ISO/IEC 7816-4
Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
Cartes d’identification — Cartes à circuit intégré — Partie 4: Organisation, sécurité et commandes pour les échanges

PUT DATA command
The command initiates the management of either the content of an EF supporting data objects, or of one data object, possibly constructed, within the current context (e.g., application-specific environment or current DF). For example, it allows sending a command-to-perform (tag '52') or a cardholder certificate (tag '7F21'), possibly too long for a single command. If the data object is too long for a single command, then command chaining shall apply (see 5.1.1.1); the value field of the data object is the concatenation of the command data fields.
The definition, the nature or the content of the data objects shall determine the exact management functions, e.g., writing once and/or updating and/or appending.
SW1-SW2 set to '63CX' indicates a successful change of memory state, but only after an internal retry routine; 'X' > '0' encodes the number of retries; 'X' = '0' means that no counter is provided.

Table 64 PUT DATA command-response pair
CLA         As defined in 5.1.1
INS         'DA' or 'DB'
P1-P2       See Table 62
Lc field    Present for encoding Nc > 0
Data field  Data bytes according to P1-P2 (INS = 'DA'), or concatenation of BER-TLV data objects (INS = 'DB')
Le field    Absent for encoding Ne = 0
Data field  Absent
SW1-SW2     See Tables 5 and 6 when relevant, e.g., '63CX', '6581', '6700', '6981', '6982', '6985', '6A80', '6A81', '6A84', '6A85'
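
The chaining rule above, as an added example that is not part of ISO/IEC 7816-4: a cardholder certificate value is split across a chain of PUT DATA commands and reassembled on the card side. Assumptions made here: INS 'DA' with the two-byte tag '7F21' carried in P1-P2 (Table 62 of the standard, which governs that encoding, is not reproduced on this page), CLA bit b5 (0x10) as the "not the last command of a chain" flag from 5.1.1, and a constructed 600-byte certificate body.

```python
# Added example, not text from ISO/IEC 7816-4.  Assumptions: INS 'DA' with the
# tag in P1-P2 (Table 62, not on this page), CLA b5 = chaining flag (5.1.1),
# and a constructed 600-byte certificate value.

def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|k followed by k length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: bytes, value: bytes) -> bytes:
    """The data object as the card holds it once the chain is complete."""
    return tag + ber_len(len(value)) + value


def put_data_chain(value: bytes, p1p2: int, max_nc: int = 255, cla: int = 0x00) -> list:
    """Build the PUT DATA command APDUs for one data object value (Table 64:
    Lc present for Nc > 0, Le absent).  Every APDU but the last sets CLA b5."""
    chunks = [value[i:i + max_nc] for i in range(0, len(value), max_nc)] or [b""]
    apdus = []
    for i, chunk in enumerate(chunks):
        chaining = 0x00 if i == len(chunks) - 1 else 0x10
        header = bytes([cla | chaining, 0xDA, p1p2 >> 8, p1p2 & 0xFF])
        apdus.append(header + (bytes([len(chunk)]) + chunk if chunk else b""))
    return apdus


def reassemble(apdus: list) -> bytes:
    """Card side: the value field is the concatenation of the command data fields."""
    value = b""
    for apdu in apdus:
        if len(apdu) > 4:                     # Lc field present
            nc = apdu[4]
            value += apdu[5:5 + nc]
        if not apdu[0] & 0x10:                # last command of the chain
            break
    return value


def describe_put_data_sw(sw1: int, sw2: int) -> str:
    """'9000' is plain success; '63CX' is success after the card's internal
    retry routine, X > 0 giving the retry count and X = 0 meaning no counter."""
    if (sw1, sw2) == (0x90, 0x00):
        return "success"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        x = sw2 & 0x0F
        return "success after retries, no counter provided" if x == 0 else f"success after {x} retries"
    return f"error {sw1:02X}{sw2:02X}"


# Constructed sample certificate body (not a real certificate).
SAMPLE_CERT = bytes((i * 7) & 0xFF for i in range(600))

if __name__ == "__main__":
    chain = put_data_chain(SAMPLE_CERT, 0x7F21)
    for apdu in chain:
        print(apdu[:5].hex(), "... Nc =", apdu[4])
    print("object on card:", ber_tlv(b"\x7f\x21", reassemble(chain))[:5].hex(), "...")
    print(describe_put_data_sw(0x63, 0xC2))
```

With a 600-byte value and short Lc (Nc at most 255) the chain is three commands: two with CLA '10' and Nc = 255, then a final one with CLA '00' and Nc = 90; the reassembled value is wrapped as '7F21' '820258' followed by the 600 bytes.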

Basic security handling
The commands of this group reserve P1-P2 for referencing an algorithm and some related reference data (e.g., a key). If there is a current key and a current algorithm, then the command may implicitly use them.
P1: Unless otherwise specified, P1 references the algorithm to use: either a cryptographic algorithm, or a biometric algorithm (see ISO/IEC 7816-11[4]). P1 set to '00' means that no information is given, i.e., either the reference is known before issuing the command, or the command data field provides it.
P2: Unless otherwise specified, P2 qualifies reference data according to Table 65. P2 set to '00' means that no information is given, i.e., either the qualifier is known before issuing the command, or the command data field provides it. The qualifier may be for example a password number or a key number or a short EF identifier.

Table 65 P2
b8 b7 b6 b5 b4 b3 b2 b1   Meaning
0  0  0  0  0  0  0  0    No information given
0  -  -  -  -  -  -  -    Global reference data (e.g., MF specific password or key)
1  -  -  -  -  -  -  -    Specific reference data (e.g., DF specific password or key)
-  x  x  -  -  -  -  -    00 (any other value is reserved for future use)
-  -  -  x  x  x  x  x    Qualifier, i.e., number of the reference data or number of the secret

NOTE A MANAGE SECURITY ENVIRONMENT command may set an algorithm reference and / or a reference data qualifier.
In this group of commands, SW1-SW2 set to '6300' or '63CX' indicates that the verification failed; 'X' > '0' encodes the number of further allowed retries. SW1-SW2 set to '6A88' means "reference data not found".

INTERNAL AUTHENTICATE command
The command initiates the computation of authentication data by the card using the challenge data sent by the interface device and a relevant secret (e.g., a key) stored in the card.
- If the relevant secret is attached to the MF, then the command may be used to authenticate the card as a whole.
- If the relevant secret is attached to another DF, then the command may be used to authenticate that DF.
Any successful authentication may be subject to completion of prior commands (e.g., VERIFY, SELECT) or selections (e.g., the relevant secret).

The card may record the number of times the command is issued, in order to limit the number of further uses of the relevant secret or the algorithm.
NOTE The response data field may include data useful for further security functions (e.g., random number).

Table 66 INTERNAL AUTHENTICATE command-response pair
CLA         As defined in 5.1.1
INS         '88'
P1-P2       See 7.5.1 and Table 65
Lc field    Present for encoding Nc > 0
Data field  Authentication-related data (e.g., challenge)
Le field    Present for encoding Ne > 0
Data field  Authentication-related data (e.g., response to a challenge)
SW1-SW2     See Tables 5 and 6 when relevant, e.g., '6300' (see 7.5.1), '63CX' (see 7.5.1), '6581', '6700', '6982', '6983', '6984', '6A81', '6A82', '6A86', '6A88' (see 7.5.1)

GET CHALLENGE command
The command requires the issuing of a challenge (e.g., a random number for a cryptographic authentication or a sentence to prompt for a biometric authentication using voiceprints) for use in a security-related procedure (e.g., EXTERNAL AUTHENTICATE command).
The challenge is valid at least for the next command; this clause specifies no further condition.

Table 67 GET CHALLENGE command-response pair
CLA         As defined in 5.1.1
INS         '84'
P1          See 7.5.1
P2          '00' (any other value is reserved for future use)
Lc field    Absent for encoding Nc = 0
Data field  Absent
Le field    Present for encoding Ne > 0
Data field  Challenge
SW1-SW2     See Tables 5 and 6 when relevant, e.g., '6300' (see 7.5.1), '63CX' (see 7.5.1), '6581', '6700', '6982', '6983', '6984', '6A81', '6A82', '6A86', '6A88'
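
The INTERNAL AUTHENTICATE and GET CHALLENGE exchanges above, as an added example that is not part of ISO/IEC 7816-4, with both the card side and the interface-device side in one file. Everything the standard leaves to the application is assumed here: the card's secrets are looked up by the Table 65 qualifier in P2, the algorithm behind P1 = '00' is HMAC-SHA256 over the challenge, the card blocks a secret after a fixed number of uses (the clause only says it may record the count), and the key bytes are constructed. The status words are those listed in Tables 66 and 67 plus '6D00' (instruction code not supported, from Table 6 of the standard).

```python
# Added example, not text from ISO/IEC 7816-4.  Assumptions: secrets keyed by
# the P2 qualifier, HMAC-SHA256 as the algorithm behind P1 = '00', a per-secret
# use limit, constructed key material.
import hashlib
import hmac
import os

SW_OK = 0x9000
SW_REFERENCE_NOT_FOUND = 0x6A88   # "reference data not found" (7.5.1)
SW_AUTH_BLOCKED = 0x6983          # listed in Table 66
SW_WRONG_P1P2 = 0x6A86            # listed in Table 67
SW_INS_NOT_SUPPORTED = 0x6D00     # Table 6 of the standard, not on this page


def card_mac(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the card's authentication algorithm (assumption)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ToyCard:
    """Card side.  Keeps a per-secret use counter to limit further uses of the secret."""

    def __init__(self, keys: dict, max_uses: int = 3):
        self._keys = dict(keys)
        self._uses = {q: 0 for q in keys}
        self._max_uses = max_uses

    def process(self, apdu: bytes):
        """Return (response data field, SW1-SW2) for one command APDU."""
        ins, p1, p2 = apdu[1], apdu[2], apdu[3]
        if ins == 0x84:                              # GET CHALLENGE
            if p1 != 0x00 or p2 != 0x00:             # P2 other than '00' is RFU (Table 67)
                return b"", SW_WRONG_P1P2
            ne = apdu[4] or 256                      # Le = '00' encodes Ne = 256
            return os.urandom(ne), SW_OK
        if ins == 0x88:                              # INTERNAL AUTHENTICATE
            nc = apdu[4]
            challenge = apdu[5:5 + nc]
            qualifier = p2 & 0x1F                    # b5..b1 of P2, Table 65
            if qualifier not in self._keys:
                return b"", SW_REFERENCE_NOT_FOUND
            if self._uses[qualifier] >= self._max_uses:
                return b"", SW_AUTH_BLOCKED
            self._uses[qualifier] += 1
            return card_mac(self._keys[qualifier], challenge), SW_OK
        return b"", SW_INS_NOT_SUPPORTED


def get_challenge_apdu(ne: int = 8) -> bytes:
    """Table 67: Lc absent, Le present for Ne > 0, P1-P2 = '0000'."""
    return bytes([0x00, 0x84, 0x00, 0x00, ne & 0xFF])


def internal_authenticate_apdu(challenge: bytes, p2: int, p1: int = 0x00, ne: int = 32) -> bytes:
    """Table 66: Lc and the data field carry the challenge, Le asks for the response."""
    return bytes([0x00, 0x88, p1, p2, len(challenge)]) + challenge + bytes([ne & 0xFF])


def authenticate_card(card: ToyCard, key_no: int, expected_key: bytes, specific: bool = True):
    """Interface-device side: fresh challenge out, card response compared with
    the key the interface device expects.  Returns (authenticated, SW1-SW2)."""
    p2 = (0x80 if specific else 0x00) | (key_no & 0x1F)   # Table 65 encoding
    challenge = os.urandom(16)
    response, sw = card.process(internal_authenticate_apdu(challenge, p2))
    if sw != SW_OK:
        return False, sw
    return hmac.compare_digest(response, card_mac(expected_key, challenge)), sw


# Constructed key material for the example (not from any real card).
DF_KEY_1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    card = ToyCard({1: DF_KEY_1}, max_uses=2)
    print(authenticate_card(card, 1, DF_KEY_1))        # (True, 36864), i.e. '9000'
    print(authenticate_card(card, 2, DF_KEY_1))        # (False, 27272), i.e. '6A88'
    challenge, sw = card.process(get_challenge_apdu(8))
    print(len(challenge), f"'{sw:04X}'")
```

The interface device generates a fresh challenge for every INTERNAL AUTHENTICATE and compares in constant time; a reused challenge would let a recorded response pass. The card's use counter is what turns '9000' into '6983' once the configured limit is reached, independently of whether the responses were correct.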