Case 3.a — Status not protected

The secured command APDU is as follows. Command header Command body

CLA* INS P1 P2 New Lc field – New data field

New data field = Two data objects = {T* – L – Plain value} – {T – L -Cryptographic checksum}

Data covered by the cryptographic checksum =

 One or more blocks = {T* -L – Plain value -Padding} if bit 3 of CLA* set to 0

 Two or more blocks = {CLA** INS P1 P2 Padding} – {T* – L – Plain value -Padding} if bit 3 of CLA* set to 1

The secured response APDU is as follows. Response body Response trailer

Absent SW1-SW2
 Case 3.b — Status protected

The secured command APDU is as follows. Command header Command body

CLA* INS P1 P2 New Lc field – New data field – New Le field (= ’00′)

New data field = Two data objects = {T* – L – Plain value} – {T – L – Cryptographic checksum}

Data covered by the cryptographic checksum =

 One or more blocks = {T* -L – Plain value -Padding} if bit 3 of CLA* set to 0

 Two or more blocks = {CLA** INS P1 P2 Padding} – {T* – L – Plain value -Padding} if bit 3 of CLA* set to 1

The secured response APDU is as follows. Response body Response trailer

New data field (= {T* – L – SW1-SW2} – {T – L – Cryptographic checksum}) SW1-SW2

New data field = Two data objects = {T* – L – SW1-SW2} – {T – L – Cryptographic checksum} Data covered by the cryptographic checksum = One block = {T* – L – SW1-SW2 -Padding}

Case 4 — Command data, response data

The unsecured command-response pair is as follows. Command header Command body

CLA INS P1 P2 Lc field – Data field – Le field

Response body Response trailer

Data field SW1-SW2

The secured command APDU is as follows. Command header Command body

CLA* INS P1 P2 New Lc field – New data field – New Le field (one or two bytes set to ’00′)

New data field = Three data objects = {T* – L – Plain value} – {T* – L – Le} – {T – L – Cryptographic checksum} Data covered by the cryptographic checksum = ⎯ One or more blocks = {T* -L – Plain value – T* – L – Le – Padding} if bit 3 of CLA* set to 0 ⎯ Two or more blocks = {CLA** INS P1 P2 Padding} – {T* – L – Plain value – T* – L – Le – Padding} if bit 3 of CLA* set to 1

The secured response APDU is as follows. Response body Response trailer

New data field SW1-SW2
(={T* – L – Plain value} – {T* – L – SW1-SW2} – {T – L – Cryptographic checksum})  

New data field = Three data objects = {T* – L – Plain value} – {T* – L – SW1-SW2} – {T – L – Cryptographic checksum}

Data covered by the cryptographic checksum = One or more blocks = {T* – L – Plain value – T* – L – SW1-SW2 – Padding}

—————————————————————————————————————

[1] ISO 3166-1:1997, Codes for the representation of names of countries and their subdivisions — Part 1: Country codes
[2] ISO/IEC 7810:2003, Identification cards — Physical characteristics
[3] ISO/IEC 7812-1:2000, Identification cards — Identification of issuers — Part 1: Numbering system
[4] ISO/IEC 7816 (all parts), Identification cards — Integrated circuit cards
[5] ISO/IEC TR 9577:1999, Information technology — Protocol identification in the network layer
[6] ISO/IEC 9796 (all parts), Information technology — Security techniques — Digital signature schemes giving message recovery
[7] ISO/IEC 9797 (all parts), Information technology — Security techniques — Message Authentication Codes (MACs)
[8] ISO/IEC 9798 (all parts), Information technology — Security techniques — Entity authentication
[9] ISO/IEC 9979:1999, Information technology — Security techniques — Procedures for the registration of cryptographic algorithms
[10] ISO 9992-2:1998, Financial transaction cards — Messages between the integrated circuit card and the card accepting device — Part 2: Functions, messages (commands and responses), data elements and structures
[11] ISO/IEC 10116:1997, Information technology — Security techniques — Modes of operation for an n-bit block cipher
[12] ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
[13] ISO/IEC 10536 (all parts), Identification cards — Contactless integrated circuit(s) cards — Closecoupled cards
[14] ISO/IEC 11770 (all parts), Information technology — Security techniques — Key management
[15] ISO/IEC 14443 (all parts), Identification cards — Contactless integrated circuit(s) cards — Proximity cards
[16] ISO/IEC 14888 (all parts), Information technology — Security techniques — Digital signatures with appendix
[17] ISO/IEC 15693 (all parts), Identification cards — Contactless integrated circuit(s) cards — Vicinity cards
[18] ISO/IEC 18033 (all parts), Information technology — Security techniques — Encryption algorithms
[19] IETF RFC 1738:1994, Uniform resource locators (URL)
[20] IETF RFC 2396:1998, Uniform resource locators (URL): General syntax