Next: 7.3.4 Life Cycle Up: 7.3 Smart Card Technology Previous: 7.3.2 Physical Characteristics

7.3.3 Logical Characteristics

The smart card processing unit executes a chip operating system that implements a hierarchical file system on the non-volatile memory of the card, and a set of access and control operations both for the card itself and for the file system.

The following descriptions of card data structures, card operations, and card security architecture are taken from ISO 7816-4. This document, although still a draft, is currently undergoing balloting through ISO. It is complete enough to indicate the general types of structures and operations that cards should be expected to support.

* Data structures

The file system supports a special root directory file (the "master file"), optional sub-directory files ("dedicated files"), and data files ("elementary files"). The identifiers of all files along the path from the master file down to a specific file unambiguously identify that file. All three categories of files contain control information, such as a file identifier, file name, specifications of record or data lengths in the file, etc. The draft standard specifies various types of elementary file structures: a sequence of records of identical length, a sequence of records of variable length, a sequence of records of identical length organized as a ring, and a "transparent structure" that is seen at the interface as a sequence of data units.

* Operations

The following commands are a subset of those specified in ISO 7816-4, and are included here merely to give a basic understanding of the types of operations supported on smart cards.

  • Return all or part of the contents of an elementary file.
  • Write binary values into an elementary file.
  • Erase all or part of the contents of an elementary file.
  • Set a "current file" that may be referred to implicitly in subsequent commands.
  • Compare verification data sent from the host system with reference data stored in the card (e.g., a password).
  • Compute authentication data using challenge data sent from the host system and a relevant secret (e.g., a key) stored in the card.
  • Conditionally update the security status of the card based on the result of a computation over a challenge previously issued by the card, a key stored in the card, and authentication data sent from the host system.

* Security Architecture

Smart cards implement three levels of logical access control. The first is the association of a set of privileges with a user's password, and the ability to control access to files on the card based on those privileges. The second level is the ability to detect and respond to a sequence of invalid access attempts. The third level is the "logical channel": a logical link between the host system and a file on the smart card.

* Privileges and access control

Two categories of access control mechanisms are promoted today in the smart card market. Both mechanisms define, as a built-in property of the card, how privileges relate users to given objects.

  • One system is the combinational system, where privileges are a first-order logic function of authorization variables (v[i]). For example, f(v[1], v[2], ..., v[n], p1) will be TRUE for a user/subject for a READ access if and only if the user/subject knows the values of every authorization variable v[i] AND knows the password p1. The function f is combinational, e.g., (v[1] AND v[2] OR v[3] XOR v[4]) AND value_in_pwd_filex_of(p1).
  • The second system is a sequential system, where privileges are the result of a sequential function of authorization variables (v[i]). For example, f(v[1], v[2], ..., v[n], p1) gives READ access for an object to a user/subject if and only if the user/subject knows which values (v[i]) have to be presented in state s[k], where k identifies a sequential file selection and key presentation step. s[k] is determined by the currently selected file and the keys currently activated.

* Invalid access attempts

Most, but not all, smart cards keep a record of sequential invalid access attempts (a supplied set of parameters for a function that fails to evaluate to TRUE), and deny further access to the card (or to the targeted file) once the count reaches a certain limit. In some cards the limit is configurable, while in others it is fixed at a small number such as 3 or 7. The count is reset to 0 when a valid access is made. Exceeding the limit either invalidates the card entirely, or puts it in a state where only a limited set of operations is available. These limited operations may be sufficient for an administrator to restore access.

Denial of access after a small number of invalid attempts prevents "password guessing" attacks on the card.
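To make the operations, the two access control systems and the invalid-attempt counter described above concrete, here is an added example (not code from this report or from ISO 7816-4) that models a card supporting select-, verify- and read-style operations, evaluates one combinational and one sequential READ rule over the card's security status, and locks the card once the retry limit is reached. All file identifiers, secret names and secret values are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
# Security status as the card sees it: ordered (selected file, verified secret) pairs.
History = Tuple[Tuple[str, str], ...]

@dataclass
class Card:
    secrets: Dict[str, bytes]                    # on-card reference data: v[i], p1, ...
    rules: Dict[str, Callable[[History], bool]]  # READ rule for each elementary file
    retry_limit: int = 3                         # fixed small limit, as on many cards
    current: str = "MF"                          # the "current file"
    history: List[Tuple[str, str]] = field(default_factory=list)
    retries: int = 0
    blocked: bool = False

    def select(self, fid: str) -> str:
        self.current = fid
        return "OK"

    def verify(self, name: str, candidate: bytes) -> str:
        # Compare host-supplied verification data with reference data in the card.
        if self.blocked:
            return "BLOCKED"
        ref = self.secrets.get(name)
        if ref is not None and hmac.compare_digest(ref, candidate):
            self.history.append((self.current, name))
            self.retries = 0                     # a valid access resets the count
            return "OK"
        self.retries += 1
        if self.retries >= self.retry_limit:     # limit reached: deny further access
            self.blocked, self.history = True, []
            return "BLOCKED"
        return "FAIL"

    def read_binary(self, fid: str) -> str:
        if self.blocked:
            return "BLOCKED"
        return "OK" if self.rules[fid](tuple(self.history)) else "SECURITY STATUS NOT SATISFIED"

def combinational_rule(h: History) -> bool:
    k = {name for _, name in h}                  # order of presentation is irrelevant
    return (("v1" in k and "v2" in k) or "v3" in k) and "p1" in k

def sequential_rule(h: History) -> bool:
    # v1 then v2 must have been presented, in that order, while DF01 was selected
    return [name for fid, name in h if fid == "DF01"] == ["v1", "v2"]

def make_card() -> Card:
    # Constructed sample secrets and rules, not values from any real card.
    return Card(secrets={"v1": b"A", "v2": b"B", "v3": b"C", "p1": b"1234"},
                rules={"EF01": combinational_rule, "EF02": sequential_rule})
```

Presenting v2 before v1 satisfies the combinational rule for EF01 but not the sequential rule for EF02, and three consecutive wrong presentations leave every later command answered with BLOCKED.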

* Logical channels

A "logical channel" is a logical link between the host system and a file on the smart card, either the Master File, a Dedicated File, or an Elementary File. When logical channels are in use, the selection of a file associates the file and its security status with the logical channel encoded in a reserved field of the selection command header.

Logical channels provide a mechanism for allowing multiple, independent applications to use the storage capabilities of the card. The card interface software on the host system must manage the mapping between processes and logical channels; the channel numbers are assigned either by the external world or by the card itself.

The logical channel portion of ISO 7816-4 conveys two concepts. The first deals with a logical link to files and requires the outside world to manage the channel numbers. In the second, the card allocates the logical channel number and supports a mechanism similar to swapping with a stack number. In both situations, cards implementing these standards grant applications the same control of access to files and data structures (without losing the security status) as if only one application had access.

Denis Arnaud