P.URIEN Internet Draft Document: draft-urien-smarttp-00.txt Schlumberger CP8 Expires: December, 2001 June 2001 Category: Experimental SmartTP Smart Transfer Protocol Status of this Memo This document is an Internet-Draft and is NOT offered in accordance with Section 10 of RFC2026, and the author does not provide the IETF with any rights other than to publish as an Internet-Draft This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force(IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice. Copyright (C) Bull CP8 (2001) All Rights Reserved Relevant patent. European patent, WO0010139, Pascal Urien, "Method for communication between a user station and a network, in particular as internet and implementing architecture". Urien Expires December 2001 [Page 1] INTERNET DRAFT Smart Transfer Protocol June 2001 Abstract. This note describes a protocol named Smart Transfer Protocol (SmartTP).This protocol defines data exchange mechanisms, which overcome ISO 7816 standard constraints, and which have been designed in order to transform a smartcard or an embedded system, into an internet node. This function is achieved through a cooperation between a terminal and an ICC, which allows the ICC to share the terminal TCP/IP stack. Table of Contents. 1 Terminology.......................................................3 2 Conventions used in this document.................................3 3 Motivation........................................................3 4 Architecture......................................................4 5 Relation to ISO 7816..............................................6 5.1 Communication from terminal to ICC ............................8 5.2 Communication from ICC to Terminal ............................8 6 SmartTP protocol..................................................8 6.1 Overview ......................................................8 6.2 SmartTP_PDU ...................................................9 6.2.1 Source reference ..........................................9 6.2.2 Destination reference .....................................9 6.2.3 Flags .....................................................9 6.2.4 Information ..............................................10 6.2.5 Token ....................................................10 6.2.6 Notation .................................................10 6.2.7 Implicit token ...........................................10 6.3 SmartTP entity ...............................................10 6.3.1 Basic design rules .......................................10 6.4 SmartTP protocol rules .......................................11 6.4.1 SmartTP entity ...........................................11 6.4.2 Smart Agent ..............................................11 6.5 SmartTP agents ...............................................12 6.6 Example of server Agent state machine ........................13 6.7 Example of client agent state machine ........................14 6.8 A TCP network agent example. .................................15 6.9 Traces .......................................................16 6.9.1 Web Server Agent. ........................................16 6.9.2 Proxy Agent. .............................................17 7 Relation to other standards......................................18 8 Assigned number..................................................18 9 Authors' Addresses...............................................20 10 References......................................................20 Urien Expires December 2001 [Page 2] INTERNET DRAFT Smart Transfer Protocol June 2001 1 Terminology AMUX APDU Multiplexor. APDU Application Protocol Data Unit. CSL Card Smart Layer. HSL Host Smart Layer. HTTP Hyper Text Transfer Protocol. ICC Integrated Circuit Card IP Internet Protocol. OSI Open System Interconnection. PDU Protocol Data Unit. SAP Service Access Point. SL Smart Layer. SmartTP Smart Transfer Protocol. SmartTP Agent an autonomous software entity SmartTP_PDU SmartTP protocol data unit SSL Secure Socket Layer. TCP Transmission Control Protocol. 2 Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119[2]. 3 Motivation Smartcard is a tamper resistant device, it is a safe place to store information or to process cryptographic algorithms. ISO 7816 [4] standards have defined communication mechanisms between computer and smartcard; data are carried in APDUs (Application Protocol Data Unit), which in turn are exchanged through a serial link, according to transmission protocols like T=0 or T=1. This standard only define a set of low level commands, (typically, writing orders, reading orders, or cryptographic functions invocation); consequently an application which uses smartcard must be adapted for each type of these devices. One benefit of the SmartTP protocol, is to develop an unique software stack for each computer type, that works with all existing cards, implementing SmartTP. Most computers are connected to internet and includes a TCP/IP stack; furthermore there is an increasing need to enhance internet application security. The goal of SmartTP is to provide an internet access to an ICC, by sharing the terminal TCP/IP stack. Smartcard implements security functions (authentication, privacy, data integrity), as an example, it performs a subset of the SSL (TLS) protocol, which is transported through the internet network by IP packets, sent/received to/from terminal. It should be noticed that computers need card reader to work with smartcard. Urien Expires December 2001 [Page 3] INTERNET DRAFT Smart Transfer Protocol June 2001 In this memo card reader will be consider as a part of the computer hardware, even if generally it's a separate device. Most computers operating systems support the PC/SC standard [7] specified in 1996 by a set of computers and cards manufacturers. 4 Architecture In TCP/IP architecture, a network application (such as a web browser) is based on a model which includes the first four layers of OSI model[6]. Layers 1 (physical layer) and 2 (data link layer) are materialized for example by an ethernet board or a modem. The computer reaches a network resource (ethernet board...) through a particular software interface, sometimes called low-level driver (for example NDIS is a low-level driver developed by Microsoft). In OSI terminology this driver interface is called a Service Access Point (SAP) of level 2 (SAP2). +-----------------------------+ | Application layer | | HTTP, FTP | +-----------------------------+ | +-----------------------------+ | Transport layer | | TCP - UDP | +-----------------------------+ | +-----------------------------+ | Network layer | | IP | +-----------------------------+ | +-----------------------------+ | Data link Layer OSI2 | | Physical Layer OSI1 | +-----------------------------+ Figure 1 TCP/IP architecture In a similar way an internet application uses TCP/IP layers by means of a network library (for example the socket library) hosted by the computer. An internet application can work with such a library through SAP of OSI layer 3 (network layer) or OSI layer 4 (transport layer). Urien Expires December 2001 [Page 4] INTERNET DRAFT Smart Transfer Protocol June 2001 In summary, a computer offers three network access points : - A SAP2 at network board level (or modem). - A SAP3 at network level (IP). - A SAP4 at transport level (TCP) An application working with a SAP4,uses the whole computer TCP/IP stack. A SmartTP agent, is an autonomous software entity located either in a terminal or in an ICC. Agents exchange information, and follow rules according to a specific protocol (SmartTP). They can be located either in computer (terminal agent) or in ICC (card agent). They may use computer network resources (network agent) or not (local agent). According to these criteria's we shall distinguish three types of SmartTP agents, terminal-local, card-local, card-network. A network agent, which is always hosted in a computer, works with a particular SAP, therefore we should distinguish three kinds of such agents according to the communication layer in which there are located. The SmartTP protocol enables smartcard to access an IP network via two agents, one running in computer (a network terminal agent) and the other running in card (a local card agent). These two agents exchange application data (HTTP, SSL...) transported by SmartTP PDUs and APDUs. A communication stack, compatible with computers supporting 7816 standards is presented in figure 2, and includes three kinds of functional blocks: A- OSI layer 1 and 2, supporting ISO 7816-3 transmission protocol. B- AMUX layer which routes (in terminal or smartcard) APDUs to/from a smart layer. C-Smart Layer, which is named HSL (Host Smart Layer) on computer side and CSL (Card Smart Layer) on ICC side. This layer includes one or several SmartTP agents, and a SmartTP entity. Agents process data carried by APDUs. SmartTP entity acts as a switch which routes incoming APDUs to the right agent. An application sends APDUs to the smartcard using APIs, made available by the host operating system. We call AMUX (APDU Multiplexor) the layer located in the card or in the terminal which switches the APDUs stream towards an ICC or a host application. Urien Expires December 2001 [Page 5] INTERNET DRAFT Smart Transfer Protocol June 2001 HOST SYSTEM SMARTCARD +--------------------------------------+ +-------------------+ | Host Smart Layer | | Card Smart Layer | |Network Library HSL | | CSL | |+-----------+ +----+ +--------------+| |+-----------------+| ||Layer4-TCP |--|SAP4|-|+-----+ +-----+| || +-----+ +-----+ || |+-----------+ | | ||Smart| |Smart|| || |Smart| |Smart| || | | | | ||Agent| |Agent|| || |Agent|.|Agent| || |+-----------+ | | |+-----+ +-----+| || +-----+ +-----+ || ||Layer3-IP |--|SAP3|-| | | | || | | || |+-----+-----+ +----+ | | | | || | | || | | |+-------------+| ||+---------------+|| |+-------------------+ |SmartTP entity|| |||SmartTP entity ||| || Low Level SAP2|-|+-------------+| ||+---------------+|| |+ driver | +--------------+| |+-----------------+| |+-------------------+ | | | | | | | +--------------+| | +-------------+ | | | | AMUX || | | AMUX | | | | Ethernet | ISO 7816-4 || | | ISO 7816-4 | | |MODEM | Board +--------------+| | +-------------+ | | | | | Card reader | | | | | |+-----------------+ +-------------+|| | | | || +--------- ---+ | |+--- --------+|| | +-------------+ | || | Layer2 | | || Layer2 ||| | | Layer2 | | || |DataLinkLayer| | || ISO 7816-3 ||| | | ISO 7816-3 | | || +-------------+ | |+------------+|| | +-------------+ | || | | | | || | | | || +-------------+ | |+------------+|| | +-------------+ | || | Layer1 | | || Layer1 ||| | | Layer1 | | || | | | || ISO 7816-2 ||| | | ISO 7816-2 | | || +-------------+ | |+------------+|| | +-------------+ | |+-----------------+ +--------------+| | | | | | | | | | | +------|----------------------|--------+ +---------|---------+ | | | NETWORK +--------------------+ Figure 2 SmartTP architecture 5 Relation to ISO 7816 An application located in a smartcard communicates with the outside world by means of application protocol data unit (APDU), which are exchanged through the serial link between card and reader. An APDU contains either a command message or a response message sent from reader to card or conversely. The dialogue is carried out according to a command/response paradigm; terminal sends a request, ICC replies. In fact the ISO 7816-4 layer defines the equivalent of an OSI session since it fixes the rules for the dialogue between ICC and terminal. Urien Expires December 2001 [Page 6] INTERNET DRAFT Smart Transfer Protocol June 2001 An APDU command consists of five bytes CLA INS P1 P2 P3. The first two bytes (CLAss, INStruction) indicate the nature of the requested operation (writing, or reading for example).The two following (P1 P2) provide more details about that operation (for example an address). The last one (P3) specifies either the length of following data block, or the length of the expected ICC response. The response carries optional data bytes, and ends by two status bytes SW1 and SW2. Status 90 00 (SW1, SW2), means that no error had occurred during the previous command. The length of the response data, which is not known before hand is obtained by interpreting the two status bytes; SW1 shall be 61 or 9F, and SW2 shall give the total length of the data issued by the card. This procedure is in conformance with ISO 7816 [4] or ETSI standard (GSM 11.11 ([5]). ISO 7816 services are used by SmartTP to exchange PDU between smartcard and computer. Error recovery functions are performed by 7816 communication protocols, SmartTP_PDU transport is assumed by two specific APDUs, named SmartTP_Write and SmartTP_Read. +-------------------+ | SmartTP Agent + +-------------------+ | SmartTP Entity | +-------------------+ | 7816 Standards + +-------------------+ Figure 3, relation between smart layer and ISO 7816 Figure 3 summarizes the relation between SmartTP and ISO 7816. Agents, which implement internet application, exchange information according to the SmartTP protocol. SmartTP_PDU are transported using ISO 7816 facilities, but other smartcard standards could be supported, if necessary, in future version. Urien Expires December 2001 [Page 7] INTERNET DRAFT Smart Transfer Protocol June 2001 5.1 Communication from terminal to ICC An APDU named SmartTP_WRITE is used to send SmartTP_PDU from a terminal to a smartcard, it consists of five bytes and a smartTP_PDU: SmartTP_WRITE: 10 C2 BC 00 xx SmartTP_PDU, where xx is the length (in bytes) of the SmartTP_PDU. BC 00 is the protocol identifier (PID) of SmartTP stack (Bull CP8 protocol #00). ICC always returns a two bytes status 61 yy or 9F yy where yy is the response length. Status 90 00 may be returned to notify that PDU response is an implicit token. 5.2 Communication from ICC to Terminal An APDU named SmartTP_READ is used to get a SmartTP PDU produced by an ICC. This APDU is always issued following a SmartTP_WRITE, it is defined in ISO 7816 as a GET RESPONSE. SmartTP_READ: 10 C0 00 00 yy where yy is the exact length of the expected SmartTP_PDU. ICC returns a smartTP_PDU whose length is equal to yy bytes, and adds a two words status byte SW1 SW2. 6 SmartTP protocol 6.1 Overview SmartTP can be thought as a light version of the well known TCP protocol[3]. In TCP, six flags (URG, ACK, PSH, RST, SYN, and FIN) are used to manage a connection. Each application, working over this connection (a client or a server)is associated to a port, identified by a two bytes number, which is a well known value for a server, and an ephemeral value for a client. The usual size of TCP header is around 20 bytes. SmartTP only supports port and flag concept, therefore its header size is five bytes, and includes three fields, source port (2 bytes), destination port (2 bytes) and flag (1 byte). SmartTP PDUs are transported between terminal and ICC using 7816 protocols, which are in charge of error recovery, therefore it's not necessary to define error detection and correction mechanisms. Urien Expires December 2001 [Page 8] INTERNET DRAFT Smart Transfer Protocol June 2001 6.2 SmartTP_PDU +----------------+---------------------+-------+-------------+ +Source Reference+Destination Reference+ Flags + Information + + LSB MSB + LSB MSB + f7.f0 + 0-240 bytes + +----------------+---------------------+-------+-------------+ Figure 4, SmartTP_PDU A SmartTP PDU is divided in four parts - source reference (2 bytes) - destination reference (2 bytes) - flags (1 byte) - information (optional) Agents are identified by a two bytes number (a reference) which, as in TCP, can be either a fix value (server agent), or pseudo random (and ephemeral) value (client agent). 6.2.1 Source reference The reference of agent which has issued this SmartTP_PDU. It's transmitted in the order LSB - MSB. 6.2.2 Destination reference The reference of agent to which PDU is sent. It is transmitted in the order LSB - MSB. If the most significant bit (b15) is set, destination agent is located in the same smart layer (ICC or terminal), otherwise the SmartTP_PDU is sent towards the other smart layer. 6.2.3 Flags +------+-------+-----+------+------+-------+-------+------+ + f7 + f6 + f5 + f4 + f3* + f2* + f1* + f0* + +------+-------+-----+------+------+-------+-------+------+ + Open + Close + Ack + Nack + Data + Block + Write + Read + +------+-------+-----+------+------+-------+-------+------+ Figure 4, flags field, *: only used by Agents. This field is a set of 8 bit indicators (f7...f0). Indicators f3, f2,f1,f0 are not meaningful for SmartTP entity, and are only used by agents. - f7 Open, when set, this indicator means that a session is being opened between destination and source reference. - f6 Close, when set, this indicator means that a session had been closed between the destination and the source agent. - f5 Ack, this indicator is always set by the source SmartTP entity and is reserved for future used, therefore agent never uses this indicator. Urien Expires December 2001 [Page 9] INTERNET DRAFT Smart Transfer Protocol June 2001 - f4 Nack, when set this flag indicates that an error had been detected, either by an agent or a SmartTP entity. Upon reception of this event an agent will close its current session. - f3 Data, this flag may be used by a destination agent to determine whether a SmartTP_PDU information is interpreted as a command or data. This indicator is always reset for a PDU sent to a SmartTP entity. - f2 Block, when set, this indicator notifies to a destination agent that a source agent is waiting for a response and remains in a freeze state. - f1 Write, this indicator is set to indicate a writing operation. - f0 Read, this indicator is set to indicate a reading operation. 6.2.4 Information This field is optional, its maximum length value is dependent on the used transmission protocol. This value is fixed to 240 bytes for ISO 7816 T=0 protocol. This value is fixed to 240 bytes for ISO 7816 T=1 protocol. 6.2.5 Token A Token is a PDU which contains no information, its length is therefore equal to five bytes. A Null Token is issued by SmartTP, whose source reference is null. On the contrary a data PDU includes information bytes. 6.2.6 Notation In the next sections , SmartTP_PDU exchanges will be represented according to the following notations: - A PDU begins and ends by a bracket [] - s=, denotes the source reference. - d=, denotes the destination reference. - Set indicators (Ack, Nack, Open, Close, Data, Block, Read, Write) are separated by the "+" sign. If no indicator is set, the "null" symbol is used. - information if any, is represented by the string data. This symbol is omitted if the information field is empty. Some examples are listed below: [s=2,d=4567,null], a token with no indicator set. [s=4567,d=5, Block+Write], a token whose indicators Block and Write are set. [s=56,d=5432, Open, data], a PDU whose open indicator is set and which includes data. Urien Expires December 2001 [Page 10] INTERNET DRAFT Smart Transfer Protocol June 2001 6.2.7 Implicit token An ICC smartTP entity receives a PDU [s=SourceReference, d=DestinationReference,...]. An implicit token is a response PDU whose content is [s=DestinationReference, d=SourceReference, Ack]. 6.3 SmartTP entity SmartTP is in charge of switching packets to/from the destination/source agent. It's associated to a Null reference; SmartTP entity acts in fact as a server agent, whose reference is equal to zero. Incoming PDU +---------+ | RefDest | | =0 | +-+-----+-+ / \ / \ No/ \Yes / \ +------+-----+ Send token | RefDest | | =RefAgent | +--+-----+--+ / \ / \ No/ \Yes / \ +----+----+ PDULength = SmartTP2Agent(PDU) | Open | if (PDULength =0 | | PDU = token = +-+-----+-+ Set Ack / \ Send PDU / \ No/ \Yes / \ Send token Send Figure 6, PDU processing, by smartTP entity 6.3.1 Basic design rules Let's assume that a PDU had been received. Three cases are taken into account: Urien Expires December 2001 [Page 11] INTERNET DRAFT Smart Transfer Protocol June 2001 Case 1 -If the destination reference (RefDest) is null, a token () is always generated on the ICC side, while on terminal side no PDU is produced. Case 2 - If the destination reference (RefDest) is not null and is affected to a client agent or a server agent, then it's routed towards the corresponding agent. If this agent generates no response , an Ack token () is always generated on the ICC side, while on terminal side no PDU is produced. When a PDU is produced, the Ack indicator is always set by SmartTP entity. Case 3 - If there is no match between the destination reference (RefDest) and an agent reference, a token () is generated if the Open indicator is not set; otherwise, a Nack token is produced () 6.4 SmartTP protocol rules 6.4.1 SmartTP entity Rule 1 - SmartTP (ICC side) always sends a PDU following an incoming PDU; it can be either an agent generated PDU or a Null Token. Rule 2 - SmartTP (terminal side) never responds upon reception of a Null token. Rule 3 - SmartTP sends a Null Token if a PDU is received without the Open indicator set and with an unknown destination reference. Rule 4 - SmartTP produces a token with the Close indicator set upon the reception of an Open PDU whose destination reference is unknown. 6.4.2 Smart Agent Rule 1 - An agent ignores (no outgoing PDU is generated) every PDU whose open indicator is not set, and which can't be associated to an existing session. Rule 2 - An agent never responds (no outgoing PDU is generated) to a PDU whose close flag is set. If necessary a token will be generated by SmartTP entity. Rule 3 - Upon reception of a PDU whose source reference is null and with close indicator set, an agent closes all its open sessions, and no outgoing PDU is generated. Rule 4 - An agent always responds to a PDU whose blocking indicator is set, if necessary by a token. Urien Expires December 2001 [Page 12] INTERNET DRAFT Smart Transfer Protocol June 2001 6.5 SmartTP agents Two Agents are connected through a session. An agent is identified by an integer (ranging between 1 and 65535, value 0 is assigned to SmartTP entity). The most significant bit (b15) of this reference indicates if an agent is local (located in the same smart layer) or remote (b15=0). This feature means that agents can communicate within a smart layer or between two smart layers (terminal side and card side). A client sends a PDU of which the OPEN indicator is set (request for opening of session). A server receives this request for session opening. A server reference is constant; i.e. it is a well-known value. A session is identified by a couple, client reference, server reference. The client reference is chosen so that this couple is unique for a reasonable amount of time. The transmission of a PDU with the indicator CLOSE ends a session. There are six particular properties characterizing Agents : - Terminal, an agent located in the host system. - Card, an agent located in the card. - Local, an Agent which can't use network resources. - Network, an Agent, which can access to network. - Client, an agent which initializes a session (via the Open indicator). - Server, an agent which receives a request for opening a session (indicator Open is set). In the computer side, network agents are able to access the network resources (low-level driver, network library). From a TCP/IP point of view these agents are acting as server or client; they give an internet access to the card agents to which they are connected. Urien Expires December 2001 [Page 13] INTERNET DRAFT Smart Transfer Protocol June 2001 6.6 Example of server Agent state machine I n c o m i n g PDU | CT= Session Counter --------- | O P E N | --------- / \ Yes/ \No / \ + + ---- ---- |CT=1| |CT=0| ---- ---- | \ / \ No| \Yes Yes/ \No + + + + CT=1 Tx:Token End ------- Sref= +Close |Source | Reference |=Sref | Source ------- Tx:Token / \ No/ \Yes / \ + + ------ ================ |Source| || Processing || |=Null | || Http 1.1 || ------ ================ / \ | Yes/ \No | + + ----- ----- End |CLOSE| |CLOSE| ----- ----- / \ / \ No/ \Yes No/ \Yes / \ / \ + + + + ----- CT=0 End CT=0 |BLOCK| End End ----- / \ No/ \Yes + + End Tx:Token Figure 7, example of a smartTP server state machine Urien Expires December 2001 [Page 14] INTERNET DRAFT Smart Transfer Protocol June 2001 6.7 Example of client agent state machine I n c o m i n g PDU | | | ----- |CT=0 | ----- CT=Session Counter / \ Yes/ \No / \ + + End -------- | Source | | =Sref | -------- / \ / \ No/ \Yes / \ + + ------ ================ |Source| || Processing || |=Null | || || ------ ================ / \ | Yes/ \No | / \ | + + ----- ----- End |CLOSE| |CLOSE| ----- ----- / \ / \ No/ \Yes No/ \Yes / \ / \ + + + + ----- CT=0 End CT=0 |BLOCK| End End ----- / \ No/ \Yes / \ + + End Tx:Token Figure 8, Example of SmartTP client state machine. Urien Expires December 2001 [Page 15] INTERNET DRAFT Smart Transfer Protocol June 2001 6.8 A TCP network agent example. WAIT TCP IDDLE AND BLOCK TRANSMIT LEAVE ----- --------- -------- ----- | | | | | | | | |TCP Server | | | |Connection Established| | Rx:Close PDU | |--------------------->|-------->|-------------> | |Tx : Token Open Block |Rx:Data | Network Error | | | Write | | | | Block | | | | | | | | | | | TCP CONNECT | | TCP RECEIVE | | ----------- | | ----------- | | | | | | | | |TCP | | | | |outgoing |connection |<--------|<------ |Network | |TCP client|Established|Tx:Token |Rx:Data |Error | |--------->|---------->| Block | Write|------->| |Rx:Data | Tx:Token | | Block|Rx:Close| | Open | Block | | PDU | | Block | |Rx:Token | | | | |----------------->| | | | | | | | | |Tx:Data Write | | | | | Block | | | | |<-----------------| | | | | | | | |Rx:Close PDU | | | |-------------------------->| | | | | | | | | | Rx:Close PDU | | | ------------------------------------->| | | Network error | | | | | | | [Network Error]=>Tx:Close | | <----------------------------------------------- | | [Rx:Close]=>TCP connection release | | | Figure 9, example of a network agent state machine. A TCP network agent works as a protocol translator between SmartTP and TCP. It's organized around a central state WAIT_AND_BLOCK in which no operation is performed. Urien Expires December 2001 [Page 16] INTERNET DRAFT Smart Transfer Protocol June 2001 The system is waiting for an acknowledgment (a token), which will specify the next agent state (writing to network or reading from network). This agent includes five states. 1-IDDLE, in this state a TCP server (SmartTP client) is awaiting for an incoming TCP connection or a SmartTP server is waiting for an incoming OPEN PDU. In the case of an incoming TCP connection an open token is sent to a server agent, agent switches to the WAIT_AND_BLOCK state. 2- TCP_CONNECT, this state in meaningful only for a TCP client. An incoming open PDU has been received. The associated data specified the host name (or IP address) and the TCP port. A TCP connection is in progress (SYN has been sent). Upon connection completion (TCP established state)a block token is sent, the agent switches to the WAIT_AND_BLOCK state. If a network error occurs or if a close PDU is received agent switches to the LEAVE state. 3- WAIT_AND_BLOCK, in this state agent is waiting for an incoming PDU; no network operation is in progress. According to an incoming PDU, agent can switch to the TCP_TRANSMIT state (if a writing operation is required) or to the TCP_RECEIVE state (if a token has been received). If a close PDU is received agent switches to the LEAVE state. 4- TCP_TRANSMIT, data are being sent through the network. If a network error occurs or if a close PDU is received agent switches to the LEAVE state. Upon transmission completion a block token is sent, agent switches to the WAIT_AND_BLOCK state. 5- TCP_RECEIVE, agent is awaiting data from the network. When a write PDU is received agent switches to the TCP_TRANSMIT state. If a network error occurs or if a close PDU is received agent switches to the LEAVE state. When data are received from the network a write block PDU is sent, agent switches to the WAIT_AND_BLOCK state. 6- LEAVE, if a network error had occurred a close token is sent, otherwise a close PDU has been received and the TCP connection is closed. 6.9 Traces 6.9.1 Web Server Agent. In this scenario a browser opens an http session with a web server agent (#2) located in an ICC. A network agent (#15361) performs the translation between TCP and SmartTP protocols. A web browser opens a TCP connection with a network agent which acts as a TCP server (using for example port 80). Urien Expires December 2001 [Page 17] INTERNET DRAFT Smart Transfer Protocol June 2001 [s=15361,d=2,Open+Block+Ack], [s=2,d=15361,Ack]. An http request is sent from browser towards an ICC web server. [s=15361,d=2,Write+Block+Ack,data], [s=2,d=15361,Ack]. Last part of the request is sent. [s=15361,d=2,Write+Block+Ack,data]. The ICC server sends its response. [s=2,d=15361,Write+Block+Ack,data], [s=15361,d=2,Block+Ack]. [s=2,d=15361,Write+Block+Ack,data], [s=15361,d=2,Block+Ack]. The card server closes the TCP connection. [s=2,d=15361,Write+Close+Ack,data]. 6.9.2 Proxy Agent. In this scenario a browser opens an http session with a web server agent (#2) located in an ICC. A network agent (#15360) performs the translation between TCP and SmartTP protocols. A new session is then opened between an ICC client agent (#2559) and a network agent (#1) which acts as a TCP client and performs the translation between TCP and SmartTP protocols. A first session is opened between a browser and network agent [s=15360,d=2,Open+Block],[s=2,d=15360,Ack]. Web browser sends an http request to an ICC web server. [s=15360,d=2,Write+Block,data], [s=2,d=15360,Ack]. Last part of the request is sent. [s=15360,d=2,Write+Block,data]. ICC proxy opens a second connection towards an internet server. [s=2559,d=1,Open+Block+Ack,data], [s=1,d=2559,Block+Ack]. ICC proxy sends data (an http request) to the internet server. [s=2559,d=1,Write+Block+Ack,data], [s=1,d=2559,Block+Ack]. Last part of the request is sent. [s=2559,d=1,Write+Ack,data]. ICC proxy forwards data between the two terminal network agents. [s=1,d=2559,Block+Ack], [s=2,d=15360,Block+Ack], [s=15360,d=2,Ack], [s=2559,d=1,Ack]. Urien Expires December 2001 [Page 18] INTERNET DRAFT Smart Transfer Protocol June 2001 Data are received from the network. [s=1,d=2559,Write+Block+Ack,data], [s=2,d=15360,Write+Block+Ack,data]. [s=15360,d=2,Block+Ack], [s=2559,d=1,Block+Ack], [s=1,d=2559,Ack], [s=2,d=15360,Ack]. Agent #5 is ready to receive data again. Session end. =========== The card proxy forwards data... [s=1,d=2599,Write+Block+Ack], [s=2,d=15360,Write+Block+Ack]. Agent #15360 releases a (blocking) token. [s=15360,d=2,Block+Ack], [s=2559,d=1,Block+Ack]. The web browser ends the TCP connection session, agent #15360 closes its session. [s=15360,d=2,Close+Ack], [s=2559,d=1,Close+Ack]. Agent #1 closes its session with agent #2559, but two SmartTP_PDU which had been produced before the session end are sent by HSL to CSL, CSL acknowledges each of them by a Null token. [s=1,d=2559,Ack], [s=0,d=0,Ack]. [s=1,d=2559,Write+Block+Ack,data], [s=0,d=0,Ack]. 7 Relation to other standards Agents can exchange information carried by SmartTP PDUs and routed by SmartTP entity. This architecture allows to design agents which are independent from the platform in which they are running. Therefore Smart Layer can work over communication stack which are not defined by 7816 standards. As an example SmartTP PDU, identified by a specific protocol number, can be transported in IPv4 or IPv6 packets. 8 Assigned number Network Agent TCP port is set to ???? + x, where x is a physical channel number between 0 and 3 (hexadecimal value). The standard (TCP client) network agent reference is set to 1. Data associated to the open PDU designed an internet server and port separated by the sign ":". The web agent (server) reference is set to 2. SmartTP protocol number is set to BC00. Urien Expires December 2001 [Page 19] INTERNET DRAFT Smart Transfer Protocol June 2001 9 Authors' Addresses Pascal Urien Schlumberger CP8 68 route de Versailles - BP 45 78431 Louveciennes Cedex France eMail: Pascal.Urien@Bull.net 10 References 1 Bradner, S., "The Internet Standards Process -- Revision 3", RFC 2026, October 1996 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997 3 Postel, J., "Transmission Control Protocol", RFC 793, September 1981 4 ISO/IEC 7816, "Identification Cards - Integrated Circuit(s) Cards with Contacts_ 5 ETSI GSM 11.11, "Digital cellular telecommunications system (Phase 2+) Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface" 6 ISO 7498, "Information Processing Systems - Open Systems Interconnection - Basic Reference Model " 7 PC/SC, (c) 1996 CP8 Transac, HP, Microsoft, Schlumberger, Siemens Nixdorf, "Interoperability Specification for ICCs and Personal Computer Systems". 8 T Berners Lee & All "Hypertext transfer Protocol - HTTP/1/1" - RFC2616 - June 1999 9 Pascal Urien Internet Smartcard, a smartcard as a true Internet node", Computer Communication volume 23, issue 17 - October 2000 Urien Expires December 2001 [Page 20]