ISO IEC 25185-1-2016 PDF

St ISO IEC 25185-1-2016

Name in English:
St ISO IEC 25185-1-2016

Name in Russian:
Ст ISO IEC 25185-1-2016

Description in English:

Original standard ISO IEC 25185-1-2016 in PDF, full version. Additional info and preview on request.

Description in Russian:
Original standard ISO IEC 25185-1-2016 in PDF, full version. Additional info and preview on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25917

Choose Document Language:
€25

Full title and description

ISO/IEC 25185-1:2016 — Identification cards — Integrated circuit card authentication protocols — Part 1: Protocol for Lightweight Authentication of Identity. Specifies the PLAID protocol for interoperable authentication between integrated circuit cards (ICCs / smart cards) and terminals, aimed at physical and logical access control systems.

Abstract

Defines the PLAID (Protocol for Lightweight Authentication of IDentity) exchange and implementation details sufficient for independent interoperable implementations. The protocol is a hybrid authentication scheme that relies on standard algorithms (AES-128, RSA-2048 and SHA-256) to provide mutual authentication and session key derivation for ICC-based access control. The document explicitly does not prescribe key distribution, credential record management or operational handling of payloads such as PINs or biometric templates.

General information

  • Status: Published (confirmed at systematic review).
  • Publication date: 2016-01 (published January 2016; confirmation recorded in 2025).
  • Publisher: ISO and IEC (ISO/IEC JTC 1 — Information technology).
  • ICS / categories: 35.240.15 (Identification cards; chip cards; biometrics).
  • Edition / version: Edition 1 (2016).
  • Number of pages: 20 pages.

These bibliographic and lifecycle details are taken from the ISO catalog entry and related standard records.

Scope

Specifies an authentication protocol for use with integrated circuit cards in physical and logical access control contexts where fast, interoperable and privacy-aware authentication is required. The scope covers message flows (INITIAL AUTHENTICATE / FINAL AUTHENTICATE), session key derivation, key diversification and APDU-style command semantics for ICC environments, but excludes operational policies for key distribution, credential lifecycle management (including revocation) and payload administrative procedures.

Key topics and requirements

  • PLAID protocol definition: message sequences, TLV/data-object dictionary and APDU command formats tailored to ICCs.
  • Cryptographic primitives: normative use of AES-128 (symmetric), RSA-2048 (asymmetric) and SHA-256 (hashing) for authentication and key derivation.
  • Key diversification and session-key derivation mechanisms to limit the impact of key compromise (DivData, IAKey/FAKey, KeySetID concepts).
  • Interoperability aids: normative test vectors, reference implementation guidance and informative annexes to support multiple vendor implementations.
  • Limitations: does not specify how keys or credential records are distributed, stored or revoked; does not mandate handling of PINs/biometric templates beyond data-object definitions.

Typical use and users

Primary users include smart-card and secure-element implementers, access-control system integrators, system architects for physical/logical access solutions, testing and conformance labs, and security evaluators. Typical deployments are contact and contactless ICC-based access control systems (employee badges, facility access tokens, logical workstation access) that require interoperable, standards-based authentication and session protection.

Related standards

Commonly used alongside or in contexts informed by other identification and ICC standards such as the ISO/IEC 7816 family (contact ICCs and APDU/command conventions), ISO/IEC 14443 (contactless proximity card air interface) and ISO/IEC 24727 (programming interfaces and architecture for ICC interoperability). The PLAID work was originally published in Australian Standard AS 5185-2010 and later adopted as ISO/IEC 25185-1:2016.

Keywords

PLAID, ICC, smart card, authentication protocol, ISO/IEC 25185-1, access control, AES-128, RSA-2048, SHA-256, key diversification, APDU, TLV.

FAQ

Q: What is this standard?

A: ISO/IEC 25185-1:2016 is an international standard that defines the PLAID (Protocol for Lightweight Authentication of IDentity) authentication protocol for integrated circuit cards used in physical and logical access control systems.

Q: What does it cover?

A: It covers the PLAID message flows, data-object/TLV definitions, APDU-style commands, session key derivation and key diversification methods, and provides normative test vectors and implementation guidance to allow interoperable implementations. It does not cover operational key distribution, credential record management or detailed handling of PINs/biometric payloads.

Q: Who typically uses it?

A: Smart-card vendors, secure element implementers, access-control integrators, security architects, conformance/test labs and evaluators working on ICC-based access solutions.

Q: Is it current or superseded?

A: The standard was published in January 2016 (Edition 1). The ISO catalog entry shows that it was reviewed and confirmed at systematic review in 2025, so it remains current.

Q: Is it part of a series?

A: It is designated "Part 1" of ISO/IEC 25185 and represents the published PLAID protocol specification. Other parts of the series would carry subsequent part numbers if developed; users should check ISO records for any additional parts or updates beyond Part 1.

Q: What are the key keywords?

A: PLAID; ICC; smart card authentication; AES-128; RSA-2048; SHA-256; key diversification; session keys; APDU; access control.