GP卡规范快速入门
GP规范培训
1、GlobalPlatform简介 2、卡架构 3、生命周期模型 4、编码规则 5、GP注册表 6、命令发分发 7、SCP02的外部认证 8、APDU命令
1、GlobalPlatform简介
• 通过领导来自支付和通信行业的公司、政府部门 、销售团体(Vendor community)而建立起来的 一个组织。这个组织发表了一份少见的、关键的 、重要的芯片卡标准 —— 硬件无关、销售商无 关、不依赖于应用的卡管理规范,即今天要学习 的GP规范。 • 目标是减少阻碍多应用智能卡夸行业发展的障碍 ,智能卡发行者具有选择各种不同的卡片、终端 和后端系统的自由。
每一个可执行装载文件包含一个或多个可执行模块,也叫应用 的代码。应用的安装会从一个可执行模块里创建一个实例连同该应 用相关的数据一起放入卡片的可变存储区中。任何应用的实例及其 相关的数据都可以被移除。一个GP卡将支持多个可执行装载文件、 多个可执行模块以及多个应用同时存在于一张GP卡上。
可执行装载文件、可执行模块和应用之间的关系
• 2.3 安全域
在卡上代表应用提供者或控制授权中心,为它们的所有者(卡发 行者,应用提供者和控制授权中心机构)的应用提供的安全服务, 包括:密钥处理,数据加密,数据解密,数字签名的生成和校验。 • 每一个安全域实现一个安全通道协议,这个安全通道协议用来完成 卡发行者、应用提供者和控制授权中心机构与其在卡上的安全域之 间的通讯。
2、卡架构
• 2.1 运行时环境
GlabalPlatform运行在任何具有安全、多应用特性的运行时环境 之上。这个运行环境负责为其它的应用提供硬件无关的API接口、安 全的存储和可执行的内存空间,确保每一个应用在卡内的代码和数 据是独立和安全的。
NVIDIA Quadro 图形卡快速入门指南说明书
NVIDIA® QUADRO®QUICK START GUIDEThank you for choosing the NVIDIA® Quadro®graphics card.This quick start guide covers the NVIDIA Quadro GP100, P6000, P5000,P4000, P2000, P1000, P620, P600, P400, M6000 24GB, M5000, M4000,M2000, K2200, K1200, K620, and K420 graphics cards. Before you begin, review the following Minimum System Requirements list to ensure your system meets the minimum hardware and software specification for your graphics card.Minimum System Requirements>MotherboardPCI Express x16 slot>Operating System• Microsoft Windows 10, 8.1, 8, 7 (all 32-bit and 64-bit)• Linux 32-bit or 64-bit on:- Red Hat Enterprise Linux 7.x, 6.x, 5.x, 4.x, 3.x- SUSE Linux Enterprise Desktop 13.x, 12.x, 11.x 10.x- OpenSUSE 13.x, 12.x, 11.x, 10.x- Fedora up to 24- Ubuntu 16.x, 15.x, 14.x, 13.x, 12.x, 11.x, 10.x, 9.x, 8.x, 7.x• Solaris>Processor• Intel Core i5, i7 or Xeon processor or later• AMD Phenom or Opteron class processor or later>System MemoryMinimum of two (2) GB memory, eight (8) GB or higher recommended >Blu-ray, DVD-ROM/CD-ROM drive, or Internet connection for driver installationENIncluded equipment with each NVIDIA Quadro graphics card.!ATTENTION: Static electricity can severely damage electronic components. Take the following precautions when installing your new NVIDIA Quadro graphics card: >Before touching any electronic parts, discharge the static electricity from your body by touching the internal metal frame of your system while it is unplugged. >Do not remove your card from the packaging clamshell until you are ready to install it. Whenever you remove a card from your system, always place it back in the clamshell.>Do not allow clothing or jewelry touch any electronic parts.>When handling your graphics card, hold it by the edges and avoid touching any circuitry or the PCIe connector.11 Remove the current graphics driver installed on the host system.• Go to Start\Control Panel\Programs and Features• Remove the current graphics driver.2 Power down your system.3 Unplug the power cord from the AC power source.4 Remove the side panel from your system to gain access to themotherboard.Note: Reference your specific computer documents for instructionson accessing the motherboard in your computer.5 R emove the existing graphics card if present. If a retention bar is holdingthe card in place, remove the screw securing the card.OR, If there is no existing graphics card, remove the accessEN6 Install the card into the primary x16 PCI slot. Press gently on thecard until it is seated securely in the slot.Install the graphics card into the primary x16 PCI slot.The Quadro GP100, P6000, P5000, M6000 24GB, and M5000 graphics cards are dual-slot cards and will cover the adjacent slot. The remaining graphic cards are single-slot cards.7 Secure the card to the system frame using the screw(s) removedin step 5.8 Connect the supplied auxiliary power cable(s) from the power supply to theback edge of the Quadro GP100, P6000, P5000, M6000 24GB, M5000,P4000, or M4000 graphics card.Note: Use the recommended power connector guidelines at /quadropowerguidelines .9 Install the side panel removed in step 4.1 Connect the display cable(s) to your Quadro graphics card.2Reconnect your power cord to the workstation.DisplayPort ConnectorSupports single-lane transfer rates over a single cable. The interface is primarily used to connect a video source to a display device such as a computer monitor.Mini-DisplayPort Connector DVI ConnectorsUse this to connect a digital display or, with an adapter, a VGA display using DVI-to-VGA adapter.DisplayPort ConnectorDVI-to-VGA Adapter(Optional - For use with DVI-IDriver InstallationWith the hardware installed, it is now time to install the graphics driver.1 Power up your computer, start Windows or Linux, and login with anaccount that has Administrator rights.Note: Since there is no GPU driver currently loaded, the display mayrun at reduced resolution or image quality.2 Download and install the driver.• Select and download the driver from /drivers. Launch the downloaded executable file, then follow the installer guides tocomplete installation.• Insert the software installation disc and follow directions for driverinstallation.The installer may require you to reboot your system once the driverinstallation is complete.Congratulations! Your NVIDIA Quadro graphicscard is now ready to use!。
GP Spec Card 中文规范 GP 卡片规范
GlobalPlatform卡片规范版本2.22006年5月目录1 介绍 (7)1.1 受众 (7)1.2 标准参考规范 (7)1.3 术语及定义 (9)1.4 缩写和符号 (12)2 系统架构 (15)3 卡片架构 (16)3.1 安全域 (16)3.2 全局服务应用 (17)3.3 运行时环境 (17)3.4 可信任框架 (17)3.5 GlobalPlatform环境(OPEN) (17)3.6 GlobalPlatform API (17)3.7 卡片内容 (17)3.8 卡片管理器 (18)4 安全架构 (19)4.1 目标 (19)4.2 安全职责和要求 (19)4.2.1 发卡方的职责 (19)4.2.2 应用提供方的职责 (19)4.2.3 授权管理者的职责 (20)4.2.4 卡片组件的安全性要求 (20)4.2.4.1 运行时环境的安全性要求 (20)4.2.4.2 可信任框架的安全性要求 (20)4.2.4.3 OPEN的安全性要求 (20)4.2.4.4 安全域的的安全性要求 (20)4.2.4.5 全局服务应用的安全性要求 (21)4.2.4.6 应用的安全性要求 (21)4.2.5 后台系统的安全性要求 (21)4.3 加密支持 (21)4.3.1 安全的卡片内容管理 (21)4.3.1.1 加载文件数据块散列值 (21)4.3.1.2 加载文件数据块签名(DAP) (22)4.3.1.3 委托管理令牌 (22)4.3.1.4 收条 (22)4.3.2 安全通信 (22)5 生命周期模型 (24)5.1 卡片生命周期 (24)5.1.1 卡片生命周期状态 (24)5.1.1.1 卡片生命周期状态OP_READY (24)5.1.1.2 卡片生命周期状态INITIALIZED (25)5.1.1.3 卡片生命周期状态SECURED (25)5.1.1.4 卡片生命周期状态CARD_LOCKED (25)5.1.1.5 卡片生命周期状态TERMINATED (25)5.1.2 卡片生命周期状态的迁移 (25)5.2 可执行加载文件和可执行模块生命周期 (26)5.2.1 可执行加载文件生命周期 (26)5.2.1.1 Executable Load Life Cycle LOADED (26)5.2.1.2 可执行加载文件的删除 (27)5.2.2 可执行模块的生命周期 (27)5.3 应用和安全域的生命周期 (27)5.3.1 应用生命周期状态 (27)5.3.1.1 应用生命周期状态INSTALLED (27)5.3.1.2 应用生命周期状态SELECTABLE (27)5.3.1.3 应用生命周期状态LOCKED (28)5.3.1.4 应用的删除 (28)5.3.1.5 应用自定义的生命周期状态 (28)5.3.1.6 应用生命周期状态的迁移 (28)5.3.2 安全域生命周期状态 (29)5.3.2.1 安全域生命周期状态INSTALLED (29)5.3.2.2 安全域生命周期状态SELECTABLE (30)5.3.2.3 安全域生命周期状态PERSONALIZED (30)5.3.2.4 安全域生命周期状态LOCKED (30)5.3.2.5 安全域的删除 (30)5.3.2.6 安全域生命周期状态的迁移 (30)5.4 生命周期图解 (31)6 GlobalPlatform环境(OPEN) (33)6.1 综述 (33)6.2 OPEN服务 (34)6.3 命令分发 (34)6.4 逻辑通道和应用选择 (34)6.4.1 隐式选择的分派 (34)6.4.2 基本逻辑通道 (35)6.4.2.1 基本逻辑通道的应用选择 (35)6.4.2.1.1 基本逻辑通道上应用的隐式选择 (35)6.4.2.1.2 基本逻辑通道上应用的显式选择 (35)6.4.2.2 基本逻辑通道上的逻辑通道管理 (36)6.4.2.3 基本逻辑通道上的应用命令分发 (37)6.4.3 补充逻辑通道 (37)6.4.3.1 补充逻辑通道的应用选择 (37)6.4.3.1.1 补充逻辑通道上应用的隐式选择 (37)6.4.3.1.2 补充逻辑通道上应用的显式选择 (37)6.4.3.2 补充逻辑通道上的逻辑通道管理 (38)6.4.3.3 补充逻辑通道上的应用命令分发 (38)6.5 GlobalPlatform注册表 (38)6.5.1 应用/可执行加载文件/可执行模块等数据元素 (39)6.5.1.1 应用/可执行加载文件/可执行模块的AID (39)6.5.1.2 应用/可执行加载文件/可执行模块的生命周期 (39)6.5.1.3 内存资源管理参数 (39)6.5.1.4 权限 (39)6.5.1.5 隐式应用选择参数 (39)6.5.1.6 关联安全域的AID (39)6.5.1.7 应用提供方ID (39)6.5.1.8 服务参数 (40)6.5.2 卡片级数据 (40)6.6 权限 (40)6.6.1 权限定义 (40)6.6.2 权限分配 (41)6.6.3 权限管理 (42)6.7 GlobalPlatform可信任框架 (42)7 安全域 (44)7.1 概要描述 (44)7.1.1 发卡方安全域 (44)7.2 关联到安全域 (44)7.3 安全域服务 (45)7.3.1 应用对安全域服务的访问 (45)7.3.2 安全域对应用的访问 (46)7.3.3 个人化支持 (46)7.3.4 运行时消息的支持 (47)7.4 安全域数据 (48)7.4.1 发卡方安全域 (48)7.4.1.1 发卡方标识编号 (48)7.4.1.2卡片映像编号 (48)7.4.1.3 卡片标识数据 (49)7.4.2 补充安全域 (49)7.4.2.1 安全域提供方标识编号 (49)7.4.2.2 安全域映像编号 (49)7.4.2.3 安全域管理数据 (49)7.5 安全域密钥 (49)7.5.1 密钥信息 (50)7.5.2 密钥访问条件 (50)7.6 数据和密钥管理 (51)8 全局平台服务 (52)8.1 全局服务应用 (52)8.1.1 注册全局服务 (52)8.1.2 应用对全局服务的访问 (52)8.1.3 全局服务参数 (53)8.2 持卡方验证方法(CVM)应用 (53)8.2.1 应用对CVM服务的访问 (53)8.2.2 CVM管理 (54)8.2.2.1 注册CVM (54)8.2.2.2 CVM状态 (54)8.2.2.2.1 CVM状态ACTIVE (54)8.2.2.2.2 CVM状态INV ALID_SUBMISSION (54)8.2.2.2.3 CVM状态V ALIDATED (54)8.2.2.2.4 CVM状态BLOCKED (55)8.2.2.3 CVM格式 (55)9 卡片和应用的管理 (56)9.1 卡片内容管理 (56)9.1.1 概述 (56)9.1.2 对OPEN的要求 (56)9.1.3 对安全域的要求 (56)9.1.3.1 具备“令牌验证权限”的安全域 (56)9.1.3.2 具备“授权管理权限”的安全域 (56)9.1.3.3 具备“委托管理权限”的安全域 (56)9.1.3.4 具备“全局删除权限”的安全域 (57)9.1.3.5 具备“全局锁定权限”的安全域 (57)9.1.3.6 具备“收条创建权限”的安全域 (57)9.2 卡片内容的授权和管理 (57)9.2.1 数据鉴别(DAP)模式验证 (57)9.2.2 加载文件数据块的散列值 (57)9.2.3 令牌 (58)9.3 卡片内容的加载、安装和可选择化 (58)9.3.1 概述 (58)9.3.2 卡片内容的加载 (58)9.3.3 卡片内容的安装 (59)9.3.4 卡片内容的加载、安装和可选择化联合操作 (59)9.3.5 卡片内容加载过程 (59)9.3.6 卡片内容的安装过程 (61)9.3.7 卡片内容的可选择化过程 (62)9.3.8 卡片内容的加载、安装和可选择化联合操作过程 (63)9.3.9 加载和安装流程的示例 (65)9.4 内容的让渡和注册表的更新 (68)9.4.1 内容的让渡 (68)9.4.2 注册表的更新 (70)9.4.2.1 普通的注册表更新 (70)9.4.2.2 注册表更新中的让渡操作 (71)9.5 内容的删除 (71)9.5.1 应用删除 (72)9.5.2 可执行加载文件的删除 (73)9.5.3 可执行加载文件和相关应用的删除 (74)9.6 安全管理 (75)9.6.1 生命周期管理 (76)9.6.2 应用的锁定和解锁 (76)9.6.3 卡片的锁定和解锁 (77)9.6.4 卡片终结 (77)9.6.5 应用状况的查询 (78)9.6.6 卡片状况的查询 (78)9.6.7 操作的频度检测 (79)9.6.7.1 内容加载和安装 (79)9.6.7.2 异常 (79)9.6.8 跟踪和事件日志 (79)9.7 内存资源管理 (79)10 安全通信 (81)10.1 安全通信 (81)10.2 显式和隐式安全通道 (81)10.2.1 显式安全通道的开启 (81)10.2.2 隐式安全通道的开启 (81)10.2.3 安全通道的终止 (81)10.3 安全通道协议的直接处理和间接处理 (82)10.4 实体认证 (82)10.4.1 对称加密算法下的认证 (82)10.4.2 非对称加密下的认证 (82)10.5 安全的消息传送 (83)10.6 安全级别 (83)10.7 安全通道协议标识符 (83)第一部介绍1 介绍GlobalPlatform是一家由支付和通信业的领先厂商、政府相关部门以及供应商社区共同建立的一个组织,并率先提出了一个跨行业的智能卡全局基础架构及其实现,其目标是为了减少隐藏在快速增长的跨行业、多应用的智能卡背后的障碍,使得发卡商在各种各样的卡片、终端和后台系统前,继续享有选择的自由。
GP培训教材
28
3D Technologies Felix 2008.09.01
肆 推動GP常見問題
1. 是不是只要有SGS的檢測報告就符合GP要求? 2. SMT製程已經全面使用無鉛製程,就算符合GP? 3. GP管理系統算是品質管理系統還是環境管理系統? 4. 所有的材料,半成品或成品一定要標示”RoHS”,”Non-
參 推動GP各單位權責
品保/品管單位: 1. 進料檢驗是否符合RoHS(GP)要求. 2. 巡檢人員對於無鉛製程的認知有多少? 2. 對於可靠度測試之方法及判定之標準,是否熟悉? 3. 對於無鉛零件之要求,認知有多少? 4. 對於IQC/IPQC/OQC/FQC之標準,是否有先行SET-
UP? 5. 對於RoHS & Lead-Free之要求,認知有多少?
3
3D Technologies Felix 2008.09.01
常聽到的名詞
1.Lead Free意思是指無鉛產品嗎?
2.GP綠色產品的定義是什麼?
3.3R是指? Green Design?
4.RoHS是由哪一個國家訂定的?
5.RoHS的要求有哪些?
4
3D Technologies Felix 2008.09.01
22
3D Technologies Felix 2008.09.01
參 推動GP各單位權責
製技/製造相關單位: 1. 生產設備是否已點檢與確認? 2. 治具/工具是否能符合無鉛製程的要求? 3. 生產區域如何劃分環保與非環保的製程? 4. 避免混料,重工區域是否有重新界定與標示? 5. 間接材料是否已經確認,並確認能符合環保的要求? 6. 週轉倉(半成品)如何標示,以免混料? 7. 所有的SOP何時可完成修訂? 8. 產品之料號(包括半成品及原物料)是否有區別?
上海通用GP11培训资料
样件批准 GP-11
SDE Module June. 2005
PD-SQD-007
1.02
1
20/05/2006
PPAP
GP-11的要求: SGM所要求的GP-11 文件清单
2
SDE Module June. 2005
PPAP
1.供应商Prototype/OTS产品保证书 OK
2. 整改计划(如果是“可用件”) 一般不需提交
3. 尺寸检验报告
OK
4.材料审核报告
OK
5.分供方清单和材料清单
OK
6. ADV计划和报告
OK
3
SDE Module June. 2005
PPAP
7. DRE批准/签署的设计记录
OK
8. 材料测试原始报告(包括所有子零件) OK
9.功能/性能测试原始报告
OK
10.零件子系统级测试原始报告(如需要)一般不需提交
11பைடு நூலகம் DRE批准的工程更改文件,如果有,没有更改不需提交
12. DFMEA
一般不需提交
4
SDE Module June. 2005
PPAP
GP-11文件的提交要求: 1、须采用插杆文件夹装订,
一个产品一个文件夹
2、同时须提交GP-11项目工程 认可报告封面 OK
5
SDE Module June. 2005
PPAP
GP-11电子版文件的提交要求:
GP-11批准后,上海泛亚DRE会将其文件寄给 我司,将其中有签字的文件扫描,没有签字 的文件直接将电子版整理,并将扫描版及电 子版整理在同一个文件夹下,并命名为xxGP11,并将其文件发邮件给相应的DRE,GP-
GP技术标准讲解及供应商管理要求09011
(Declaration Form on Banned or Restricted Substance –Accessory)(系列承認時使用或附件一 填寫空間不足時使用)____可選
MPT
本次新送樣 承認的料號
此前已經提 供合格資料 的料號
2.(第三方公正測試機構<具有ISO17025實驗室認証>的ICP測試報告)
1.對供應商的文件確認需求
MPT
• 供應商應對每個料號提供GP資料﹐這些GP資料包括﹕ •(Declaration Form on Banned or Restricted Substance)____必需 •(Declaration Form on Banned or Restricted Substance –Accessory)(系列承認時使用或附件一填寫 空間不足時使用)____可選 •(第三方公正測試機構<具有ISO17025實驗室認証>的測 試報告)___按MPT的規定
MPT • GP是Green partner(綠色伙伴)或Green product(綠色產品)﹐指 產品中不含有客戶GP規范已禁止的化學物質或含有的禁止物質在 客戶規定含量以下﹐即產品符合了客戶GP規范才是GP產品. • 客戶的GP規范或綠色采購標准是用來規定發貨到客戶的產品中有 害物質的管制或含量技朮要求﹐以使供應商在做管制時有據可 循﹐比如SONY SS-00259﹐DELL 6T198﹐松下<<化學物質管理等 級准則>>等,規范中會規定許多禁止和限制的化學物質要求. • 客戶的GP文件需求是用來証明發貨到客戶的產品中不含有有害物 質或含有的物質在管制范圍內,如承諾書+調查表+ICP測試報告等. • ICP測試是一種化學物質含量的測試方法﹐全稱叫高頻電感耦合 等離子發光光譜分析(Inductively Coupled Plasma--Atomic Emission Spectroscopy),SGS﹑ETC﹑ITS第三方具有ISO17025認 証的測試機構可進行ICP測試﹐檢測產品中化學物質的含量。
GP-卡规范V2.1.1
GP卡的开发规范说明书中文译本V2.1.1(2003.03)北京明宇科技有限公司错误!未指定书签。
修改记录日期修改者修改内容2003-12-07 平庆瑞杨向军初次做成。
2003-12-10 杨向军修改附录“E.1.2.2.隐式安全通道的初始化”中的相关内容,使表达更清楚。
2003-12-12 杨向军修改原文中的笔误及表达不明确的一些文字。
2003-12-22 王玉忠完成9章中内容2004-03-11 魏凯明全文校订目录1. 介绍 (2)2. 系统架构 (10)3. 卡的架构 (11)3.1. 运行时环境 (11)3.2. 卡的管理者(Card Manager) (12)3.2.1. GlobalPlatform运行时环境(OPEN) (12)3.2.2. 发行者安全域 (12)3.2.3. 卡持有者的校验方法 (13)3.3. 安全域(Secure Domains) (13)3.4. GP的API(Open Platform API) (13)3.5. 卡的内容 (13)4. 安全架构 (15)4.1. 目标 (15)4.2. 安全职责 (15)4.2.1. 卡发行者(Card Issuer) (15)4.2.2. 应用提供者(Application Provider) (16)4.2.3. 控制授权中心机构(Controlling Authority) (16)4.2.4. 卡上组件的安全要求 (16)4.2.4.1. 对运行时环境的安全要求 (16)4.2.4.2. 对OPEN的安全要求 (17)4.2.4.3. 对发行者安全域的安全要求 (17)4.2.4.4. 对CVM处理者的安全要求 (17)4.2.4.5. 对安全域的安全要求 (17)4.2.4.6. 对应用的安全要求 (18)4.2.5. 后台系统的安全要求 (18)4.3. 加密支持 (18)4.3.1. 卡内容的完整性校验和数据鉴别 (18)4.3.1.1. 装载文件数据块HASH (18)4.3.1.2. 装载文件数据块签名 (19)4.3.1.3. 委托管理令牌 (19)4.3.1.4. 收条 (19)4.3.2. 安全通讯 (19)5. 生命周期模型 (21)5.1. 卡的生命周期 (21)5.1.1. 卡生命周期的状态 (21)5.1.1.1. OP_READY状态 (21)5.1.1.2. INITIALIZED状态 (22)5.1.1.3. SECURED状态 (22)5.1.1.4. CARD_LOCKED状态 (22)5.1.1.5. TERMINA TED状态 (22)5.1.2. 卡生命周期状态的迁移 (23)5.2. 可执行装载文件的生命周期(Excutable Load File Life Cycle) (24)5.2.1. 可执行装载文件的生命周期 (25)5.2.1.1. LOADED状态 (25)5.2.1.2. 可执行装载文件的删除 (25)5.2.2. 可执行模块的生命周期 (25)5.3. 卡内应用和安全域的生命周期 (25)5.3.1. 卡内应用的生命周期状态 (26)5.3.1.1. INSTALLED状态 (26)5.3.1.2. SELECTBLE状态 (26)5.3.1.3. LOCKED状态 (26)5.3.1.4. 应用的删除 (27)5.3.1.5. 应用特定生命周期状态 (27)5.3.2. 安全域的生命周期状态 (28)5.3.2.1. INSTALL状态 (28)5.3.2.2. SELECTABLE状态 (28)5.3.2.3. PERSONALIZED状态 (28)5.3.2.4. LOCKED状态 (28)5.3.2.5. 安全域的删除 (29)5.4. 卡的生命周期和AP生命周期状态的演示 (30)6. 卡的管理者(CM) (32)6.1. 概述 (32)6.1.1. OPEN (32)6.1.2. 发行者安全域 (33)6.1.3. CVM处理者 (34)6.2. CM的服务 (34)6.2.1. 应用访问OPEN服务 (34)6.2.2. 应用访问CVM服务 (34)6.2.3. 应用访问发行者安全域的服务 (35)6.2.4. 发行者域访问应用服务 (35)6.4. 卡内容的管理 (41)6.4.1. 卡内容的装载和安装 (41)6.4.1.1. 卡内容的装载 (42)6.4.1.2. 卡内容的安装 (43)6.4.2. 内容的移除 (45)6.4.2.1. 应用的移除 (45)6.4.2.2. 可执行装载文件的移除 (46)6.4.2.3. 可执行装载文件和相关应用的移除 (47)6.4.3. 内容的移交(context Extradition) (48)6.5. 委托管理 (48)6.6. GP的注册表 (49)6.6.1. 发行者域数据元素的描述 (49)6.6.1.1. 发行者安全域的AID (50)6.6.1.2. 卡的生命周期状态 (50)6.6.2. 应用/可执行装载文件/可执行模块的数据元素的描述 (50)6.6.2.1. 应用/可执行装载文件/可执行模块的AID (50)6.6.2.2. 应用/可执行装载文件/可执行模块的生命周期 (50)6.6.2.3. 资源分配 (50)6.6.2.4. 应用的权限 (51)6.6.2.5. 相关联安全域的AID (52)6.7. 安全管理 (52)6.7.1. 应用的锁定 (53)6.7.2. 卡的锁定 (54)6.7.3. 卡的终止 (55)6.7.4. 操作频率的检查 (56)6.7.4.1. 卡内容的装载和安装时的频率检查 (56)6.7.4.2. 异常操作频率检查 (56)6.7.5. 跟踪和事件的记载 (57)6.7.6. 安全内容的装载和安装 (57)6.7.6.1. 装载文件的数据块HASH值 (57)6.7.6.2. 令牌 (57)6.7.6.3. 装载文件数据块的签名 (57)6.8.发行者安全域 (58)6.8.1. 发行者的标识号 (58)6.8.2. 卡的Image号 (58)6.8.3. 卡的识别数据 (59)6.8.4. 卡上的密钥信息 (59)7. 安全域 (63)7.1. 概述 (63)7.2. 安全域服务 (64)7.2.1. 访问安全域服务的应用 (64)7.2.2. 访问应用的安全域 (65)7.3.个人化支持 (65)7.4. 运行时消息支持 (66)7.5. DAP验证 (67)7.6. 代理管理 (68)7.6.1. 代理下载 (68)7.6.2. 代理安装 (69)7.6.3. 代理移交 (70)7.6.4. 代理删除 (71)7.7. 代理管理令牌、收条及DAP验证 (72)7.7.1. 下载令牌 (72)7.7.2. 下载收条 (73)7.7.3. 安装、移交令牌 (73)7.7.4. 安装收条 (73)7.7.5. 移交收条 (74)7.7.6. 删除收条 (74)7.7.7. 下载文件数据块hash (75)7.7.8. 下载文件数据块签名(DAP验证) (75)8. 安全通讯 (76)8.1. 安全通道 (76)8.2. 显式/隐式的安全通道 (76)8.2.1. 显式安全通道初始化 (76)8.2.2. 隐式安全通道初始化 (77)8.2.3. 安全通道结束 (77)8.3. 直接/间接处理安全通道协议 (77)8.4. 实体认证 (77)8.5. 安全消息传输 (77)8.6. 安全通道协议标识 (78)9. APDU命令参考 (80)9.1. 总的编码规则 (81)9.1.1. 生命周期状态的编码 (81)9.1.2. 应用的权限编码 (82)9.1.3. 一般性的错误情形 (83)9.1.4. CLASS字节编码 (84)9.1.5. APDU命令和响应数据 (84)9.1.6. 密钥类型编码 (84)9.1.7. 在委托管理的响应消息中的收条信息(可选) (85)9.2. DELETE命令 (86)9.2.1. 定义和范围 (86)9.2.2. 命令消息 (86)9.2.2.1. 引用控制参数P1 (86)9.2.2.2. 引用控制参数P2 (86)9.2.2.3. 命令消息中发送的数据字段 (86)9.2.3. 响应消息 (87)9.2.3.1. 在响应消息中返回的数据字段 (87)9.2.3.2. 在响应消息中返回的处理状态 (87)9.3. GET DATA命令 (88)9.3.1. 定义和范围 (88)9.3.2. 命令消息 (88)9.3.2.1. CLA字节 (88)9.3.2.2. 参数P1和P2 (88)9.3.2.3. 在命令消息中发送的数据字段 (89)9.3.3. 响应消息 (89)9.3.3.1. 在响应消息中返回的数据字段 (89)9.3.3.2. 在响应消息中返回的处理状态 (90)9.4. GET STATUS命令 (90)9.4.1. 定义和范围 (90)9.4.2. 命令消息 (90)9.4.2.1. 引用控制参数P1 (91)9.4.2.2. 引用控制参数P2 (91)9.4.2.3. 命令消息中发送的数据字段 (92)9.4.3. 响应消息 (92)9.4.3.1. 在响应消息中返回的数据字段 (92)9.5. INSTALL命令 (94)9.5.1. 定义和范围 (94)9.5.2. 命令消息 (94)9.5.2.1. 引用控制参数P1 (94)9.5.2.2. 引用控制参数P2 (95)9.5.2.3. 命令消息中发送的数据字段 (95)9.5.3. 响应消息 (98)9.5.3.1. 在响应消息中返回的数据字段 (98)9.5.3.2. 在响应消息中返回的处理状态 (99)9.6. LOAD命令 (99)9.6.1. 定义和范围 (99)9.6.2. 命令消息 (99)9.6.2.1. 引用控制参数P1 (100)9.6.2.2. 引用控制参数P2-块号 (100)9.6.2.3. 命令消息中发送的数据字段 (100)9.6.3. 响应消息 (101)9.6.3.1. 在响应消息中返回的数据字段 (101)9.6.3.2. 在响应消息中返回的处理状态 (101)9.7. MANAGE CHANNEL命令 (102)9.7.1. 定义和范围 (102)9.7.2. 命令消息 (102)9.7.2.1. 引用控制参数P1 (102)9.7.2.2. 引用控制参数P2 (102)9.7.2.3. 命令消息中发送的数据字段 (103)9.7.3. 响应消息 (103)9.7.3.1. 在响应消息中返回的数据字段 (103)9.7.3.2. 在响应消息中返回的处理状态 (103)9.8. PUT KEY命令 (103)9.8.1. 定义和范围 (103)9.8.2. 命令消息 (104)9.8.2.1. 引用控制参数P1 (104)9.8.2.2. 引用控制参数P2 (104)9.8.2.3. 命令消息中发送的数据字段 (105)9.8.3. 响应消息 (106)9.8.3.1. 在响应消息中返回的数据字段 (106)9.8.3.2. 在响应消息中返回的处理状态 (107)9.9. SELECT命令 (107)9.9.1. 定义和范围 (107)9.9.2. 命令消息 (107)9.9.2.1. 引用控制参数P1 (108)9.9.2.2. 引用控制参数P2 (108)9.9.2.3. 命令消息中发送的数据字段 (108)9.9.3. 响应消息 (108)9.9.3.2. 在响应消息中返回的处理状态 (109)9.10. SET STATUS命令 (109)9.10.1. 定义和范围 (109)9.10.2. 命令消息 (109)9.10.2.1. 引用控制参数P1-状态类型 (110)9.10.2.2. 引用控制参数P2-状态控制 (110)9.10.2.3. 命令消息中发送的数据字段 (111)9.10.3. 响应消息 (111)9.10.3.1. 在响应消息中返回的数据字段 (111)9.10.3.2. 在响应消息中返回的处理状态 (111)9.11. STORE DATA命令 (111)9.11.1. 定义和范围 (111)9.11.2. 命令消息 (111)9.11.2.1. 引用控制参数P1 (112)9.11.2.2. 引用控制参数P2 (113)9.11.2.3. 命令消息中发送的数据字段 (113)9.11.3. 响应消息 (114)9.11.3.1. 在响应消息中返回的数据字段 (114)9.11.3.2. 在响应消息中返回的处理状态 (114)A. GP的API (116)A.1. 不赞成的Open Platform Java卡API (116)A.2. GP在JA V A卡上 (116)A.2.1. GP特定的要求 (116)A.2.1.1. GlobalPlatform包的AID (116)A.2.1.2. 安装 (116)A.2.1.3. T=0传输协议 (117)A.2.1.4. 原子操作 (118)A.2.1.5. 逻辑通道 (118)A.2.1.6. 加密算法 (118)A.2.1.7. 信任级别 (118)A.2.1.8. GlobalPlatform方法的调用 (118)A.2.2. 类的层次 (119)A.2.2.1. 接口org.globalplatform.Application (119)A.2.2.2. 接口org.globalplatform.SecureChannel (120)A.2.2.3. 类org.globalplatform.GPSystem (127)A.2.2.4. 接口org.globalplatform.CVM (131)A.3. GP在windows Powered智能卡 (136)B. 算法(加密和HASH) (138)B.1. 数据加密标准(DES) (138)B.1.1. 加密/解密 (138)B.1.1.1. CBC模式 (138)B.1.1.2. ECB模式 (138)B.1.2. MAC (138)B.1.2.2. Single DES加上最终的TDES MAC (138)B.2. HASH算法 (139)B.2.1. 安全HASH算法(SHA-1) (139)B.3. 公钥加密方案1(PKCS#1) (139)B.4. DES数据填充 (139)C. 安全内容管理 (141)C.1. 密钥 (141)C.1.1. 发行者安全域密钥 (141)C.1.1.1. 令牌密钥 (141)C.1.1.2. 收条密钥 (141)C.1.2. 安全域密钥 (141)C.2. 下载文件数据块Hash (142)C.3. 令牌 (142)C.3.1. 下载令牌 (142)C.3.2. 安装令牌 (143)C.3.3. Extradition Token (145)C.4. 收条 (145)C.4.1. 下载收条 (146)C.4.2. 安装收条 (146)C.4.3. 删除收条 (147)C.4.4. 移交收条 (148)C.5. DAP验证 (148)C.5.1. PKC方案 (149)C.5.2. DES方案 (149)D. 安全通道协议‘01‘ (150)D.1. 安全通讯 (150)D.1.1. SCP01安全通道 (150)D.1.2. 相互认证 (150)D.1.3. 消息的完整性 (152)D.1.4. 消息数据的机密性 (152)D.1.5. ICV的加密 (152)D.1.6. 安全级别 (152)D.2. 加密密钥 (153)D.3. 加密用法 (154)D.3.1. DES会话密钥 (154)D.3.2. 鉴别密码(Authenticated Cryptogram) (156)D.3.2.1. 卡的鉴别密码(Card cryptogram) (156)D.3.2.2. 主机端鉴别密码(host cryptogram) (156)D.3.3. MAC生成和MAC校验的APDU指令 (156)D.3.4. APDU命令的加密和解密 (157)D.3.5. 关键敏感数据的加密和解密 (158)D.4. 安全通道的APDU命令 (159)D.4.1. INITIALIZE UPDATE命令 (159)D.4.1.2. 命令消息 (160)D.4.1.3. 引用控制参数P1——密钥版本号 (160)D.4.1.4. 引用控制参数P2——密钥标识 (160)D.4.1.5. 命令消息中要传送的数据段 (160)D.4.1.6. 响应消息 (160)D.4.1.7. 在响应消息中返回的执行状态 (161)D.4.2. EXTERNAL AUTHENTICATION命令 (161)D.4.2.1. 定义和范围 (161)D.4.2.2. 命令消息 (161)D.4.2.3. 引用控制参数P1——安全级别 (162)D.4.2.4. 引用控制参数P2 (162)D.4.2.5. 命令消息中要传送的数据段 (162)D.4.2.6. 响应消息返回的数据段 (162)D.4.2.7. 在响应消息中返回的执行状态 (162)E. 安全通道协议‘02‘ (164)E.1. 安全通迅 (164)E.1.1. SPC02安全通道 (164)E.1.2. 实体鉴别 (165)E.1.2.1. 显式安全通道的初始化 (166)E.1.2.2. 隐式安全通道的初始化 (167)E.1.3. 消息的完整性 (167)E.1.4. 消息数据的机密性 (168)E.1.5. 安全级别 (168)E.2. 加密密钥 (170)E.3. 加密算法 (171)E.3.1. CBC (171)E.3.2. 消息的完整性ICV在显式安全通道初始化中的使用 (171)E.3.3. 消息的完整性ICV在隐式安全通道初始化中的使用 (172)E.3.4. ICV的加密 (172)E.4. 加密用法 (172)E.4.1. DES会话密钥 (172)E.4.2. 在显式安全通道中的鉴别密码 (173)E.4.2.1. 卡的鉴别密码(Card cryptogram) (173)E.4.2.2. 主机端的鉴别密码(host cryptogram) (173)E.4.3. 在隐式安全通道中的鉴别密码(Authenticate Cryptogram) (174)E.4.4. APDU命令C-MAC的生成和校验 (174)E.4.5. APDU命令响应的R-MAC生成和校验 (176)E.4.6. APDU命令数据段的加密和解密 (177)E.4.7. 敏感数据的加密和解密 (178)E.5. 安全通道的APDU指令 (178)E.5.1. INITIALIZE UPDATE命令 (179)E.5.1.1. 定义和范围 (179)E.5.1.2. 命令消息 (179)E.5.1.3. 引用控制参数P1——密钥版本号 (180)E.5.1.4. 引用控制参数P2 (180)E.5.1.5. 命令消息中要传送的数据段 (180)E.5.1.6. 响应消息 (180)E.5.1.7. 在响应消息中返回的执行状态 (180)E.5.2. EXTERNAL AUTHENTICATION命令 (181)E.5.2.1. 定义和范围 (181)E.5.2.2. 命令消息 (181)E.5.2.3. 引用控制参数P1——安全级别 (181)E.5.2.4. 引用控制参数P2 (182)E.5.2.5. 命令消息中要传送的数据段 (182)E.5.2.6. 响应消息返回的数据段 (182)E.5.2.7. 在响应消息中返回的执行状态 (182)E.5.3. BEGIN R-MAC SESSION命令 (182)E.5.3.1. 定义和范围 (182)E.5.3.2. 命令消息 (183)E.5.3.3. 引用控制参数P1 (183)E.5.3.4. 引用控制参数P2 (183)E.5.3.5. 命令消息中要传送的数据段 (183)E.5.3.6. 响应消息返回的数据段 (184)E.5.3.7. 在响应消息中返回的执行状态 (184)E.5.4. END R-MAC SESSION命令 (184)E.5.4.1. 定义和范围 (184)E.5.4.2. 命令消息 (184)E.5.4.3. 引用控制参数P1 (185)E.5.4.4. 引用控制参数P2 (185)E.5.4.5. 命令消息中要传送的数据段 (185)E.5.4.6. 响应消息返回的数据段 (185)E.5.4.7. 在响应消息中返回的执行状态 (185)F. GP的数据及卡的识别数据 (186)F.1. 数据值 (186)F.2. 卡识别数据的结构 (186)F.3. 安全域管理数据 (187)图2-1:GP系统结构图 (10)图3-1:GP卡结构图 (11)图3-2:卡内容关系图 (14)图5-1:卡生命周期状态迁移 (24)图5-2:应用生命周期状态迁移 (28)图5-3:安全域生命周期状态迁移 (30)图5-4:卡生命周期状态和应用生命周期状态举例 (31)图6-1:OPEN的架构 (33)图6-2:装载和安装过程 (42)图6-3:装载和安装流程图 (44)图6-4:安装流程图 (45)图6-5:可执行装载文件删除流程图 (47)图6-6:应用移交流程图 (48)图6-7:应用锁定流程图 (54)图6-8:卡锁定流程图 (55)图6-9:卡终止流程图 (56)图7-1:通过相关安全域进行应用个人化 (66)图7-2:运行时消息流 (67)图7-3:代理下载与安装 (70)图7-4:代理删除 (72)图7-5:下载令牌计算 (72)图7-6:收条计算 (73)图7-7:安装和移交令牌计算 (73)图7-8:计算安装收条 (74)图7-9:移交收条计算 (74)图7-10:删除收条计算 (74)图7-11:装载文件数据块HASH计算 (75)图7-12:装载文件数据块签名计算 (75)图D-1:相互认证流程图(安全域) (151)图D-2:相互认证流程图(使用安全域的服务) (152)图D-3:会话密钥-第1步-产生原始数据 (155)图D-4:会话密钥-第2步-创建S-ENC会话密钥 (155)图D-5:会话密钥-第3步-创建S-MAC会话密钥 (155)图D-6:APDU命令的MAC生成与验证 (157)图D-7:APDU数据域的加密 (158)图E-1:显式安全通道初始化流程图 (167)图E-2:从基本密钥中创建安全通道会话密钥 (173)图E-3:在未修改的APDU上生成C-MAC (175)图E-4:在修改的APDU上生成C-MAC (175)图E-5:生成R-MAC (176)图E-6:APDU命令数据域加密 (177)表1-1:标准参考 (3)表1-2:术语和定义 (5)表1-3:缩写词与符号 (7)表9-1:每个卡生命周期状态的被认证的GlobalPlatform命令 (80)表9-2:GlobalPlatform命令的最小安全需求 (81)表9-3:可执行装载文件的生命周期编码 (82)表9-4:应用的生命周期编码 (82)表9-5:安全域的生命周期编码 (82)表9-6:发行者安全域的生命周期编码 (82)表9-7:应用的权限 (83)表9-8:一般错误情形 (83)表9-9:CLA字节编码 (84)表9-10:密钥类型编码 (85)表9-11:确认信息结构 (85)表9-12:DELETE命令消息 (86)表9-13:DELETE引用控制参数P2 (86)表9-14:DELETE[密钥]命令消息的数据字段。
GP基础培训教材资料
企业应对措施: 1、产品的环境管理物质的检测和报告 2、材料和零件相关成分的了解和收集 3、相关化学物质的毒性和禁用信息的收 集,例如MSDS。
第五节:PFOS/PFOA
PFOS是全氟辛烷磺酸盐的英文缩写, 它存在于盐、衍生体和聚合体中。 目前,PFOS已成为全氟化酸性硫酸基酸 各种类型派生物及含有这些派生物的聚合 体的代名词。当PFOS被外界所发现时, 是以经过降解的PFOS形态存在的。那些 可分解成PFOS的物质则被称作PFOS有关 物质。当前PFOS已经在出口产品材料中 被广泛限制,
第二节:卤素
属于非金属元素 包括氟(F)、氯(Cl)、溴(Br)、碘 (I)、砹(At) 五种元素; 电子、电气产品行业中无卤化主要是指 限制在塑料、PCB板中使用卤系阻燃剂, 即只对溴、氯进行限制,因此,讨论电 子产品中的卤素主要是讨论这两种元素。
氯气:常温下为黄绿色气体,可溶于水,有毒, 与水部分发生反应,生成HCl与次氯酸,次氯酸 不稳定,分解放出氧气,并生成盐酸,次氯酸 氧化性很强,可用于漂白氯气对肺部有强烈刺 激。氯气具有强氧化性。 液溴:在常温下为深红棕色液体,可溶于水, 挥发性极强,有毒,蒸气强烈刺激眼睛、粘膜 等。加热可使反应加快。氢溴酸是一种强酸, 酸性强于氢氯酸。溴一般用于有机合成等方面。
<1000 <1000
<100 禁用orN.D.
<1000 <1000
禁用orN.D. 禁用orN.D.
包材、包装用部件、电池所有一级禁止对象 塑胶/全部
多溴联苯醚(PBDEs)
<1000
禁用orN.D.
塑胶(包括橡胶)、模治具部件/全部
注:N.D是指未检测出(低于检测极限值)
卡片基本规范
块的第1个域。它包含节点地址(NAD)子域、协议控制字节(PCB)和长度(LEN)。 3.22 协议控制字节 protocol control byte(PCB)
起始域中的一个子域。它包含传输控制信息。 3.23 接收准备块 receive ready block (R-block)
用于存储不由卡来解释的数据的基本文件。 3.47 冷复位 cold reset
激活后的第一次复位。 3.48 热复位
除冷复位以外的任何复位。
5
4 缩略语
以下缩略语适用于本部分。
AAC
应用鉴定密码
AC
访问条件
AC
应用加密
ACK
确认
AID
应用标识
APDU
应用协议数据单元
ARQC
授权请求密码
ASC
应用专用指令集
被卡作为一个整体来处理的字节串, 并可通过记录号或记录标识符来引用。 3.44 记录标识符 record identifer
一种与记录相关的值,它用于引用该记录。 在一个基本文件中,少数几个记录可以有相 同的记录标识符。 3.45 记录号 record number
分配给每一个记录的顺序号, 它唯一地标识一个基本文件中的记录。 3.46 基本工作文件 working elementary file
在等类分类中,仅优先一个给定文件的专用文件。 3.40 口令 password
一个应用可能需要的代表卡的用户的数据。 3.41 路径 path
没有定界的文件标识符的连接。如果路径以主文件的识别符开始, 它就是一个路径。 3.42 提供者 provider
GP培训教材
IQC專用檢驗區 倉庫專用存儲區 專用生產設備
出貨
安達電子RoHS對應措施- 1
供應商提供保證書(或公開聲明 書)保證材料符合RoHS指令
供應商提供材料有害物質檢驗 報告或知名公司GP證書
安達材料中有害物質含量分析 報告(X-ray自檢或送SGS檢驗)
RoHS & WEEE要點介紹
一、指令目的與範圍
(一) 廢電器及電子設備指令(WEEE)2002/96/EC及電器 及 電子設備使用某些危害物質限制指令 (RoHS)2002/95/EC兩個指令於2003.2.13經歐盟公 報公告。
(二) 目的︰前者為求(減少電器)廢棄量,增加廢電器之再 使用、再生利用、回收再利用率、改進操作者環境 績效。後者則為將設備中危害物質限制使用或限制 含量,減少WEEE對環境衝擊以維護人員健康及良 好環境。(預防原則、污染者付費原則)。
绿色采购简介
内部讲稿
➢ROHS & WEEE ➢顧客要求 ➢安達管制標准 ➢有害物質檢測
品保中心教材
歐盟簡介
(一)歐盟全圖︰EU歐盟
EEC歐洲經濟體/歐洲共同市場 ❖ 歐盟(European Union) 最早稱為歐洲共同體
(European Community),是為了改善歐洲國家之 間產品安全法規的不協調、為達到各自的與共同 的最大利益而以通行法律為基礎形成的國家集團 。 ❖ 25個歐盟成員國為:奧地利、比利時、丹麥、芬 蘭、法國、德國、希臘、愛爾蘭、義大利、盧森 堡、荷蘭、葡萄牙、西班牙、瑞典、英國、賽浦 路斯、捷克共和國、愛沙尼亞、匈牙利、拉托維 亞、立陶宛、馬耳他、波蘭、斯洛伐尼亞以及斯 洛伐克。
GC-MS
氣相色譜-質譜聯用
•XRF
X射線熒光光譜
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
GlobalPlatform Card Specification NutShell1.AbstractThe GlobalPlatform card specification is a standard for the management of the infrastructure of a smart card. This management comprises the installation, the removal of applications and additional management tasks on a card. The main authority for this is the card issuer, which has full control over the card contents, but he can grant also other institutions to administrate their own applications. This management is achieved by applying cryptographic protocols, which authenticate and encipher these processes. The Open Platform specification should enable multi application capable smart cards which can be joined by multiple institutions where all installations are authorized by the card issuer and each institution has its own secure area on the card.2.Overview over Architecture2.1 Runtime EnvironmentGlobalPlatform can be built on top of every multi application capable runtime environment. In practice the runtime environment is always the Java Card Runtime Environment.2.2 Security DomainA Security Domain is a protected area on a smart card. To this Security Domain are assigned applications, which can use cryptographic services it offers. By default only the Security Domain of the card issuer exists on a card. If another institution wants to have its own Security Domain, e.g. for having its own secure application environment or managing its own applications, such a domain can be created with the help of the card issuer. Institutions managing their own applications are also referred to as Application Providers.2.3 Card ManagerThe card manager is the central component of a GlobalPlatform card. Every service is executed by it and it offers interfaces to use its services internal through the GlobalPlatform API and external through APDU commands. In addition the Card Manager includes the Security Domain of the card issuer, due to the fact that it can also own applications on the card.2.4 GlobalPlatform APIThe GlobalPlatform API gives applications on the card access to certain management functions of the Card Manager and the possibility to authenticate the communication partner and using a secure channel with it within the current active Security Domain.3.Concepts and FunctionalityFor a use case diagram illustrating the common usages see the following figure:3.1 Mutual Authentication and Negotiated Security LevelTo access the management functions of a card it is necessary to authenticate the host and the card against each other. Only in an early life cycle state of teh card, this is not necessary. If the Security Domain of the card issuer is not the default selected application or another Security Domain should be the context of the communication session it must be chosen by executing a SELECT command, which must be given the AID of the Security Domain. An AID is a hexadecimal identifier for application concerning card content. The most common default AID of the Security Domain of the card issuer is A0 00 00 00 03 00 00 00.Each Security Domain owns at least a set of three 3DES keys, the Secure Channel Keys, which must also be known to the host system. These three keys are the Encryption Key, which is used to generate an encryption session key for encrypting the transmitted messages, the Message Authentication Key, to generate a MAC session key for ensuring the integrity of transmitted messages and the Key Encryption Key to encrypt newly transferred keys. The first command sent to the card is the INITIALIZE UPDATE command. The INITIALIZE UPDATE command transmits a random number and states which key set version should be used during thefollowing session and at which key index the three successive keys are found. The values 0 for the key set version and 0 for the key index are used to denote the first available keys. The random number is encrypted with the Encryption Key in 3DES ECB mode and the resulting card cryptogram is sent back with an own random number to challenge the host. If the card cryptogram is verified successfully the host encrypts the random number of the card also in 3DES in ECB mode and sends the host cryptogram back in an EXTERNAL AUTHENTICATE command. The card verifies also this host cryptogram. With the EXTERNAL AUTHENTICATE command the host proposes a security level during the communication of this session. This security level can be plain text, where no integrity or confidentiality is given, the integrity of each message can be protected by appending a MAC using the MAC session key or in addition to the integrity also the confidentiality of the messages can be assured by using the encryption session key.3.2 Loading, Installation and Removal of contentsThe most noticeable task is the management of the card content. These are the loading, the installation and the removal of card contents. These tasks are performed in the context of a Security Domain.3.2.1 Loading and InstallationThe complete loading and installation happens in four steps:3.2.1.1 INSTALL [for load]The INSTALL [for load] command prepares the card to a following LOAD command. With this command the AID of the Load File Data Block is transmitted and the AID of the Security Domain, in which the Load File Data Block will be installed. A Load File Data Block is a data block, which contains one or more applicationsor libraries. In the case of the Java Card Runtime Environment this is equivalent to a package which can be saved in a format like the CAP format or the more common IJC format. Also parameters concerning the resource allocation on the card are indicated. These are the necessary space for storing the Load File Data Block referred to as Non Volatile Code Space Limit, the needed space of persistent memory to store the resulting data of the application, referred to as Non Volatile Data Space Limit and the amount of volatile memory space, which is needed during execution of the application, referred to as Volatile Data Space Limit. The most cards are only interested in the Non Volatile Code Space Limit. Optional a Load File DAP can be given. A Load File DAP is a hash to verify to correct transmission of a Load File. To accomplish this, the whole Load File is hashed by SHA-1. A Load File can contain in addition to a Load File Data Block prefixed Load File Data Block DAPs. The point DAP Verification and Mandated DAP Verification should clarify this. If all given arguments are checked, which is the case, if no content on the card has the same AID like this Load File Data Block, the associated Security Domain does exist and the requested resource allocations can be satisfied.3.2.1.2 LOADThe LOAD command transfers the Load File in one or multiple messages depending on the Load File size to the card. If a Load File DAP was contained in the INSTALL [for load] command, the validity of this hash is verified. From the contained Load File Data Block a so called Executable Load File is created with the same AID as the Load File Data Block. An entry of the Executable Load file is created in the registry of the Card Manager and its associated Security Domain. The registry contains information of all installed contents, its privileges and its associated Security Domains.3.2.1.3 INSTALL [for install]This command installs an application from an Executable Load File. Therefor the AID of the Load File Data Block, which is the Executable Load File, the AID of the one to be installed content in the Executable Load File and the intended AID of application instance is declared. The one to be installed content equals in the context of the Java Card an applet class. The AID of the application instance corresponds to the AID of the applet class instance which is running the whole card life and which is used to select the application. In addition the resource concerning parameters like in INSTALL [for load] for the application are given. Most cards are only interested in the amount of the Non Volatile Data Space Limit. Another mandatory argument is the application privileges. Some notable privileges here are the Security Domain privilege, which states that the installed application is a Security Domain and the privilege, that the application is the default selected application, which means that it is selected implicitly byconnecting to a card. Other privileges are mentioned in the following paragraphs. To the installed application a maximum of 32 bytes of install parameters can be passed. In the Java Card terminology the install method of the applet is called with these parameters. If the Executable Load File is existent on the card, the application is contained in the Executable Load File, the application instance AID is not used by another content on the card and the resource requirements can be satisfied, the Card Manager creates an application from the Executable Load File, an entry for the application instance in the registry and associates its Security Domain.3.2.1.4 INSTALL [for make selectable]The INSTALL [for make selectable] command makes the application available to be selected. The AID of the application instance and the applet privileges are required. If the AID exists the application instance is marked as SELECTABLE in its life cycle status. A life cycle state of an application defines the selectable state of an application. E.g. after the INSTALL [for install] command the application is in the state INSTALLED. A complete overview of the life cycle states is given in the paragraph Life Cycle Management. The last to steps can be combined in a INSTALL [for install and make selectable] command.3.2.2 Removal3.2.2.1 DELETEA DELETE command deletes content on a card by its AID. Before this is done it is checked if the AID exists in the registry and if this content is not referenced by another installed content on the card. E.g. installed applications depend on their Executable Load File. If the content can be deleted its entry is removed from the registry and all persistent is marked as available.3.3 Delegated ManagementBy default only the Security Domain of the card issuer is allowed to load, install and remove contents on a card. To enable also other Application Providers with their Security Domain on the card to manage their contents the privilege of Delegated Management was introduced. This privilege must be given to the Security Domain by installation time. In order that the card issuer keeps the control of the card each content change must be authorized by him. Content which is loaded and installed on a card must be signed by a digital signature of the card issuer. The loading of content is granted by the verification of a Load DAP, also referredto as Load Token, during the INSTALL [for load] phase. The installation of content is granted by the verification of a Install DAP, also termed Install Token, in the INSTALL [for install and make selectable] command. Separate INSTALL [for install] and INSTALL [for make selectable] commands are not possible. These DAPs are calculated with RSA PKCS#1 over the parameters given in the INSTALL [for install and make selectable] command. To verify the signature the Security Domain of the card issuer must has access to a public RSA key, referred to as Token Key. In the case of a DELETE command no DAP is necessary. The execution of the loading, installation and removal is confirmed by the return of the Receipt. A Receipt is the proof to the card issuer that the owner of the Security Domain with Delegated Management privilege has carried out the operation. The Receipt is a MAC with a variation of 3DES in CBC mode. To calculate this Receipt the Security Domain of the card issuer must know a 3DES key for the Receipt generation. This key is termed Receipt Key. There is one Receipt type according to each loading and installation process. Every Receipt signs some card unique data together with a confirmation counter. The card unique data is some data which makes this card distinguishable from other cards. The confirmation counter assures that no former Receipt can be used to forge the confirmation. The Load Receipt signs in addition the Executable Load File AID created by the LOAD command and the associated Security Domain AID. The Install Receipt signs also the Executable Load File AID and the application instance AID. The computation of the Delete Receipt includes the AID of the deleted content.3.4 DAP Verification and Mandated DAP VerificationDAP Verification permits another institution as the card issuer to verify the integrity of a Load File Data Block. This can be useful if a Security Domain has not the ability to load content to the card or if a controlling entity may require that all content is certified. At installation time the Security Domain must obtain the DAP Verification privilege and after its installation a DAP Verification Key, a 3DES key or public RSA key, must be deposited in it to verify the integrity of the loaded content. To check the integrity a Load File Data Block DAP must be created by calculating a digital signature with RSA PKCS#1 or a MAC with a variation of 3DES in CBC mode over the Load File Data Block. The result of this operation is also called DAP Block. This DAP Block is prefixing the Load File Data Block and transferred as Load File with the LOAD command. The DAP Block is verified by the Security Domain with its key. If the DAP Block is valid the loading is granted. The difference between DAP Verification and Mandated DAP verification is that the Card Manager only contacts the Security Domain with the first privilege if the Security Domain is the associated Security Domain of the content to be loaded while a Security Domain with the second privilege must always verify the content which is loaded to the card.3.5 Key ManagementTo support the management function a variety of keys are necessary. Apart from the mandatory Encryption Key, Message Authentication Key and Key Encryption Key the Security Domain of the card issuer can have a Token Key and a Receipt Key, referred to as Delegated Management Keys, to support Delegated Management. A Security Domain or another institution can have a DAP Verification Key.3.5.1 PUT KEYThe PUT KEY command is used to populate the Security Domain with keys or replace existing keys. The pure Open Platform specification does not provide a way to delete keys. Beneath the possibility to put or replace Secure Channel and Delegated Management Keys, single keys can also be managed. The PUT KEY command must be passed one or multiple keys, the key set version in which the key(s) should be added or replaced and the key index within this key set version where the first key should be stored. For Delegated Management Keys there may be restriction on the key set version number. On some card it is possible to view key information or delete keys. If the card does not offer a way of deleting keys and view key information the tracking of available keys is the responsibility of the owner of the Security Domain.3.5.2 Viewing Key InformationIf a card supports the retrieval of key information the GET DATA command is used to obtain key information templates of the selected Security Domain. Key information templates contain the key set version number the key belongs to, the key index of the key and the key type.3.6 DELETE [key]Another optional enhancement is the deletion of keys in a Security Domain. Necessary parameters are the key set version number and the key index. It is possible to delete a whole key set version by giving the key set version number and a key set index of zero. The same is possible for keys with the same key index by giving a key set version number of zero.3.7 Life Cycle ManagementTo reply to security violations each application, Executable Load File and the Card Manager have a life cycle state.For the card issuer Security Domain those values can be OP READY, INITIALIZED, SECURED, LOCKED and TERMINATED. The difference between OP READY and INITIALIZED is only administrative and both mean, that the card is ready for receiving command, but is not ready for card holder. The state INITIALIZED can mean that already a key set version is installed. The state SECURED means that the card is ready for the card holder. A key set version is installed and all communication must take place in a secure channel. The last three states are irreversible. The state LOCKED may mean that a security violation has occurred and no application except the Card Manager can be selected and no key and content change is allowed to happen. The state TERMINATED means the end of the life of the card and the card shall only respond to a GET DATA command. Usually only the Security Domain of the card issuer can lock or terminate the card. Other Security Domains must have the Card Manager Lock privilege and Card Terminate privilege respectively.An Executable Load File can only be in the state LOADED.An application has three possible life cycle states. These are INSTALLED, SELECTABLE and LOCKED. If an application should not be selectable the application can be LOCKED. An application can only be unlocked by its Security Domain.A Security Domain can be in state INSTALLED, SELECTABLE, PERSONALIZED and LOCKED. The state PERSONALIZED means that the Security Domain is equipped with some personal content like keys. A Security Domain can be associated with content in this state. For a Security Domain the state LOCKED means, that only the Security Domain of the card issuer can unlock it.3.7.1 GET STATUSWith this command the life cycle status of the Card Manager, Executable Load Files and applications can be obtained. Additional the application privileges are returned.3.7.2 SET STATUSThe command SET STATUS is used to set the life cycle state of an installed content. The AID of the card content to set the life cycle state must be given. Some lifecycle states can only be set with a method of the Open Platform API by an application on the card.3.8 Card DataThere is a variety of card data objects. The Open Platform specification proposes only that the CPLC data should be retrievable. CPLC is an abbreviation for Card Production Life Cycle. This data object contains information about the production process of the card like the operating system or the ICC manufacturer. The Card issuer BIN data contains usually the serial number of the card. Apart from that the user defined Card issuer data can be used e.g. for deriving the keys. Some other possible values can be the available resources like EEPROM space.3.8.1 GET DATAThe GET DATA command is used to retrieve the above data. Each card data object has a tag name which is used to access it.3.8.2 PUT DATAPossible writable data can be stored with the PUT DATA command. The same tag names for the card data objects like in GET DATA are used.。