application protocol data unit (APDU)
2019-06-11 [read as txt or PDF]
In the context of smart cards, an application protocol data unit (APDU) is the communication unit between a smart card reader and a smart card.
There are two categories of APDUs:
- command APDUs
- response APDUs
Command APDU
A command APDU is sent by the reader to the card — it contains a mandatory 4-byte header (CLA, INS, P1, P2) and from 0 to 65535 bytes of data.
| Field name | Length | Description |
|---|---|---|
| CLA | 1 | Instruction class - indicates type of command |
| INS | 1 | Instruction code - indicates specific command |
| P1-P2 | 2 | Instruction parameters for the command |
| Lc | 0, 1 or 3 | Encode number (Nc) of bytes of command data |
| Command data | Nc |
Nc bytes of data |
| Le | 0, 1, 2 or 3 | Maximum number (Ne) expected response bytes |
See APUDs at Wikipedia for Lc and Le encodings.
Command APDU cases:
- Case 1: no command data, no response data:
|Header| - Case 2: no command data, response data:
|Header|Le| - Case 3: command data, no response data:
|Header|Lc|Data| - Case 4: command data, response data:
|Header|Lc|Data|Le|
An extended APDU is an APDU (command) with data and/or response of more than 256 bytes and up to 65536 bytes. Otherwise it is a short APDU.
Response APDU
A response APDU is sent by the card to the reader — it contains from 0 to 65536 bytes of data, and 2 mandatory status bytes (SW1, SW2).
| Field name | Length | Description |
|---|---|---|
| Response data | Nr (at most Ne) |
Response data |
| Response trailer (SW1 SW2) | 2 | Command processing status |
Some status bytes
| SW1 SW2 | Message |
|---|---|
| 63 CX | Counter provided by X (valued from 0 to 15) |
| 67 00 | Incorrect length or address range error |
| 69 82 | Access conditions not fulfilled |
| 69 85 | No currently selected EF, no command to monitor |
| 90 00 | Command executed without error |
See SW1 SW2 status bytes for more status bytes.