C.I.E – Carta di Identità Elettronica Functional Specification Version 2.0

More documents

Recommendations

Info

4 --- b0 BSO IDTable 45: External Authenticate commandThis command allows the card to authenticate an external entity by means of a challenge-responseprotocol.It is possible to perform an External Authenticate only after a Get Challenge command. The GetChallenge makes the card generate internally a random, that is stored internally and sent to theterminal.It is possible to have other commands between a Get Challenge and its External Authenticate, aslong as they are issued during the same card session (between 2 resets).The random generated during the Get Challenge command is valid for only one ExternalAuthentication.The Data Field of the command contains the result of the cryptographic operation made on thechallenge.The card compares this value with the value computed internally, and if they match, the securitystatus of the card changes accordingly.The algorithm used for the cryptogram computation is set in the BSO, so P1=0.BSOs that can be used with External Authenticate are:• RSA KPUB – EXT AUTH• 3DES – EXT AUTHThe parameter P2 contains the scope and the ID of the BSO. If the BSO ID is equal to 0 then theBSO is searched in component TEST of the Current Security Environment (CSE).The length of the data field has to match the length of the challenge, and has to be 8 bytes if 3DESis used, or exactly the length of the key modulus in the other case (RSA). If it is not the case, anerror is returned.When the command is executed with success, the access right is granted and the error counterrelated to the relevant object (BSO) is set to its max value.If the command is not executed with success, then access right is not granted and the error counteris decreased by one.Security:The access condition to satisfy is AC_USE. The BSO object must not be in a blocked status.Recommendation:The use of External Authenticate in SM_SIG mode is deprecated.CIE - Functional Specification v 2.0 -Page 62/76
12.13 RESET RETRY COUNTERCLA INS P1 P2 P3 Data Field0X2C00 forPINXX forotherBSOtypeb7 = 0 BSO under theMFb7 = 1 BSO search withbacktrackingb6 = 0b5 = 0LC = m (verify) / 00+ n (new) / 00Verify data or empty+New reference data oremptyb4 --- b0 (BSO ID)Table 46: RESET RETRY COUNTER commandThis command sets the error counter of a security base object (BSO) to its maximum preset value.P1 coding has been extended with respect to what is indicated in ISO 7816-8.The RFU bits in P1 have been used to signal the object description.Only test object can be referenced.P1 ValueDescription0000 0000 The data field contains “Verification Data” and “New Reference Data”. This mode isvalid only when the object referred to by P2 has as access condition forAC_UNBLOCK a reference to a PIN object.Xxxx x001Xxxx x011The data field contains only “Verify Data”. This mode is only valid when the objectreferred to by P2 has as access condition for AC_UNBLOCK a reference to a PINobject.The data field is emptyTable 47: P1 coding for RESET RETRY COUNTER commandNote 1: the mode with P1=00h is allowed for PIN objects only.Note 2: the modes with P1= xxxx x001 and xxxx011 are allowed for any test object, includingkeys. It is not possible to change the value of the keys with this command.The parameter P2 identifies the BSO to use.Three cases are possible:CIE - Functional Specification v 2.0 -Page 63/76
Page 1 and 2:
C.I.E. - Carta di Identità Elettro
Page 3 and 4:
Table of Contents1. Revision Histor
Page 5 and 6:
12.17 GENERATE KEY PAIR ...........
Page 7 and 8:
2. IntroductionThis document is the
Page 9 and 10:
4. Reference Documents1. ISO/IEC 78
Page 11 and 12: Public Key - That key of an entity
Page 13 and 14: lsbLSBMACMFmsbMSBMSEMTSCOSOCIPINPPP
Page 15 and 16: 6. Electrical ParametersFor all ele
Page 17 and 18: 8. Answer To Reset (ATR)The Answer
Page 19 and 20: XXh XXh H5/H6 Y02h H7 Y49h H8 Y54h
Page 21 and 22: 9. Application SelectionNo explicit
Page 23 and 24: Record structure:The EF is seen at
Page 25 and 26: Linear Variable TLV or Cyclic EFSiz
Page 27 and 28: The card maintains an internal Secu
Page 29 and 30: BSO ID 1 01h to 1FhOPTION 1 See Tab
Page 31 and 32: RSA public key Exponent for Authent
Page 33 and 34: 11.4 Secure MessagingThe Secure Mes
Page 35 and 36: Byte Nr. SM Condition1 ENC USE IN2
Page 37 and 38: • Step 4: APDU command set up in
Page 39 and 40: 11.4.5 SM Response in SM_ENCOrigina
Page 41 and 42: 11.4.7 SM Response in SM_ENC_SIGOri
Page 43 and 44: 12. APDU ReferenceThe CIE supports
Page 45 and 46: 6A 86 Incorrect P1-P26A 87 Lc incon
Page 47 and 48: The PUT DATA - DATA_OCI acts on the
Page 49 and 50: 3DES - SM Cipher 10h 83h 03h3DES -
Page 51 and 52: 3 8Fh 6 BYTE 1: Not used - MUST be
Page 53 and 54: Table35Table 34: SELECT FILE Comman
Page 55 and 56: The operation is possible if the ac
Page 57 and 58: n has to be different from FFh.P1=0
Page 59 and 60: First and NextLast and PreviousSecu
Page 61: acktrackingallowed.b6 = 0b5 = 0b4 -
Page 65 and 66: 12.15 GIVE RANDOMCLA INS P1 P2 P3 D
Page 67 and 68: Security:The access condition to sa
Page 69 and 70: The access condition to satisfy is
Page 71 and 72: 0X 04 00 00 LC = 00 EmptyTable 59:
Page 73 and 74: • The length in bits of the priva
Page 75 and 76: • a sequence of q cipher text blo
show all

C.I.E – Carta di Identità Elettronica Functional Specification Version 2.0

Create successful ePaper yourself

Delete template?

Save as template?