Oman eID

Use the Detail control in the header to switch every explanation between Beginner, Intermediate and Expert. Then jump to the Lab to watch these ideas happen on a real or simulated card.

Chapter 1: What is the Oman eID?

It's the Omani national ID card — but with a tiny secure computer (a chip) inside. The chip can prove who you are online, hold a digital signature, and act as an e-passport, all protected so it can't be copied.

Citizen / Resident · eID + e-signature · e-passport · biometrics

Chapter 2: Anatomy of a smart card

The chip is a complete little computer with no screen or battery. It only wakes up in a reader, and it only ever receives a request, thinks, and sends an answer back.

Chapter 3: APDUs — how we talk to a card

Every message to the card is a small command packet, and the card replies with data plus a 2-byte 'verdict' code. 9000 means OK.

Example: SELECT by AID, with the ISD AID as the data field
00 A4 04 00 08 A0 00 00 00 18 43 4D 00
Lc 08 · Data field (ISD AID) A0 00 00 00 18 43 4D 00
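As an added example (not code from the lesson or its Lab), here is a small Node.js helper that builds the SELECT packet above, splits a reply into its data and 2-byte verdict, and turns the verdict into words; the reply bytes are constructed for the walk-through.

```javascript
// Encode a short ISO 7816-4 command APDU: CLA INS P1 P2, then Lc + data when data is
// sent, and Le when a response is expected (Le 00 asks for up to 256 bytes).
function buildApdu({ cla, ins, p1, p2, data = Buffer.alloc(0), le = null }) {
  if (data.length > 255) throw new RangeError('short APDU: Lc is one byte, so at most 255 data bytes');
  const parts = [Buffer.from([cla, ins, p1, p2])];
  if (data.length) parts.push(Buffer.from([data.length]), data);
  if (le !== null) parts.push(Buffer.from([le & 0xff]));
  return Buffer.concat(parts);
}
// SELECT by AID, the Chapter 3 packet: 00 A4 04 00 Lc AID.
const selectByAid = (aid) => buildApdu({ cla: 0x00, ins: 0xa4, p1: 0x04, p2: 0x00, data: aid });
// Split a reply into response data and the 2-byte status word SW1 SW2 that always ends it.
function splitResponse(resp) {
  if (resp.length < 2) throw new Error('reply shorter than the 2-byte status word');
  return { data: resp.subarray(0, resp.length - 2), sw: resp.readUInt16BE(resp.length - 2) };
}
// Turn a status word into the verdict a reader shows. 63Cx carries the remaining retry
// count x: the number a safety-conscious tool checks before ever re-trying a secret.
function describeSw(sw) {
  if (sw === 0x9000) return 'OK';
  if ((sw & 0xfff0) === 0x63c0) return `warning: ${sw & 0x0f} tries remaining`;
  if (sw === 0x6a82) return 'file or application not found';
  if (sw === 0x6982) return 'security status not satisfied: authenticate first';
  return `SW ${sw.toString(16).toUpperCase().padStart(4, '0')}`;
}
// Constructed walk-through: the ISD AID from this page, and a made-up reply 6F 00 90 00.
const ISD_AID = Buffer.from('A000000018434D00', 'hex');
const reply = splitResponse(Buffer.from('6F009000', 'hex'));
console.log(selectByAid(ISD_AID).toString('hex').toUpperCase()); // 00A4040008A000000018434D00
console.log(describeSw(reply.sw), reply.data.length, 'data bytes'); // OK 2 data bytes
```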

Chapter 4: TLV — how data is stored

Data on the card is packed as labelled boxes: a Tag (what it is), a Length (how big), and the Value (the contents).

5F20 06 4F 4D 41 4E 49 44
Tag 5F20 (name) · Length 6 · Value "OMANID"

Chapter 5: GlobalPlatform & Java Card

Think of the card as a phone and the features as pre-installed apps. GlobalPlatform is the 'device admin + app store' that installs them and decides who's allowed to.

Applet                     AID                                      SELECT
GP ISD (Card Manager)      A0 00 00 00 18 43 4D 00                  9000
MPCOS (ID / DL / e-Auth)   A0 00 00 00 18 52 4F 50 01               9000
IAS Classic (PKI)          A0 00 00 00 18 0C 00 00 01 63 42 00      9000
BioManager — MOCA          A0 00 00 00 30 80 00 00 00 0A B1 00 01   9000
FIDO U2F                   A0 00 00 06 47 2F 00 01                  9000
eTravel / ICAO             A0 00 00 02 47 10 01                     9000

Chapter 6: Identifying a card

Before doing anything, we read three harmless things: the card's 'hello' (ATR), its 'birth certificate' (CPLC), and an identity tag that says Citizen vs Resident and Test vs real.

ATR  3B7A9700008065B0 85 20 05 0272D643   (highlighted bytes: 20 = Citizen · 05 = MAV5.2)
→ Watch a real inspection in the Lab
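An added example, not the Lab's code, that parses the ATR above into its interface and historical bytes and reads the two highlighted flags. The flag offsets (4 and 5 within the historical bytes) and the two meanings 20 = Citizen and 05 = MAV5.2 are assumptions read off this page's example ATR; nothing else about the layout is claimed.

```javascript
const hex = (b) => b.toString(16).padStart(2, '0').toUpperCase();
// Parse an ISO 7816-3 Answer To Reset. T0 and each TD byte carry a 4-bit mask in the
// high nibble saying which of TA, TB, TC, TD follow at the next level; T0's low nibble
// is the number of historical bytes and TD's low nibble a protocol number. A check
// byte TCK closes the ATR only when a protocol other than T=0 is offered.
function parseAtr(raw) {
  if (raw.length < 2 || (raw[0] !== 0x3b && raw[0] !== 0x3f)) throw new Error('not an ATR: bad length or TS byte');
  const atr = { ts: raw[0], interfaceBytes: [], protocols: [], historical: null };
  const k = raw[1] & 0x0f;
  let mask = raw[1] >> 4, i = 2, level = 1;
  while (mask) {
    let next = 0;
    for (const [bit, name] of [[1, 'TA'], [2, 'TB'], [4, 'TC'], [8, 'TD']]) {
      if (!(mask & bit)) continue;
      if (i >= raw.length) throw new Error('ATR truncated inside the interface bytes');
      atr.interfaceBytes.push(`${name}${level}=${hex(raw[i])}`);
      if (name === 'TD') { next = raw[i] >> 4; atr.protocols.push(raw[i] & 0x0f); }
      i++;
    }
    mask = next; level++;
  }
  const tck = atr.protocols.some((t) => t !== 0) ? 1 : 0;
  if (raw.length !== i + k + tck) throw new Error(`ATR length ${raw.length}, expected ${i + k + tck}`);
  if (tck && raw.subarray(1).reduce((x, b) => x ^ b, 0) !== 0) throw new Error('TCK check byte mismatch');
  atr.historical = raw.subarray(i, i + k);
  return atr;
}
// The two flag bytes the lesson highlights (20 = Citizen, 05 = MAV5.2). Their offsets,
// 4 and 5 within the historical bytes, are an assumption read off this page's example
// ATR, not a published layout; anything else is reported as unknown.
function identify(historical) {
  if (historical.length < 6) throw new Error('too few historical bytes');
  return {
    cardType: historical[4] === 0x20 ? 'Citizen' : `unknown (${hex(historical[4])})`,
    mask: historical[5] === 0x05 ? 'MAV5.2' : `unknown (${hex(historical[5])})`,
  };
}
// Constructed input: the ATR shown on this page.
const atr = parseAtr(Buffer.from('3B7A9700008065B08520050272D643', 'hex'));
console.log(atr.interfaceBytes.join(' '), identify(atr.historical)); // TA1=97 TB1=00 TC1=00 { cardType: 'Citizen', mask: 'MAV5.2' }
```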

Chapter 7: Keys & diversification

Every card shares one factory ‘master key’ family — but it would be dangerous if they were all identical. So each card mixes the master key with its own serial number to make keys that are unique to it. We never see the keys; we only see a short ‘fingerprint’ that proves they’re right.

Mother key (test batch)        secret · KCV 8A1C44
        ↓ combined with card serial
Diversification data           4D 00 00 B3 5E 00 01 02 03 04
        ↓ AES-CMAC(mother, role ‖ serial)
K-ENC                          secret · KCV 1F9E20
K-MAC                          secret · KCV 77B3C1
K-DEK                          secret · KCV 0A55E9
(keys never displayed · KCV fingerprint only)

Chapter 8: SCP03 & staying safe

To manage the card you must prove you know its secret key. Both sides swap random numbers and compute a matching proof. The big danger: guessing wrong locks the card forever after only 3 tries. So our tool checks the card's proof first and only sends our reply when it already knows it will succeed — it can never lock the card.

INITIALIZE UPDATE (host → card): host challenge
Card response (card → host): div data · challenge · cryptogram
Verify: card cryptogram verified → safe to authenticate
EXTERNAL AUTHENTICATE (host → card): host cryptogram + C-MAC
9000 (card → host): channel open, velocity counter reset

Host challenge   7D 4C F9 8F 97 53 FA 0A
Card challenge   01 02 03 04 05 06 07 08
SCP03 KDF (SP 800-108, AES-CMAC):
S-ENC    secret · KCV C41A07
S-MAC    secret · KCV 9B2E55
S-RMAC   secret · KCV 30FFA1

Why this is safe: a wrong key is never submitted to the card, because the card's own cryptogram is verified before EXTERNAL AUTHENTICATE. Live cards are refused before INITIALIZE UPDATE.
→ Run the SCP03 handshake in the Lab (sim)

Chapter 9: Writing data & the safety gate

Reading is safe; writing changes the card. Personalization means writing the cardholder's details into little files on the chip. To make sure nothing happens by accident, the tool always asks you to confirm first — and real cards are protected until you deliberately turn writes on.

EF     Tag    Field            Value
EF01   5A     Civil Number     12345678
EF02   5B     Full Name (EN)   AHMED AL SAID
EF04   5F57   Date of Birth    19900115
EF07   5F35   Gender           M
EF09   5F24   Date of Expiry   20340101
The safety gate: destructive operations stop and wait for an explicit confirmation. Nothing is written until you approve it, and real-card writes stay off until deliberately enabled — so you can explore the whole flow in simulation with zero risk.
→ Run MPCOS perso in the Lab (sim)

Chapter 10: IAS, PKI & secure messaging

IAS is the part of the card that does digital signatures and proves your identity online, using public-key cryptography (PKI). Installing it is a card-management job done over the encrypted admin channel — so every command is signed to prove it really came from us and wasn't tampered with on the way.

SCP03 channel already open (verify): C-MAC on every command
SET STATUS → SECURED (host → card): 84 F0 … (C-MAC)
INSTALL [for install] IAS (host → card): 84 E6 0C 00 … (C-MAC)
PUT DATA (A5 4D) (host → card): 84 DA 00 00 … (C-MAC)
9000 each (card → host): IAS installed
→ Run IAS install in the Lab (sim)

Chapter 11: Lifecycle & dangerous operations

A card has a “life cycle” — stages from factory-fresh to retired. Some moves forward can never be undone, and a few operations can permanently brick the card. The tool is built so you can explore all of this safely, but it's important to know which actions are the dangerous ones.

OP_READY (01): Fresh from the factory.
  one-way →
INITIALIZED (07): Being prepared for issuance.
  one-way →
SECURED (0F, current): Normal in-the-field operation.
  one-way →
CARD_LOCKED (7F): Temporarily locked; refuses app selection.
  reversible (with keys)
TERMINATED (FF): End of life — responds to almost nothing.
  PERMANENT
Permanent (no recovery): SET STATUS → TERMINATED · PUT KEY to a key you don't hold · exhausting GP auth (≈3 on MAV5.2 perso) · PUK exhaustion.
Recoverable: CARD_LOCKED (unlock with keys) · PIN block (unblock with PUK).
Always safe: SELECT · GET DATA · a correct, completed SCP03 handshake.

Chapter 12: e-Passport (eTravel) & PACE

The card can also act as an e-passport. To stop anyone secretly reading it over the air, the chip only opens up after you prove you can physically see the document — by entering a password printed on it (the machine-readable text, or a 6-digit number). Then the reader can fetch the holder's details and photo, and check the issuer's signature to be sure nothing was changed.

SELECT eTravel + read EF.CardAccess (host → card): learn the PACE parameters
PACE with the MRZ or CAN password (verify): MSE:Set AT + GENERAL AUTHENTICATE ×4
Secure messaging open (card → host): AES KSEnc / KSMac
Read DG1 MRZ · DG2 face · … (host → card): encrypted + MAC'd
Passive authentication (verify): verify EF.SOD hashes + CSCA signature

Who can read what (access columns: No auth · BAC · PACE · EAC)
Object            Contents
EF.CardAccess     PACE parameters
EF.COM / EF.SOD   DG index + signature
DG1               MRZ (name, number, dates)
DG2               facial image
DG14 / DG15       Chip / Active Authentication keys
DG3 / DG4         fingerprints / iris
→ Run the eTravel read walkthrough in the Lab