — — Output format according to extended header list
1 — — — — x — — Output indicator
1 — — — — 0 — — — Public key data in response data field
1 — — — — 1 — — — No response data if Le field absent or proprietary if Le field present
— x x x x — — — 0000, other values are RFU

NOTE 2 The private key can be stored in an internal EF the reference of which is known before issuing the command or in a DO'7F48' as cardholder private key template.

NOTE 3 The public part can be stored for example in a DO'7F49' as cardholder public key template.

For extracting a previously generated public key (i.e. no generation), the command data field shall be empty or shall contain a CRT, possibly including an extended header list.

NOTE 4 In those cases when only access to a previously generated public key is requested, P2 is either '00' or references the private key.
The response data field shall be
— absent,
— a public key as a sequence of data elements (INS = '46'),
— a public key as a sequence of data objects (INS = '47') from Table 3, or
— a public key as a DO'7F49' (INS = '47') nesting data objects from Table 3.

If the command data field does not indicate any format of public key data, it shall be implicitly known before issuing the command (e.g. as part of the security environment). When the command data field indicates an extended header list within a CRT, it covers public key data objects and other requested data object.

EXAMPLE Annex E provides a set of examples on the use of this command.

If the algorithm is not indicated in the command, then the algorithm is known before issuing the command. In the public key template, the context-specific class (first byte from '80' to 'BF') is reserved for public key data objects.
Table 3 — Public key data objects
Tag Value
'7F49' Interindustry template for nesting one set of public key data objects with the following tags
'06' Object identifier of any further information, optional
'80' Algorithm reference as used in control reference data objects for secure messaging, optional
Set of public key data objects for RSA
'81' Modulus (a number denoted as n coded on x bytes)
'82' Public exponent (a number denoted as v, e.g. 65 537)
Set of public key data objects for DSA
'81' First prime (a number denoted as p coded on y bytes)
'82' Second prime (a number denoted as q dividing p-1, e.g. 20 bytes)
'83' Basis (a number denoted as g of order q coded on y bytes)
'84' Public key (a number denoted as y equal to g to the power x mod p where x is the private key coded on y bytes)
Set of public key data objects for ECC
'81' Prime (a number denoted as p coded on z bytes)
'82' First coefficient (a number denoted as a coded on z bytes)
'83' Second coefficient (a number denoted as b coded on z bytes)
'84' Generator (a point denoted as PB on the curve, coded on 2z + 1 or 2z or z + 1 bytes)
'85' Order (a prime number denoted as q, order of the generator PB, coded on z bytes)
'86' Public key (a point denoted as PP on the curve, equal to x times PB where x is the private key, coded on 2z + 1 or 2z or z + 1 bytes)
'87' Co-factor
Set of public key data objects for GQ2
'81' Modulus (a number denoted as n coded on x bytes)
'83' Number of basic numbers (a number denoted as m coded on 1 byte. If tag '83' is present, then tag 'A3' shall be absent and the m basic numbers denoted as g1, g2 ... gm are the first m prime numbers 2, 3, 5, 7, 11…)
'84' Verification parameter (a number denoted as k coded on 1 byte)
'A3' Set of m basic numbers denoted as g1, g2 ... gm, each one coded on 1 byte with tag '80' (If tag 'A3' is present, then tag '83' shall be absent)
Set of public key data objects for RSA Okamoto-Schnorr signature scheme
'81' p the first large prime number
'82' q the second large prime number such that q|(p − 1), with q a divisor of (p − 1)
'83' Zp* the set of integers U modulo p such as 0 < U < p and gcd (U,p) = 1, gcd() being the greatest common divisor
'84' Zq* the set of integers U' modulo q such as 0 < U' < q and gcd (U',q) = 1
'85' g the first element of Zp* of order q such as g is a generator of Gq and Gq a cyclic group of prime order q
'86' h the second element of Zp* of order q different from g
'87' y the public key, an integer denoted as y = g^(-r) h^(-s) mod p where (s,r) is the secret key, and s and r are two elements of (Zq*), and h of (Zp*)

NOTE In this context, ISO/IEC JTC 1/SC 17 reserves any other data object of the context-specific class (first byte in the range '80' to 'BF').

The RSA Okamoto-Schnorr signature scheme is considered a blind signature process, which is an interactive procedure between a signer and a recipient. It allows a recipient to obtain a signature of a message of the recipient's choice without giving the signer any information about the actual message or the resulting signature [8][9][10][11]. DO'73' may be used in the data field for returning a multi-part digital signature response comprised of concatenation of context-specific data objects defined by the application.
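Host-side handling of a generate asymmetric key pair response with INS = '47', as an added example that is not part of ISO/IEC 7816-8: it decodes P1 per Table 2 and parses a DO'7F49' carrying the RSA objects of Table 3. The function names, the 2048-bit minimum and the sample response are assumptions made for the example; the sample modulus is a constructed placeholder, not a real key.

```python
# Added example: checks for a generate asymmetric key pair response (INS '47').

def decode_p1(p1: int) -> dict:
    """Decode P1 according to Table 2; reject codings the table leaves undefined."""
    if p1 == 0x00:
        return {"info": False}
    if not p1 & 0x80 or p1 & 0x78:      # b8 must be 1 and b7..b4 must be 0000
        raise ValueError(f"P1 '{p1:02X}' is not a Table 2 coding")
    return {
        "info": True,
        "action": "access existing public key" if p1 & 0x01 else "generate key pair",
        "format": "extended header list" if p1 & 0x02 else "proprietary",
        "public_key_in_response": not p1 & 0x04,
    }


def read_tlv(buf: bytes, pos: int = 0):
    """Read one BER-TLV data object at pos; return (tag, value, next_pos)."""
    try:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:          # more tag bytes follow, e.g. '7F49'
            while True:
                tag = (tag << 8) | buf[pos]
                pos += 1
                if not tag & 0x80:      # b8 = 0 marks the last tag byte
                    break
        length = buf[pos]
        pos += 1
        if length & 0x80:               # long form: '81' to '84' plus length bytes
            count = length & 0x7F
            if not 1 <= count <= 4 or pos + count > len(buf):
                raise ValueError("unsupported or truncated length field")
            length = int.from_bytes(buf[pos:pos + count], "big")
            pos += count
    except IndexError:
        raise ValueError("truncated data object") from None
    if pos + length > len(buf):
        raise ValueError("value field runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(response: bytes, min_bits: int = 2048) -> dict:
    """Parse DO'7F49' holding RSA objects '81' (modulus) and '82' (exponent)."""
    tag, body, end = read_tlv(response)
    if tag != 0x7F49 or end != len(response):
        raise ValueError("expected exactly one DO'7F49'")
    objects, pos = {}, 0
    while pos < len(body):
        t, value, pos = read_tlv(body, pos)
        if t in objects:
            raise ValueError(f"duplicate data object '{t:02X}'")
        objects[t] = value
    # Tags '81' and '82' mean something else for DSA, ECC or GQ2, so the caller
    # must already know that the key is RSA (e.g. from the security environment).
    if 0x81 not in objects or 0x82 not in objects:
        raise ValueError("modulus '81' or public exponent '82' missing")
    n = int.from_bytes(objects[0x81], "big")
    e = int.from_bytes(objects[0x82], "big")
    if n.bit_length() < min_bits or n % 2 == 0:     # min_bits is an assumed policy
        raise ValueError("modulus too short or even")
    if e < 3 or e % 2 == 0:
        raise ValueError("public exponent must be odd and at least 3")
    return {"n": n, "e": e, "bits": n.bit_length(),
            "oid": objects.get(0x06), "algorithm_reference": objects.get(0x80)}


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one data object; used only to build the constructed sample."""
    head = tag.to_bytes((tag.bit_length() + 7) // 8, "big")
    if len(value) < 0x80:
        return head + bytes([len(value)]) + value
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return head + bytes([0x80 | len(size)]) + size + value


# Constructed sample: 2048-bit odd placeholder modulus (not a real RSA key)
# and public exponent 65 537, nested in DO'7F49' as in Table 3.
SAMPLE_MODULUS = b"\xC3" + bytes(254) + b"\x01"
SAMPLE_RESPONSE = tlv(0x7F49, tlv(0x81, SAMPLE_MODULUS) + tlv(0x82, b"\x01\x00\x01"))

if __name__ == "__main__":
    print(decode_p1(0x80))
    key = parse_rsa_public_key(SAMPLE_RESPONSE)
    print(key["bits"], key["e"])
```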

NOTE 5 For other Blind Signature schemes, e.g. Blind RSA signature (with data objects related to RSA), Blind Schnorr signature (with data objects related to DSA and/or ECDSA), Okamoto-Guillou-Quisquater blind signature scheme (with data objects related to GQ2), the OID under template '7F49' determines the nature and meaning of any further or different data objects, i.e. the following indications are possibly denoted by the OID.

— blind signature type, e.g. RSA, Schnorr, Okamoto-Schnorr, Okamoto-Guillou-Quisquater,
— cryptographic Hash function,
— generic description of the token/credential (message) to be signed,
— attributes generic structure, and/or
— type of control upon signed message, i.e. partially blind, fully blind or restrictive blind signature (in some mechanisms, the signer does not totally lose control over the signed message since the signer can include explicit information in the resulting signature based on some agreement with the recipient. Such blind signatures are called partially blind signatures. Other mechanisms allow a recipient to receive a blind signature on a message not known to the signer but the choice of the message is restricted and conforms to certain rules. Such schemes are called restrictive blind signature mechanisms).

For the coding of the DO stating information about the private part of the key pair, Table 4 applies.

Table 4 — Private key data objects
Tag Value
'7F48' Interindustry template for nesting one set of private key data objects with the following tags
'82' public exponent (optional)
'92' parameter p
'93' parameter q
'94' parameter 1/q mod p
'95' parameter d mod (p – 1)
'96' parameter d mod (q – 1)
'7F48' Interindustry template for nesting one set of ECDSA/ECDH private key data objects with the following tags
'92' Private key
'06' object identifier of related curve (optional)
or
curve information (optional):
'93' — p is the prime specifying the base field;
'94' — A 1st coefficient of the equation y^2 = x^3 + A*x + B mod p defining the elliptic curve;
'95' — B 2nd coefficient of the equation y^2 = x^3 + A*x + B mod p;
'96' — G = (x,y) base point, i.e., a point in E of prime order, with x and y being its x- and y-coordinates;
'97' — q prime order of the group generated by G;
'98' — h cofactor of G in E, i.e. #E[GF(p)]/q.

NOTE In this context, ISO/IEC JTC 1/SC 17 reserves any other data object of the context-specific class (first byte in the range '80' to 'BF').
Annex C provides examples of exporting a public key and importing a private key.
5.3 Perform security operation command
5.3.1 General

The perform security operation command, which shall be as specified in Table 5, initiates the following security operations:
— computations, such as
— computation of a cryptographic checksum,
— computation of a digital signature, or
— computation of a hash-code;
— verifications, such as
— verification of a cryptographic checksum,
— verification of a digital signature, or
— verification of a certificate;
— encipherment; or
— decipherment.

P1 defines output data of the security operation (see Table 6). P2 defines input data to the security operation (see Table 7). The tag values of the SM data objects defined in ISO/IEC 7816-4 are used for P1 and P2.

P1 and P2 also define the operation of this command. Which values are used for P1 and P2 depends on each operation, as defined in the subsequent subclauses. If the security operation requires several commands to complete, then command chaining may apply (see ISO/IEC 7816-4).

The perform security operation command may be preceded by a manage security environment command.

For example, the security object reference as well as the cryptographic mechanism reference shall be either implicitly known or specified in a CRT in a manage security environment command.

NOTE A security object reference is a reference of a secret key, a reference of a public key, a reference data, a reference for computing a session key or a reference of a private key. See ISO/IEC 7816-4.

Such a command can be performed only if the security status satisfies the security attributes for the operation. The successful execution of the command may be subject to successful completion of prior commands (e.g. verify before the computation of a digital signature).

If present (e.g. implicitly known by the card or because it is part of the command data field), a header list or an extended header list defines the order and the data items that form the input for the security operation.

For this command, when a verification related operation is considered, SW1-SW2 set to '6300' or '63CX' indicates that a verification failed, where 'X' ≥ '0' encodes the number of further allowed retries.

Table 5 — perform security operation command-response pair with INS = '2A'
CLA As defined in ISO/IEC 7816-4
INS '2A'
P1 See Table 6
P2 See Table 7
Lc field Absent for encoding Nc = 0, present for encoding Nc > 0
Data field Absent or value of the data object specified in P2
Le field Absent for encoding Ne = 0, present for encoding Ne > 0
Data field Absent or value of the data object specified in P1
SW1-SW2 See ISO/IEC 7816-4:2020, Tables 6 and 7 where relevant, e.g. 6985
Table 6 — P1 coding for output data of the security operation
Value Meaning
'00' No output data
'80' Plain value not encoded in BER-TLV
'82' Cryptogram (plain value encoded in BER-TLV DO and including SM DOs)
'84' Cryptogram (plain value encoded in BER-TLV DO, but not including SM DOs)
'86' Padding-content indicator byte followed by cryptogram (plain value not enco
...
