application protocol data unit (APDU)

2019-06-11

In the context of smart cards, an application protocol data unit (APDU) is the communication unit between a smart card reader and a smart card.

There are two categories of APDUs:

Command APDU

A command APDU is sent by the reader to the card — it contains a mandatory 4-byte header (CLA, INS, P1, P2) and from 0 to 65535 bytes of data.

| Field name | Length (bytes) | Description |
|---|---|---|
| CLA | 1 | Instruction class - indicates the type of command |
| INS | 1 | Instruction code - indicates the specific command |
| P1-P2 | 2 | Instruction parameters for the command |
| Lc | 0, 1 or 3 | Encodes the number (Nc) of bytes of command data |
| Command data | Nc | Nc bytes of data |
| Le | 0, 1, 2 or 3 | Encodes the maximum number (Ne) of expected response bytes |

See APDUs at Wikipedia for Lc and Le encodings.

Command APDU cases:

An extended APDU is an APDU (command) with data and/or response of more than 256 bytes and up to 65536 bytes. Otherwise it is a short APDU.

Response APDU

A response APDU is sent by the card to the reader — it contains from 0 to 65536 bytes of data, and 2 mandatory status bytes (SW1, SW2).

| Field name | Length (bytes) | Description |
|---|---|---|
| Response data | Nr (at most Ne) | Response data |
| Response trailer (SW1 SW2) | 2 | Command processing status |

Some status bytes

| SW1 | SW2 | Message |
|---|---|---|
| 63 | CX | Counter provided by X (valued from 0 to 15) |
| 67 | 00 | Incorrect length or address range error |
| 69 | 82 | Access conditions not fulfilled |
| 69 | 85 | No currently selected EF, no command to monitor |
| 90 | 00 | Command executed without error |

See SW1 SW2 status bytes for more status bytes.
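The field layout above can be checked mechanically. The following strict parser is an added example, not code from the original page: it applies the Lc and Le encodings of ISO/IEC 7816-4 (which the page defers to Wikipedia for) and rejects any APDU whose length fields disagree with the bytes actually present. The names `CommandAPDU`, `parse_command`, `parse_response` and `SAMPLE` are this example's own.

```python
from typing import NamedTuple

class CommandAPDU(NamedTuple):
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes     # Nc bytes of command data
    ne: int         # maximum expected response bytes (0 when Le is absent)
    extended: bool  # True when the extended (multi-byte) Lc/Le forms are used

def parse_command(apdu: bytes) -> CommandAPDU:
    """Strictly parse a command APDU; raise ValueError on inconsistent lengths."""
    if len(apdu) < 4:
        raise ValueError("the 4-byte header (CLA, INS, P1, P2) is mandatory")
    body = apdu[4:]
    def mk(data=b"", ne=0, ext=False):
        return CommandAPDU(*apdu[:4], bytes(data), ne, ext)
    if not body:                          # case 1: header only
        return mk()
    if len(body) == 1:                    # case 2S: 1-byte Le, 00 means 256
        return mk(ne=body[0] or 256)
    if body[0] != 0:                      # short form: 1-byte Lc (1..255)
        nc, rest = body[0], body[1:]
        if len(rest) == nc:               # case 3S: Lc + data
            return mk(rest)
        if len(rest) == nc + 1:           # case 4S: Lc + data + 1-byte Le
            return mk(rest[:nc], rest[nc] or 256)
        raise ValueError("short Lc does not match the data length")
    if len(body) < 3:
        raise ValueError("truncated extended length field")
    n, rest = int.from_bytes(body[1:3], "big"), body[3:]
    if not rest:                          # case 2E: 3-byte Le, 00 00 00 means 65536
        return mk(ne=n or 65536, ext=True)
    if n and len(rest) == n:              # case 3E: 3-byte Lc + data
        return mk(rest, ext=True)
    if n and len(rest) == n + 2:          # case 4E: 3-byte Lc + data + 2-byte Le
        return mk(rest[:n], int.from_bytes(rest[n:], "big") or 65536, True)
    raise ValueError("extended Lc does not match the data length")

def parse_response(rapdu: bytes, ne: int):
    """Split a response APDU into (data, SW1, SW2), enforcing Nr <= Ne."""
    if len(rapdu) < 2:
        raise ValueError("the SW1 SW2 trailer is mandatory")
    if len(rapdu) - 2 > ne:
        raise ValueError("response data longer than Ne")
    return bytes(rapdu[:-2]), rapdu[-2], rapdu[-1]

# Constructed sample: short command with Nc = 2 and Le = 00 (Ne = 256)
SAMPLE = bytes.fromhex("00a4040002a00000")
```

Pass the `ne` value returned by `parse_command` to `parse_response` so that a response carrying more data than the command allowed is rejected before it is used.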