In the context of smart cards, an application protocol data unit (APDU) is the communication unit between a smart card reader and a smart card. The structure of the APDU is defined by ISO/IEC 7816-4 Organization, security and commands for interchange. [1]
There are two categories of APDUs: command APDUs and response APDUs. A command APDU is sent by the reader to the card – it contains a mandatory 4-byte header (CLA, INS, P1, P2) [2] and from 0 to 65 535 bytes of data. A response APDU is sent by the card to the reader – it contains from 0 to 65 536 bytes of data, and 2 mandatory status bytes (SW1, SW2).
| Command APDU | ||
|---|---|---|
| Field name | Length (bytes) | Description |
| CLA | 1 | Instruction class - indicates the type of command, e.g., interindustry or proprietary |
| INS | 1 | Instruction code - indicates the specific command, e.g., "select", "write data" |
| P1-P2 | 2 | Instruction parameters for the command, e.g., offset into file at which to write the data |
| Lc | 0, 1 or 3 | Encodes the number (Nc) of bytes of command data to follow 0 bytes denotes Nc=0 |
| Command data | Nc | Nc bytes of data |
| Le | 0, 1, 2 or 3 | Encodes the maximum number (Ne) of response bytes expected 0 bytes denotes Ne=0 |
| Response APDU | ||
| Response data | Nr (at most Ne) | Response data |
| SW1-SW2 (Response trailer) | 2 | Command processing status, e.g., 90 00 (hexadecimal) indicates success [2] |