ISO 7816-4 Annex F: Use of Secure Messaging

ISO 7816 Part 4: Interindustry Commands for Interchange

For the latest version of ISO7816 part 4, please contact ISO in Switzerland.

Annex F.1 Abbreviations
Annex F.2 Use of cryptographic checksums
Annex F.3 Use of cryptograms
Annex F.4 Use of control references
Annex F.5 Use of response descriptor
Annex F.6 Use of the ENVELOPE command


Annex F.1 Abbreviations

For the purpose of this annex, the following abbreviations apply:

CC Cryptographic checksum
CG Cryptogram
CH Command header (CLA INS P1 P2)
CR Control reference
FR File reference
KR Key reference
L Length
PB Padding bytes (‘80’ followed by 0 to k-1 times ‘00’ where k is the block length)
PI Padding indicator byte
PV Plain value
RD Response descriptor
T Tag
|| Concatenation

For all the examples, CLA indicates the use of secure messaging by an appropriate value (‘0X’, ‘8X’, ‘9X’ or ‘AX’) where bit b4 of CLA is set to 1 (see table 9).

Annex F.2 Use of cryptographic checksums

The use of cryptographic checksums (see 5.6.3.1) is shown for the four cases defined in table 4 and figure 4.

  • Case 1 – No data, no data
    Command data field = Tcc||Lcc||CC
    Data covered by CC (b3=1 in CLA) = First and only data block = CH||PB

    The command of case 1 is transformed into a command of case 3.

  • Case 2 – No data, data
    Command data field = Tcc||Lcc||CC
    Data covered by CC (b3=1 in CLA) = First and only data block = CH||PB

    Response data field = Tpv (b1=1)||Lpv||PV||Tcc||Lcc||CC
    Data covered by CC = Data blocks = Tpv (b1=1)||Lpv||PV||PB

  • Case 3.a – Data, no data
    Command data field = Tpv (b1=1)||Lpv||PV||Tcc||Lcc||CC
    Data covered by CC (b3=0 in CLA) = Data blocks = Tpv (b1=1)||Lpv||PV||PB

  • Case 3.b – Data, no data
    Command data field = Tpv1 (b1=0)||Lpv1||PV1||Tpv2 (b1=1)||Lpv2||PV2||Tcc||Lcc||CC
    Data covered by CC (b3=1 in CLA) = Data blocks = CH||PB||Tpv (b1=1)||Lpv2||PV2||PB

  • Case 4 – Data, data
    Command data field = Tpv (b1=1)||Lpv||PV||Tcc||Lcc||CC
    Data covered by CC (b3=0 in CLA) = Data blocks = Tpv (b1=1)||Lpv||PV||PB

    Response data field = Tpv (b1=1)||Lpv||PV||Tcc||Lcc||CC
    Data covered by CC = Data blocks = Tpv (b1=1)||Lpv||PV||PB
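
The data-block construction of the cases above, as an added Python example that is not part of the standard's text: it builds the blocks covered by CC with and without bit b3 of CLA and shows that the receiver detects a modified command header only when b3=1. The tag values '81' and '8E', the block length k=8, the sample key and the truncated HMAC-SHA-256 standing in for the checksum algorithm of 5.6.3.1 are assumptions.

```python
import hashlib
import hmac

K = 8        # block length k in bytes (assumed)
T_PV = 0x81  # plain value tag with b1=1, so covered by CC (assumed value)
T_CC = 0x8E  # cryptographic checksum tag (assumed value)

def pad(data: bytes) -> bytes:
    """Append PB: '80' followed by 0 to k-1 bytes '00', up to a multiple of k."""
    return data + b"\x80" + b"\x00" * (-(len(data) + 1) % K)

def tlv(tag: int, value: bytes) -> bytes:
    if len(value) > 0x7F:
        raise ValueError("example handles one-byte lengths only")
    return bytes([tag, len(value)]) + value

def covered(ch: bytes, pv: bytes) -> bytes:
    """Data blocks covered by CC; bit b3 of CLA puts CH||PB in front."""
    blocks = pad(ch) if ch[0] & 0x04 else b""
    if pv:
        blocks += pad(tlv(T_PV, pv))
    if not blocks:
        raise ValueError("nothing to authenticate: set b3 or send data")
    return blocks

def checksum(key: bytes, blocks: bytes) -> bytes:
    # Stand-in MAC (truncated HMAC-SHA-256), NOT the checksum of 5.6.3.1.
    return hmac.new(key, blocks, hashlib.sha256).digest()[:4]

def protect(key: bytes, ch: bytes, pv: bytes = b"") -> bytes:
    """Return CH || Lc || [Tpv||Lpv||PV] || Tcc||Lcc||CC."""
    cc = checksum(key, covered(ch, pv))
    body = (tlv(T_PV, pv) if pv else b"") + tlv(T_CC, cc)
    return ch + bytes([len(body)]) + body

def verify(key: bytes, apdu: bytes) -> bool:
    """Receiver side: rebuild the covered blocks and compare CC."""
    ch, body, pv = apdu[:4], apdu[5:5 + apdu[4]], b""
    if len(body) > 1 and body[0] == T_PV:
        pv, body = body[2:2 + body[1]], body[2 + body[1]:]
    if body[:1] != bytes([T_CC]):
        return False
    try:
        return hmac.compare_digest(body[2:], checksum(key, covered(ch, pv)))
    except ValueError:
        return False

KEY = bytes(16)  # constructed sample key
CASE1 = protect(KEY, bytes.fromhex("0C840000"))                # b3=1: CH covered
CASE3A = protect(KEY, bytes.fromhex("08D60000"), b"\x01\x02")  # b3=0: CH not covered
```

With b3=0 the checksum binds only the data objects whose tag has b1=1, so a receiver that needs INS, P1 and P2 authenticated must require b3=1.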


Annex F.3 Use of cryptograms

The use of cryptograms (see 5.6.4) is shown with and without padding.

  • Case a – Plain data not coded in BER-TLV
    Command data field = Tcg||Lcg||PI||CG
    Data carried by CG = Data blocks = Non BER-TLV coded data and padding bytes, if indicated in PI.


Annex F.4 Use of control references

The use of control references (see 5.6.5.1) is shown.

Command data field = Tcr||Lcr||CR
Where CR = Tfr||Lfr||Tkr||Lkr||KR

Annex F.5 Use of response descriptor

The use of response descriptor (see 5.6.5.1) is shown.

Command data field = Trd||Lrd||RD
Where RD = Tpv||‘0C’||Tcc||‘00’

Response data field = Tpv||Lpv||PV||Tcc||Lcc||CC


Annex F.6 Use of the ENVELOPE command

The use of the ENVELOPE command is shown.

Command data field = Tcg||Lcg||PI||CG

Data carried by CG = Command APDU starting with CH and padding bytes according to PI

Response data field = Tcg||Lcg||PI||CG

Data carried by CG = Response APDU and padding bytes according to PI