The smart card processing unit executes a chip operating system that
implements a hierarchical file system on the non-volatile memory of the
card, and a set of access and control operations both for the card
itself and for the file system.
The following descriptions of card data structures, card operations, and card security architecture are taken from ISO 7816-4. This document, although still a draft, is currently undergoing balloting through ISO. It is complete enough to indicate the general types of structures and operations that cards should be expected to support.
The file system supports a special root directory file (``master file''), optional sub-directory files (``dedicated files''), and data files (``elementary files''). The identifiers of all files along the path from the master file down to a specific file unambiguously identify the specific file. All three categories of files contain control information, such as a file identifier, file name, specifications of record or data lengths in the file, etc. The draft standards specify various types of elementary file structures: a sequence of records of identical length, a sequence of records of variable length, a sequence of records with identical length organized as a ring, and a ``transparent structure'' that is seen at the interface as a sequence of data units.
The following commands are a subset of those specified in ISO 7816-4, and are included here merely to give a basic understanding of the types of operations supported on smart cards.
Smart cards implement three levels of logical access control. The first is the association of a set of privileges with a user's password, and the ability to control access to files on the card based on those privileges. The second level of logical access control is the ability to detect and respond to a sequence of invalid access attempts. The third level is the ``logical channel'' - a logical link between the host system and a file on the smart card.
Two categories of access control mechanisms are promoted today in the smart card market. Both mechanisms are built-in characteristics of the relation between privileges and users for given objects.
Most, but not all, smart cards keep a record of sequential invalid access attempts (an access-control function, such as a password verification, whose supplied parameters fail to evaluate to TRUE), and deny further access to the card (or to the targeted file) once the count reaches a certain limit. In some cards the limit is configurable, while in others it is fixed at a small number such as 3 or 7. The count is reset to 0 when a valid access is made. Exceeding the limit either invalidates the card entirely, or puts it in a state where only a limited set of operations is available. These limited operations may be sufficient for an administrator to restore access.
Denial of access after a small number of invalid attempts defeats ``password guessing'' attacks carried out through the card interface: an attacker gets at most the limit's worth of guesses before the card or the file is blocked, so even a short password resists on-line guessing. The counter only governs guessing through the card interface; it gives no protection to a password whose reference value can be obtained by other means.
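As an added illustration (example code written for this page, not text from ISO 7816-4 or from any card's operating system), the following Python models a PIN protected by a retry counter as described above: each invalid presentation is counted, a valid one resets the count, reaching the limit blocks the PIN even for the correct value, and a separate administrator operation restores access. The PIN value, the unblocking key, the default limit of 3 and the choice to count an attempt before comparing are assumptions of the example; the 63 Cx status word carrying the remaining attempts is taken from the published ISO 7816-4, not from the draft text.

```python
import hmac

# Status words (SW1 SW2 as one integer). 90 00, 69 83 and 69 82 are
# ISO 7816-4 values; 63 Cx, carrying the remaining attempts in the low
# nibble, follows the published standard rather than the draft text above.
SW_OK = 0x9000
SW_AUTH_BLOCKED = 0x6983           # authentication method blocked
SW_SECURITY_NOT_SATISFIED = 0x6982


def sw_wrong_pin(remaining: int) -> int:
    """Build the 63 Cx status word: verification failed, x attempts left."""
    return 0x63C0 | (remaining & 0x0F)


class PinObject:
    """Toy model of a card PIN protected by a retry counter.

    Assumptions (not from the page): the reference PIN and the unblocking
    key are held as bytes, the limit defaults to 3, and unblocking also
    sets a new PIN. A real card keeps all of this in protected EEPROM.
    """

    def __init__(self, pin: bytes, unblock_key: bytes, limit: int = 3):
        if not 1 <= limit <= 15:
            raise ValueError("limit must fit the 63 Cx nibble (1..15)")
        self._pin = pin
        self._unblock_key = unblock_key
        self.limit = limit
        self.failures = 0          # sequential invalid attempts so far
        self.verified = False      # security status granted by VERIFY

    @property
    def blocked(self) -> bool:
        return self.failures >= self.limit

    def verify(self, candidate: bytes) -> int:
        """VERIFY: compare a presented PIN while maintaining the counter."""
        if self.blocked:
            # Refuse before touching the secret: a blocked PIN is never compared.
            return SW_AUTH_BLOCKED
        # Charge the attempt before comparing. A card commits the new count
        # to non-volatile memory first, so that cutting power right after a
        # failed comparison cannot win a free retry.
        self.failures += 1
        if hmac.compare_digest(candidate, self._pin):
            self.failures = 0      # a valid access resets the count
            self.verified = True
            return SW_OK
        self.verified = False
        if self.blocked:
            return SW_AUTH_BLOCKED
        return sw_wrong_pin(self.limit - self.failures)

    def unblock(self, key: bytes, new_pin: bytes) -> int:
        """Administrator recovery with the unblocking key: the kind of
        limited operation a blocked card may still accept."""
        if not hmac.compare_digest(key, self._unblock_key):
            # A real card would count attempts on this key as well.
            return SW_SECURITY_NOT_SATISFIED
        self._pin = new_pin
        self.failures = 0
        self.verified = False
        return SW_OK


def run_demo() -> list:
    """Walk a constructed PIN through guessing, reset, blocking and recovery.
    Returns the status word of each command in order."""
    pin = PinObject(b"1234", b"unblock-key", limit=3)
    return [
        pin.verify(b"0000"),                   # wrong: 63 C2, 2 attempts left
        pin.verify(b"1234"),                   # right: 90 00, counter back to 0
        pin.verify(b"0000"),                   # wrong: 63 C2 again, reset worked
        pin.verify(b"1111"),                   # wrong: 63 C1
        pin.verify(b"2222"),                   # wrong: limit reached, 69 83
        pin.verify(b"1234"),                   # even the right PIN is refused
        pin.unblock(b"unblock-key", b"5678"),  # administrator restores access
        pin.verify(b"5678"),                   # 90 00 with the new PIN
    ]


if __name__ == "__main__":
    for sw in run_demo():
        print(f"{sw:04X}")
```

The sixth step is the point of the mechanism: once the limit is reached the correct PIN is refused too, so an attacker cannot recover from a guessing run by finally guessing right, and only the separate unblocking operation reopens the card.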
A ``logical channel'' is a logical link between the host system and a
file on the smart card, either the Master File, a Dedicated File, or an
Elementary File. When logical channels are in use, the selection of a
file associates the file and its security status with the logical channel
encoded in a reserved field of the selection command header.
Logical channels provide a mechanism for allowing multiple, independent applications to use the storage capabilities of the card. The card interface software on the host system must manage the mapping between processes and logical channels; the channel numbers are either assigned by the external world or by the card itself.
The logical channel portion of ISO 7816-4 conveys two concepts. In the first, the channel is a logical link to files and the outside world manages the channel numbers. In the second, the card allocates the logical channel number and supports a mechanism similar to swapping with a stack number. In both cases, cards implementing these standards grant each application the same control of access to files and data structures (without losing its security status) as if that application alone had access to the card.
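To make the file system and the logical channels concrete, here is an added example (written for this page; it is neither the standard's text nor any vendor's card software) of a toy card in Python: a master file, a dedicated file and two elementary files; SELECT by path; MANAGE CHANNEL opening a channel either at the host's request or with a card-allocated number (the two concepts above); and a separate current file and security status for each channel, so that a VERIFY on one channel does not satisfy the access condition on another. File identifiers, the PIN and the file contents are constructed for the example. Placing the channel number in the two low-order bits of CLA follows the published ISO 7816-4 encoding for channels 0 to 3 and is an assumption relative to the draft's ``reserved field''; retry counting is left out here.

```python
import hmac
from dataclasses import dataclass

# ISO 7816-4 status words used by this toy card (SW1 SW2 as one integer).
SW_OK = 0x9000
SW_VERIFY_FAILED = 0x6300          # no retry counter in this example
SW_SECURITY_NOT_SATISFIED = 0x6982
SW_NO_CURRENT_EF = 0x6986          # command not allowed: no EF selected
SW_CHANNEL_NOT_SUPPORTED = 0x6881
SW_FILE_NOT_FOUND = 0x6A82

def cla_with_channel(cla: int, channel: int) -> int:
    """Encode channel 0..3 in CLA bits b2 b1 (the published ISO 7816-4
    layout; the draft quoted above only says 'a reserved field')."""
    if not 0 <= channel <= 3:
        raise ValueError("only channels 0..3 fit the two CLA bits")
    return (cla & 0xFC) | channel

@dataclass
class File:
    fid: int                     # two-byte file identifier
    data: bytes = None           # body of a transparent EF (None for MF/DF)
    children: dict = None        # fid -> File for MF/DF (None for an EF)
    pin_protected: bool = False  # reading requires a prior VERIFY

@dataclass
class ChannelContext:
    current: File                # file currently selected on this channel
    verified: bool = False       # security status held by this channel

class Card:
    def __init__(self, mf, pin):
        self.mf, self._pin = mf, pin
        self.ctx = {0: ChannelContext(mf)}  # the basic channel is always open

    def manage_channel_open(self, requested=None):
        """Open a channel. requested=None: the card allocates the number
        (second concept above); an int: the host manages numbering (first)."""
        for ch in ([requested] if requested is not None else range(1, 4)):
            if 1 <= ch <= 3 and ch not in self.ctx:
                self.ctx[ch] = ChannelContext(self.mf)
                return SW_OK, ch
        return SW_CHANNEL_NOT_SUPPORTED, None

    def _ctx(self, cla):
        # CLA bits b2 b1 name the channel; an unopened channel raises here
        # (a real card would answer 68 81 instead).
        return self.ctx[cla & 0x03]

    def select_path(self, cla, path):
        """SELECT by path from the MF, binding the file to the command's channel."""
        node, ctx = self.mf, self._ctx(cla)
        for fid in path:
            node = (node.children or {}).get(fid)
            if node is None:
                return SW_FILE_NOT_FOUND
        ctx.current = node
        return SW_OK

    def verify(self, cla, candidate):
        """VERIFY grants security status to the command's channel only."""
        ctx = self._ctx(cla)
        ctx.verified = hmac.compare_digest(candidate, self._pin)
        return SW_OK if ctx.verified else SW_VERIFY_FAILED

    def read_binary(self, cla):
        """READ BINARY on the channel's current EF. Returns (sw, data)."""
        ctx = self._ctx(cla)
        f = ctx.current
        if f.data is None:                  # an MF or DF is selected, not an EF
            return SW_NO_CURRENT_EF, b""
        if f.pin_protected and not ctx.verified:
            return SW_SECURITY_NOT_SATISFIED, b""
        return SW_OK, f.data

def build_card():
    """Constructed tree (not from the page): MF 3F00 / DF 7F10 / EFs 6F01, 6F02."""
    df = File(0x7F10, children={
        0x6F01: File(0x6F01, data=b"secret", pin_protected=True),
        0x6F02: File(0x6F02, data=b"public"),
    })
    return Card(File(0x3F00, children={0x7F10: df}), pin=b"1234")

def run_demo():
    """Two applications on two channels; returns the outcome of each step."""
    card = build_card()
    cla0 = cla_with_channel(0x00, 0)
    _, ch = card.manage_channel_open()                 # card picks channel 1
    cla1 = cla_with_channel(0x00, ch)
    r = {}
    r["select_ch1"] = card.select_path(cla1, [0x7F10, 0x6F01])
    r["read_ch1_unverified"] = card.read_binary(cla1)  # 69 82
    r["verify_ch1"] = card.verify(cla1, b"1234")
    r["read_ch1_verified"] = card.read_binary(cla1)    # 90 00, b"secret"
    r["select_ch0"] = card.select_path(cla0, [0x7F10, 0x6F01])
    r["read_ch0"] = card.read_binary(cla0)             # 69 82: status is per channel
    r["select_ch0_public"] = card.select_path(cla0, [0x7F10, 0x6F02])
    r["read_ch0_public"] = card.read_binary(cla0)      # 90 00, b"public"
    r["read_ch1_again"] = card.read_binary(cla1)       # channel 1 is undisturbed
    return r
```

The two reads of EF 6F01 show the isolation the text describes: channel 1 has presented the PIN and reads the file, channel 0 has selected the same file but holds no security status and is refused, and channel 0's later selection of EF 6F02 does not change channel 1's current file.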