ISO/IEC 7816 is an international standard related to electronic identification cards with contacts, especially smart cards, managed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
It is edited by the Joint technical committee (JTC) 1 / Sub-Committee (SC) 17, Cards and personal identification.
The following describes the different parts of this standard.
Created in 1987, updated in 1998, amended in 2003, updated in 2011.
This part describes the physical characteristics of the card, primarily by reference to ISO/IEC 7810 Identification cards — Physical characteristics, but also with other characteristics such as mechanical strength.
Created in 1988, updated in 1999, amended in 2004, updated in 2007.
Created in 1989, amended in 1992 (addition of the T=1 protocol), amended in 1994 (revision of Protocol Type Selection), updated in 1997 (including addition of 3 Volt operation), amended in 2002 (including addition of 1.8 Volt operation), last updated in 2006 (including removal of Vpp).
According to its abstract, it specifies:
It does not cover the internal implementation within the card or the outside world.
Created in 1995, updated in 2004.
According to its abstract, ISO/IEC 7816-5 defines how to use an application identifier to ascertain the presence of and/or perform the retrieval of an application in a card.
ISO/IEC 7816-5:2004 shows how to grant the uniqueness of application identifiers through the international registration of a part of this identifier, and defines
Created in 1996, updated in 2004, amended in 2006, updated in 2016.
According to its abstract, it specifies the Data Elements (DEs) used for interindustry interchange based on integrated circuit cards (ICCs) both with contacts and without contacts. It gives the identifier, name, description, format, coding and layout of each DE and defines the means of retrieval of DEs from the card.
Created in 1999.
Created in 1995, updated in 2004, updated in 2016.
According to its abstract, it specifies interindustry commands for integrated circuit cards (either with contacts or without contacts) that may be used for cryptographic operations. These commands are complementary to and based on the commands listed in ISO/IEC 7816-4.
Annexes are provided that give examples of operations related to digital signatures, certificates and the import and export of asymmetric keys.
The choice and conditions of use of cryptographic mechanisms may affect card exportability. The evaluation of the suitability of algorithms and protocols is outside the scope of ISO/IEC 7816-8.
Created in 1995, updated in 2004, updated in 2017.
According to its abstract, it specifies interindustry commands for integrated circuit cards (both with contacts and without contacts) for card and file management, e.g. file creation and deletion. These commands cover the entire life cycle of the card and therefore some commands may be used before the card has been issued to the cardholder or after the card has expired.
An annex is provided that shows how to control the loading of data (secure download) into the card, by means of verifying the access rights of the loading entity and protection of the transmitted data with secure messaging. The loaded data may contain, for example, code, keys and applets.
Created in 1999.
This part specifies the power, signal structures, and the structure for the answer to reset between an integrated circuit card(s) with synchronous transmission and an interface device such as a terminal.
Created in 2004, updated in 2017.
This part of ISO/IEC 7816 specifies security-related interindustry commands to be used for personal verification through biometric methods in integrated circuit cards. It also defines the data structure and data access methods for use of the card as a carrier of the biometric reference and/or as the device to perform the verification of the cardholder’s biometric probe (on-card biometric comparison). Identification of persons using biometric methods is outside the scope of this standard.
Created in 2005.
According to its abstract, it specifies the operating conditions of an integrated circuit card that provides a USB interface. An integrated circuit card with a USB interface is named USB-ICC.
ISO/IEC 7816-12:2005 specifies:
ISO/IEC 7816-12:2005 provides two protocols for control transfers. This is to support the protocol T=0 (version A) or to use the transfer on APDU level (version B). ISO/IEC 7816-12:2005 provides the state diagrams for the USB-ICC for each of the transfers (bulk transfers, control transfers version A and version B). Examples of possible sequences which the USB-ICC must be able to handle are given in an informative annex.
The USB CCID device class defines a standard for communicating with ISO/IEC 7816 smart cards over USB.
This part specifies commands for application management in a multi-application environment.
Created in 2004, amended in 2004, 2007, 2008, updated in 2016.
According to its abstract, it specifies a card application. This application contains information on cryptographic functionality. Further, ISO/IEC 7816-15:2016 defines a common syntax (in ASN.1) and format for the cryptographic information and mechanisms to share this information whenever appropriate.
ISO/IEC 7816-15:2016 supports the following capabilities:
An Answer To Reset (ATR) is a message output by a contact Smart Card conforming to ISO/IEC 7816 standards, following electrical reset of the card's chip by a card reader. The ATR conveys information about the communication parameters proposed by the card, and the card's nature and state.
By extension, ATR often refers to a message obtained from a Smart Card in an early communication stage; or from the card reader used to access that card, which may transform the card's message into an ATR-like format (this occurs e.g. for some PC/SC card readers when accessing an ISO/IEC 14443 Smart Card).
The presence of an ATR is often used as a first indication that a Smart Card appears operative, and its content examined as a first test that it is of the appropriate kind for a given usage.
Contact Smart Cards communicate over a signal named Input/Output (I/O) either synchronously (data bits are sent and received at the rhythm of one per period of the clock supplied to the card on its CLK signal) or asynchronously (data bits are exchanged over I/O with another mechanism for bit delimitation, similar to traditional asynchronous serial communication). The two modes are exclusive in a given communication session, and most cards are built with support for a single mode. Microprocessor-based contact Smart Cards are mostly of the asynchronous variety, used for all Subscriber Identity Modules (SIM) for mobile phones, those bank cards with contacts that conform to EMV specifications, all contact Java Cards, and Smart Cards for pay television. Memory-only cards are generally of the synchronous variety.
ATR under asynchronous and synchronous transmission have entirely different form and content. The ATR in asynchronous transmission is precisely normalized (in order to allow interoperability between cards and readers of different origin), and relatively complex to parse.
Some Smart Cards (mostly of the asynchronous variety) send a different ATR depending on whether the reset is the first since power-up (Cold ATR) or not (Warm ATR).
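A bounds-checked parser for the asynchronous ATR described above, as an added example that is not part of the original article. The field layout (TS, T0, interface bytes TAi to TDi, historical bytes, TCK check byte) follows ISO/IEC 7816-3 and is not spelled out on this page; the two sample ATRs are constructed.

```python
from dataclasses import dataclass
from functools import reduce
from operator import xor
from typing import Optional

CONVENTIONS = {0x3B: "direct", 0x3F: "inverse"}  # meaning of the TS byte
MAX_ATR_LEN = 33  # TS plus at most 32 further bytes


@dataclass
class Atr:
    convention: str
    interface: dict          # interface bytes by name, e.g. {"TA1": 0x11}
    protocols: list          # distinct T values offered, in order
    historical: bytes
    tck_ok: Optional[bool]   # None when no TCK is expected (T=0 only)


def parse_atr(raw: bytes) -> Atr:
    """Parse an asynchronous ATR; raise ValueError on malformed input."""
    if not 2 <= len(raw) <= MAX_ATR_LEN:
        raise ValueError("ATR length out of range")
    if raw[0] not in CONVENTIONS:
        raise ValueError(f"unknown TS byte {raw[0]:#04x}")
    pos = 1

    def take(name: str) -> int:
        # Bounds-checked read: the card controls every length field.
        nonlocal pos
        if pos >= len(raw):
            raise ValueError(f"truncated ATR: missing {name}")
        pos += 1
        return raw[pos - 1]

    t0 = take("T0")
    y, k = t0 >> 4, t0 & 0x0F      # Y1 presence bitmap, K historical bytes
    interface, offered, i = {}, [], 1
    while True:
        for bit, letter in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                interface[f"{letter}{i}"] = take(f"{letter}{i}")
        if not y & 8:              # no TDi, so the chain ends here
            break
        td = interface[f"TD{i}"] = take(f"TD{i}")
        y = td >> 4                # presence bitmap for the next group
        offered.append(td & 0x0F)  # protocol type T
        i += 1
    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("truncated ATR: missing historical bytes")
    pos += k
    tck_ok = None
    if any(t != 0 for t in offered):   # TCK is absent when only T=0 is offered
        take("TCK")
        tck_ok = reduce(xor, raw[1:pos]) == 0   # XOR of T0..TCK must be zero
    if pos != len(raw):
        raise ValueError("unexpected trailing bytes after ATR")
    return Atr(CONVENTIONS[raw[0]], interface,
               list(dict.fromkeys(offered)) or [0], historical, tck_ok)


# Constructed sample ATRs (not captured from real cards).
ATR_T0 = bytes.fromhex("3B94110001020304")        # T=0 only, no TCK
ATR_T1 = bytes.fromhex("3B92118131FE45AABB99")    # T=1, TCK = 0x99

if __name__ == "__main__":
    for sample in (ATR_T0, ATR_T1):
        print(parse_atr(sample))
```

A `tck_ok` of `False` is reported rather than raised so that the caller can decide whether to reject the card or retry the reset.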
Note: Answer To Reset should not be confused with ATtRibute REQuest (ATR_REQ) and ATtRibute RESponse (ATR_RES) of NFC, also abbreviated ATR. ATR_RES conveys information about the communication parameters supported, as does Answer To Reset, but its structure is different.
CEPAS
CEPAS, the Specification for Contactless e-Purse Application, is a Singaporean specification for an electronic money smart card. CEPAS has been deployed island-wide, replacing the previous original EZ-Link card effective 1 October 2009.
Card reader
A card reader is a data input device that reads data from a card-shaped storage medium. The first were punched card readers, which read the paper or cardboard punched cards that were used during the first several decades of the computer industry to store information and programs for computer systems. Modern card readers are electronic devices that can read plastic cards embedded with either a barcode, magnetic strip, computer chip or another storage medium.
A memory card reader is a device used for communication with a smart card or a memory card.
A magnetic card reader is a device used to read magnetic stripe cards, such as credit cards.
A business card reader is a device used to scan and electronically save printed business cards.
Card standards
Card standard(s) may refer to any of a number of standards related to smartcards.
ISO/IEC 7810 Identification cards — Physical characteristics
ISO/IEC 7812 Identification cards — Identification of issuers
ISO/IEC 7816 Identification cards — Integrated circuit cards
ISO/IEC 14443 Identification cards — Contactless integrated circuit cards — Proximity cards
Datacard
A datacard is an electronic card for data operations (storage, transfer, transformation, input, output).
EMV
EMV is a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.
EMV cards are smart cards (also called chip cards or IC cards) that store their data on integrated circuits in addition to magnetic stripes (for backward compatibility). These include cards that must be physically inserted (or "dipped") into a reader, as well as contactless cards that can be read over a short distance using near-field communication (NFC) technology. Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards, depending on the authentication methods employed by the card issuer.
There are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (Mastercard Contactless, Visa PayWave, American Express ExpressPay).
EMV originally stood for "Europay, Mastercard, and Visa", the three companies that created the standard. The standard is now managed by EMVCo, a consortium of financial companies. The most widely known chips of the EMV standard are:
VIS – Visa
Mastercard chip – Mastercard
AEIPS – American Express
UICS – China Union Pay
J Smart – JCB
D-PAS – Discover/Diners Club International.
Rupay – NPCI
Visa and Mastercard have also developed standards for using EMV cards in devices to support card-not-present (CNP) transactions over the telephone and Internet. Mastercard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Passcode Authentication (DPA) scheme, which is its implementation of CAP using different default values.
In February 2010, computer scientists from Cambridge University demonstrated that an implementation of EMV PIN entry is vulnerable to a man-in-the-middle attack, but only implementations where the PIN was validated offline were vulnerable.
ISO/IEC 14443
ISO/IEC 14443 Identification cards -- Contactless integrated circuit cards -- Proximity cards is an international standard that defines proximity cards used for identification, and the transmission protocols for communicating with them.
ISO/IEC 15693
ISO/IEC 15693 is an ISO standard for vicinity cards, i.e. cards which can be read from a greater distance as compared with proximity cards. Such cards can normally be read out by a reader without being powered themselves, as the reader will supply the necessary power to the card over the air (wireless).
ISO/IEC 15693 systems operate at the 13.56 MHz frequency, and offer a maximum read distance of 1–1.5 meters. As the vicinity cards have to operate at a greater distance, the necessary magnetic field is less (0.15 to 5 A/m) than that for a proximity card (1.5 to 7.5 A/m).
ISO/IEC 7813
ISO/IEC 7813 is an international standard codified by the International Organization for Standardization and International Electrotechnical Commission that defines properties of financial transaction cards, such as ATM or credit cards.
Istanbulkart
Istanbulkart is a contactless smart card for fare payment on public transport in Istanbul, Turkey. It was introduced on March 23, 2009 in addition to, and to eventually replace, the Akbil, an integrated electronic ticket system (Akbil iButtons are now being phased out as of 2015). The card was developed and put into practice by the information technology company Belbim of the Metropolitan Municipality.
The Istanbulkart is valid for boarding buses, funiculars, LRT, subway, commuter trains, ferryboats and trams operated by the Metropolitan Municipality and private companies. Cash payment on these transport systems is not possible. Reduced fees are applicable for up to five transfers within two hours to other vehicles on the transportation network.
There are four different types of the Istanbulkart, one ordinary and three special. The special cards are issued upon the holder's legal eligibility, and are therefore personalized:
Ordinary card: for full fare payment,
Mavi Kart (Blue card) (season ticket): seasonal ticket discounted on monthly use basis,
Discounted card: for students, teachers, senior citizens (over 60 years of age)
Free card: for handicapped or disabled persons, senior citizens (over 65 years of age) and government employees underway on duty.
The ordinary cards may be acquired from offices at major transport interchanges for a nonrefundable deposit of 10 TL. It can be purchased for 6 TL from vending machines located at metro entrances. The remaining sum will be deposited on the card. Afterwards, the cards can be loaded with credits up to 300 TL at these offices, special purpose machines, vending machines on the metro or at news-stands and small shops which offer this service. Cards for a limited number of passes (1, 2, 3, 5 or 10) are also available.
Unlike the ordinary cards, the special cards are issued on a named basis, so they require an application to be made at one of the 13 application centers, or on the internet.
To pay the fare, the smart card is brought into close proximity, up to 8 cm (3.1 in), with a contactless reader during boarding of the transportation vehicle or at the toll gates of the station. It is not necessary for the card to touch the reader; cards inside a wallet or a handbag can also be read for rapid payment. The reader device signals confirmation of the fare payment with an audible sound, and the screen turns green showing the payment and the remaining deposit after a split second.
In case of insufficient deposit on the smart card, the card reader shows the warning message "Yetersiz Bakiye" (Insufficient deposit) on its display along with an audible warning. Counterfeit cards will be confiscated by the bus driver or security personnel at the turnpikes.
The Istanbulkart is compatible with international standards such as ISO/IEC 7816 and ISO/IEC 14443 and is built using NXP's DESFire technology. Its use is planned to be extended to payments at municipality operated parking lots and theatres, as well as for privately owned taxis, Dolmuş (share taxis) and movie theatres. The personalized type of the smart card can also be used in a more general form for admission to an event or establishment or for municipality provided social welfare purposes.
Longitudinal redundancy check
In telecommunication, a longitudinal redundancy check (LRC), or horizontal redundancy check, is a form of redundancy check that is applied independently to each of a parallel group of bit streams. The data must be divided into transmission blocks, to which the additional check data is added.
The term usually applies to a single parity bit per bit stream, calculated independently of all the other bit streams (BIP-8), although it could also be used to refer to a larger Hamming code.
This "extra" LRC word at the end of a block of data is very similar to a checksum and a cyclic redundancy check (CRC).
OpenPGP card
In cryptography, the OpenPGP card is an ISO/IEC 7816-4, -8 compatible smart card that is integrated with many OpenPGP functions. Using this smart card, various cryptographic tasks (encryption, decryption, digital signing/verification, authentication etc.) can be performed. It allows secure storage of secret key material; all versions of the protocol state, "Private keys and passwords cannot be read from the card with any command or function." However, new key pairs may be loaded onto the card at any time, overwriting the existing ones.
The original OpenPGP card was built on BasicCard, and remains available at retail. Several mutually compatible JavaCard implementations of the OpenPGP Card's interface protocol are available as open source software and can be installed on generic JavaCard smart cards, including NFC-enabled cards. Nitrokey and Yubico provide USB tokens implementing the same protocol through smart card emulation.
The smart card daemon, in combination with the supported smart card readers, as implemented in GnuPG, can be used for many cryptographic applications. With gpg-agent in GnuPG 2, which provides an ssh-agent implementation using GnuPG, an OpenPGP card can also be used for SSH authentication.
Open Smart Card Development Platform
The Open Smart Card Development Platform (OpenSCDP) provides a collection of tools that support users in the development, test and deployment of smart card applications. The platform supports GlobalPlatform Scripting, Profile and Messaging technology.
The complete toolset is written in Java and uses ECMAScript as a scripting language. Access to smart cards is provided through an enhanced version of the OpenCard Framework. Drivers are included for most ISO/IEC 7816-4 compliant smart cards, PC/SC and CT-API card readers. The platform also provides cryptographic support through the Java Cryptography Extension (JCE) with the Bouncy Castle Crypto API.
The toolsets and libraries of OpenSCDP are provided as Open Source under the GNU General Public License (GPL).
Padding (cryptography)
In cryptography, padding refers to a number of distinct practices which all include adding data to the beginning, middle, or end of a message prior to encryption. In classical cryptography, padding may include adding nonsense phrases to a message to obscure the fact that many messages end in predictable ways, e.g. sincerely yours.
Pirate decryption
Pirate decryption most often refers to the decryption, or decoding, of pay TV or pay radio signals without permission from the original broadcaster. The term "pirate" in this case is used in the sense of copyright infringement and has little or nothing to do with sea piracy, nor with pirate radio, which involved the operation of a small broadcast radio station without lawfully obtaining a license to transmit. The MPAA and other groups which lobby in favour of intellectual property (specifically copyright and trademark) regulations have labelled such decryption as "signal theft" even though there is no direct tangible loss on the part of the original broadcaster, arguing that losing out on a potential chance to profit from a consumer's subscription fees counts as a loss of actual profit.
SIMpad
The SIMpad is a portable computer developed by the company Keith & Koep by order of Siemens AG, with an 8.4" TFT touchscreen. Commonly used with wireless network cards, it was marketed as a device to browse the World Wide Web. Initially announced in January 2001 at the Consumer Electronics Show, the SIMpad was not very popular in the mainstream US market.
There are five known model variants, all out of production:
CL4: The low-end model with 32 MB RAM and 16 MB Flash ROM without PC card slot but with DECT modem.
WP50: A variant sold by Swisscom. Same as the CL4.
T-Sinus Pad: A variant sold by Deutsche Telekom. This one is the same as the CL4 but with a PC card slot.
SL4: The high end model, with 64 MB RAM and 32 MB Flash ROM. This one also has a PC card slot.
SLC: Identical to the SL4, but with the addition of a Siemens MD34 DECT modem, allowing connection to certain Siemens ISDN telephone systems.
All variants contain:
An Intel StrongARM SA-1110 32-bit RISC processor with a clock frequency of 206 MHz
An 8.4" TFT LCD with an SVGA resolution (800×600 pixels)
4-wire analog resistive touch interface
A single 16-bit PC card slot (not included in some CL4 models designed to use the Siemens MD34 DECT module)
A standard ISO/IEC 7816 SmartCard interface
A USB 1.1 client interface (not fully functional in production releases, but see Mullenger.org below)
An IrDA interface (V1.3, SIR)
A serial interface (proprietary Siemens "Lumberg" socket)
A 7.2 V 2800 mA·h Lithium Ion Battery (~4hr life)
A built-in mono speaker
A built-in microphone (not on CL4 models)
A headphone interface (proprietary Siemens "Lumberg" socket)
All devices weigh approximately 2.2 lb (1 kg) and measure 10.35 × 7.08 × 1.10 inches (263 mm × 181 mm × 30 mm). The SIMpad was initially released with the Handheld PC 2000 (Windows CE 3.0) operating system, while later units (mostly SL4 and SLC) were released with Windows CE .NET (Windows CE 4.0). Since the SIMpad was discontinued in 2002, all manufacturer support was also discontinued, and no future updates are likely to appear.
The OpenSIMpad project offers a SIMpad related Wiki where one can find information about Linux, Windows CE, hardware and mods.
The Mullenger.org commercial website offers a licensed Windows CE 4.2 ".net" bug fix and upgrade for all SIMpad models.
Sky Cable
Sky Cable (stylized as SKY cable) is a cable television service of Sky Cable Corporation. Its franchise area covers Metro Manila and its suburbs or neighboring areas, and it also operates in provincial areas with both digital and a few analog services. It has 700,000 subscribers, controlling 45% of the cable TV market.
Smart card
A smart card, chip card, or integrated circuit card (ICC) is a physical electronic authorization device, used to control access to a resource. It is typically a plastic credit card sized card with an embedded integrated circuit. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, mobile phones (SIM), public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Several nations have deployed smart cards throughout their populations.
Smart card application protocol data unit
In the context of smart cards, an application protocol data unit (APDU) is the communication unit between a smart card reader and a smart card. The structure of the APDU is defined by ISO/IEC 7816-4 Organization, security and commands for interchange.