Been there, done that.

One good thing, if the vendor is Chinese, he won't be using DES.

Anyway, about the COS: The credential can, in fact, hold an application. But it is typically not an execuable app in the manner you might normally think of it.
What there IS, is a short routine on the credentail that is akin to a file control system; it accesses, reads and writes blocks of memory. Of course, the most significant memory block is the one containing the Identification Number. All this happens
after the authentication handshaking, which typcially uses some kind of encryption. This is the reason this type of transaction is so slow; there is a lot of
data to pass in both directions and the bandwidth is very low on this type of communication. The communication frequency is typically 13.56 MHZ on the most recent SmartCards,
and thus the range (distance between dongle and credential] is short.

Just some FYI

Sarge