ISO/IEC 7816-4
Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
Cartes d’identification — Cartes à circuit intégré — Partie 4: Organisation, sécurité et commandes pour les échanges

EXTERNAL AUTHENTICATE command
The command conditionally updates the security status using the result (yes or no) of the computation by the card based on a challenge previously issued by the card (e.g., by a GET CHALLENGE command), a key possibly secret stored in the card and authentication data transmitted by the interface device. Any successful authentication requires the use of the last challenge obtained from the card. The card may record unsuccessful authentications (e.g., to limit the number of further uses of the reference data). The absence of command data field may be used either to retrieve the number ‘X’ of further allowed retries
(SW1-SW2 set to ’63CX’), or to check whether the verification is required or not (SW1-SW2 set to ’9000′).

Table 68 EXTERNAL AUTHENTICATE command-response pair
CLA INS P1-P2 As defined in 5.1.1 ’82′ See 7.5.1 and Table 65
Lcfield Absent for encoding Nc= 0, present for encoding Nc> 0
Data field Absent or authentication-related data (e.g., response to a challenge)
Lefield Absent for encoding Ne= 0
Data field Absent
SW1-SW2 See Tables 5 and 6 when relevant, e.g., ’6300′ (see 7.5.1), ’63CX’ (see 7.5.1), ’6581′, ’6700′, ’6982′, ’6983′, ’6984′, ’6A81′, ’6A82′, ’6A86′, ’6A88′ (see 7.5.1)

MUTUAL AUTHENTICATE function — The MUTUAL AUTHENTICATE function uses the same functionalities as EXTERNAL and INTERNAL AUTHENTICATE commands. It is based upon a previous GET CHALLENGE command and a key, possibly secret, stored in the card. The card and the interface device share authentication-related data, including two challenges: one issued by the card, another one issued by the interface device.

NOTE: The command may be used for implementing authentication as specified in parts 2 and 3 of ISO/IEC 9798[8].
The operation can be performed only if the security status satisfies the security attributes for this operation.

Table 69 Command-response pair for MUTUAL AUTHENTICATE function
CLA INS P1-P2 As defined in 5.1.1 ’82′ See 7.5.1 and Table 65
Lcfield Present for encoding Nc> 0
Data field Authentication-related data
Lefield Present for encoding Ne> 0
Data field Authentication-related data
SW1-SW2 See Tables 5 and 6 when relevant, e.g., ’6300′ (see 7.5.1), ’63CX’ (see 7.5.1), ’6581′, ’6700′, ’6982′, ’6983′, ’6984′, ’6A81′, ’6A82′, ’6A86′, ’6A88′ (see 7.5.1)

GENERAL AUTHENTICATE command
The command refines the EXTERNAL, INTERNAL and MUTUAL AUTHENTICATE functions; namely, either an entity in the outside world authenticates an entity in the card (INTERNAL AUTHENTICATE function), or an entity in the card authenticates an entity in the outside world (EXTERNAL AUTHENTICATE function), or both (MUTUAL AUTHENTICATE function). While appropriate for authentication mechanisms involving challenge-response pairs, the EXTERNAL and INTERNAL AUTHENTICATE commands preclude authentication mechanisms involving witness-challengeresponse triples (see ISO/IEC 9798-5[8]). The exchange of triples requires two or more GENERAL AUTHENTICATE command-response pairs: such command-response pairs may be chained (see 5.1.1.1).

The function (either INTERNAL, or EXTERNAL, or MUTUAL AUTHENTICATE) can be performed only if the security status satisfies the security attributes for this operation. Any successful authentication may be subject to completion of prior commands (e.g., VERIFY, SELECT) or selections (e.g., the relevant secret). The result (yes or no) of a control performed by the card may conditionally update the security status. The card may record the number of times the function is issued, in order to limit the number of further uses of the relevant secret or the algorithm. The card may record unsuccessful authentications (e.g., to limit the number of further uses of the reference data).

Table 70 GENERAL AUTHENTICATEcommand-response pair
CLA INS P1-P2 As defined in 5.1.1 ’86′ or ’87′ See 7.5.1 and Table 65
Lcfield Present for encoding Nc> 0
Data field Authentication-related data
Lefield Absent for encoding Ne= 0, present for encoding Ne> 0
Data field Absent (either due to the absence of Lefield, e.g., the last command of an EXTERNAL AUTHENTICATE function, or if the process is aborted), or authentication-related data
SW1-SW2 See Tables 5 and 6 when relevant, e.g., ’6300′ (see 7.5.1), ’63CX’ (see 7.5.1), ’6581′, ’6700′, ’6982′, ’6983′, ’6984′, ’6A81′, ’6A82′, ’6A86′, ’6A88′ (see 7.5.1)

When present, each data field shall contain an interindustry template referenced by tag ’7C’. In the dynamic authentication template, the context-specific class (first byte from ’80′ to ‘BF’) is reserved for dynamic authentication data objects as listed in Table 71.

Table 71 — Dynamic authentication data objects

Mifare DESFire 8K Card,NXP MF3ICD81 Cards,Mifare DESFire EV1 8K Contactless Cards,Mifare DESFire EV1 8K Blank White Cards,

The following rules apply within the interindustry template for dynamic authentication.
–If a data object is empty in a template, then it shall be complete in the template in the next data field.
–In the first command data field, the template indicates the dynamic authentication function as follows.
  -A witness request, e.g., an empty witness, denotes an INTERNAL AUTHENTICATE function.
  -A challenge request, e.g., an empty challenge, denotes an EXTERNAL AUTHENTICATE function.
  -The absence of empty data object denotes a MUTUAL AUTHENTICATE function. Then unless the card aborts the process, the template in the response data field shall contain the same data objects as the template in the command data field. The MUTUAL AUTHENTICATE function allows two entities to agree on a session key using a pair of “exponential” data elements referenced by tag ’85′ (see key agreement techniques in ISO/IEC 11770-3[14]).
The dynamic authentication may protect data fields exchanged during a session. Both entities maintain a current hash-code, updated by including one command or response data field at a time. The data object with tag ’84′ conveys an authentication code resulting from updating the current code by including a witness data object with tag ’80′. The verifier successively reconstructs a witness and an authentication code: if the reconstructed witness is not zero and if the two codes are identical, then the authentication is successful.
Annex C illustrates GENERAL AUTHENTICATE command-response pairs for implementing INTERNAL, EXTERNAL and MUTUAL AUTHENTICATE functions, with extensions to data field authentication and key agreement.