ISO/IEC 7816-4
Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
Cartes d’identification — Cartes à circuit intégré — Partie 4: Organisation, sécurité et commandes pour les échanges
 

Access rule references
Access rules in expanded format may be stored in an EF supporting a linear structure with records of variable size. Such an EF is named EF.ARR. One or more access rules may be stored in each record referenced by a record number. Such a record number is named ARR byte. Table 24 illustrates the layout of an EF.ARR.

Table 24 — EF.ARR layout
Record number (ARR byte) | Record content (one or more access rules)
1 | Access mode data object, one or more security condition data objects, access mode data object, …
2 | Access mode data object, one or more security condition data objects, …

Referenced by tag ’8B’, security attribute data objects referencing expanded format (see Table 25) may be present in the control parameters of any file (see Table 12).
–If the length is one, then the value field is an ARR byte that references a record in an implicitly known EF.ARR.
–If the length is three, then the value field is a file identifier followed by an ARR byte; the file identifier references EF.ARR and the ARR byte is the record number in EF.ARR.
–If the length is even and at least four, then the value field is a file identifier followed by one or more pairs of bytes. Each pair consists of a SEID byte followed by an ARR byte; the SEID byte identifies the security environment where the access rules referenced by the ARR byte apply.

Table 25 — Security attribute data objects referencing expanded format
Tag | Length | Value
’8B’ | 1 | ARR byte (one byte)
’8B’ | 3 | File identifier (two bytes) – ARR byte (one byte)
’8B’ | Even, ≥ 4 | File identifier (two bytes) – SEID byte (one byte) – ARR byte (one byte) – [SEID byte – ARR byte] – …

The ARR byte of the current SE indicates the access rules valid for the current access to the application DF.
NOTE: If no SE is set in a former MANAGE SECURITY ENVIRONMENT command, then the default SE is the current SE.
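The three encodings of the ’8B’ value field in Table 25, the selection of the ARR byte by the current SE, and the record layout of Table 24 can be exercised with the following decoder. It is an added example for this edition and not code from the standard: the sample EF.ARR record is constructed, and the tag ranges it relies on (access mode DOs in ’80’ to ’8F’, and ’90’ / ’A4’ as security condition DOs in the sample record) are assumptions, as is the choice to reject a reference that lists the same SEID twice instead of silently picking one.

```python
"""Decoder for '8B' security attribute references (Table 25) and EF.ARR records
(Table 24). Added example, not code from ISO/IEC 7816-4; see comments for assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ArrReference:
    file_id: Optional[int]   # None: EF.ARR is implicitly known (length-1 form)
    arr_by_seid: dict        # SEID -> ARR byte; key None: applies whatever the current SE


def parse_8b_value(value: bytes) -> ArrReference:
    """Decode the value field of a tag '8B' data object according to Table 25."""
    n = len(value)
    if n == 1:
        return ArrReference(None, {None: value[0]})
    if n == 3:
        return ArrReference(int.from_bytes(value[:2], "big"), {None: value[2]})
    if n >= 4 and n % 2 == 0:
        file_id = int.from_bytes(value[:2], "big")
        pairs = {}
        for i in range(2, n, 2):
            seid, arr = value[i], value[i + 1]
            if seid in pairs:  # ambiguous reference: reject rather than guess (design choice)
                raise ValueError(f"duplicate SEID {seid:02X} in '8B' reference")
            pairs[seid] = arr
        return ArrReference(file_id, pairs)
    raise ValueError(f"invalid '8B' value length {n}")


def resolve_arr_byte(ref: ArrReference, current_seid: int) -> Optional[int]:
    """ARR byte that applies under the current SE; None when the reference has no
    entry for it (the caller must then deny, not fall through to another SE's rule)."""
    if None in ref.arr_by_seid:
        return ref.arr_by_seid[None]
    return ref.arr_by_seid.get(current_seid)


def parse_ber_tlv(data: bytes) -> list:
    """Flat BER-TLV split: multi-byte tags, short and long definite lengths, no nesting."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:  # subsequent tag bytes follow
            while True:
                if i >= len(data):
                    raise ValueError("truncated tag")
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        if i >= len(data):
            raise ValueError("missing length")
        length = data[i]
        i += 1
        if length & 0x80:
            nbytes = length & 0x7F
            if nbytes == 0 or i + nbytes > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > len(data):
            raise ValueError("truncated value")
        out.append((tag, data[i:i + length]))
        i += length
    return out


AM_DO_TAGS = range(0x80, 0x90)  # assumption: access mode DOs carry tags '80' to '8F'


def split_arr_record(record: bytes) -> list:
    """Group one EF.ARR record into (access mode DO, [security condition DOs]) rules.
    A new rule starts at every AM DO; any other DO is a condition of the rule opened
    before it. Records that do not fit Table 24 are rejected rather than guessed."""
    rules = []
    for tag, val in parse_ber_tlv(record):
        if tag in AM_DO_TAGS:
            rules.append(((tag, val), []))
        elif not rules:
            raise ValueError("security condition DO before any access mode DO")
        else:
            rules[-1][1].append((tag, val))
    for _, conditions in rules:
        if not conditions:
            raise ValueError("access mode DO without security condition")
    return rules


# Constructed sample record: two rules, the second carrying a control reference template.
SAMPLE_ARR_RECORD = bytes.fromhex("800101" "9000" "800102" "A406830101950108")
```

Note that a reference of the SEID form yields no ARR byte at all when the current SE is not listed; treating that as "no access" rather than falling back to the first pair is the conservative reading, and the decoder leaves that decision to the caller by returning None.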

Security support data elements
This clause specifies a collection of security support data elements with rules governing the way their values are handled. The security support data elements extend and refine the control reference data objects. The card may provide them as generic support to security mechanisms performed by an application. Applications may reference them for secure messaging and for security operations (see ISO/IEC 7816-8[4]). This clause specifies neither certain characteristics of the security support data elements, e.g., their lengths, nor the algorithms that alter their values.

Principles——The card shall maintain and use the value of security support data elements as follows.
–Update is done with new values either computed by the card, or provided by the outside world, in accordance with the specific rule for a specific type of security support data element.
–Update is performed before any output is produced for the command causing an update. The update is independent of the completion status of the command. If the value is to be used by the application in an operation that causes an update, the update is performed before the value is used.
–Access to application-specific security support data elements is restricted to functions performed by the specific application.
NOTE: The actual security achieved in a command-response pair ultimately depends on the algorithms and protocols specified by the application; the card only provides support with these data elements and associated usage rules.

Data elements——The card may support command-response pair security with data elements called progression values. Increased at specific events throughout the life of the card, these values are different each time the card is activated. Two progression values are specified: a card session counter and a session identifier.
–The card session counter is incremented once during card activation.
–The session identifier is computed from the card session counter and from data provided by the outside world.

Two types of progression values are specified.
–Internal progression values, if so specified for an application, register the number of times specific events are performed. The data element shall be incremented after the event; the card may provide a reset function for these counters which, if so specified for an application, sets their value to zero. Internal progression values cannot be controlled by the outside world and are suitable for use as secured in-card approximate representations of real time. Their values can be used in cryptographic computations.
–External progression values, if so specified for an application, shall only be updated by a data value from the outside world. The new value shall be numerically larger than the current value stored in the card.
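The handling rules above (update before output and independent of completion status, internal counters not settable from outside, external values accepted only when strictly larger) are easiest to see as a small state model of the card side. The following is an added example, not text or code from the standard: it assumes 4-byte counters and derives the session identifier with SHA-256 over the counter and the outside data, neither of which the standard fixes, and the event and value names are constructed.

```python
"""Model of ISO/IEC 7816-4 security support data elements (progression values).
Added example, not code from the standard. Counter width (4 bytes) and the
session-identifier derivation (SHA-256) are assumptions."""
import hashlib
from typing import Callable, Iterable

COUNTER_MAX = 0xFFFFFFFF  # assumption: 4-byte counters


class ProgressionValueError(Exception):
    """An update would violate a progression value rule."""


class SecuritySupport:
    def __init__(self, resettable: Iterable[str] = ()):
        self.card_session_counter = 0
        self.session_identifier = b""
        self._internal = {}                 # internal progression values, per event
        self._external = {}                 # external progression values, per element
        self._resettable = set(resettable)  # counters for which the application specifies a reset

    def activate(self, outside_data: bytes) -> bytes:
        """Card activation: the card session counter is incremented once and the
        session identifier is computed from it and from data the outside world supplies."""
        if self.card_session_counter >= COUNTER_MAX:
            raise ProgressionValueError("card session counter exhausted")
        self.card_session_counter += 1
        self.session_identifier = hashlib.sha256(
            self.card_session_counter.to_bytes(4, "big") + outside_data
        ).digest()[:8]
        return self.session_identifier

    def count_event(self, name: str, operation: Callable[[int], None]) -> tuple:
        """Run a command that is a counted event. The counter is advanced and stored
        before the operation consumes it and before any response is produced; the
        update stands whether or not the command completes. Returns (ok, new value)."""
        current = self._internal.get(name, 0)
        if current >= COUNTER_MAX:
            raise ProgressionValueError(f"{name} exhausted")
        new_value = current + 1
        self._internal[name] = new_value
        try:
            operation(new_value)
            return True, new_value
        except Exception:
            return False, new_value

    def internal_value(self, name: str) -> int:
        return self._internal.get(name, 0)

    def reset_internal(self, name: str) -> int:
        """Reset exists only where the application specifies it; nothing else can
        move an internal progression value from the outside."""
        if name not in self._resettable:
            raise ProgressionValueError(f"no reset function specified for {name}")
        self._internal[name] = 0
        return 0

    def update_external(self, name: str, new_value: int) -> int:
        """External progression value: supplied by the outside world only, and each
        new value must be numerically larger than the stored one, so a replayed or
        stale value is rejected and the stored value is left untouched."""
        if not 0 <= new_value <= COUNTER_MAX:
            raise ProgressionValueError("value out of range")
        current = self._external.get(name, 0)
        if new_value <= current:
            raise ProgressionValueError(f"{name}: {new_value} is not larger than stored {current}")
        self._external[name] = new_value
        return new_value
```

The point to notice is in count_event: a failing command still consumes a counter value, which is what lets the counter stand in for time and prevents an attacker from probing a command repeatedly without leaving a trace in the card's state.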

References——The card may provide access to the value of security support data elements as follows.
–An EF may be present in the MF, e.g., for a card session counter, or in an application DF, e.g., for application-specific progression values.
–Auxiliary data objects (tags ’88’, ’92’, ’93’, see Table 33) may be present in a control reference template. These tags can be used if the SE supports unambiguous use of these data elements.
–Within the interindustry template referenced by tag ’7A’, the context-specific class (first byte from ’80’ to ’BF’) is reserved for security support data objects as listed in Table 26.

Table 26 — Security support data objects