ISO/IEC 7816

ISO/IEC 7816 is an international standard related to electronic identification cards with contacts, especially smart cards, and more recently, contactless mobile devices, managed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

It is developed by ISO/IEC JTC 1 (Joint Technical Committee 1) / SC 17 (Subcommittee 17). [1]

The following describes the different parts of this standard.

Note: abstracts and dates, when present, are mere quotations from the ISO website, [2] and are neither guaranteed at the time of edition nor in the future.

Parts

7816-1: Cards with contacts — Physical characteristics

Created in 1987, updated in 1998, amended in 2003, updated in 2011. [3]

This part describes the physical characteristics of the card, primarily by reference to ISO/IEC 7810 Identification cards — Physical characteristics, but also with other characteristics such as mechanical strength.

7816-2: Cards with contacts — Dimensions and location of the contacts

[Figure: Four example SIM card sizes that use the ISO/IEC 7816 interface.]

Created in 1988, updated in 1999, amended in 2004, updated in 2007. The standard defines an eight (or six) pin interface; the first pin is located at the bottom-right corner for the image given. Pins 4 and 8 are occasionally omitted. [4]

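ISO/IEC 7816-2 pinout

| Pin # | Name  | Description                    |
|-------|-------|--------------------------------|
| 1     | VCC   | +5 V or 3.3 V DC               |
| 2     | Reset | Card Reset (Optional)          |
| 3     | CLOCK | Card Clock                     |
| 4     | AS    | Application Specific           |
| 5     | GND   | Ground                         |
| 6     | VPP   | +21 V DC [Programming], or NC  |
| 7     | I/O   | In/out [Data]                  |
| 8     | AS    | Application Specific           |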

7816-3: Cards with contacts — Electrical interface and transmission protocols

Created in 1989, amended in 1992 (addition of the T=1 protocol), amended in 1994 (revision of Protocol Type Selection), updated in 1997 (including addition of 3 Volt operation), amended in 2002 (including addition of 1.8 Volt operation), last updated in 2006 (including removal of Vpp). [5]

7816-4: Organization, security and commands for interchange

Created in 1995, updated in 2005, 2013 and 2020. [6] Amended in 2023. [7]

According to its abstract, it specifies:

It does not cover the internal implementation within the card or the outside world.

ISO/IEC 7816-4:2020 is independent of the physical interface technology, and applies equally to contact cards, proximity cards and vicinity cards.

7816-5: Registration of application providers

Created in 1995, updated in 2004. [8] This part is maintained by Danish Standards. [9]

According to its abstract, ISO/IEC 7816-5 defines how to use an application identifier to ascertain the presence of and/or perform the retrieval of an application in a card.

ISO/IEC 7816-5:2004 shows how to grant the uniqueness of application identifiers through the international registration of a part of this identifier, and defines

7816-6: Interindustry data elements for interchange

Created in 1996, updated in 2004, amended in 2006, updated in 2016 and 2023. [10] This part is maintained by Deutsches Institut für Normung (DIN). [9]

According to its abstract, it specifies the Data Elements (DEs) used for interindustry interchange based on integrated circuit cards (ICCs) both with contacts and without contacts. It gives the identifier, name, description, format, coding and layout of each DE and defines the means of retrieval of DEs from the card.

7816-7: Interindustry commands for Structured Card Query Language (SCQL)

Created in 1999. [11]

7816-8: Commands and mechanisms for security operations

Created in 1995, updated in 2004, 2016, 2019, and 2021. [12]

According to its abstract, it specifies interindustry commands for integrated circuit cards (either with contacts or without contacts) that may be used for cryptographic operations. These commands are complementary to and based on the commands listed in ISO/IEC 7816-4.

Annexes are provided that give examples of operations related to digital signatures, certificates and the import and export of asymmetric keys.

The choice and conditions of use of cryptographic mechanisms may affect card exportability. The evaluation of the suitability of algorithms and protocols is outside the scope of ISO/IEC 7816-8.

7816-9: Commands for card management

Created in 1995, updated in 2004, updated in 2017. [13]

According to its abstract, it specifies interindustry commands for integrated circuit cards (both with contacts and without contacts) for card and file management, e.g. file creation and deletion. These commands cover the entire life cycle of the card and therefore some commands may be used before the card has been issued to the cardholder or after the card has expired.

An annex is provided that shows how to control the loading of data (secure download) into the card, by means of verifying the access rights of the loading entity and protection of the transmitted data with secure messaging. The loaded data may contain, for example, code, keys and applets.

7816-10: Electronic signals and answer to reset for synchronous cards

Created in 1999. [14]

This part specifies the power, signal structures, and the structure for the answer to reset between an integrated circuit card(s) with synchronous transmission and an interface device such as a terminal.

7816-11: Personal verification through biometric methods

Created in 2004, updated in 2017. [15]

This part of ISO/IEC 7816 specifies security-related interindustry commands to be used for personal verification through biometric methods in integrated circuit cards. It also defines the data structure and data access methods for use of the card as a carrier of the biometric reference and/or as the device to perform the verification of the cardholder’s biometric probe (on-card biometric comparison). Identification of persons using biometric methods is outside the scope of this standard.

7816-12: Cards with contacts — USB electrical interface and operating procedures

Created in 2005. [16]

According to its abstract, it specifies the operating conditions of an integrated circuit card that provides a USB interface. An integrated circuit card with a USB interface is named USB-ICC.

ISO/IEC 7816-12:2005 specifies:

ISO/IEC 7816-12:2005 provides two protocols for control transfers. This is to support the protocol T=0 (version A) or to use the transfer on APDU level (version B). ISO/IEC 7816-12:2005 provides the state diagrams for the USB-ICC for each of the transfers (bulk transfers, control transfers version A and version B). Examples of possible sequences which the USB-ICC must be able to handle are given in an informative annex.

The USB CCID device class defines a standard for communicating with ISO/IEC 7816 smart cards over USB.

7816-13: Commands for application management in multi-application environment

This part specifies commands for application management in a multi-application environment. [17]

7816-15: Cryptographic information application

Created in 2004, amended in 2004, 2007, 2008, updated in 2016. [18]

According to its abstract, it specifies a card application. This application contains information on cryptographic functionality. Further, ISO/IEC 7816-15:2016 defines a common syntax (in ASN.1) and format for the cryptographic information and mechanisms to share this information whenever appropriate.

ISO/IEC 7816-15:2016 supports the following capabilities:

Related Research Articles

Smart card: Pocket-sized card with embedded integrated circuits for identification or payment functions

A smart card (SC), chip card, or integrated circuit card, is a card used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.

ISO/IEC 7810: Standard for ID cards

ISO/IEC 7810 Identification cards — Physical characteristics is an international standard that defines the physical characteristics for identification cards.

ISO/IEC 14443 Identification cards -- Contactless integrated circuit cards -- Proximity cards is an international standard that defines proximity cards used for identification, and the transmission protocols for communicating with them.

SIM card: Integrated circuit card for a mobile device

A SIM card is an integrated circuit (IC) intended to securely store an international mobile subscriber identity (IMSI) number and its related key, which are used to identify and authenticate subscribers on mobile telephone devices. Technically the actual physical card is known as a universal integrated circuit card (UICC); this smart card is usually made of PVC with embedded contacts and semiconductors, with the SIM as its primary component. In practice the term "SIM card" is still used to refer to the entire unit and not simply the IC.

Proximity card: Contactless smart card

A proximity card or prox card, also known as a key card or keycard, is a contactless smart card which can be read without inserting it into a reader device, as required by earlier magnetic stripe cards such as credit cards and contact type smart cards. Proximity cards are part of the contactless card technologies. Held near an electronic reader for a moment, they enable the identification of an encoded number. The reader usually produces a beep or other sound to indicate the card has been read.

EMV: Smart payment card standard

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

Registration authorities exist for many standards organizations, such as ANNA, the Object Management Group, W3C, and others. In general, registration authorities all perform a similar function, in promoting the use of a particular standard through facilitating its use. This may be by applying the standard, where appropriate, or by verifying that a particular application satisfies the standard's tenets. Maintenance agencies, in contrast, may change an element in a standard based on set rules – such as the creation or change of a currency code when a currency is created or revalued. The Object Management Group has an additional concept of certified provider, which is deemed an entity permitted to perform some functions on behalf of the registration authority, under specific processes and procedures documented within the standard for such a role.

ISO/IEC 7813 is an international standard codified by the International Organization for Standardization and International Electrotechnical Commission that defines properties of financial transaction cards, such as ATM or credit cards.

A card reader is a data input device that reads data from a card-shaped storage medium and provides the data to a computer. Card readers can acquire data from a card via a number of methods, including: optical scanning of printed text or barcodes or holes on punched cards, electrical signals from connections made or interrupted by a card's punched holes or embedded circuitry, or electronic devices that can read plastic cards embedded with either a magnetic strip, computer chip, RFID chip, or another storage medium.

A contactless smart card is a contactless credential whose dimensions are credit card size. Its embedded integrated circuits can store data and communicate with a terminal via NFC. Commonplace uses include transit tickets, bank cards and passports.

A datacard is an electronic card for data operations.

BioAPI: Biometric Interworking Protocol

BioAPI is a key part of the International Standards that support systems that perform biometric enrollment and verification. It defines interfaces between modules that enable software from multiple vendors to be integrated together to provide a biometrics application within a system, or between one or more systems using a defined Biometric Interworking Protocol (BIP) – see below.

OpenPGP card: Type of cryptographic smart card

In cryptography, the OpenPGP card is an ISO/IEC 7816-4, -8 compatible smart card that is integrated with many OpenPGP functions. Using this smart card, various cryptographic tasks can be performed. It allows secure storage of secret key material; all versions of the protocol state, "Private keys and passwords cannot be read from the card with any command or function." However, new key pairs may be loaded onto the card at any time, overwriting the existing ones.

An Answer To Reset (ATR) is a message output by a contact Smart Card conforming to ISO/IEC 7816 standards, following electrical reset of the card's chip by a card reader. The ATR conveys information about the communication parameters proposed by the card, and the card's nature and state.

ISO/IEC 24727 is the first international standard to address the need for creation of a layered framework to support interoperability of smart cards providing identification, authentication, and (digital) signature services.

ISO/IEC JTC 1/SC 37 Biometrics is a standardization subcommittee in the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of biometrics. The international secretariat of ISO/IEC JTC 1/SC 37 is the American National Standards Institute (ANSI), located in the United States.

ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of identification cards and personal identification. The international secretariat of ISO/IEC JTC 1/SC 17 is the British Standards Institution (BSI) located in the United Kingdom.

WebUSB is a JavaScript application programming interface (API) specification for securely providing access to USB devices from web applications.

References

  1. "ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification". Iso.org. Retrieved 2017-10-11.
  2. "Browse by ICS". www.iso.org. Retrieved 19 April 2018.
  3. "ISO/IEC 7816-1:2011 Identification cards — Integrated circuit cards — Part 1: Cards with contacts — Physical characteristics". Iso.org. 2011-01-31. Retrieved 2017-10-11.
  4. "ISO/IEC 7816-2:2007 Identification cards — Integrated circuit cards — Part 2: Cards with contacts — Dimensions and location of the contacts". Iso.org. 2007-10-11. Retrieved 2017-10-11.
  5. "ISO/IEC 7816-3:2006 Identification cards — Integrated circuit cards — Part 3: Cards with contacts — Electrical interface and transmission protocols". Iso.org. 2006-10-30. Retrieved 2017-10-11.
  6. "ISO/IEC 7816-4:2020 Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange". Iso.org. May 2020. Retrieved 2020-08-05.
  7. "ISO/IEC 7816-4:2020/Amd 1:2023 Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange — Amendment 1: Support of multiple logical security devices". Iso.org. 2023-10-01. Retrieved 2023-05-08.
  8. "ISO/IEC 7816-5:2004 Identification cards — Integrated circuit cards — Part 5: Registration of application providers". Iso.org. 2010-03-17. Retrieved 2017-10-11.
  9. "Maintenance agencies and registration authorities". ISO. Retrieved 2023-11-21.
  10. "ISO/IEC 7816-6:2016 Identification cards — Integrated circuit cards — Part 6: Interindustry data elements for interchange". Iso.org. 2016-06-14. Retrieved 2017-10-11.
  11. "ISO/IEC 7816-7:1999 Identification cards — Integrated circuit(s) cards with contacts — Part 7: Interindustry commands for Structured Card Query Language (SCQL)". Iso.org. 2010-06-17. Retrieved 2017-10-11.
  12. "ISO/IEC 7816-8:2021 Identification cards — Integrated circuit cards — Part 8: Commands and mechanisms for security operations". Iso.org. 2021-08-01. Retrieved 2024-05-08.
  13. "ISO/IEC 7816-9:2017 Identification cards — Integrated circuit cards — Part 9: Commands for card management". Iso.org. 2017-12-07. Retrieved 2018-01-04.
  14. "ISO/IEC 7816-10:1999 Identification cards — Integrated circuit(s) cards with contacts — Part 10: Electronic signals and answer to reset for synchronous cards". Iso.org. 2010-06-17. Retrieved 2017-10-11.
  15. "ISO/IEC 7816-11:2007 Identification cards — Integrated circuit cards — Part 11: Personal verification through biometric methods". Iso.org. 2017-12-01. Retrieved 2018-01-04.
  16. "ISO/IEC 7816-12:2005 Identification cards — Integrated circuit cards — Part 12: Cards with contacts — USB electrical interface and operating procedures". Iso.org. 2011-03-17. Retrieved 2017-10-11.
  17. "ISO/IEC 7816-13:2007 Identification cards — Integrated circuit cards — Part 13: Commands for application management in a multi-application environment". Iso.org. 2007-03-09. Retrieved 2017-10-11.
  18. "ISO/IEC 7816-15:2016 Identification cards — Integrated circuit cards — Part 15: Cryptographic information application". Iso.org. 2016-05-09. Retrieved 2017-10-11.